Multiple SIP domain support?

    Question

  • I read some threads here about the same topic but need more clarification... so apologies for asking the same kind of question.

    Basically, we have multiple SIP domains, and users have email addresses with various domain suffixes. If I want the users to use their email address as their Lync sign-in address (their SIP address)...

    1. Does that mean I'll have to create DNS records for the different SIP domains? For example, sip.1.com, sip.2.com, sip.3.com...

    2. How about the simple URLs? Would I need to create meet.1.com, meet.2.com, meet.3.com... etc?

    3. If so, would I also need to add all those to the certificates? We have 6 domains that we support and putting all those SANs on one cert would not be possible (as far as I understand, only one cert can be assigned to a service).

    4. Will internal SRV records need to be created for each SIP domain?

    5. And of course, I assume that all public DNS records required will need to be created for each supported SIP domain...?

    Appreciate the help!


    me

    Wednesday, April 11, 2012 1:37 PM

All replies

  • For each domain you will need to create an SRV locator record for internal and external access (_sip._tls.domain.com).

    Each domain will also need the correct A records (meet, dialin, lyncdiscover, sip etc...)

    Simple URLs will need to be made for each SIP domain as you mentioned (meet.1.com, meet.2.com, etc...).

    As for the certificate, you will need to purchase a UCC certificate with all the names you will need. I use GoDaddy/Starfield, they work 100% and will give you up to 100 domains in their UCC. But your CN (Common Name) will be sip.primarysipdomain.com.

    Internal will also need their SRV records (sipinternal)

    Also, the first domain name you use when you deploy Lync will become your primary SIP domain. So on your external certificates your Common Name will be primarySIPdomain.com.


    http://lyncme.blogspot.com

    Wednesday, April 11, 2012 2:05 PM
  • Tim, thank you for the reply, that really helps.

    Some more q's... If I may..

    1. Isn't there a limit to how many SANs can be on a UCC cert? From my experience, GoDaddy certs have a limit of 15 SANs, and DigiCert has a 10-SAN limit... (I'm guessing there are more pricey options that can increase the limit?) I'm concerned about this because we have 5 SIP domains; if I need to include all entries required for each of the 5 domains, it's most likely more than 15... And I know I can only assign one cert to Lync services. I'm only planning to deploy one Standard Edition Front End (for now).

    2. What if I configure simple URLs so that they're in the format sipdomain.com/meet and sipdomain.com/dialin, etc.? I assume this will reduce the number of SANs that need to be on the cert?

    Appreciate the help!


    me

    Wednesday, April 11, 2012 2:27 PM
  • It's not required to create Simple URLs for all domains; you can use a configuration that shares a single domain name. Only the Access Edge sip.domainx.com FQDN needs to be created for all domains in use. You can use a format of meet.domain1.com/domain1, meet.domain1.com/domain2, etc.

    I've seen certificates with up to 150 SAN entries, so it can scale quite high.


    Jeff Schertz | Microsoft Solutions Architect - Polycom | Lync MVP

    Wednesday, April 11, 2012 8:16 PM
    Moderator
  • Hi,

    As far as I know, you need to create the following records (I assume 1.com is the domain where Lync Server is installed and that it is the default SIP domain):

    1. Auto sign in for each sip domain:

    _sipinternaltls._tcp.1.com -> pool.1.com (Front End pool FQDN)

    pool.1.com -> IP address of Front End

    _sipinternaltls._tcp.2.com -> sip.2.com

    sip.2.com -> IP address of Front End

    _sipinternaltls._tcp.3.com -> sip.3.com

    sip.3.com -> IP address of Front End

    2. The simple URLs:

    https://meet.1.com

    https://meet.2.com

    https://meet.3.com

    https://dialin.1.com

    https://admin.1.com

    3. Certificate for Front End:

    SN=pool.1.com

    SAN=pool.1.com

    SAN=Front End server FQDN (if it is Enterprise Edition)

    SAN=internal Web Services pool FQDN (if it is Enterprise Edition)

    SAN=meet.1.com

    SAN=meet.2.com

    SAN=meet.3.com

    SAN=dialin.1.com

    SAN=admin.1.com

    NOTE: If this pool is the auto-logon server for clients and strict DNS matching is required in group policy, you also need SAN=sip.1.com; SAN=sip.3.com

    In addition, you can also use Option 3 in the following link. Option 3 is most useful if you have many SIP domains, and you want them to have separate Meet simple URLs but want to minimize the DNS record and certificate requirements for these simple URLs.

    http://technet.microsoft.com/en-us/library/gg398287.aspx

    4. Automatic sign-in for external users

    SRV records:

    _sip._tls.1.com -> sip.1.com (Access Edge FQDN; this record should already exist since you deployed the Edge Server)

    _sip._tls.2.com -> sip.2.com

    _sip._tls.3.com -> sip.3.com

    A records:

    sip.2.com points to the IP address of the Access Edge Server

    sip.3.com points to the IP address of the Access Edge Server

    Add sip.domain2.com and sip.domain3.com to the Edge external certificate SAN list.

    Regards,

    Kelly

    Thursday, April 12, 2012 10:55 AM
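    The following is an added example, not code from the thread or from Microsoft. It is a small Python planner that lays out the records and certificate names Tim, Jeff and Kelly describe above for a list of SIP domains, and shows how the Option 3 layout (one base FQDN with sub-paths for the simple URLs) shrinks the Front End SAN list compared with meet.<domain> per domain. The domain names, the pool FQDN pool.1.com, the base FQDN lync.1.com and the sub-path label scheme (the domain with its dots removed) are constructed assumptions; the SRV ports are the standard Lync ones.

```python
"""Constructed example: DNS records and certificate names for N SIP domains.

Not code from the thread or from Microsoft. The domain names, pool FQDN,
base FQDN and the sub-path label scheme are assumptions made for the example.
"""


def simple_urls_for(domains, option, base_fqdn=None):
    """Simple URLs for Meet, Dial-in and Admin.

    'per_domain': every SIP domain gets its own meet.<domain> name, which costs
    one A record and one SAN each.
    'shared_base': the Option 3 layout, one base FQDN with sub-paths, so only
    the base name needs an A record and a SAN. The per-domain label (domain
    with the dots removed) is a constructed choice, not a product rule.
    """
    default = domains[0]
    if option == "per_domain":
        return ([f"https://meet.{d}" for d in domains]
                + [f"https://dialin.{default}", f"https://admin.{default}"])
    if option == "shared_base":
        if not base_fqdn:
            raise ValueError("shared_base needs a base FQDN, e.g. lync.<default domain>")
        urls = [f"https://{base_fqdn}/{p}" for p in ("meet", "dialin", "admin")]
        return urls + [f"https://{base_fqdn}/{d.replace('.', '')}/meet" for d in domains[1:]]
    raise ValueError(f"unknown simple URL option: {option}")


def hostname_of(url):
    """Host part of an https URL, lower-cased."""
    return url.split("//", 1)[1].split("/", 1)[0].lower()


def plan_records(domains, pool_fqdn, option="per_domain", base_fqdn=None,
                 strict_dns_match=False):
    """Return the DNS records and certificate names for the given SIP domains.

    domains[0] is the default SIP domain (the first one configured in Lync).
    strict_dns_match adds sip.<domain> to the Front End SANs, the case the
    post above notes for clients with strict DNS matching enforced by policy.
    """
    if not domains:
        raise ValueError("need at least one SIP domain")
    default = domains[0]
    plan = {
        "internal_srv": [],            # (name, port, target)
        "external_srv": [],
        "a_records": [(pool_fqdn, "Front End pool IP (internal)")],
        "simple_urls": [],
        "frontend_sans": [pool_fqdn],  # CN of the Front End cert is the pool FQDN
        "edge_cn": f"sip.{default}",   # CN of the Access Edge external cert
        "edge_sans": [],
    }
    for d in domains:
        # Internal auto sign-in: the default domain's SRV targets the pool name,
        # the others target sip.<d>, which resolves to the Front End internally.
        target = pool_fqdn if d == default else f"sip.{d}"
        plan["internal_srv"].append((f"_sipinternaltls._tcp.{d}", 5061, target))
        # External auto sign-in always targets the Access Edge name sip.<d>.
        plan["external_srv"].append((f"_sip._tls.{d}", 443, f"sip.{d}"))
        plan["a_records"].append((f"sip.{d}", "Front End IP inside, Access Edge IP outside"))
        plan["edge_sans"].append(f"sip.{d}")
        if strict_dns_match:
            plan["frontend_sans"].append(f"sip.{d}")
    plan["simple_urls"] = simple_urls_for(domains, option, base_fqdn)
    for url in plan["simple_urls"]:
        host = hostname_of(url)
        if host not in plan["frontend_sans"]:   # one SAN and one A record per host
            plan["frontend_sans"].append(host)
            plan["a_records"].append((host, "Front End or Director IP"))
    return plan


def san_overflow(names, ca_limit):
    """How many SAN entries exceed what the CA will put on one certificate."""
    return max(0, len(names) - ca_limit)


if __name__ == "__main__":
    doms = ["1.com", "2.com", "3.com"]
    for opt, base in (("per_domain", None), ("shared_base", "lync.1.com")):
        p = plan_records(doms, "pool.1.com", opt, base)
        print(f"{opt}: {len(p['frontend_sans'])} Front End SANs, "
              f"{len(p['a_records'])} A records, over a 5-SAN cert by "
              f"{san_overflow(p['frontend_sans'], 5)}")
        for u in p["simple_urls"]:
            print("  ", u)
```

    Running it with the three constructed domains gives six Front End SANs and nine A records for the per-domain layout against two SANs and five A records for the shared base; the Access Edge name list (sip.<domain> for every domain) is the same in both cases, which is the point Jeff makes above.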
  • 1. Isn't there a limit to how many SANs can be on a UCC cert? from my experience, GoDaddy cert has a limit of 15 SANs...

    Hey eyesoft2222,

    You can get between 5-100 SANs at this time from Go Daddy on a single certificate in increments of 5.

    Thursday, April 12, 2012 4:48 PM
  • Hi,eyesoft2222,

    For each SIP domain you need to create a simple URL and corresponding DNS records and certificates, but you can use the same base URL with different sub-paths to define the simple URLs for each SIP domain to reduce the DNS records and certificates, as Jeff said. You can check the following link for more details about naming simple URLs. (Option 3 is the way that requires the fewest DNS records and SAN entries.)

    http://technet.microsoft.com/en-us/library/gg398287.aspx

    Hope this can clarify your questions.

    B/R

    Sharon


    Sharon Shen

    TechNet Community Support

    Friday, April 13, 2012 5:56 AM
    Moderator
  • Thank you all for the help...

    When I order a certificate from a public CA, it asks to enter the domain. Which domain should this be? the default SIP domain is my guess?


    me

    Friday, April 13, 2012 5:59 PM
  • To answer the question accurately, you need to think about what the certificate is identifying. Assuming that this is the Edge Server, then it will be the name of your Access Edge (as compared to the Web Conferencing Edge or the AV Conferencing Edge). If you have named (by way of DNS and configuration in Topology Builder) the Access Edge interface "sip.<your domain name>", then the subject name for the certificate that is assigned to the Edge external interface would be "sip.<your external domain name>". Note that this name should appear in the subject alternative name (SAN) list as well.

    Note - in a pooled Edge environment, this is going to be the pool name for the Access Edge VIP, or in a DNS LB environment, it will be the same on all external Edge interfaces.

    The Web conferencing interface will be in the SAN.

    Rick


    Rick OCS UA

    Sunday, April 15, 2012 2:22 PM
  • I'm assuming just using the Lync Deployment Wizard to generate the cert request will include all the SANs needed?

    me

    Monday, April 16, 2012 9:34 AM
  • Normally, yes. But make sure to double-check the planned output of the wizard, and if anything is missing you can add additional FQDNs manually in the final steps prior to creating the request. There are some scenarios where something could be left out (e.g. the lyncdiscover FQDN if the request is issued on a Director server).

    Jeff Schertz | Microsoft Solutions Architect - Polycom | Lync MVP

    Monday, April 16, 2012 11:53 AM
    Moderator
  • Thank you all for the help.

    To publish through TMG, which SAN should the certificate assigned to the TMG rule include?


    me

    Monday, April 16, 2012 5:09 PM
  • Hi eyesoft2222,

    We need to request the public SSL certificate for the external interface of the Reverse Proxy:

    SN=External Web Services FQDN

    SAN=External Web Services FQDN

    SAN= Meeting simple URL

    SAN= Dial-in simple URL

    SAN=External Autodiscover Service URL (For mobility)

    Here's the common way of deploying Reverse Proxy Certificate.

    http://technet.microsoft.com/en-us/library/gg429704.aspx

    Regards,

    Kent

    Tuesday, April 17, 2012 9:27 AM
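    An added example, not code from the thread or from Microsoft, that turns Rick's point (the Access Edge subject name must also appear in the SAN list) and Kent's reverse proxy name list into a check you can run against a certificate before assigning it: which required names are missing, which SANs cover nothing, and whether the CN is in the SAN list. The role name lists follow the posts above; the certificate contents, the Web Conferencing Edge name webconf.1.com and the external web services name lyncweb.1.com are constructed. Name matching follows the RFC 6125 rule for DNS-ID wildcards; whether a particular Lync role accepts wildcard certificates is not something this check decides, so wildcards are ignored unless `allow_wildcard` is set.

```python
"""Constructed example: check a certificate's subject CN and SAN list against
the names a Lync role must present. Not code from the thread or Microsoft;
the certificate contents and FQDNs below are made up for the example.
"""


def name_matches(pattern, name):
    """RFC 6125-style DNS-ID match: case-insensitive; a '*' is accepted only
    as the entire left-most label, matching exactly one label, and never for
    a pattern as short as '*.com'."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p, n = pattern.split("."), name.split(".")
    if p[0] != "*" or len(p) < 3 or len(p) != len(n):
        return False
    return p[1:] == n[1:]


def required_names(role, domains, **fqdn):
    """Names a role must present, following the posts above.

    access_edge: sip.<domain> for every SIP domain plus the Web Conferencing
    Edge name. reverse_proxy: the external web services FQDN, the Meet and
    Dial-in simple URL hosts and the external lyncdiscover name."""
    if role == "access_edge":
        return [f"sip.{d}" for d in domains] + [fqdn["webconf"]]
    if role == "reverse_proxy":
        return [fqdn["ext_web"], fqdn["meet"], fqdn["dialin"], fqdn["lyncdiscover"]]
    raise ValueError(f"unknown role: {role}")


def check_certificate(cn, sans, required, allow_wildcard=False):
    """Compare a certificate (CN plus SAN DNS names) with the required names.

    Returns a dict: 'missing' (required names no SAN covers), 'unused' (SANs
    that cover nothing required), 'cn_in_san' (the subject name also listed as
    a SAN, as Rick's reply above asks for) and 'ok'. Wildcard SANs are ignored
    unless allow_wildcard is set; whether a given Lync role accepts them is a
    product question this check does not decide."""
    usable = sans if allow_wildcard else [s for s in sans if "*" not in s]
    missing = [r for r in required if not any(name_matches(s, r) for s in usable)]
    used = {s for s in usable for r in required if name_matches(s, r)}
    cn_in_san = any(name_matches(s, cn) for s in usable)
    return {
        "missing": missing,
        "unused": [s for s in sans if s not in used],
        "cn_in_san": cn_in_san,
        "ok": not missing and cn_in_san,
    }


if __name__ == "__main__":
    domains = ["1.com", "2.com", "3.com"]
    # Constructed Access Edge external certificate where sip.3.com was forgotten.
    print(check_certificate(
        cn="sip.1.com",
        sans=["sip.1.com", "sip.2.com", "webconf.1.com", "av.1.com"],
        required=required_names("access_edge", domains, webconf="webconf.1.com"),
    ))
    # Constructed reverse proxy certificate using an Option 3 base name lync.1.com
    # for both the Meet and Dial-in simple URLs.
    print(check_certificate(
        cn="lyncweb.1.com",
        sans=["lyncweb.1.com", "lync.1.com", "lyncdiscover.1.com"],
        required=required_names("reverse_proxy", domains, ext_web="lyncweb.1.com",
                                meet="lync.1.com", dialin="lync.1.com",
                                lyncdiscover="lyncdiscover.1.com"),
    ))
```

    For the first constructed certificate the report lists sip.3.com as missing and av.1.com as unused, so the certificate should not be assigned until the request is regenerated; the second passes. Feeding the SAN list exported from a real certificate request into `check_certificate` is the double-check Jeff recommends above before submitting the wizard's request to the CA.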
  • Can someone lay out the Option 3 idea? How do I create a DNS record for

    https://lync.contoso.com/meet

    how is that trailing /meet created?

    I am trying to add SIP domains and use option 3 so I don't have to update certificate.

    Regards,
    John Rolstead


    Tuesday, April 17, 2012 7:47 PM
  • Hi,John,

    If you choose Option 3 to deploy simple URLs, you need only one DNS A record, which resolves lync.contoso.com to the IP address of a Director pool or Front End pool. You needn't create DNS records for the sub-pages; as long as the base URL can be resolved, it will automatically load the sub-page defined for the simple URLs with the sub-page separator "/".

    B/R

    Sharon


    Sharon Shen

    TechNet Community Support

    Wednesday, April 18, 2012 1:27 AM
    Moderator
  • Thank you for the feedback Sharon. Can you then examine this article: http://blog.lyncfreak.com/2011/10/04/adding-new-sip-domains-to-lync/

    and help me understand how to add a SIP domain to our existing Lync Standard setup with one server as Director and one server at the edge?  Keeping Option 3 in mind?  If I can understand adding one SIP, then I can add the 50 or so other e-mail domains our users use.

    My existing SIP domain is abc.com and I have an A record lync.abc.com pointing to the front end and on the certificate.

    If I am adding SIP domain xyz.com, do I edit the properties of Lync Server 2010, add SIP domain xyz.com, then edit the Simple URL from:

    https://meet.xyz.com to https://lync.abc.com/xyzcom/meet

    Regards,


    John Rolstead


    Wednesday, April 18, 2012 6:20 PM