Problem with self signed certificate for Exchange 2010 and Lync 2010

    Question

  • I've extended a development environment that we run for a SharePoint 2010 based application to include Exchange 2010 SP1 and Lync Server 2010 RC.  The domain on which this has been set up previously is DEMO1.com, but as it's never exposed publicly, this domain name has been just fine.

    Now it seems that Lync on a client can't connect to Exchange because the certificate installed on the Exchange environment is just the default self-issued certificate.

    We can't buy a Unified Communications certificate because we obviously don't own the top-level domain DEMO1.COM, so it seems the only choice we have is to rebuild the entire environment with a public domain name that we do own, so that we can then buy a Unified Comms certificate and install it.

    We created a certificate request in Exchange 2010 and tried to create the certificate in Certificate Services but it is apparent that Certificate Services has no template for a Unified Communications Certificate.

    Is there no other way to make this work? We only need it to operate internally within a private network; we don't need it to be accessible at all on the internet.

    Thanks

    Saturday, November 06, 2010 4:28 AM

All replies

  • You cannot use a self-signed certificate for UM integration, as you have discovered.  Your best option would be to simply deploy an internal Enterprise CA on a server, issue a certificate to the Exchange server and then place the Root certificate in the trusted store of the Lync Server to provide for TLS communications between the servers.


    Jeff Schertz, Microsoft Solutions Architect - Polycom | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    • Proposed as answer by Charbel Hanna Monday, November 08, 2010 10:07 AM
    Saturday, November 06, 2010 12:08 PM
    Moderator
  • Hi,

    I have a similar problem: I have added Unified Messaging to the Exchange server after deploying the Monitoring Server, so the problem is how to place the new Exchange server certificate in the trusted store of the Lync Server.

    Regards,

    Mohamed


    Mohamed BEN CHAABENE
    Tuesday, May 10, 2011 11:20 AM
  • Mohamed;

     

    What you need to do is ensure that you have an internal Enterprise CA, as Jeff stated above. You will then need to go into your Exchange Server:

    1. Click on Server Configuration.
    2. Click on the server you wish to request a certificate for, then on the right-hand side request a new Exchange certificate; ensure you request it from your Enterprise Root CA. Here is the TechNet article: http://technet.microsoft.com/en-us/library/dd351057.aspx
    3. Wait until you see the certificate in the bottom pane.
    4. Click the certificate and on the right click on Assign Services, and ensure you select all the appropriate ones, including UM.

     

    Next you will need to ensure that your Lync Server has a certificate assigned to it from the same Enterprise Root CA. Here is the TechNet article for requesting a certificate for your Lync Front End: http://technet.microsoft.com/en-us/library/gg398995.aspx

     

    Also, here is how you create an Enterprise Root CA on Server 2003: http://technet.microsoft.com/en-us/library/cc700804.aspx and on Server 2008: http://technet.microsoft.com/en-us/library/cc772393(WS.10).aspx

     

    Regards
    Habib

    • Proposed as answer by Habib Mankal Friday, May 20, 2011 1:42 PM
    Tuesday, May 10, 2011 2:06 PM
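The same procedure Habib walks through in the Exchange Management Console, done from the Exchange Management Shell instead, as an added example that is not part of this thread. It assumes a hypothetical Enterprise CA named DEMO1-ROOT-CA on a host called CA01, an Exchange server exchange01.demo1.com, and that the CA publishes the built-in Web Server template (its subject is "supplied in the request", so the SAN list Exchange puts in the request is kept).

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell on the
# Exchange server. All host, CA and file names below are assumed, not taken from the thread.
$CaConfig = 'CA01\DEMO1-ROOT-CA'          # "host\CA name", as shown by: certutil -dump
$ReqFile  = 'C:\certs\exchange01.req'
$CerFile  = 'C:\certs\exchange01.cer'
$RootFile = 'C:\certs\demo1-root.cer'

# 1. Build a request that names every host name Lync and the clients will use.
#    The private key stays on this server; exportable only so it can be moved to a DAG peer later.
$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'CN=exchange01.demo1.com, O=DEMO1, C=US' `
    -DomainName 'exchange01.demo1.com', 'exchange01', 'autodiscover.demo1.com' `
    -PrivateKeyExportable $true
Set-Content -Path $ReqFile -Value $request -Encoding ASCII

# 2. Submit it to the Enterprise CA. The Web Server template (assumed to be published) has
#    "supply subject in request", so the SAN extension from the request is issued as-is.
certreq -submit -config $CaConfig -attrib 'CertificateTemplate:WebServer' $ReqFile $CerFile

# 3. Import the issued certificate (it pairs with the pending request's private key) and
#    bind it to the services that need it. UM is the one Lync integration depends on.
$cert = Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path $CerFile -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP,UM' -Force

# 4. UM only offers TLS to the Lync side when its startup mode is TLS or Dual.
Set-UMServer -Identity 'exchange01' -UMStartupMode Dual

# 5. Confirm the binding: Issuer must now be the Enterprise CA, not the server itself.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint | Format-List Subject, Issuer, Services, CertificateDomains

# 6. Export the CA's root certificate so it can be added to the Lync server's Trusted Root
#    store. Domain-joined machines normally receive an Enterprise CA root through Group
#    Policy; the manual step covers a Lync server that has not picked it up yet.
certutil -config $CaConfig -ca.cert $RootFile
# Then, on the Lync server:  certutil -addstore -f Root C:\certs\demo1-root.cer
```

Restart the Microsoft Exchange Unified Messaging service after step 4 so UM picks up the new certificate and startup mode. The point of steps 3 and 6 together is the one Jeff made at the top of the thread: both servers must present certificates that chain to a root the other side already trusts, and the default self-issued Exchange certificate can never satisfy that.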
  • Hi Habib,

    I have tried as you told me, but always the same problem: Lync doesn't accept the certificate coming from the Exchange server.

    Regards.

    Mohamed


    Mohamed BEN CHAABENE
    Wednesday, May 18, 2011 3:31 PM
  • Mohamed;

     

    Can you post or email me the screenshot of your certificates on the Lync and Exchange servers?

     

    Habib

    Wednesday, May 18, 2011 5:56 PM
  • Hi Habib,

    This is the error message which I get on the Exchange server:

    "UM server can't exchange required certificates with IP gateway to activate TLS for incoming call"

    and a warning :

    "UM ip gateways don't respond to sip request :

    Transport =  TLS, Address = lyncserver, Port 5061, "

    I have a question:

    I have collocated the Mediation Server with the Front End server, but the Mediation Server is not configured yet, while Enterprise Voice is enabled for all users.

    Regards,

    Mohamed.


    Mohamed BEN CHAABENE
    Thursday, May 19, 2011 8:23 AM
  • Mohamed;

     

    I need to know if the certificate on your exchange server and the certificate from your lync server have been provided by the same Enterprise Root CA.

     

    On your Exchange and Lync server click Start -> type mmc -> click File -> Add/Remove Snap-in -> click Certificates -> click Add -> click Computer account -> click Next -> click Local computer -> click Finish -> click OK

    1. Expand Certificates
    2. Expand Personal
    3. Click on Certificates

    Take a screen shot of both of them and email them to me, also tell me what is the name of your lync and exchange server.

     

    With regards to your question, it's OK to have everyone configured for Enterprise Voice even though your Mediation Server has not yet been configured. The users will not be able to dial out from their Lync client or Lync devices until you have set up the Mediation Server and configured all the appropriate voice routing options.

    Also, under Voice Routing -> Trunk Configuration -> edit the Global policy and clear the check box "Enable refer support", click OK and commit all changes. This is required if you are going to route calls from your Exchange UM auto attendant to your Enterprise Voice users.

     

    Habib

    Thursday, May 19, 2011 1:46 PM
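The check Habib asks for (which root each server's certificate chains to, and whether the roots match) can be done without screenshots. The script below is an added example, not part of the thread: saved as a .ps1 and run on either server, it lists every machine certificate that has a private key with the root it chains to and whether that root sits in the local Trusted Root store, then performs a bare TLS handshake against the Lync SIP port (5061, from Mohamed's warning text) and reports what the Lync Front End presents. The host name lyncserver.demo1.com is assumed.

```powershell
# Added example (not from the thread). Works with the .NET X509 classes that ship with
# Windows Server 2008 R2 / PowerShell 2.0; no Exchange or Lync modules needed.
# Host names are assumed, not taken from the thread.

function Get-ChainRoot {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # A lab CA rarely publishes a reachable CRL; we are interested in the chain, not revocation
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($Certificate)
    # The last element is the topmost certificate the machine could find (the root, if one is known)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    New-Object PSObject -Property @{
        Subject        = $Certificate.Subject
        Issuer         = $Certificate.Issuer
        Thumbprint     = $Certificate.Thumbprint
        # Exchange's default certificate is issued by the server to itself: Subject equals Issuer
        SelfSigned     = ($Certificate.Subject -eq $Certificate.Issuer)
        RootSubject    = $root.Subject
        RootThumbprint = $root.Thumbprint
        # True only if the chain built cleanly AND the root is in the machine's Trusted Root store
        RootTrusted    = ($trusted -and (Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"))
    }
}

function Get-LocalServerCertificates {
    # Only certificates with a private key can be bound to Exchange or Lync services
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey } |
        ForEach-Object { Get-ChainRoot $_ }
}

function Test-TlsPeer {
    param([string]$ComputerName, [int]$Port = 5061)
    $script:peerCert = $null
    $script:peerErrors = $null
    # Capture what the peer presents rather than letting validation abort the handshake
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:peerCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
        $script:peerErrors = $errors
        return $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        # Only the TLS handshake is exercised; no SIP is spoken on the connection
        $ssl.AuthenticateAsClient($ComputerName)
        Get-ChainRoot $script:peerCert | Add-Member NoteProperty PolicyErrors $script:peerErrors -PassThru
    } finally {
        $ssl.Close()
        $tcp.Close()
    }
}

# Local view: a SelfSigned=True row with RootTrusted=False is the default Exchange certificate
Get-LocalServerCertificates | Format-Table Subject, SelfSigned, RootSubject, RootTrusted -AutoSize

# Remote view: RootSubject here must match the RootSubject of the certificate bound to UM
Test-TlsPeer -ComputerName 'lyncserver.demo1.com' |
    Format-List Subject, Issuer, RootSubject, RootTrusted, PolicyErrors
```

Run from each server in turn and compare the RootThumbprint values: the situation Mohamed later confirms (Exchange self-signed, Lync from the Enterprise CA) shows up as two different roots, and a PolicyErrors value other than None on the remote view means the local machine would reject that peer exactly as Exchange UM is rejecting Lync.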
  • Hi Habib,

    Thank you for your precious explanation.

    For the certificates, I have found that the certificates for both the Lync server and the Exchange server are not provided by the same Enterprise Root CA: the Exchange certificate is from the Exchange server itself, but the Lync certificate is from the Enterprise Root CA.

    Thank you Habib; at least now I have an idea about the problem.

    Regards,

    Mohamed


    Mohamed BEN CHAABENE
    Friday, May 20, 2011 8:09 AM
  • Hi,

    My problem was with the Certification Authority. You must install all roles on your Certification Authority, like IIS and others, and then you must create a certificate with your Exchange server, and then go to the Certification Authority and generate a personalized certificate based on the new certificate generated with the Exchange server.

    And then you must install your certificate on your Exchange server.

    Regards,

    Mohamed.


    Mohamed BEN CHAABENE
    • Proposed as answer by mohamedben Friday, June 24, 2011 9:25 AM
    Friday, June 24, 2011 9:24 AM