SAN certificate for external access for edge server and reverse proxy

  • Question

  • Hello

    I have a question related to the certificate planning for Lync 2013 Edge Server.

    For external access and mobile users, I want to enable all the features for external users.

    I'm planning to purchase a SAN certificate.

    My first question: do I need only one SAN for both my edge server and the reverse proxy?

    My second question is about the names that should be added to the certificate:

    sip.mydomain.com

    av.mydomain.com

    webconf.mydomain.com

    What else should I add? I want to add the names for all feature access.

    Kind Regards

    MK

    Wednesday, April 22, 2015 9:14 PM

All replies

  • You can use one cert for both. The additional SANs you would need would depend on your configuration, but they would likely be: lyncdiscover.sipdomain.com, meet.sipdomain.com, dialin.sipdomain.com, your front end pool's external web services FQDN as defined in your topology builder, and maybe the farm name for your Office Web Application server.

    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer". SWC Unified Communications

    This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    • Proposed as answer by Eason Huang Thursday, April 23, 2015 1:35 AM
    • Marked as answer by Mohammed AK Wednesday, April 29, 2015 7:29 PM
    Wednesday, April 22, 2015 11:17 PM
  • Hi,

    Agree with Anthony Caragol.

    You can use a single SAN public certificate for both the Edge Server external interface and the Reverse Proxy. You need to add all needed SANs for the Edge Server and Reverse Proxy, because Transport Layer Security (TLS) ignores the subject name and uses the subject alternative name entries for validation.

    Best Regards,
    Eason Huang


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Eason Huang
    TechNet Community Support

    • Marked as answer by Mohammed AK Wednesday, April 29, 2015 7:29 PM
    Thursday, April 23, 2015 1:44 AM
  • Hello,

    Thanks for your reply.

    I will add these subjects:

    av.mydomain.com
    sip.mydomain.com
    webcon.NYDOMAIN
    POOL2013.mydomain.com
    LYNC2013-FE.mydomain.com
    dialin.mydomain.com
    meet.mydomain.com
    admin.mydomain.com
    LyncdiscoverInternal.mydomain.com
    Lyncdiscover.mydomain.com

    What can I add for my reverse proxy?

    Any advice if something is missing?

    Kind Regards

    MK


    • Edited by Mohammed AK Thursday, April 23, 2015 11:20 AM
    Thursday, April 23, 2015 5:40 AM
  • Actually, you don't need av.mydomain.com.  That won't be required on the edge.  If you're using the same certificate internally the rest may be good assuming your external web services FQDN is pool2013 or Lync2013-FE.

    To be sure, what is your internal web services FQDN, external web services FQDN, pool name, how many servers in the pool, and are you using this certificate for internal access as well?



    Friday, April 24, 2015 3:29 PM
  • Hello Anthony

    Thanks for your response.

    Internal web services FQDN: not configured, but I can configure it to use pool2013.mydomain.com (the same as my pool name)

    External web services FQDN: pool2013.mydomain.com (the same as my pool name)

    My pool name is pool2013.mydomain.com; this pool contains three servers (Lync 2013 FE, Lync 2013 BE, Lync 2013 Edge Server).

    For internal access I'm using an internal certificate authority for my domain users.

    Kind Regards

    MK

    Friday, April 24, 2015 4:32 PM
  • Your Front End Pool should only contain front end servers, does it also contain your edge and back end? If so, this is a misconfiguration.

    If you're planning to implement high availability, you'll want a different internal web services FQDN name than your pool name (unless you load balance the entire pool with a hardware load balancer).

    You'll want your external web services FQDN to be different from your pool name if you want to use the mobile client on the internal network.  Once you've come up with a new and otherwise unused FQDN for this purpose, you'll want that as additional SAN on your cert.

    Since you're not using this for the internal certificate, you can also pull admin.mydomain.com and LYNC2013-FE.mydomain.com off of the cert as those are needed internally only. 

    Lyncdiscoverinternal you can leave on if you need your internal mobile clients to not throw certificate errors because they don't trust your internal certificate authority, but this name would then need to be pointed to a reverse proxy or something that can present the third party certificate.



    • Marked as answer by Mohammed AK Wednesday, April 29, 2015 7:28 PM
    Friday, April 24, 2015 5:20 PM
  • Hello

    Thanks Anthony.

    One more question I have: for the external web services FQDN, which is my pool name pool2013.mydomain.com, I tested for an internal mobile client user using the internal certificate and it is working fine. I think you mean it is better to change it so that both internal and external mobile users will use the same external web services FQDN and the same external certificate? Is this correct?

    Sorry, by mistake I wrote it wrongly; I mean my topology contains three servers (Lync 2013 FE, Lync 2013 BE, Lync 2013 Edge Server).

    My Front End Pool only contains front end servers, which is only one server, LYNC2013-FE.mydomain.com.

    Kind Regards

    MK

    Friday, April 24, 2015 6:20 PM
  • Ok, that all makes sense.

    The mobile client will always want to connect to the external web services FQDN.  If you'll have more than one front end, then you want a different name for it because you'd typically want to use DNS load balancing for your pool name and hardware load balancing for your external web services FQDN. 

    As long as the mobile clients can access that FQDN, it's redirecting requests on port 443 to port 4443 on your front end, and it's presenting a certificate the mobile device is OK with, you're good.



    • Marked as answer by Mohammed AK Wednesday, April 29, 2015 7:28 PM
    Friday, April 24, 2015 6:30 PM
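A small planning and audit helper, added here as an example and not code from the thread or from Microsoft: it builds the public SAN set the replies above call for from a SIP domain, external web services FQDN and pool name, checks a proposed SAN list against it (flagging the pool-name clash and the internal-only names Anthony mentions), and models the name-matching rule Eason refers to, where any DNS SAN on the certificate makes the subject CN irrelevant. The hostnames are the thread's own placeholders; the `internal_only` list and the Office Web Apps / lyncdiscoverinternal options are assumptions drawn from the replies, not a complete Lync requirements list.

```python
# Added example: plan and audit the single public SAN cert shared by the Edge
# external interface and the reverse proxy. Hostnames are the thread's placeholders.

def required_public_sans(sip_domain, external_web_fqdn, pool_fqdn,
                         owa_farm_fqdn=None, internal_mobile_via_proxy=False):
    """SAN set the thread's answers call for, plus planning warnings."""
    d = sip_domain.lower()
    names = {
        f"sip.{d}",                    # Access Edge
        f"webconf.{d}",                # Web Conferencing Edge
        f"lyncdiscover.{d}",           # mobility autodiscover via reverse proxy
        f"meet.{d}",                   # simple URL via reverse proxy
        f"dialin.{d}",                 # simple URL via reverse proxy
        external_web_fqdn.lower(),     # external web services FQDN (topology builder)
    }
    if owa_farm_fqdn:                  # only if an Office Web Apps farm is published
        names.add(owa_farm_fqdn.lower())
    if internal_mobile_via_proxy:      # only if internal mobile clients hit the proxy
        names.add(f"lyncdiscoverinternal.{d}")
    warnings = []
    if external_web_fqdn.lower() == pool_fqdn.lower():
        warnings.append("external web services FQDN equals the pool name; "
                        "use a distinct, otherwise unused FQDN and add it as a SAN")
    return names, warnings

def audit_cert_sans(cert_san_entries, required, internal_only=()):
    """Names missing from the cert, and names on it that need not be public."""
    present = {n.lower() for n in cert_san_entries}
    drop = {n.lower() for n in internal_only}
    missing = sorted(n for n in required if n not in present)
    remove = sorted(n for n in present if n in drop)
    return missing, remove

def hostname_matches(hostname, san_dns_names, subject_cn):
    """RFC 6125 rule the thread relies on: with any DNS SAN present the CN is
    ignored; the CN is consulted only when the cert carries no DNS SAN."""
    candidates = list(san_dns_names) if san_dns_names else [subject_cn]
    host = hostname.lower().rstrip(".")
    for pattern in candidates:
        p = pattern.lower().rstrip(".")
        if p == host:
            return True
        # wildcard only in the leftmost label, matching exactly one label
        if p.startswith("*.") and host.endswith(p[1:]) and host.count(".") == p.count("."):
            return True
    return False
```

Running MK's proposed list through `audit_cert_sans` with `internal_only` set to av, admin and the FE server name reports webconf.mydomain.com as missing (the list has webcon.NYDOMAIN) and the three internal names as removable, while the pool-name warning fires because the external web services FQDN is still pool2013.mydomain.com.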