Skype for Business 2015 Edge Server SSL Certification Failure

  • Question

  • Has anyone had this issue? After deploying an SFB 2015 Edge Server with a single external IP and NAT enabled, I get an SSL Certification error from https://testconnectivity.microsoft.com: “The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server skype.gendac.co.za on port 443.” I am using a wildcard certificate and all services are running on my Edge Server. Any suggestions?
    Monday, August 17, 2015 8:13 AM

Answers

  • Hi,

    Wildcard certificates are not supported in Lync Server, except where used to summarize the Simple URLs through the reverse proxy. You must define distinct subject alternate names (SANs) for each SIP domain name, Web Conferencing Edge service, A/V Edge service and XMPP domain offered by your deployment.

    In the event of a pool of Edge Servers, you export the certificate with the private key to each Edge Server and assign the certificate to each Edge Server service. Do the same for the internal Edge Server certificate, exporting the certificate with the private key and assigning to each internal Edge interface.

    Best Regards,
    Eason Huang


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Eason Huang
    TechNet Community Support

    • Marked as answer by kortgat Friday, August 21, 2015 11:34 AM
    Tuesday, August 18, 2015 7:32 AM
    Moderator
  • Hi

    The problem is that for the Edge server, a wildcard certificate is not supported. You will find things like desktop sharing, federation and some other services will either not work at all, or have poor experience and reliability.

    You will need to purchase a SAN certificate for the edge server. If you are using the Single IP model, then the certificate should be like this:

    Subject Name: <access-edge>.domain.com

    SAN: <access-edge>.domain.com, domain.com

    Where <Access-edge> is your access edge service FQDN, usually sip.domain.com

    A wildcard certificate is supported for Reverse Proxy for Lync web services only.

    thanks


    Note: Please remember to `Mark as Answered` a post that answers your question and/or `Vote as Helpful` posts that have helped you. This will help others find answers to similar problems. For more Skype for Business help visit: http://www.skype4b.uk Please note that answers are based on my experience and opinion only and do not necessarily represent the views of my employer.

    • Proposed as answer by Eason Huang (Moderator) Tuesday, August 18, 2015 7:30 AM
    • Marked as answer by kortgat Friday, August 21, 2015 11:34 AM
    Monday, August 17, 2015 8:33 AM
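
The certificate layout described in the two answers above can be checked mechanically. This is an added example, not part of the original thread and not Microsoft tooling: it audits the dictionary returned by Python's `ssl.SSLSocket.getpeercert()` for wildcard names and for the Single IP subject/SAN layout. The function names, `sip.example.com` and `example.com` are assumptions, and both sample certificates are constructed.

```python
import socket
import ssl


def fetch_cert(host, port=443, timeout=10):
    """Connect to the Edge external interface and return the validated peer certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def audit_edge_cert(cert, access_edge_fqdn, sip_domain):
    """Return a list of findings; an empty list means the layout matches the answer."""
    cns = [v.lower() for rdn in cert.get("subject", ())
           for k, v in rdn if k == "commonName"]
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    findings = []
    # Wildcards are only accepted on the reverse proxy, never on the Edge itself.
    wildcards = sorted({n for n in cns + sans if n.startswith("*.")})
    if wildcards:
        findings.append("wildcard name(s) present: " + ", ".join(wildcards))
    # Subject Name must be the access edge FQDN.
    if access_edge_fqdn.lower() not in cns:
        findings.append("subject name is not " + access_edge_fqdn)
    # SAN list must carry the access edge FQDN and the SIP domain explicitly.
    for required in (access_edge_fqdn, sip_domain):
        if required.lower() not in sans:
            findings.append("SAN list is missing " + required)
    return findings


# Constructed samples in the shape getpeercert() returns.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}
SAN_CERT = {
    "subject": ((("commonName", "sip.example.com"),),),
    "subjectAltName": (("DNS", "sip.example.com"), ("DNS", "example.com")),
}

if __name__ == "__main__":
    for label, cert in (("wildcard", WILDCARD_CERT), ("SAN", SAN_CERT)):
        print(label, audit_edge_cert(cert, "sip.example.com", "example.com") or "OK")
    # Against a live Edge: audit_edge_cert(fetch_cert("sip.example.com"), ...)
```

Python's own hostname check accepts a wildcard for `sip.example.com`, so `fetch_cert` succeeds against a wildcard certificate and the audit is what flags it.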

All replies

  • Hi all,

    I have the same issue on Edge in the same scenario: after deploying an SFB 2015 Edge Server with a single external IP and NAT enabled, I get an SSL Certification error from https://testconnectivity.microsoft.com: “The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server sip.domain.com on port 443.” I am using a Sectigo public certificate with all SANs, and all services are running on my Edge Server. Any suggestions?

    Thursday, October 3, 2019 2:19 PM