Lync Edge Certificate

  • Question

  • Hi All
    I am doing a POC of Microsoft Lync 2010 for one of my clients. I have deployed a Lync Front End server (Standard Edition) and configured it. I have also installed Lync on some clients and tested all the features internally, which was successful. Now I want to deploy a Lync Edge server. I have done all the necessary configuration for the Lync Edge server, but I am now stuck on the external certificate part. Since this is just a POC, I don't want to import a public certificate for it, so is there any way to import a private certificate on the Lync Edge server which can be used externally, so that I can bring Internet users into my Lync environment?

    Please provide me the steps for how to create a private certificate for the Lync Edge server and how to import it.

    Thanks in advance

    Vinayak

    Saturday, January 28, 2012 6:15 AM

Answers

  • If you just want users to be able to access externally then you can send the request to your internal Certificate Authority and use that to produce certificates. As long as the users have the Trusted Root certificates on their machine then they will connect. In most cases that is not a problem for laptop users but should you want to use mobile devices or people to use personal home computers then they will need to import the Root CA certificate chain.

    You cannot do federation using internal certs unless the company you federate with installs your CA root on their edge.


    Chris Clark - | MCTS:OCS & UC Voice Specialization | MCSE | MCSA | CCNA http://www.unitycomms.com
    • Proposed as answer by Sean_Xiao Tuesday, January 31, 2012 7:11 AM
    • Marked as answer by Sean_Xiao Thursday, February 2, 2012 4:57 AM
    Saturday, January 28, 2012 11:10 AM

All replies

  • Hi,

    Basically the steps are the same as how you created the internal certificates, using an internal Microsoft CA server:

    1. Using the Installation Wizard, generate an offline certificate request for your external domain: sip.domain.com, webconf.domain.com, av.domain.com, meet.domain.com & dialin.domain.com.
    2. With that, log in to your internal CA server (e.g. https://servername/certserv)
    3. Paste the offline certificate request onto the web page, making sure you've selected Web Server as the certificate type
    4. Download the generated certificate
    5. Assign the downloaded certificate using the Lync installation wizard to the Access Edge external interface
    6. If you're publishing via a Reverse Proxy, just export the certificate from the Access Edge and install it into your TMG certificate store

    Alternatively, VeriSign also offers a free 30-day trial - http://www.verisign.com/ssl/free-30day-trial/index.html

    Hope this helps.


    James Ooi MCITP Lync Server 2010 | Blog: http://jamesosw.wordpress.com Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread
    Saturday, January 28, 2012 11:17 AM
  • Be aware that the Verisign free trial certificate is not signed by the same Verisign root and subordinate CA servers, so many clients and devices will still not trust that free certificate by default.

    If your pilot users' workstations are already members of the same domain in which a Windows Enterprise CA is deployed then they will inherently trust the private certificate you deploy on the Edge Server. You will not be able to test PIC though, and you can only test Federation if you supply your internal CA certificate to the remote Lync organization for them to install on their Edge server.


    Jeff Schertz | Microsoft Solutions Architect - Polycom | Lync MVP
    Sunday, January 29, 2012 12:36 PM
  • Hi Jeff,

    Thanks for the note. I had gone through a couple of proofs-of-concept but, touch wood, everything went smoothly until today...

    Anyway, thanks for the tip!

    Cheers :)


    James Ooi MCITP Lync Server 2010 | Blog: http://jamesosw.wordpress.com Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread
    Monday, January 30, 2012 2:12 PM
  • Hi Jeff,

    Is this applicable for Lync 2013 also? Because it gives me

    "there was a problem verifying the certificate from the server"

    Any hint?

    Ghassan

    Wednesday, September 24, 2014 3:41 AM
    In Lync 2013 the clients also perform a Certificate Revocation List download, so if the internal CA's CRL download URL is not also externally published then the client will fail to connect.

    Jeff Schertz | Microsoft Solutions Architect - Polycom | Lync MVP

    Monday, September 29, 2014 7:56 PM
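An added check script, not from any post in this thread, that tests the Edge external certificate for the two points raised above: the SAN entries listed in the request steps, and a CRL distribution point that is only reachable inside the network. The hostnames are placeholders, the regexes assume the English display strings of `X509Extension.Format()`, and `Test-Certificate` requires the PKI module (Windows Server 2012 or later).

```powershell
# Added example (not from the thread): audit an Edge external certificate for missing
# SAN names and for CRL URLs that an external Lync 2013 client cannot reach.
# Hostnames are placeholders; substitute your own external FQDNs.
$ExpectedSans = @('sip.domain.com', 'webconf.domain.com', 'av.domain.com')

function Test-EdgeCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string[]]$RequiredNames = $ExpectedSans
    )
    $result = [ordered]@{ Subject = $Cert.Subject; Issues = @() }

    # 1. Subject Alternative Name (OID 2.5.29.17) must cover every external FQDN.
    #    Assumption: Format() yields "DNS Name=<fqdn>" entries (English locale).
    $sanExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sans = @()
    if ($sanExt) {
        $sans = [regex]::Matches($sanExt.Format($true), 'DNS Name=(\S+)') |
                ForEach-Object { $_.Groups[1].Value.ToLower() }
    }
    foreach ($name in $RequiredNames) {
        if ($sans -notcontains $name.ToLower()) { $result.Issues += "missing SAN: $name" }
    }

    # 2. Every CRL Distribution Point (OID 2.5.29.31) must be fetchable from this host.
    #    Run this from a machine outside the network to see what an external client sees.
    $cdpExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdpExt) {
        $result.Issues += 'no CRL Distribution Point extension'
    } else {
        $urls = [regex]::Matches($cdpExt.Format($true), 'URL=(\S+)') |
                ForEach-Object { $_.Groups[1].Value }
        foreach ($url in $urls) {
            if ($url -like 'ldap://*') { $result.Issues += "LDAP CDP, unreachable externally: $url"; continue }
            try   { Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10 | Out-Null }
            catch { $result.Issues += "CRL not reachable: $url ($($_.Exception.Message))" }
        }
    }

    # 3. Full chain build with revocation checking, as a Windows client would perform it.
    if (-not (Test-Certificate -Cert $Cert -Policy SSL -DNSName $RequiredNames[0] -ErrorAction SilentlyContinue)) {
        $result.Issues += "chain or revocation check failed for $($RequiredNames[0])"
    }
    [pscustomobject]$result
}

# Usage: run on the Edge server against the certificate bound to the external interface.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*sip.domain.com*' } |
    ForEach-Object { Test-EdgeCertificate -Cert $_ }
```

An empty `Issues` list means the certificate names and CRL publishing match what the thread describes; any LDAP-only or unreachable CRL entry is the condition that produces the client's "problem verifying the certificate" error.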
  • Hi Jeff,

    I'm using an internal AD with the SIP domain <domain.net>,

    but for the external it is <domain.org>.

    Should the internal SIP domain match the external SIP domain? Because I don't want to publish

    <domain.net> publicly, can we map the internal SIP domain to the external SIP domain?

    I want the internal users to log in from outside using <domain.org>.

    Ghassan

    Sunday, October 5, 2014 10:43 AM
    Your SIP domain should always be a public namespace and never a private internal namespace unless it's simply an internal-only test lab. A single SIP domain should be used for users both internal and external.

    Jeff Schertz | Microsoft Solutions Architect - Polycom | Lync MVP

    Wednesday, October 8, 2014 7:10 PM