SSL Certificate is same as external certificate

  • Question

  • Hello

    I have bought a domain name and they are providing 1 SSL certificate with that domain. Is it the same as the external certificate used in edge and reverse proxy, or is it a different certificate? Will I need it in my SFB setup?

    What is the difference between them, and where are they used?

    Monday, November 7, 2016 8:57 AM

Answers

  • Hi Lexi,

    No, you would need to purchase an additional certificate: you need a UCC / SAN (Subject Alternative Names) certificate. UCC certificates are SSL certificates that secure multiple domain names and multiple host names within a domain name.

    Wildcard certificates are not supported for the edge server role.

    Edge Server certificate requirements are dependent on the number of SIP domains that will be deployed. With a single SIP domain you need the following SANs:

    • accessedge.domain.com (Common Name)
    • accessedge.domain.com (SAN)
    • webconf.domain.com (SAN)
    • sip.domain.com (SAN)

    If your access edge is sip.domain.com, you can save a SAN:

    • sip.domain.com (Common Name)
    • sip.domain.com (SAN)
    • webconf.domain.com (SAN)

    A great blog post from Jeff Schertz explaining Edge server best practices as well:

    http://blog.schertz.name/2012/07/lync-edge-server-best-practices/

    Thanks,

    Martin


    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer". Thank you. This forum post is based upon my personal experience and does not reflect the opinion or view of my employer.

    • Proposed as answer by Liinus Monday, November 7, 2016 10:00 AM
    • Marked as answer by Lexi Mace Monday, November 28, 2016 10:27 AM
    Monday, November 7, 2016 9:58 AM
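As an added example (not code from the thread or from Microsoft), a small Python check of a certificate's names against the Edge requirements Martin lists: wildcards rejected, the common name repeated as a SAN, one sip.<domain> entry per SIP domain, and a private key present. The sample certificates are constructed, and the per-SIP-domain rule is an assumption that goes beyond the single-domain list shown above.

```python
def required_edge_names(sip_domains, access_edge_fqdn, webconf_fqdn):
    """Names the external Edge certificate must carry as SANs.
    Assumption beyond the thread's single-domain list: each SIP domain needs
    its own sip.<domain> entry, which is why the count grows with SIP domains."""
    names = {access_edge_fqdn.lower(), webconf_fqdn.lower()}
    names.update(f"sip.{d.lower()}" for d in sip_domains)
    return names


def check_edge_certificate(common_name, san_names, sip_domains,
                           access_edge_fqdn, webconf_fqdn, has_private_key=True):
    """Return a list of problems; an empty list means the certificate is usable.
    common_name and san_names are the strings read off the certificate, e.g. from
    certlm.msc or 'openssl x509 -noout -subject -ext subjectAltName'."""
    problems = []
    cn = common_name.lower()
    sans = {n.lower() for n in san_names}

    # Wildcard certificates are not supported on the Edge role at all.
    if cn.startswith("*") or any(n.startswith("*") for n in sans):
        problems.append("wildcard name present; not supported on the Edge role")

    # The common name must also appear as a SAN (clients match on the SAN list).
    if cn not in sans:
        problems.append(f"common name {common_name} is not in the SAN list")

    # Every service name the Edge publishes must be present.
    for name in sorted(required_edge_names(sip_domains, access_edge_fqdn, webconf_fqdn)):
        if name not in sans:
            problems.append(f"missing SAN: {name}")

    # The Edge must hold the private key for the certificate it presents.
    if not has_private_key:
        problems.append("certificate has no private key assigned")
    return problems


# Constructed samples: a registrar's single-site certificate versus the minimal
# UCC/SAN certificate from the thread (sip.domain.com reused as the common name).
REGISTRAR_CERT = ("www.domain.com", ["www.domain.com", "domain.com"])
EDGE_CERT = ("sip.domain.com", ["sip.domain.com", "webconf.domain.com"])

if __name__ == "__main__":
    for label, (cn, sans) in (("registrar", REGISTRAR_CERT), ("edge", EDGE_CERT)):
        result = check_edge_certificate(cn, sans, ["domain.com"],
                                        "sip.domain.com", "webconf.domain.com")
        print(f"{label}: {result or 'OK'}")
```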
  • Hi Lexi Mace,

    Welcome to post in our forum.

    If the SSL certificate is a public certificate, you could use it for Edge server and reverse proxy.

    Each Edge Server requires a public certificate on the interface between the perimeter network and the Internet, and the certificate’s subject alternative name must contain the external names of the Access Edge service and Web Conferencing Edge service fully qualified domain names (FQDNs).

    Each reverse proxy server requires a web server certificate for use by the listening service. The web server certificate must be issued by a public certification authority (CA).

    The following blog is about setting up certificates for the external edge interface for Lync Server 2013; it's similar to SFB 2015:

    https://technet.microsoft.com/en-us/library/gg398409%28v=ocs.15%29.aspx?f=255&MSPPError=-2147217396

    Hope this reply is helpful to you.


    Regards,

    Alice Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by Lexi Mace Monday, November 28, 2016 10:27 AM
    Tuesday, November 8, 2016 5:59 AM
  • Hi Lexi Mace,

    If the SSL certificate provided by the domain company is an internal certificate, you can't use it for SFB edge server and reverse proxy.

    If the certificate is a public certificate, you could use it for SFB edge server and reverse proxy.


    Regards,

    Alice Wang


    • Marked as answer by Lexi Mace Monday, November 28, 2016 10:26 AM
    Tuesday, November 8, 2016 10:14 AM
  • Hi Lexi,

    The edge server requires two certificates: the external certificate must be from a public CA such as DigiCert, GlobalSign etc., and the other, internal certificate can be generated from an internal CA if you have one.

    Supported public CAs are listed at https://support.microsoft.com/en-gb/kb/929395

    The public certificate must be a UCC / SAN certificate that allows for multiple subject names, and you must ensure the trusted root certs are deployed on the server as well so the chain is valid. The SfB deployment wizard will generate certificate requests for both certificates. The certificate you deploy to the edge server must have the private key assigned.

    It's recommended for security reasons not to mark the certificate as exportable with the private keys.

    Hope this helps.

    Martin


    • Proposed as answer by Alice-Wang Saturday, November 12, 2016 8:50 AM
    • Marked as answer by Lexi Mace Monday, November 28, 2016 10:26 AM
    Wednesday, November 9, 2016 11:40 AM

All replies

  • Sorry, still didn't get it... the SSL certificate provided by my domain company can be used or not?

    I mean, while setting this up (edge server) will I have to download the private key of the certificate and stuff?

    What exactly do I need for this external certificate service?

    Tuesday, November 8, 2016 8:36 AM
  • Hi Lexi,

    I am checking to see how things are going there on this case.

    Would you please provide us with an update on the status of your issue?

    If there's anything you'd like to know, don't hesitate to ask.

    Or

    If the answer is helpful to you, please mark it as an answer in order to help others with a similar issue.


    Regards,

    Alice Wang


    Monday, November 28, 2016 9:52 AM