Skype for business-Internal Cert SAN name

  • Question

  • Hi,

    We are doing an upgrade from Lync 2013 to SFB 2015 on new hardware by creating new SfB pools. We will move all users from the Lync 2013 pool to the SfB pool. We have an additional 20 SIP domains along with the primary SIP domain. We will publish only the primary SIP domain on the internet for federation.

    We have created SRV records for all SIP domains pointing to the FE pool. I have a query on SAN names for the additional SIP domains.

    Do we really need to have lyncdiscoverinternal.domain.com and sip.domain.com SAN names in the internal cert for each SIP domain, or will only the SAN names of the primary sip.domain.com be sufficient?

    Thanks

     


    • Edited by Pawan11 Wednesday, April 27, 2016 1:14 PM
    Wednesday, April 27, 2016 1:05 PM

Answers

  • Hi,

    There should be the following for each domain:

    • AccessEdge (sip)
    • Lyncdiscover
    • Meet (not required, depends what you have defined in your topology)


    Then only one of these

    • External webservice (frontend)
    • dialin
    • AVedge
    • Office web app (if you plan to deploy one)
    • Scheduler (if you plan to deploy it)
    This is usually generated when you run the certificate wizard from the Skype deployment tool.

    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Thank you! Off2work

    • Proposed as answer by Ram OjhaMVP Tuesday, May 3, 2016 2:53 AM
    • Marked as answer by Eason Huang Sunday, May 8, 2016 6:17 AM
    Wednesday, April 27, 2016 6:32 PM
  • Hi,

    For the FE Server certificate, you need to add lyncdiscoverinternal and sip SAN entries for each SIP domain.

    Best Regards



    Eason Huang
    TechNet Community Support

    • Proposed as answer by Ram OjhaMVP Tuesday, May 3, 2016 2:53 AM
    • Marked as answer by Eason Huang Sunday, May 8, 2016 6:17 AM
    Tuesday, May 3, 2016 2:28 AM
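
One way to audit an issued Front End certificate against the answers above, as an added example that is not part of the original thread: it reports, per SIP domain, which of the `sip.<domain>` and `lyncdiscoverinternal.<domain>` SAN entries are absent. The certificate dict (in the shape Python's `ssl.SSLSocket.getpeercert()` returns), the `example.*` domains and the pool name are constructed sample data, and exact name matching is an assumption of this sketch.

```python
"""Audit a Front End certificate's SAN list against the per-SIP-domain names
given in the thread: sip.<domain> and lyncdiscoverinternal.<domain>."""

# Host labels taken from the answers above; one of each per SIP domain.
PER_DOMAIN_LABELS = ("sip", "lyncdiscoverinternal")


def _norm(name):
    # DNS names compare case-insensitively; drop any trailing root dot.
    return name.strip().rstrip(".").lower()


def required_sans(sip_domains):
    """Return the set of SAN DNS names expected for the given SIP domains."""
    return {f"{label}.{_norm(d)}" for d in sip_domains for label in PER_DOMAIN_LABELS}


def dns_sans(peercert):
    """Extract DNS SAN entries from a dict shaped like ssl getpeercert() output."""
    return {_norm(v) for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"}


def missing_sans(peercert, sip_domains):
    """Map each SIP domain to the required names absent from the certificate.

    Assumption: exact matches only; a wildcard SAN is not counted as coverage.
    """
    present = dns_sans(peercert)
    report = {}
    for domain in sip_domains:
        gaps = sorted(required_sans([domain]) - present)
        if gaps:
            report[_norm(domain)] = gaps
    return report


# Constructed sample: the primary domain is fully covered, one additional SIP
# domain lacks lyncdiscoverinternal, and another has no entries at all.
SAMPLE_CERT = {"subjectAltName": (
    ("DNS", "fepool01.example.com"),
    ("DNS", "sip.example.com"),
    ("DNS", "LyncDiscoverInternal.example.com"),
    ("DNS", "SIP.example.net"),
    ("IP Address", "10.0.0.5"),
)}
SAMPLE_DOMAINS = ["example.com", "Example.net", "example.org"]

if __name__ == "__main__":
    for domain, gaps in missing_sans(SAMPLE_CERT, SAMPLE_DOMAINS).items():
        print(f"{domain}: missing {', '.join(gaps)}")
```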
