Lync services certificate renewal

  • Question

  • Our setup has a Lync Front End Standard Edition server and an Edge server.
    We are using the Lync services web conferencing, online meeting, Lync Web App and meeting URLs, with certificates issued by a Windows CA.

    Now we are planning to implement a SAN certificate from a public CA, e.g. GoDaddy, DigiCert etc., for the Lync services.

    Can someone guide me on the necessary steps to follow in order to have minimal downtime and avoid issues?

    Thanks 

    Thursday, November 1, 2012 10:46 AM

Answers

  • Glad it works.

    You need 5061 if you have Federation setup.

    Thank you.



    Please “Vote As Helpful” and/or “Mark As Answer” if this post helped you.

    Thursday, November 8, 2012 1:53 PM

All replies

  • You should not have any downtime. Just repeat the steps that you did when you created the original Windows CA certificate from the Lync wizard and you will be OK. It will not remove your old certificate when you create a request for a new one. It will replace it when the new certificate is ready.

    Just go to the Lync Server Deployment Wizard, click on Install or Update Lync Server System and select step number 3. First, you request the certificate. When you receive this new certificate, go back to the same place and assign it.

    Thank you.



    Please “Vote As Helpful” and/or “Mark As Answer” if this post helped you.

    Thursday, November 1, 2012 1:32 PM
  • Actually, I was not with the organization when Lync was implemented. My doubt is: we have Front End and Edge servers. Can we use a single SAN certificate to include the Lync services published on Edge and Front End, or do we need a separate one for each?

    Does the process for applying the certificate on Edge and Front End remain the same? Any specific order?

    Also, please guide me to some links I can refer to.
    Thursday, November 1, 2012 1:51 PM
  • You can have one internal certificate for the Front End server and one external certificate for the Edge server.

    Is this what you wanted to know?



    Please “Vote As Helpful” and/or “Mark As Answer” if this post helped you.

    Thursday, November 1, 2012 2:16 PM
  • My question is: can we have only a single SAN certificate for the Front End and Edge service URLs (meet, messenger, dialin, conf, etc.)?

    If yes, can you guide me through the certificate renewal process from the Lync point of view?

    Thursday, November 1, 2012 6:45 PM
  • If you mean one certificate on one server only, the answer is no, you cannot do it. You have to have certificates on every server.

    I guess I do not understand why you would want to have one certificate. Based on your description, you have an internal CA that you can use for the FE server. This one is free. And you can use an external certificate for the Edge server.

    If you really want to have the same certificate on both servers, you can create the certificate request on the Edge server. You can use this as a guide on how to do this: http://www.msexchange.org/articles_tutorials/exchange-server-2010/management-administration/deploying-lync-server-2010-part5.htm . You will have to use all your names for both servers in the SAN area of the certificate. After you are done with the Edge server, you can use the Export and Import wizards to copy the certificate to your FE server.

    Thank you. 



    Please “Vote As Helpful” and/or “Mark As Answer” if this post helped you.

    • Proposed as answer by Kent-Huang Tuesday, November 6, 2012 1:27 AM
    Thursday, November 1, 2012 6:53 PM
  • Hi,

    No, you cannot apply one certificate on Edge and Front end.

    Here are details about certificate requirement:

    Certificate Requirements for Internal Servers

    http://technet.microsoft.com/en-us/library/gg398094.aspx

    An internal enterprise certification authority (CA) is recommended for internal servers. As Igor said, it is free.

    Certificate Requirements for External User Access

    http://technet.microsoft.com/en-us/library/gg398920.aspx

    You need to use a public certificate for the Edge external interface.


    Regards,

    Kent Huang

    TechNet Community Support

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question.


    • Edited by Kent-Huang Friday, November 2, 2012 7:24 AM
    • Proposed as answer by Kent-Huang Tuesday, November 6, 2012 1:27 AM
    Friday, November 2, 2012 7:24 AM
  • Hi,

    You can't use one certificate for Front End and Lync Edge services.

    • Lync Front End server "Web Services Internal" and "Server Default", and Lync Edge server "Edge Internal", will have a private certificate generated from your private Windows CA.
    • Lync Front End server "Web Services External" and Lync Edge server "External Edge Certificate (public Internet)" will have a public certificate generated from a public certificate vendor like DigiCert or VeriSign, etc.

    Set Up Certificates for the Edge Internal Edge Interface

    http://technet.microsoft.com/en-us/library/gg412750.aspx

    Set Up Certificates for the Edge External Edge Interface

    http://technet.microsoft.com/en-us/library/gg398409.aspx

    Set Up Certificates for the Front End / Standard Internal and External Web services.

    http://technet.microsoft.com/en-us/library/gg398995.aspx

    Note: In the Front End / Standard certificate request in the certificate wizard screen, select only "Web Services Internal" and "Server Default" to generate a certificate from the internal private CA; then re-select only "Web Services External" and request a certificate, getting a request file to send to the public CA vendor to get the certificate file, then import it to the server.

    Also, you can use one public SAN certificate for the Lync Front End external web services and the Lync Edge external services.

    Regards,

    Ahmed

    Sunday, November 4, 2012 10:57 AM
  • Hi Ahmed,

    Thanks for the post. I will check the links to determine all the SANs to be added to the certificate, as we have 3-4 SIP domains and different URLs.

    In the meantime, can you tell me if I can use a wildcard certificate for the Front End/Edge internal + external web services? Any considerations while doing this, as it would be easy to apply?

    Sunday, November 4, 2012 12:43 PM
  • Hi,

    There is no support for a wildcard entry as the subject name; it's only supported in the SAN.

    Here you can go:

    http://technet.microsoft.com/en-us/library/hh202161.aspx

    For a normal certificate, it will be a UCC SAN certificate you can use; it will require 5 DNS names:

    sip.domain.com (if you go for one FQDN for the Lync Edge services)

    lsweb.domain.com

    dialin.domain.com

    meet.domain.com

    autodiscover.domain.com

    Then you need to change the SN to lsweb.domain.com when you assign it to the Front End external web services and import it to the reverse proxy for publishing the Lync web services and mobility services.

    And for the Lync Edge external services, the SN will be sip.domain.com.

    Regards,

    Ahmed

    • Proposed as answer by Kent-Huang Tuesday, November 6, 2012 1:27 AM
    Sunday, November 4, 2012 2:38 PM
  • Question for people who say that it is not possible to use one cert on two servers. Just to be clear, I would never recommend doing this. Not because it is impossible, but I do not see the reason to do this. There is an internal CA that would give you a free certificate and it is easy to use.

    However, can you please explain to me why you think that it is impossible to have the same certificate on the Edge and on the FE servers? I am not going to argue, but if I am wrong, I want to understand why.

    I've done it many times when I created a certificate on the Edge server with extra SAN names. I would export it from the Edge and import it to the TMG server. This solution works without any issues.

    Please tell me why I can't do the same with the Edge and FE servers? I understand that it would be a problem to add internal FQDNs, but I've done it with GoDaddy SSLs.

    Again, I just want to understand why this solution will not work.

    Thank you.



    Please “Vote As Helpful” and/or “Mark As Answer” if this post helped you.

    Sunday, November 4, 2012 3:54 PM
  • One more thing: I am using TMG for Lync external publishing.
    Can you help me identify the steps for renewing the certificate applied on TMG for Lync?

    Thanks

    Tuesday, November 6, 2012 2:18 PM
  • How did you apply the certificate on the TMG? You should do exactly the same for renewal. Nothing different.

    These are the steps that I do:

    Renew the certificate on the Edge server. On the Edge server go to MMC, Certificates, Local Computer and export the certificate. You have to export it with the private key, but do not delete the private key after the export is completed.

    The next step is to copy the exported file to the TMG server. Go to MMC, Certificates and import this certificate. After that, in the TMG Management Console replace the old certificate with the new one.

    Thank you.



    Please “Vote As Helpful” and/or “Mark As Answer” if this post helped you.

    Tuesday, November 6, 2012 2:22 PM
  • After applying the certificate on the Edge server I am able to log in to Lync internally, but when trying externally I get the below error:

    Error Code: 500 Internal Server Error. The signature of the certificate cannot be verified. (-2146869244)
    Kindly help with what I should check further now.

    Does TMG come into the picture for external auto-login of clients?

    Tuesday, November 6, 2012 6:02 PM
  • Edge server has two network cards.  One of them should be connected to LAN and have Internal Certificate.  Another one should be connected to DMZ and have public certificate.

    This article explains how to set up the Edge server. Check how the certificates should be set up.

    http://ocsguy.com/2010/11/21/deploying-an-edge-server-with-lync/

    Thank you.



    Please “Vote As Helpful” and/or “Mark As Answer” if this post helped you.

    Tuesday, November 6, 2012 6:18 PM
  • Do we need to restart the services after renewing the certificates?
    When a client tries to autodiscover from the external network, does TMG come into the picture?
    Do all external service connection requests pass through TMG, or are they served directly by the Edge server?
    Please clear my confusion.
    Tuesday, November 6, 2012 6:40 PM
  • No, you do not need to restart the services when you have renewed the certificate.

    Thank you.



    Please “Vote As Helpful” and/or “Mark As Answer” if this post helped you.

    Tuesday, November 6, 2012 6:42 PM
  • Do we need to publish the topology again after the certificate renewal is done?
    Tuesday, November 6, 2012 6:44 PM
  • No, you do not have to publish topology.

    Thank you.



    Please “Vote As Helpful” and/or “Mark As Answer” if this post helped you.

    Tuesday, November 6, 2012 6:46 PM
  • What do you advise me to check now?

    I followed the steps as per the TechNet article to renew the certificates for Front End, Edge and TMG. While applying the certificates I did not receive any error, and then applied them to the services as well. But now internal client login is happening, but from the external network it's not working. We use certificates issued by the internal CA as before.

    Can you advise how I can revert back or how to resolve the issue?

    One doubt: when logging in, does the internal client connect directly to the Edge server pool or go through TMG?

    Tuesday, November 6, 2012 6:55 PM
  • The external interface of the Edge server should have a public certificate. The same certificate should be exported and imported to the TMG server.

    Thank you.



    Please “Vote As Helpful” and/or “Mark As Answer” if this post helped you.

    Tuesday, November 6, 2012 6:57 PM
  • Before also we were using certificates issued by the internal CA and were still able to log in over the internet.

    Now I renewed the certificate using the same CA.

    Tuesday, November 6, 2012 7:01 PM
  • I guess it is possible that you were using an internal certificate.

    Something was not set up correctly. Can you double-check that you assigned the same names and the same SANs to the new certificates as you have on the old ones? You should be able to open both to compare.

    Thank you.



    Please “Vote As Helpful” and/or “Mark As Answer” if this post helped you.

    Tuesday, November 6, 2012 7:06 PM
  • I am checking on the DigiCert SSL check, where it is still resolving to the old certificate for the Lync URLs, whereas the certificates were assigned to the services without any error.
    Even on the server, if I use Get-CsCertificate it shows the new certificate.

    Also, clear my doubt: which services does TMG serve and which services does the Edge server serve?

    Tuesday, November 6, 2012 7:11 PM
  • i am checking on Digicert ssl check where it is still resolving to old certificate for lync URLs.


    I did not understand this.  I thought you said you used internal certificate.


    Please “Vote As Helpful” and/or “Mark As Answer” if this post helped you.

    Tuesday, November 6, 2012 7:29 PM
  • Yes, we use internal CA certificates only.

    I ran the wizard again to issue the certificate from the CA and renewed it on the Edge server internal and external interfaces and TMG. Now externally I log in to Lync using the mobile client by installing Lync and the CA certificate locally. I tested mobile login on Android, Windows and iPhone; it worked after installing the Windows root CA locally.

    When I use my laptop (which I use to log in to the domain) from home using a datacard, it fails. I don't understand why I am unable to log in to the Lync client on the laptop. Internally it works.

    Kindly advise what I should check now.

    Wednesday, November 7, 2012 5:51 PM
  • Mobile sign in requires Reverse Proxy (TMG) setup.

    External user sign in requires Edge server setup.  If you cannot sign in with Lync client, it means there is a problem with Edge server.

    Please check the Edge server.  Are all services running?  Do you have correct certificates assigned?  Correct SAN names on the certificates?  Certificates are assigned to both interfaces?

    Just double check everything on the Edge.

    Thank you.



    Please “Vote As Helpful” and/or “Mark As Answer” if this post helped you.

    Wednesday, November 7, 2012 6:09 PM
  • Thanks for sharing the info. That means my TMG configuration is working correctly; I need to check the Edge server now.

    I have followed the TechNet article and mentioned the SANs as per the recommendation. I don't understand where it is failing exactly. The client says the server is not responding or cannot be reached.

    Below is the client logging.
    ====================================

    11/07/2012|10:00:13.063 DD8:E54 INFO  :: CUccPlatform::EnableTracing: tracing enabled
    11/07/2012|10:00:13.094 DD8:E54 INFO  :: CUccPlatform::EnableTracing : media stack tracing enabled
    11/07/2012|10:00:13.094 DD8:E54 WARN  :: CUccPlatform::EnableTracing: tracing is already enabled
    11/07/2012|10:00:13.141 DD8:E54 INFO  :: CUccPlatform::EnableTracing : media stack tracing enabled
    11/07/2012|10:00:13.219 DD8:E54 ERROR :: CSIPAsyncSocket::OnConnectReady - Error: 10061 dest: 210.210.26.214:5061
    11/07/2012|10:00:13.219 DD8:E54 ERROR :: CSIPClientConnection::OnConnect (80ee0067) this: 08081BB0
    11/07/2012|10:00:13.219 DD8:E54 ERROR :: SIP_MSG_PROCESSOR::OnConnectComplete connect failed 80ee0067 retry connecting via HTTP tunnel
    11/07/2012|10:00:13.219 DD8:E54 TRACE :: SIP_MSG_PROCESSOR::UseAutoHttpProxy try resolve HttpProxy
    11/07/2012|10:00:13.219 DD8:E54 TRACE :: HTTPPROXYCB:internetStatus 0x3c
    11/07/2012|10:00:13.219 DD8:E54 TRACE :: HTTPPROXYCB:internetStatus 0x3c
    11/07/2012|10:00:13.219 DD8:BEC TRACE :: HTTPPROXYCB:internetStatus 0x50
    11/07/2012|10:00:13.219 DD8:BEC TRACE :: HTTPPROXYCB:internetStatus 0xa
    11/07/2012|10:00:13.219 DD8:E54 TRACE :: CSIPTransportLayerSecurity::Shutdown - [0x07EDBC20]
    11/07/2012|10:00:13.219 DD8:E54 TRACE :: CSIPMessageCollator::~CSIPMessageCollator - [0x08071928]
    11/07/2012|10:00:13.219 DD8:E54 TRACE :: CSIPTransportLayerNotify::~CSIPTransportLayerNotify - [0x08071928]
    11/07/2012|10:00:13.219 DD8:E54 TRACE :: CSIPTransportLayerNotify::~CSIPTransportLayerNotify - [0x08443620]
    11/07/2012|10:00:13.219 DD8:E54 TRACE :: CSIPTransportLayer::~CSIPTransportLayer - [0x08443618]
    11/07/2012|10:00:13.219 DD8:E54 TRACE :: CSIPTransportLayerNotify::~CSIPTransportLayerNotify - [0x07EDBC28]
    11/07/2012|10:00:13.219 DD8:E54 TRACE :: CSIPTransportLayer::~CSIPTransportLayer - [0x07EDBC20]
    11/07/2012|10:00:13.219 DD8:E54 TRACE :: CSIPTransportLayerNotify::~CSIPTransportLayerNotify - [0x08443EA8]
    11/07/2012|10:00:13.219 DD8:E54 TRACE :: CSIPTransportLayer::~CSIPTransportLayer - [0x08443EA0]
    11/07/2012|10:00:13.219 DD8:E54 TRACE :: SSIPTransportContext::~SSIPTransportContext - [0x08081BE8]
    11/07/2012|10:00:13.219 DD8:E54 TRACE :: CSIPTransportLayerNotify::~CSIPTransportLayerNotify - [0x08081BB8]
    11/07/2012|10:00:13.219 DD8:E54 TRACE :: CSIPTransportLayer::~CSIPTransportLayer - [0x08081BB0]
    11/07/2012|10:00:13.328 DD8:BEC TRACE :: HTTPPROXYCB:internetStatus 0xb
    11/07/2012|10:00:13.328 DD8:BEC TRACE :: HTTPPROXYCB:internetStatus 0x14
    11/07/2012|10:00:13.375 DD8:BEC TRACE :: HTTPPROXYCB:internetStatus 0x15
    11/07/2012|10:00:13.546 DD8:BEC TRACE :: HTTPRPOXYCB:Proxy Address is1819590516.210.210.26:214
    11/07/2012|10:00:13.546 DD8:BEC TRACE :: HTTPPROXYCB:internetStatus 0x1f
    11/07/2012|10:00:13.546 DD8:BEC TRACE :: HTTPPROXYCB:internetStatus 0x28
    11/07/2012|10:00:13.546 DD8:E54 ERROR :: HTTP_PROXY_RESOLVE_CONTEXT::~HTTP_PROXY_RESOLVE_CONTEXT HPContext handle 3 deleted, this 08473CC0
    11/07/2012|10:00:13.546 DD8:E54 INFO  :: SockMgr: Create New Connection:DestName:(sipexternal.***.com)DestPort:(5061)Transport:(2)httpTunnel:(1)TLS RemotePrincipalName:(sipexternal.***.com)
    11/07/2012|10:00:13.546 DD8:E54 TRACE :: DestAddr :210.210.26.214:5061

    11/07/2012|10:00:13.546 DD8:E54 TRACE :: ProxyAddr:210.210.26.214:443

    ====================================

    Any clue where to check? Is there a need to disable and enable the user again?

    Wednesday, November 7, 2012 6:35 PM
  • Based on the information that you gave me, I used telnet to test your ports.

    telnet 210.210.26.214 443 works.

    telnet 210.210.26.214 5061 does not work.

    Your 5061 port is closed. It should be opened and forwarded to your Edge server.

    Thank you.



    Please “Vote As Helpful” and/or “Mark As Answer” if this post helped you.

    Wednesday, November 7, 2012 6:43 PM
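A check for the two things the thread keeps coming back to: whether the certificate actually served on each published name carries the subject name and the five SAN entries Ahmed's reply lists, and whether the external port answers at all, which Igor tests above with telnet. This is an added Python example, not code from the thread; the domain.com hostnames, the 5061/443 targets, the expected CNs and the ca_file parameter (PEM root of the internal Windows CA) are assumptions.

```python
import socket
import ssl

# SAN names Ahmed's reply lists for the UCC certificate; domain.com is a placeholder.
REQUIRED_SANS = {"sip.domain.com", "lsweb.domain.com", "dialin.domain.com",
                 "meet.domain.com", "autodiscover.domain.com"}
# Published name, port, and the subject CN the reply says that role should carry.
# 5061 is the Access Edge TLS port the thread tests with telnet, 443 the web services port.
TARGETS = [("sip.domain.com", 5061, "sip.domain.com"),
           ("lsweb.domain.com", 443, "lsweb.domain.com")]

def cert_names(peercert):
    """Extract (subject CN, set of DNS SANs) from the dict ssl.getpeercert() returns."""
    cn = None
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    sans = {value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"}
    return cn, sans

def check_cert(peercert, expected_cn, required_sans=REQUIRED_SANS):
    """Compare a served certificate with the expected CN and SAN list.
    Returns a list of findings; an empty list means the certificate matches."""
    cn, sans = cert_names(peercert)
    findings = []
    if cn != expected_cn:
        findings.append(f"subject CN is {cn!r}, expected {expected_cn!r}")
    missing = sorted(required_sans - sans)
    if missing:
        findings.append("missing SAN entries: " + ", ".join(missing))
    return findings

def fetch_cert(host, port, ca_file=None, timeout=5.0):
    """TCP connect and TLS handshake (with SNI) to host:port.
    ca_file: PEM root of the internal Windows CA; None means the system trust
    store, which is what an external client outside the domain has.
    Returns ('closed', None) when the port does not answer (the telnet 5061 case),
    ('untrusted', reason) when the chain or name does not verify (the 'signature
    cannot be verified' case), ('tls-error', reason), or ('ok', cert dict)."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED + hostname check
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok", tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return "untrusted", str(exc)
    except ssl.SSLError as exc:
        return "tls-error", str(exc)
    except OSError:  # refused, timed out, unreachable, name not resolved
        return "closed", None

def audit(targets=TARGETS, ca_file=None):
    """Check every published name; returns {'host:port': 'ok' or a description}."""
    report = {}
    for host, port, expected_cn in targets:
        status, detail = fetch_cert(host, port, ca_file)
        if status == "ok":
            problems = check_cert(detail, expected_cn)
            report[f"{host}:{port}"] = "ok" if not problems else "; ".join(problems)
        else:
            report[f"{host}:{port}"] = f"{status}: {detail}"
    return report
```

Run audit() from a machine outside the network to reproduce what an external client sees; passing the internal CA root as ca_file shows whether the only remaining problem is trust, as with the mobile clients that worked once the root was installed.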
  • No, there is nothing changed in the network. I don't know if it is blocked, or some services are not running on the Edge server, or it is a certificate error. I will try telnet locally on the Edge server to 5061 and check.

    Is it like the Lync client traffic will directly hit the Edge server on 5061 and 443 and log in? (Not working from my machine over the internet.)

    The mobile client connects to the proxy server over the internet on 5061 and 443. (Working in our case.) So from the proxy, is it forwarding traffic to the Edge or the Front End server?

    FYI:

    Edge server 210.210.26.214

    TMG 210.210.26.216

    Wednesday, November 7, 2012 7:03 PM
  • TMG forwards traffic to your FE server.

    Take a look at this poster.  Check the section for IM and Presence Workload.  http://www.microsoft.com/en-us/download/details.aspx?id=6797

    Thank you.



    Please “Vote As Helpful” and/or “Mark As Answer” if this post helped you.

    Wednesday, November 7, 2012 7:09 PM
  • Thanks, I will check the poster and do some troubleshooting to resolve the issue. Will let you know the update.
    Wednesday, November 7, 2012 7:30 PM
  • I am getting the below error when trying to start the Access Edge service on the Edge server.

    The certificate received from the remote server has not validated correctly. The error code is 0x80096004. The SSL connection request has failed. The attached data contains the server certificate.

    Thursday, November 8, 2012 3:46 AM
  • After restarting all the Edge server services I am able to log in now from external with the Lync client installed on my machine. Thanks.

    One doubt: even now from external I cannot telnet to the Edge server on 5061. Is it required? Or will TMG accept the connection on 443 and forward it to Edge on 5061?

    Thanks Igor for your help.

    Thursday, November 8, 2012 9:35 AM
  • Glad it works.

    You need 5061 if you have Federation setup.

    Thank you.



    Please “Vote As Helpful” and/or “Mark As Answer” if this post helped you.

    Thursday, November 8, 2012 1:53 PM
  • OK,
    so 5061 won't be applicable for us as we don't have federation.

    So all mobile and machine Lync clients from outside will connect to TMG on 443 and then will be served by the Edge server.

    Thanks

    Thursday, November 8, 2012 5:35 PM