Lync FrontEnd Pool Certificate Requirement

  • Question

  • Hi, 

    I have built one Lync 2013 Front End pool whose name does not match the internal AD name, but the Front End server FQDN does match the local AD name.

    Local AD name contoso.local

    Lync Poolname      Pool.contoso.com

    Our clients connect internally, directly to the Front End pool, to get the service.

    Since third-party CAs will not issue SAN names that are not public domains, how should we include the internal server FQDN in the certificate in such a case?

    We don't want to publish the internal root CA to all machines through GPO.

    Can we use two different certificates on the Front End pool, one with all the public names (pool.contoso.com) and one with the server FQDNs?

    I would appreciate an immediate response.


    Javed Khan

    Monday, November 2, 2015 2:43 PM

Answers

  • Hi JKhanMse,

     

    For internal servers (e.g. Front End Servers and Edge Server internal interface), you can request the certificates from your internal CA.

    For Reverse Proxy and Edge Server external interface, you should have public certificates installed.

    You can use SAN certificates, for example.

     

    Reverse Proxy:

    CN - WebExt.domain.com

    SAN - dialin.domain.com

    SAN - meet.domain.com

    SAN - wacwebext.domain.com

    SAN - lyncdiscover.domain.com

    SAN - WebExt.domain.com

     

    Edge Server:

    CN - Sip.domain.com

    SAN - Sip.domain.com

    SAN - Webconf.domain.com

    SAN - Sip.domain2.com

     


    Best regards,

    Eric

     


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    • Marked as answer by JKhanMse Tuesday, November 3, 2015 10:32 PM
    Tuesday, November 3, 2015 2:17 AM
    Moderator
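A quick pre-check before assigning a certificate, added here as an example that is not from the thread or from Microsoft: the function compares a certificate's DNS SAN entries against the reverse-proxy name list Eric gives above, and flags any non-public suffix (such as .local) that a public CA will refuse, which is the mismatch the original question is about. The self-signed certificate, the domain.com names and the suffix list are constructed for the demonstration.

```powershell
# Added example: compare a certificate's SAN DNS names with the names a Lync role requires.
# Assumes Windows PowerShell 5.1 or later with the PKI module (New-SelfSignedCertificate).

function Test-LyncCertificateNames {
    param(
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [string[]] $RequiredNames,
        # Constructed suffix list: names ending in these are not public, so a public CA will not
        # sign them and the certificate must come from the internal CA instead.
        [string[]] $InternalSuffixes = @('.local', '.internal', '.lan')
    )
    # DnsNameList is a script property the Certificate provider adds to X509Certificate2;
    # it already merges the CN and the SAN DNS entries.
    $present  = @($Certificate.DnsNameList | ForEach-Object { $_.Unicode.ToLowerInvariant() })
    $missing  = @($RequiredNames | Where-Object { $present -notcontains $_.ToLowerInvariant() })
    $internal = @($present | Where-Object { $n = $_; $InternalSuffixes | Where-Object { $n.EndsWith($_) } })
    [pscustomobject]@{
        Subject       = $Certificate.Subject
        PresentNames  = $present
        MissingNames  = $missing        # required by the role but absent from the certificate
        InternalNames = $internal       # present, but unobtainable from a public CA
        PublicCAOk    = ($missing.Count -eq 0 -and $internal.Count -eq 0)
    }
}

# Names from Eric's reverse-proxy list; domain.com stands in for the real public domain.
$reverseProxyNames = 'webext.domain.com', 'dialin.domain.com', 'meet.domain.com',
                     'wacwebext.domain.com', 'lyncdiscover.domain.com'

# Constructed throwaway certificate: one required name is left out and one .local server
# FQDN is included, so the check reports both problems.
$cert = New-SelfSignedCertificate -DnsName 'webext.domain.com', 'dialin.domain.com', 'meet.domain.com',
            'lyncdiscover.domain.com', 'fe01.contoso.local' -CertStoreLocation 'Cert:\CurrentUser\My'

Test-LyncCertificateNames -Certificate $cert -RequiredNames $reverseProxyNames | Format-List

# Remove the throwaway certificate from the user store again.
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)"
```

Against a real deployment, pass the certificate returned by the Lync Server Management Shell's Get-CsCertificate (for example with -Type WebServicesExternal) instead of the constructed one.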

All replies

  • You can kind of see in the image Ken posted that you can expand the dropdown and set up three individual certs for the Front End. Only the Server Default needs the internal names; however, clients will still need to trust this cert too, and there's no getting around it. You're going to need all clients to trust the internal certificate authority. You can push this trust out through group policy, however.

    http://ucken.blogspot.com/2011/01/lync-external-web-services-without.html


    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer". SWC Unified Communications This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Monday, November 2, 2015 3:15 PM
    Moderator
  • Hi

    Since the inside machines are (or should be) domain joined, they will already have the domain's internal root CA on them, supplied by AD.

    To add domain.local names into a certificate you now need to use an internal CA as a mandatory requirement. Public CAs no longer sign non-routable domain FQDNs by law.

    Use the certificate request / assign process from the Deployment Wizard to request the certificate from the internal CA. This will fill in all the correct SAN names for each Front End.

    thanks


    Note: Please remember to `Mark as Answered` a post that answers your question and/or `Vote as Helpful` posts that have helped you. This will help others find answers to similar problems. For more Skype for Business help visit: http://www.skype4b.uk Please note that answers are based on my experience and opinion only and do not necessarily represent the views of my employer.

    Monday, November 2, 2015 3:17 PM
  • It is a hosted platform; the clients are not joined to the domain where the Lync servers are deployed. It is a resource forest topology.

    In this scenario, can I include only the public names in the cert and get it from a third-party CA, and use the internal CA for all internal names?


    Javed Khan

    Monday, November 2, 2015 4:45 PM
  • If all clients connect through a Lync Edge and a Reverse Proxy, it is possible to use only a public certificate for your clients. Only the internal servers need an internal CA certificate to connect to each other.

    regards Holger Technical Specialist UC


    Monday, November 2, 2015 5:17 PM
  • If you are not going via external means between the user forest and the hosted forest, and are going via VPN instead, then you can create a trust on the client machines for the hosting domain's internal name.

    https://support.microsoft.com/en-us/kb/2833618

    thanks



    Monday, November 2, 2015 5:22 PM
  • Hi Holger,

    What names should I include in the certificate at the reverse proxy?


    Javed Khan

    Monday, November 2, 2015 5:43 PM
  • You need the external web services name of the Lync pool, like webext.domain.com, the simple URLs like meet.domain.com and dialin.domain.com, and also lyncdiscover.domain.com. You also need officewac.domain.com. I think it is easier to use a wildcard cert for the proxy if you have only one domain.

    regards Holger Technical Specialist UC

    Monday, November 2, 2015 6:08 PM