Certificates for second central site


  • I am adding a new central site in China, and the main purpose of the location is for PBX integration.  I am sure some folks will want Lync to work from home, which works right now through our main site in the USA (the only Edge server is in the USA).  I was wondering what certs I actually need in this second site, as I would like to minimize cost.  Since all external connectivity is still planned to go through our Edge server in the USA, what certs are actually needed at the new site?  Will I need a new Edge cert with the name of the added Front End server on it as a SAN?
    29 August 2011 15:09

All replies

  • You should get all three certs on the China site, but I believe that you'll see most of your SIP traffic go to your primary Edge.  The China AV/webconf Edges will see all traffic for meetings hosted by users homed in the China pool, but the initial join will hop to 443 on your main site web, then redirect to the China interface.  You can choose whatever Edge you want, as it's a per-pool setting.  You define this in Topology Builder when setting up the Edge.

    30 August 2011 0:06
  • Since we already have and as well published, I hadn't planned on publishing additional IP addresses for the new site in China, since there are only a few users that would be using this outside the corporate network there.  That's why I was hoping we would only need published externally there for group expansion/GAL, costing me only 1 external cert.
    30 August 2011 12:13
  • Sounds to me like you will need 2 certs:

    1 for (access,web,av)

    1 for (meet,dialin)

    But if you are really strapped, I guess you can test with no external Edge in China, which means that any external traffic in China would need to hop to your other site and then route over the WAN to China.  Depending on the number of external attendees you have, this might be a good option until you can economically justify having an Edge there.

    31 August 2011 15:57
  • That's the plan, to use the Edge in the US site for both "central sites", which is why I am hoping I can get a cert for just and not need the other names.  That way group expansion works externally; everything else uses the Edge for the most part.
    31 August 2011 16:42
  • Your China Front End is not external facing, so you can probably use an internal CA, which is free if you can throw one up.  One thing you might want to check is the web services for the second pool.  While I'm sure you can route the AV/webconf to your main site, I have not attempted to skip setting up the second site's web URL.
    31 August 2011 17:31
  • I set it up with all internally issued certs and then tested externally; the only thing the client appeared to go to China for was the Front End services, which is what I expected.  At this point I am not buying any additional external certs; it looks like everything external can use my already valid certs on the USA Edge server, and external Lync clients will be able to use the Front End in China with an internal cert (these machines should be machines on my domain anyway, so they should trust internal certs).
    31 August 2011 20:22