SN and SAN certificates required for Lync architecture?

  • Question

  • Hello,

    I need your help to determine the SN and SAN for the following Lync architecture:

    I'm using :

    - 1 standard edition server in the main office, its FQDN= fe1.example.local

    - 1 standard edition server in the branch office, its FQDN= fe2.example.local

    - 1 edge server in the main office, its FQDN= edge1.example.local

    - 1 reverse proxy in the main office, its FQDN= rp1.example.local, or should it be rp1.public.com?

    - SIP domain = public.com

    I think that I need the following certificate SN and SAN:

    For the main office standard edition: SN=fe1.example.local and SAN= fe1.example.local, fe2.example.local, sip.public.com, rp1.public.com, admin.public.com, dialin.public.com, meet.public.com

    For the branch office standard edition: SN=fe2.example.local and SAN= fe1.example.local, fe2.example.local, sip.public.com, rp1.public.com, admin.public.com, dialin.public.com, meet.public.com

    For the Edge server :

    - Internal interface ==> SN=edge1.example.local and SAN is not required

    - External interface ==> SN=access.public.com and SAN= access.public.com, webconf.public.com, sip.public.com

    For the Reverse proxy:

    - Internal interface ==> SN= the server proxy FQDN? rp1.public.com and SAN=?

    - External interface ==> SN=rp1.public.com or extweb.public.com? and SAN= dialin.public.com, meet.public.com

    Could you please verify with me these SN and SAN?

    Thank you

    Wednesday, April 4, 2012 11:41 AM

Answers

  • Hi,

    As I know, if all users log on with user@public.com, the client running Lync gets the relevant information through group policy and attempts to connect to a Front End pool using each of the three SRV records in order, regardless of whether you are signing in from inside or outside your network.

    _sipinternaltls._tcp.public.com

    _sipinternal._tcp.public.com

    _sip._tls.public.com

    After the SRV record is returned, a query is performed for the DNS A record (by FQDN) of the server or Front End pool associated with the SRV record. If no records are found during the DNS SRV query, the Lync client performs an explicit lookup of sipinternal.public.com. If the explicit lookup does not produce results, the Lync client performs a lookup for sip.public.com.

    Thus, if the first two queries fail, it will perform a lookup for sip.public.com automatically. In this case, if sip.public.com is not included in the SAN of the front end certificate, the auto sign-in will fail.

    It is recommended to include sip.public.com in the SAN of the front end certificate.

    If you have any other questions, you can mark the answer to close this post and create a new one.

    Regards,

    Kent

    • Marked as answer by Uchiha-Sasuke Wednesday, April 11, 2012 4:03 PM
    Wednesday, April 11, 2012 1:46 AM

All replies

  • Hi,

    The following SN and SANs should be included:

    Main office standard edition:

    SN=fe1.example.local

    SAN=fe1.example.local

    SAN=meet.public.com

    SAN=dialin.public.com

    SAN=admin.public.com

    Branch office standard edition:

    SN=fe2.example.local

    SAN=fe2.example.local

    SAN=meet.public.com

    SAN=dialin.public.com

    SAN=admin.public.com

    For the Edge server:

    Internal interface ==> SN=edge1.example.local and SAN is not required

    External interface ==> SN=access.public.com and SAN= access.public.com, webconf.public.com, sip.public.com (optional, for auto-config)

    For Lync Server deployment, we don't need to request a certificate for the internal interface of the Reverse Proxy.

    We need to request the public SSL certificate for the external interface of the Reverse Proxy:

    SN= extweb.public.com (External Web Services FQDN)

    SAN= extweb.public.com (External Web Services FQDN)

    SAN=dialin.public.com

    SAN=meet.public.com

    SAN=lyncdiscover.public.com (for mobility)

    For details:

    Certificate Requirements for Internal Servers

    http://technet.microsoft.com/en-us/library/gg398094.aspx

    Request and Configure a Certificate for Your Reverse HTTP Proxy:

    http://technet.microsoft.com/en-us/library/gg429704.aspx

    Regards,

    Kent

    Thursday, April 5, 2012 3:55 AM
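The following is an added worked example, not code from this thread or from Microsoft: it models the client lookup order described in the accepted answer (three SRV records, then sipinternal.sipdomain, then sip.sipdomain) against a constructed DNS zone, and then checks whether the name the client ends up connecting to is covered by the Front End certificate's SN and SAN list from the reply above. The `Zone` class, the record data and the rule that an SRV target without an A record is skipped are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Zone:
    """Constructed sample DNS zone for the SIP domain (not real records)."""
    srv: Dict[str, str] = field(default_factory=dict)  # SRV name -> target FQDN
    a: List[str] = field(default_factory=list)         # FQDNs that have an A record

# SRV records the client tries, in the order given in the accepted answer.
SRV_ORDER = ["_sipinternaltls._tcp.{d}", "_sipinternal._tcp.{d}", "_sip._tls.{d}"]

def lync_auto_discover(sip_domain: str, zone: Zone) -> Optional[str]:
    """FQDN a Lync client would connect to for auto sign-in, or None if discovery fails.
    Assumption: an SRV whose target has no A record is skipped like a missing SRV."""
    for pattern in SRV_ORDER:
        target = zone.srv.get(pattern.format(d=sip_domain))
        if target and target.lower() in (n.lower() for n in zone.a):
            return target
    # No usable SRV record: explicit fallback lookups, in order.
    for fallback in (f"sipinternal.{sip_domain}", f"sip.{sip_domain}"):
        if fallback.lower() in (n.lower() for n in zone.a):
            return fallback
    return None

def cert_names(subject_name: str, sans: List[str]) -> set:
    """Names a TLS client will accept for this certificate: SN plus every SAN entry."""
    return {n.strip().lower() for n in [subject_name, *sans] if n.strip()}

def auto_signin_ok(sip_domain: str, zone: Zone, subject_name: str, sans: List[str]) -> bool:
    """True only if discovery yields a name that the Front End certificate actually covers."""
    fqdn = lync_auto_discover(sip_domain, zone)
    return fqdn is not None and fqdn.lower() in cert_names(subject_name, sans)

def missing_names(required: List[str], subject_name: str, sans: List[str]) -> List[str]:
    """Required names (e.g. the SN/SAN list in the reply above) absent from SN+SAN, in input order."""
    have = cert_names(subject_name, sans)
    return [n for n in required if n.lower() not in have]

if __name__ == "__main__":
    # Constructed zone: no SRV records at all, only an A record for sip.public.com.
    zone = Zone(a=["fe1.example.local", "sip.public.com"])
    sans = ["fe1.example.local", "meet.public.com", "dialin.public.com", "admin.public.com"]
    print(lync_auto_discover("public.com", zone))                                       # sip.public.com
    print(auto_signin_ok("public.com", zone, "fe1.example.local", sans))                 # False
    print(auto_signin_ok("public.com", zone, "fe1.example.local", sans + ["sip.public.com"]))  # True
```

Running it with the SAN list from the reply above shows sign-in failing until sip.public.com is added, which is exactly the case the accepted answer warns about.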
  • Hi,

    Thank you for your help :)

    I have another question, do I have to install a director server in this architecture?

    Thanks

    Thursday, April 5, 2012 8:26 AM
  • Hi,

    The Director server is an optional role for Lync Server deployment. Please check the following information to determine whether you require it.

    http://technet.microsoft.com/en-us/library/gg398879.aspx

    Thus, if you don't have a high volume of users, there is no requirement for you to deploy a Lync Director Server.

     

    Regards,

    Kent

    Thursday, April 5, 2012 9:22 AM
  • Hello,

    Thank you for your help :)

    I followed the instructions on the site for certificate requirements (http://technet.microsoft.com/en-us/library/gg398094.aspx) and I did not understand this:

    If this pool is the auto-logon server for clients and strict Domain Name System (DNS) matching is required in group policy, you also need entries for sip.sipdomain (for each SIP domain you have).

    Can you explain to me what that means, please? I don't know if I have to add a SAN=sip.public.com or not.

    Thank you

    Sunday, April 8, 2012 10:55 AM
  • Hi,

    It's very clear now, thank you :)

    OK, I'll mark the answer.

    Wednesday, April 11, 2012 4:03 PM
  • Question with your example. Let's say you define the SRV record for _sip._tls.public.com to point to a DNS A record of LyncAV.public.com. Assume further that sip.public.com is not defined. It is my understanding that should work. For auto-configuration to then work correctly, does that mean one of the alternate names in the cert needs to be LyncAV.public.com instead of sip.public.com?

    Monday, April 30, 2012 9:25 PM