Cert for multiple domains required?

Lync 2010.

I have several internal AD Domains in same forest.
Lync works fine inside.

I have several SIP Domains.  AAA.com, BBB.com, CCC.com

If my _sip._tls.AAA.com SRV records in AAA,BBB and CCC all point to sip.ZZZ.com, do I only need a cert for sip.ZZZ.com ?

Or maybe:

sip.ZZZ.com
sipexternal.ZZZ.com

I guess the question is, do I need a cert with all SIP domains, or does the SRV record remove that need?

Similar question for NATed (PATed) Front End.

Would the below be adequate for the Cert, or would I need to add every SIP Domain?

webconf.ZZZ.com
InternalHostname.ZZZ.com
meet.ZZZ.com
lync.ZZZ.com
dialin.ZZZ.com

August 16th, 2012 10:43pm

The SRV record does not remove the need for the SAN entries in your certificate. Also, the SRV record should point to an A record in the same domain. The SIMPLE URLs are a special case:

http://technet.microsoft.com/en-us/library/gg398287.aspx

Your internal host/pool names should be based on the AD namespace, not your SIP namespace. Your external web services FQDNs can be shared since they are provisioned to the client in-band.

August 17th, 2012 6:10am
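To make the two points in this answer concrete (the SRV target should sit in the same domain as the SIP domain, and the SRV record does not remove the need for a SAN per SIP domain), here is an added example, not from the thread or from Microsoft, that checks a planned configuration. It assumes, as the answers here state, that the certificate needs sip.<domain> for every SIP domain plus the SRV target itself; the domains and SAN lists are constructed from the question.

```python
"""Check a Lync SIP-domain / SRV / certificate-SAN plan for consistency.

Constructed example: SIP domains AAA.com, BBB.com, CCC.com whose _sip._tls
SRV records all point at sip.ZZZ.com, as in the original question.
"""


def san_matches(san: str, host: str) -> bool:
    """Name matching in the RFC 6125 style: exact match, or a '*.' wildcard
    that covers exactly one leftmost label (no partial or multi-level match)."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san == host:
        return True
    if san.startswith("*."):
        suffix = san[1:]  # e.g. ".zzz.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return False


def check_sip_config(sip_domains, srv_targets, cert_sans):
    """Return a list of findings; an empty list means the plan is consistent.

    srv_targets maps each SIP domain to the host its _sip._tls SRV record
    names. Assumption (from the answers above): clients expect a SAN for
    sip.<sipdomain> for every SIP domain, and the SRV target should live
    in the same DNS domain as the SIP domain it serves.
    """
    findings = []
    for domain in sip_domains:
        domain = domain.lower()
        target = srv_targets.get(domain, "").lower()
        if target and not target.endswith("." + domain):
            findings.append(f"SRV for {domain} points outside its domain: {target}")
        # The cert must cover both the per-domain sip name and the SRV target.
        for host in sorted({f"sip.{domain}", target} - {""}):
            if not any(san_matches(san, host) for san in cert_sans):
                findings.append(f"no SAN covers {host}")
    return findings


if __name__ == "__main__":
    domains = ["AAA.com", "BBB.com", "CCC.com"]
    shared_srv = {d.lower(): "sip.ZZZ.com" for d in domains}
    print(check_sip_config(domains, shared_srv, ["sip.ZZZ.com", "sipexternal.ZZZ.com"]))
```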

Hi,

In the internal network, you can let the BBB and CCC SRV records all point to sip.zzz.com. But for the external network, you had better create an SRV record for each SIP domain that points to that domain's own sip record.

About the certificate for the Lync FE server, wildcard certificates are supported. You can use a wildcard certificate to replace the simple URL entries. For more about wildcard certificates, please refer to: http://technet.microsoft.com/en-us/library/hh202161.aspx

August 17th, 2012 10:37am

Hi Steven,

Both your internal and external PKI certs for Lync should contain all SIP domains you intend to use. Adding the extra SIP domains as Subject Alternative Names (SAN) while implementing means you shouldn't have to re-issue the certs at a later stage to troubleshoot or resolve TLS issues.

Regards

Dave

August 17th, 2012 8:23pm

I guess this article would address your issue: http://blog.machsol.com/hosting-saas/external-dns-and-certificates-planning-for-lync-2010-as-hosting-service
August 19th, 2012 1:51pm

I guess this article would address your issue: http://blog.machsol.com/hosting-saas/external-dns-and-certificates-planning-for-lync-2010-as-hosting-service

Dear Abdullah,

Are you trying to say that

all entries should have an SRV record _sip._tls.<hosteddomain> pointing to sip.<providerdomain>? Can this sip.<providerdomain> (shown in bold) point to an IP address? Because on some forums I have seen that you need to add an IP address to get it working.

Further, do you mean:

meet.  point to Front End server or reverse proxy

dialin.  point to Front End server or reverse proxy

autodiscover.  point to Front End server or reverse proxy

sip.company.com  point to Edge

webconf.company.com  point to Edge

a/v.company.com  point to Edge

even if a third simple URL is being used?

Does the SRV record need to point to a CNAME like sip., or to the IP address of the reverse proxy or Front End server?

February 16th, 2015 5:04am
