Lync 2013 and SSL with edge

Dear All,

It always gets confusing about certificates when it comes to Lync 2013 and Edge. Suppose I have the domain abc.com and I plan to add additional SIP domains like xyz.com, abc.com, dfg.com etc., and my default domain would be abc.com, so my naming option would be like this: meet.abc.com/sipdomain/meet. I am a little confused how this is tackled in the Front End and Edge roles. Do I have to get a new request on Edge, or do I have to just import the certificate generated on the Front End into Edge?

February 5th, 2015 3:03am

When you add the domain in Topology Builder, it will automatically configure the simple URLs. Then you need to publish and run the Deployment Wizard. You need to re-run the Certificate Wizard, which will add the new FQDNs as SAN records to the new certificate and assign it to the server services.

As for Edge, you need to have sip.domain.com/AV.domain.com/webcon.domain.com records created for all the domains in public DNS and have SAN entries for the above-mentioned records in the certificate that is assigned on the Edge server. Create the new request on the Edge server itself.

February 5th, 2015 3:21am

The Front End server should have a cert generated from an internal CA. I assume that's the scenario with your setup (the recommended approach). If it also has a public-CA-generated certificate, then technically you can have all SAN records in the same certificate and use it for both the FE server and Edge.

I missed the Reverse Proxy part before. So the certificate that you have put on the Reverse Proxy must be re-keyed with the new dialin and meet records.

February 5th, 2015 3:49am

Hi Zee.Shani,

Agree with thamaraw, you have to request new certificates for the following:

Front End Server Certificate (internal)

Edge Server Certificate (external)

Reverse Proxy Certificate (external)

Best regards,

Eric

February 6th, 2015 3:38am

Thanks Eric and Thamara,


So for the internal CA, this means I have to install Active Directory Certificate Services and there is no need to buy a certificate from a public authority, and it includes the following entries on the first Front End server: admin.defaultsipdomain.com, dialin.defaultsipdomain, lyncdiscoverinternal.defaultsipdomain, lyncdiscover.defaultsipdomain.com

Or should I get it from a public authority, add all the Edge, Front End and Reverse Proxy requirements in a UCC certificate, and use the same one to import into the Front End, Edge and Reverse Proxy?

February 10th, 2015 2:06am

Lync Server has internal and external web services. For internal web services, the dialin, meet, lyncdiscover, lyncdiscoverinternal and admin SAN records need to be in a certificate generated from an internal CA. So yes, you need to deploy ADCS on one of the application servers (a DC is preferred) and generate the certificates for the FE servers.

For external services, you need to go for a public authority. The certificate for that must be generated from a public CA so that everyone will trust it. Do not go for a public certificate for internal FE services.

February 10th, 2015 3:24am
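The two answers above (the Edge SAN list with sip.domain.com/webcon/AV for every SIP domain, and the internal-CA versus public-CA split for Front End and Edge) can be turned into a repeatable request. The script below is an added example and is not code from the thread or from Microsoft; every FQDN in it (pool, server, Edge and external web names) is an assumed placeholder to replace with the topology's own names. It builds the SAN list for each of the three certificates Eric lists from the SIP domains, writes offline requests with the Lync Server 2013 Management Shell cmdlet Request-CsCertificate (the Front End part runs on a Front End server, the Edge part on the Edge server itself, as thamaraw says), and compares the assigned Edge certificate against the required list.

```powershell
# Added example (not from the thread): SAN planning and certificate requests for
# Lync 2013 Front End, Edge and Reverse Proxy across several SIP domains.
# All FQDNs below are assumed placeholders; replace them with your own topology names.

$DefaultSipDomain = 'abc.com'
$SipDomains       = @('abc.com', 'xyz.com', 'dfg.com')   # every SIP domain in the topology
$FePoolFqdn       = 'fepool01.corp.abc.com'   # assumed internal Front End pool FQDN
$FeServerFqdn     = 'fe01.corp.abc.com'       # assumed Front End server FQDN
$ExternalWebFqdn  = 'lyncweb.abc.com'         # assumed external web services FQDN
$AccessEdgeFqdn   = 'sip.abc.com'             # assumed Access Edge external FQDN
$WebConfEdgeFqdn  = 'webcon.abc.com'          # assumed Web Conferencing Edge FQDN
$AvEdgeFqdn       = 'av.abc.com'              # assumed A/V Edge FQDN

function Get-LyncSanList {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('FrontEndInternal', 'EdgeExternal', 'ReverseProxy')]
        [string]$Role
    )
    $san = @()
    switch ($Role) {
        'FrontEndInternal' {
            # Internal CA. The poster uses the single-base simple URL naming
            # (meet.abc.com/<sipdomain>/meet), so meet, dialin and admin are only
            # needed on the default SIP domain; lyncdiscoverinternal is per SIP domain.
            $san += $FePoolFqdn, $FeServerFqdn
            $san += "meet.$DefaultSipDomain", "dialin.$DefaultSipDomain", "admin.$DefaultSipDomain"
            foreach ($d in $SipDomains) { $san += "lyncdiscoverinternal.$d" }
        }
        'EdgeExternal' {
            # Public CA. sip.<domain> for every SIP domain plus the Edge service FQDNs.
            $san += $AccessEdgeFqdn, $WebConfEdgeFqdn, $AvEdgeFqdn
            foreach ($d in $SipDomains) { $san += "sip.$d" }
        }
        'ReverseProxy' {
            # Public CA. External web services, the public simple URLs and
            # lyncdiscover for every SIP domain.
            $san += $ExternalWebFqdn, "meet.$DefaultSipDomain", "dialin.$DefaultSipDomain"
            foreach ($d in $SipDomains) { $san += "lyncdiscover.$d" }
        }
    }
    # sip.abc.com appears both as the Access Edge FQDN and as a per-domain entry
    return $san | Select-Object -Unique
}

function Test-LyncEdgeCertificateSan {
    # Compare the SAN entries of the certificate currently assigned to the
    # Access Edge external service with the list this script says it needs.
    # Returns the missing names (empty output means the certificate is complete).
    $required = Get-LyncSanList -Role EdgeExternal
    $assigned = Get-CsCertificate -Type AccessEdgeExternal |
        Select-Object -ExpandProperty AlternativeNames
    Compare-Object -ReferenceObject $required -DifferenceObject @($assigned) |
        Where-Object { $_.SideIndicator -eq '<=' } |
        Select-Object -ExpandProperty InputObject
}

$feSan   = Get-LyncSanList -Role FrontEndInternal
$edgeSan = Get-LyncSanList -Role EdgeExternal
$rpSan   = Get-LyncSanList -Role ReverseProxy

# Front End (run on the Front End server): offline request to submit to the internal CA.
Request-CsCertificate -New -Type Default, WebServicesInternal `
    -FriendlyName 'Lync FE internal' -PrivateKeyExportable $true `
    -DomainName ($feSan -join ',') -Output 'C:\Certs\fe-internal.req'

# Edge (run on the Edge server itself): offline request to submit to the public CA.
# Check the Subject of the generated request before submitting it; the cmdlet
# defaults it to the local computer name.
Request-CsCertificate -New -Type AccessEdgeExternal, DataEdgeExternal, AudioVideoAuthentication `
    -FriendlyName 'Lync Edge external' -PrivateKeyExportable $true `
    -DomainName ($edgeSan -join ',') -Output 'C:\Certs\edge-external.req'

# The Reverse Proxy is not a Lync role, so request its certificate on that host
# with this SAN list.
Write-Output "Reverse Proxy SAN list: $($rpSan -join ', ')"
```

After the issued Edge certificate has been imported and assigned, running Test-LyncEdgeCertificateSan on the Edge server lists any sip.&lt;domain&gt; or Edge service name still missing from the assigned certificate, which is the usual cause of federation or remote sign-in failing for only one of several SIP domains.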

At the bottom of this article, you can see the internal and external certificate requirements:

https://technet.microsoft.com/en-au/library/gg398066.aspx

February 11th, 2015 8:13am