Maximum SAN entries

Lync multitenant requires at least one SAN entry for each domain. In a hosting environment there are lots of domains, so I am wondering whether having a SAN entry for each domain is going to be costly; further, I am also going to run out of SANs in my certificate. So, kindly tell me the choice for a certificate and also, if possible, how I can avoid adding new domains to my certificate, as this is overhead in terms of cost and management.

June 26th, 2012 6:17pm

You don't need a different SIP domain for each user. Try to use fewer SIP domains.

With Lync CU6 the phones also support wildcard certificates, so it should also be possible to use wildcard certificates instead of so many SANs.

To add new SANs to your certificate, use a CA which supports changing or adding SANs.

June 26th, 2012 9:32pm

Thanks Holger. For Lync mobility I can run it on HTTP and save a certificate entry, but for the Lync desktop client I need to have at least one entry, as per the MS document:

"The FQDNs listed in the tenant-specific DNS Records table must be added as subject alternative names to the certificates used by those servers because the certificates used within the Lync Server infrastructure must match those used in the request."

Problem is, this solution is costly. Also, there are limited SAN entries (with the VeriSign cert I have, 40 SANs can be added), which means I can only add around 35 SIP domains as per my understanding. I cannot limit the number of SIP domains as this is a hosting environment.

Any suggestions in this regard?

June 26th, 2012 9:57pm

Hm, ok,

you can use GoDaddy as an example; they offer up to 100 domains and you may change or add SAN names at any time.

June 26th, 2012 10:09pm

Thanks again, but still this is not a flexible solution. We will be having around 150 different domain users on our platform. I believe adding a new FE pool with a new cert might solve our issue, but again there is server + new cert cost involved ....
June 26th, 2012 10:28pm

Hi,

As the SAN must be added to the certificate for each domain, you can do the following:

  1. Like Holger said, use fewer SIP domains.
  2. Choose another certificate from other CAs offering more SAN names.
  3. Add the SANs to your current certificate at additional cost.

The thing you can do is compare them to find the minimum cost.

June 27th, 2012 7:52am

Hi All,

I too am having this problem. A properly scaled Enterprise Edition pool can support up to 80,000 users. If within this environment every tenant has 100 users, that's 800 different SANs in the cert. Not an acceptable solution.

Lync Online does not generate a certificate for every tenant they have, so why should the Multi-Tenant Pack have to?

All clients work with a wildcard cert that has the primary SIP domain as a SAN, except Lync Phone Edition. Even with the latest CU, the wildcard cert is accepted but it has to match the sign-in domain. Not an acceptable solution for a multi-tenant environment.

Does anyone have any updates on how to get around this with the latest CU? Any settings on Lync Phone Edition to disable certificate matching?

Regards,

Eddie
July 5th, 2012 11:22am

Hi All,

Not only is the management of all the SAN names a problem, but also the fact that as a provider you expose all the tenants that are on your multi-tenant deployment to the world.

There should be a workaround, since Office 365 does not require the domains to be listed on their certificate. I think MS uses ADFS for this, but that is not a supported setup.

Have you tried opening a support ticket to get an official statement?

Alex.

August 14th, 2012 12:09pm

Hi Alex,

Completely agree. Digging deeper, there are a few things that Microsoft have developed their own solutions for but not allowed their partners to have as a feature of their own environments. These are push notifications and tenant federation.

They have created the "Hosting Provider" option to get around the cert issue for people using on-prem Lync federating with Lync Online. But what about Lync Online and the Multi-Tenant Pack? Lync Online must be able to support other "Hosting Providers".

Tried opening a support ticket, but basically just got told to follow the documentation and go away.

I do not accept the answer of "use fewer SIP domains". It's almost laughable.

Eddie

August 15th, 2012 6:46pm

It seems like you have identified scaling issues with a specific architecture based on the certificate requirements, so change the architecture. There are downsides to changing the architecture, but there are also advantages. As for cost, I don't see why this should be an issue, since you can factor it into the price that customers pay.
August 15th, 2012 7:02pm

In the past I managed to get everything bar federation working by pointing the SIP records of domain2.com > domain1.com, thus saving on SANs, but it's a bit of a fudge and wouldn't be supported :(
August 15th, 2012 10:35pm

After seeking a lot of help from MS, all in vain, I have figured out how to plan DNS and certificates:

http://blog.machsol.com/hosting-saas/external-dns-and-certificates-planning-for-lync-2010-as-hosting-service

I hope this will help out people trying to offer Lync as a hosted service.

August 19th, 2012 1:46pm

Your suggestion is only 50% of the solution. Federation with, for example, Lync Online will not work without all tenant domains in the SAN field, since federation is based on server-to-server communication and will not allow you to suppress the certificate warning as you can on the client.

August 20th, 2012 10:15am

This suggestion seems to work fine, but in multi-tenant environments it is advised to deploy a Director server as the first point of contact. Which is the correct and supported configuration?
August 21st, 2012 9:57am

Yes indeed, in a Multi-Tenant Pack environment the recommended design is the one with a Director as the first point of contact for the users.
August 21st, 2012 10:37pm

The only workaround I have that works for domain-to-domain federation:

If the user is on DomainA and you followed the following URL to cut down the DNS records: http://blog.machsol.com/hosting-saas/external-dns-and-certificates-planning-for-lync-2010-as-hosting-service

Then anyone wanting to federate with him must have their Lync server configured for federation, but for the Edge server enter sip.hostersnames.com instead of sip.domaina.com.

January 16th, 2015 11:10pm

Yes indeed, in a Multi-Tenant Pack environment the recommended design is the one with a Director as the first point of contact for the users.

Dear Abdullah,

Are you trying to say that

all entries should point the SRV record _sip._tls.<hosteddomain> to sip.<providerdomain>? Can this sip.<providerdomain> point to an IP address? Because on some forums I have read that you need to add an IP address to get it working.

Further, do you mean

meet. points to the front end server or reverse proxy

dialin. points to the front end server or reverse proxy

autodiscover. points to the front end server or reverse proxy

sip.company.com points to the Edge

webconf.company.com points to the Edge

av.company.com points to the Edge,

even if the 3rd simple URL is being used?

The SRV record needs to point to a CNAME like sip. or to the IP address of the reverse proxy or front end server.

February 16th, 2015 5:04am
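The thread keeps coming back to three numbers: how many names a per-tenant DNS plan forces into the SAN list, why a `*.<provider>` wildcard does not help for `sip.<tenant>`, and which names a federation partner still resolves when every tenant's SRV record is redirected to the provider. The planner below is an added example, not code from the thread, from the linked blog post or from Microsoft. It applies the RFC 6125 wildcard rule (a leading `*` matches exactly one label) to a SAN list and sizes that list against a CA limit for the three plans the posters describe. The provider name `hoster.example`, the 150 tenant domains, the three-entry SAN list and the 40-entry limit are constructed sample data; which names each plan makes a verifier look for (`sip.<tenant>` and `lyncdiscover.<tenant>` per tenant, the provider's names when redirected, `sip.<tenant>` for a federation partner) is an assumption taken from the posts above, not a statement of Lync's actual validation logic.

```python
"""
Added example, not code from the thread or from Microsoft: a small SAN planner
that applies RFC 6125-style hostname matching (exact match, or a single leading
'*' label that matches exactly one label) to work out which tenant FQDNs a
certificate covers, and how many SAN entries a plan needs against a CA limit.
Every domain name, SAN list, tenant count and the 40-entry limit below is
constructed sample data, not taken from any real deployment.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Iterable, Optional

PROVIDER = "hoster.example"                               # constructed provider domain
TENANTS = [f"tenant{i}.example" for i in range(1, 151)]  # constructed: 150 tenants
MAX_SANS = 40                                             # constructed CA limit
CERT_SANS = [f"sip.{PROVIDER}", f"*.{PROVIDER}", f"lyncdiscover.{PROVIDER}"]


def hostname_matches(san: str, hostname: str) -> bool:
    """True if one SAN dNSName entry covers hostname, following RFC 6125.

    A wildcard is honoured only as the whole left-most label and it matches
    exactly one label: '*.hoster.example' covers 'sip.hoster.example' but not
    'hoster.example', 'sip.tenant1.example' or 'a.b.hoster.example'.
    """
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if san == hostname:
        return True
    if not san.startswith("*."):
        return False
    suffix = san[1:]                        # '.hoster.example'
    if not hostname.endswith(suffix):
        return False
    leading = hostname[: -len(suffix)]      # the part the '*' has to absorb
    return bool(leading) and "." not in leading


def first_matching_san(sans: Iterable[str], hostname: str) -> Optional[str]:
    """The SAN entry covering hostname, or None if the certificate does not cover it."""
    for san in sans:
        if hostname_matches(san, hostname):
            return san
    return None


# Which names a verifier looks for under each plan (assumption drawn from the
# thread): per-tenant DNS uses sip.<tenant> and lyncdiscover.<tenant>; the
# redirect plan points every tenant's SRV/CNAME at the provider's own names; a
# federation partner resolves sip.<tenant> unless pointed at the provider's edge.
def per_tenant_names(tenant: str) -> list[str]:
    return [f"sip.{tenant}", f"lyncdiscover.{tenant}"]


def provider_redirect_names(tenant: str) -> list[str]:
    return [f"sip.{PROVIDER}", f"lyncdiscover.{PROVIDER}"]


def federation_partner_names(tenant: str) -> list[str]:
    return [f"sip.{tenant}"]


@dataclass
class PlanReport:
    uncovered: dict[str, list[str]]   # tenant -> names the certificate does not cover
    san_entries_needed: int           # SAN list size once every uncovered name is added
    fits: bool                        # san_entries_needed <= the CA's limit


def check_plan(tenants: Iterable[str], cert_sans: list[str], max_sans: int,
               expected_names: Callable[[str], list[str]]) -> PlanReport:
    """Report the coverage gaps of cert_sans for every tenant and size the SAN list."""
    uncovered: dict[str, list[str]] = {}
    missing: set[str] = set()
    for tenant in tenants:
        gaps = [n for n in expected_names(tenant)
                if first_matching_san(cert_sans, n) is None]
        if gaps:
            uncovered[tenant] = gaps
            missing.update(gaps)
    needed = len(cert_sans) + len(missing)
    return PlanReport(uncovered, needed, needed <= max_sans)


if __name__ == "__main__":
    for label, names in [("per-tenant DNS", per_tenant_names),
                         ("SRV redirected to provider", provider_redirect_names),
                         ("federation partner lookup", federation_partner_names)]:
        report = check_plan(TENANTS, CERT_SANS, MAX_SANS, names)
        print(f"{label:28s} tenants uncovered={len(report.uncovered):3d} "
              f"SANs needed={report.san_entries_needed:3d} fits {MAX_SANS}? {report.fits}")
```

With the constructed data the per-tenant plan needs 303 SAN entries for 150 tenants, the redirect plan is covered by the provider's three entries, and the federation lookup still leaves all 150 `sip.<tenant>` names uncovered, which is the gap the replies about federation describe. Swap in your own tenant list and the SAN list from your certificate (`openssl x509 -noout -ext subjectAltName` prints it) to size a real plan.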

This topic is archived. No further replies will be accepted.
