Skype for Business Front End Servers and Certificates Configuration Issue

Hi,

Currently I'm in the process of configuring a Skype for Business test environment. The SFB infrastructure/servers are being configured in our resources test domain; however, an alternate DNS zone is being used for the SIP domain, e.g. test.something.wa.edu.au. This alternate DNS zone also contains all the DNS records for the SFB environment, e.g. skypepool, skypedir, etc.

A publicly trusted certificate was purchased which will be used for configuring external access, e.g. mobility. This is a wildcard certificate, e.g. *.test.something.wa.edu.au.

However, the issue I'm having is that when starting front end services I need to have the Server Default certificate configured for all front end servers, and it needs to contain the SANs of the front end server names (which are in our resources test domain and don't match the wildcard certificate name, e.g. *.test.something.wa.edu.au).

I've managed to create a self-signed certificate generated using OpenSSL for testing purposes, e.g. skypepool.test.something.wa.edu.au, that contains the front end servers' names (SANs: FEServerName.resourcestestDomainName). This self-signed certificate is assigned to the "Server Default" certificate for all front end servers, and the wildcard certificate *.test.something.wa.edu.au is assigned to the "Web services internal" and "Web services external" certificates.

I'm able to start my front end pool successfully; however, the issue I'm then presented with is that the internal SFB clients trying to authenticate are presented with a certificate error due to the self-signed certificate skypepool.test.something.wa.edu.au not being trusted. If I install this self-signed certificate on a user's workstation running the SFB client, the authentication works fine; however, this isn't the ideal method, having to install the self-signed cert on all user workstations.

Is it possible to configure internal clients to authenticate using the publicly trusted wildcard certificate? From what I can see, the clients are looking at the certificate assigned to "Server Default", which contains the self-signed certificate, and not "Web services internal", which contains the wildcard certificate. Please also note that the lyncdiscoverinternal CNAME and sipinternalsTLS SRV record are configured to point to the skypepool.test.something.wa.edu.au (Skype FE Pool) host record, which is in the domain name of the *.test.something.wa.edu.au wildcard certificate.

Regards,


Rad

September 15th, 2015 3:00am
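The following is an added example, not part of the original post and not the poster's configuration. It shows the certificate setup the post is circling around: internal clients validate the Server Default certificate presented by the Front End (not the Web Services certificate), so that certificate has to (a) carry the pool FQDN from the SIP zone and the Front End servers' own FQDNs from the resource domain as SANs, and (b) chain to a CA the workstations already trust. A wildcard entry cannot stand in for those names on the Default certificate; requesting it from an internal enterprise CA removes the need to push a self-signed certificate to every workstation. Assumed names: resource domain resources.test, Front Ends sfbfe01/sfbfe02.resources.test, enterprise CA ca01.resources.test\Resources-Test-CA, friendly name "SfB FE Server Default" and the report path are all placeholders; the pool FQDN and SIP zone are the ones from the post. Run in the Skype for Business Server Management Shell on each Front End.

```powershell
# Added example, not code from the original post. Assumed (placeholder) names:
#   resource (AD) domain:   resources.test
#   Front End servers:      sfbfe01.resources.test, sfbfe02.resources.test
#   SIP domain / DNS zone:  test.something.wa.edu.au      (from the post)
#   pool FQDN:              skypepool.test.something.wa.edu.au (from the post)
#   internal enterprise CA: ca01.resources.test\Resources-Test-CA

$PoolFqdn  = 'skypepool.test.something.wa.edu.au'
$FeFqdns   = @('sfbfe01.resources.test', 'sfbfe02.resources.test')
$IssuingCA = 'ca01.resources.test\Resources-Test-CA'
$Friendly  = 'SfB FE Server Default'

# One SAN list covering the pool name in the SIP zone *and* the FE names in the
# AD domain. The topology requires the FE servers' own FQDNs on the Default cert,
# which is why the wildcard (*.test.something.wa.edu.au) cannot be used here.
$RequiredNames = @($PoolFqdn) + $FeFqdns
$SanList = $RequiredNames -join ','

# Request a Default (SIP/MTLS) certificate from the enterprise CA.
# -AllSipDomain also adds sip.<sipdomain> for every SIP domain in the topology.
Request-CsCertificate -New -Type Default `
    -CA $IssuingCA `
    -FriendlyName $Friendly `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    -DomainName $SanList `
    -AllSipDomain `
    -Report 'C:\Logs\Request-DefaultCert.html'

# Locate the issued certificate in the machine store by friendly name.
$Cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $Friendly } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $Cert) { throw "Certificate '$Friendly' not found in LocalMachine\My" }

# Check 1: every required name is present in the Subject Alternative Name
# extension (OID 2.5.29.17). A name missing here fails TLS for whoever
# connects by that name: clients use the pool FQDN, peers use the FE FQDN.
$SanExt  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$SanText = if ($SanExt) { $SanExt.Format($true) } else { '' }
foreach ($Name in $RequiredNames) {
    if ($SanText -notmatch [regex]::Escape($Name)) {
        throw "SAN is missing '$Name'"
    }
}

# Check 2: the chain builds on this machine. Domain-joined workstations pick up
# the enterprise CA root from Active Directory, which is exactly what a
# self-signed OpenSSL certificate lacks.
if (-not $Cert.Verify()) { throw "Chain for $($Cert.Thumbprint) does not verify" }

# Assign it as the Server Default certificate and restart the Front End services.
Set-CsCertificate -Type Default -Thumbprint $Cert.Thumbprint
Stop-CsWindowsService
Start-CsWindowsService
```

The wildcard certificate stays on the Web Services internal/external types, where wildcard SAN entries are supported; only the Default certificate is replaced. If the workstations are not members of the same forest as the enterprise CA, the CA's root still has to reach them (for example through Group Policy), otherwise Check 2 passes on the server while clients continue to see the trust error described in the post.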