The Lync Server Access Edge service not starting (ipconfig / certificate problem?)

hey guys,

I am trying to install Lync Server 2010 for the first time. After installing everything I have a problem on the edge server: the Lync Server Access Edge service doesn't want to start and is giving a specific error:

The Lync Server Access Edge service terminated with service-specific error %%-2146762480.

I have searched in the forums; I only read that it might have something to do with the IP config or the certificates, but I have no idea what exactly.

I have the following servers:

sql server (domain member)
Archive server (domain member)
Monitoring server (domain member)
and the edge server (not a domain member)

This edge server has two NICs, one with an internal address and one with a public address.
For the internet side I used an internal AD CA for a certificate; for the external side I used a GoDaddy certificate.

Does anyone have any idea? I am happy to provide additional information.

thx, JW

July 29th, 2011 1:48pm

This may be a stupid question but you don't mention having an internal pool server. Did you forget to mention it?
July 29th, 2011 1:59pm

Hi JW,

I suppose you deployed a Lync Standard Edition server, which collocates the back-end database server with the Front End server, since you only mentioned a SQL server and no Front End pool.

For the IP configuration side, you stated you have one public IP address, so your three edge server roles will be assigned the one single public address; then you must specify different ports for your Access Edge server, Web Conferencing Edge server and A/V Edge server. Would you please verify you have assigned different ports to these three server roles?

For the certificate side, could you elaborate more on this? How did you assign the certificate? Would you please check your certificate configuration with the following link:

http://technet.microsoft.com/en-us/library/gg398519.aspx

Hope these are useful!

Regards,

Sharon


August 1st, 2011 9:14am

For the edge server you need to specify either 3 IP addresses on the external interface, then update your topology on the edge server (192.168.1.10 av.domain.com, 192.168.1.11 webconf.domain.com, 192.168.1.12 sip.domain.com), OR 1 IP address, but then you need to change the port numbers in the edge topology to use just the 1 address.


For the certificates, you need 2: 1 for the internal certificate (preferably obtained from an internal CA); the second one from a 3rd party SSL provider (GoDaddy, Entrust etc...) which will have all the external names you configured in your topology: webconf.domain, sip.domain, lyncserver.domain.

Some docs say you need to add the A/V name to your external SSL. This is not the case anymore; you can publish your SSL cert for your edge server needing only the 3 names.

When I first started deploying Lync in a lab, I had the issue with not being able to start the edge service due to IP address errors.

We used 3 IP addresses on the external interface: 192.168.1.10, 11, 12. On the internet side we used 3 external routable IP addresses, then we used our router to direct the traffic from the outside (webconf, av, sip) to the correct IP address defined in the topology.

My rule of thumb for Lync certs: if you DON'T require any additional SIP domains for the SSL, just leave the defaults that the certificate wizard selects.


  • Proposed as answer by Tim_MCP Monday, August 01, 2011 8:54 PM
August 1st, 2011 8:50pm

hey mike,

Yes, I am sorry, I forgot to mention it. I also have a Front End server with one NIC and an internal address, and it is a domain member.

August 2nd, 2011 12:56pm

Thank you for your answer, but it is not the Standard Edition. Those are all separate servers.
August 2nd, 2011 12:57pm

Hey Tim,

Thanks for helping me. I am using one IP address externally. And if I understand correctly I am using ports 443, 444 and 5061 (as suggested automatically by the Topology Builder).

Internally I used an internal CA and externally I used a GoDaddy multidomain certificate, as we are planning to use multiple domains on it. I used the wizard from the setup and ran a request. In the wizard I then see the following subject names and subject alternate names:
sip.domain1.xx
webconf.domain1.xx

And then in the next screen I can check other domains, so I also checked the other domains:
domain2.xx
domain3.xx
domain4.xx
domain1.xx (also the first domain is here and I checked it to be sure)

While I was gathering this information I noticed that the certificate wizard says that the external edge certificate status = invalid. So there is my problem most likely, although I do not understand why it is invalid.


August 2nd, 2011 1:22pm

So when using 1 IP address externally you will need to change the ports in your topology.


Under Edge Pools -> right click your edge pool and click Edit; down near the bottom make sure "Enable separate FQDN and IP address for web etc..." is UNCHECKED.

The first FQDN, sip.domain.com, port 443 (TLS); for the other 2, webconf and av, just change the port numbers. So when you request your 2 certs the only names will be the pool FQDN, sip.domain and your other SIP domains. On your router/gateway open the 3 ports you selected from Outbound -> Inbound. For your external DNS: sip.domain -> external IP address going to your firewall/gateway.

Note that your edge server is not on the domain, so you will need to edit your hosts file and add your Front End pool/server internal IP address and FQDN server name.

When you get "invalid" for the certificate, which cert is it? The internal CA or GoDaddy?

August 2nd, 2011 5:00pm

hey tim,

I have been occupied with other things lately, so my apologies for my late reply.

The invalid certificate is the GoDaddy certificate. Not sure what went wrong there. The firewall ports are open.

You are saying that I need to change the topology, but I am not sure if I follow. In the Topology Builder I already said that I am using one IP address and configured three different ports. I have the feeling this is correct already?

When following the wizard for requesting the GoDaddy certificate I am getting the following values:

The following will be automatically populated for the subject name and the subject alternate name:
sip.domain.com
webconf.domain.com

When I click next I can check the other domains including the original domain, so:
domain.com
domain.nl
domein.eu
domein2.com

When I click next I get 'Configure additional subject alternate names'.
I don't fill in anything here...

And then I finish the wizard. Is this the correct way?


August 19th, 2011 9:59am

Yes, that is correct; you do not need to add anything into the "configure additional". After your certificates are configured the services should start. I had an issue last week with the edge service not starting; found that it was a subnet mask issue. The mask I entered didn't fall into the range of IPs I selected.
August 19th, 2011 7:39pm

Hey, I reassigned a new certificate and now the Lync Server Access Edge service is starting, so that problem is solved.

However I am still unable to log in.


If I take a cleanly installed Windows 7 machine, not a member of any domain, in the same subnet as the edge, and I install the Lync client I get the error message:

There was a problem verifying the certificate from the server.

Any idea what that is? Might that have something to do with the GoDaddy certificate?

August 22nd, 2011 1:39pm

I used GoDaddy in my lab and haven't had any issues, but it's possible that it doesn't have the root. You can use any of the SSL providers' cert checkers to verify that you have the cert installed correctly on the server.

You can use http://www.digicert.com/help/ to check your cert (example: access.domain.com:5061).

If you download the utility you can use that to check the cert on any machine/port you can connect to.

August 11th, 2012 11:12pm
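A scripted version of the two checks this thread circles around (the name list Tim describes for the external Edge cert, and the chain/validity check the DigiCert tool performs), added here as an example and not code from the thread or from any Microsoft or DigiCert tool. It assumes each extra SIP domain ticked in the wizard lands on the cert as sip.<domain>; the sample certificate dict is constructed, and `fetch_peer_cert` is the only part that touches the network.

```python
import socket
import ssl
import time

# Names the topology in this thread puts on the external Edge certificate.
# Constructed sample values, not from any real deployment.
REQUIRED_NAMES = ["sip.domain.com", "webconf.domain.com"]
SIP_DOMAINS = ["domain.com", "domain.nl"]  # each ticked SIP domain adds sip.<domain> (assumption)

# Constructed stand-in for what ssl.getpeercert() returns; lets the checks run offline.
SAMPLE_CERT = {
    "subject": ((("commonName", "sip.domain.com"),),),
    "subjectAltName": (("DNS", "sip.domain.com"), ("DNS", "webconf.domain.com"), ("DNS", "sip.domain.nl")),
    "notBefore": "Aug  1 00:00:00 2011 GMT",
    "notAfter": "Aug  1 00:00:00 2012 GMT",
}

def fetch_peer_cert(host, port=5061, timeout=5.0):
    """Implicit TLS (SIP/TLS on 5061 has no STARTTLS); the default context validates the
    chain, so a missing or untrusted root raises ssl.SSLCertVerificationError here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def hostname_matches(pattern, name):
    """Exact match, or one leftmost wildcard label (*.domain.com covers sip.domain.com)."""
    pattern, name = pattern.lower(), name.lower()
    if pattern == name:
        return True
    return pattern.startswith("*.") and name.count(".") >= 2 and name.split(".", 1)[1] == pattern[2:]

def cert_names(cert):
    """DNS SANs plus the subject CN, the set a client searches for the server name."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    names += [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]
    return names

def check_edge_cert(cert, required=REQUIRED_NAMES, sip_domains=SIP_DOMAINS, now=None):
    """Report expected names absent from the cert and whether the validity window holds."""
    wanted = list(required) + ["sip." + d for d in sip_domains]
    present = cert_names(cert)
    missing = [n for n in wanted if not any(hostname_matches(p, n) for p in present)]
    now = time.time() if now is None else now
    return {
        "missing": missing,
        "expired": now > ssl.cert_time_to_seconds(cert["notAfter"]),
        "not_yet_valid": now < ssl.cert_time_to_seconds(cert["notBefore"]),
    }
```

Against a live Edge, `check_edge_cert(fetch_peer_cert("sip.domain.com"))` gives the same verdict the client does: a chain error surfaces as an exception before the name check runs, and a missing SAN shows up in `missing`.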

Hello,

You can find information on https://support.microsoft.com/en-us/kb/2877261

Best Regards

April 11th, 2015 9:29pm
