Lync Server 2010 Standard SSL Deployment Question

Posted on 2011-05-10
Last Modified: 2012-05-11
Working on deploying a Lync 2010 Standard server, and would like to keep all of the roles dedicated to just one box.  While this is a supported configuration from Microsoft, I am having issues connecting to the system externally.  My issue is that the internal AD domain is a ".net" extension, and the external domain is a .com, and unfortunately, we do not own the public .net domain name.  This is causing an issue when it comes to our SSL certificate, because I am having to use a private internal CA to generate the .net SSL cert, and then using GoDaddy to give us the .com cert.  Is this going to be possible to use both certs on the one system, and have clients connect correctly?  Right now, internal connections work normally, but externally, users get "unable to verify server certificate" message from the Lync Client.

When I went through the Lync SSL wizard, I did assign the internally created cert to the server default section, and the internal web server section, and the GoDaddy cert to the external web server.  If I hit from the external side, I get a "403 - Forbidden: Access is denied" message, but it does show the correct SSL cert.  So at this point, I am not sure if I have something configured wrong, or if I am going about this the wrong way.  Part of me is thinking that I am going to have to deploy a dedicated edge server because of the separate domains, but I am hoping to avoid that.

Currently, we have ports 80, 443, 8080, 4443, and 5061 forwarded through the firewall to the lync server.  I was also unable to definitively determine which ports were needed through the firewall for Lync 2010, so if anyone can shed some light on that side, that would be helpful as well.

Please ask for any other information you may need!
Question by:ThaVWMan
    LVL 33

    Accepted Solution

    1- you will have to use at least 2 servers (edge and front end).
    2- this will be doable, use one certificate that has .com and use split DNS infrastructure.
    LVL 12

    Assisted Solution

    You don't have to use an Edge server if you understand that port-forwarding traffic to the Front End server is less-secure and will not provide you any of the external Lync features except for basic external user login for IM/Presence.  All other features (Federation, PIC) or modalities (audio, video, desktop sharing, etc) will not function externally without an Edge Server.

    Also changing the external Web Service certificates does nothing in terms of allowing the clients to login externally.  You'll need to have a single, public certificate issued to the Standard Edition server which contains all FQDNs in use in the environment, (e.g. and
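The answer above hinges on one point: the single public certificate must cover every FQDN a client will try to validate, which is exactly what the poster cannot get for the internal .net namespace. The following is an added example (not code from this thread, from Microsoft, or from any Lync tooling) that checks a list of required FQDNs against a certificate's Subject Alternative Names using the one-label wildcard rule from RFC 6125, and reports which names a client would reject. All hostnames and the suffixes are constructed sample values.

```python
# Added example: check which FQDNs a certificate's SANs fail to cover.
# Hostnames below are constructed for illustration only.

# Constructed sample: SANs on a single public certificate for a
# Standard Edition server (hypothetical names, not from the thread).
SAMPLE_CERT_SANS = [
    "lync.example.com",
    "sip.example.com",
    "meet.example.com",
    "dialin.example.com",
    "*.example.com",
]

# Constructed sample: FQDNs a client may validate during login. The last
# one lives in the internal AD namespace, for which no public CA will
# issue a certificate to someone who does not own that public domain.
SAMPLE_REQUIRED_FQDNS = [
    "lync.example.com",
    "sip.example.com",
    "lyncweb.example.com",    # covered only by the wildcard entry
    "lync.corp.example.net",  # internal AD name, absent from the cert
]


def san_matches(san: str, fqdn: str) -> bool:
    """Return True if one SAN entry covers the FQDN.

    Follows the conservative RFC 6125 rule: a wildcard may only stand in
    for the entire left-most label and never spans more than one label.
    Comparison is case-insensitive and ignores a trailing dot.
    """
    san, fqdn = san.lower().rstrip("."), fqdn.lower().rstrip(".")
    if "*" not in san:
        return san == fqdn
    # Reject partial wildcards ("lync*.example.com") and multiple wildcards.
    if not san.startswith("*.") or "*" in san[1:]:
        return False
    san_labels, fqdn_labels = san.split("."), fqdn.split(".")
    if len(san_labels) != len(fqdn_labels):
        return False  # "*.example.com" does not cover "a.b.example.com"
    return san_labels[1:] == fqdn_labels[1:]


def uncovered_fqdns(required, sans):
    """Return the required FQDNs no SAN entry covers, in input order."""
    return [f for f in required if not any(san_matches(s, f) for s in sans)]


def names_outside_public_suffix(fqdns, public_suffix):
    """Return the FQDNs that are not under the publicly owned suffix.

    These are the names that a public CA cannot certify for this
    organisation; the thread's accepted answer handles them by moving
    clients to the public names via split DNS rather than by adding
    them to the certificate.
    """
    suffix = "." + public_suffix.lower().strip(".")
    return [f for f in fqdns if not f.lower().rstrip(".").endswith(suffix)]


def coverage_report(required, sans, public_suffix):
    """Summarise which names fail validation and why."""
    missing = uncovered_fqdns(required, sans)
    return {
        "uncovered": missing,
        "not_certifiable_publicly": names_outside_public_suffix(
            missing, public_suffix
        ),
    }


if __name__ == "__main__":
    report = coverage_report(SAMPLE_REQUIRED_FQDNS, SAMPLE_CERT_SANS, "example.com")
    for name in report["uncovered"]:
        print(f"client would reject certificate for: {name}")
    for name in report["not_certifiable_publicly"]:
        print(f"cannot be added to a public cert, use split DNS for: {name}")
```

Run as a script it lists the names a client would reject; in the constructed sample only the internal .net name fails, which mirrors the poster's situation: the fix is not another certificate for that name but pointing clients at a name under the publicly owned domain.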
    LVL 9

    Author Comment


    Yes, I knew that I didn't have to have two different servers, at least not if I could get the correct SSL cert.  But that was the problem all along, I don't have a good way of getting an SSL cert with the subject alt names that cover both my .net internal domain and .com external domain.  And at this point we are only planning on using Lync for the IM/Presence features, so not having the edge server was not a huge deal for now.

    But, since we cannot overcome the SSL issue, we are spinning up an Edge box.  I just wanted to verify there were no other options!
