

Lync Server 2010 Standard SSL Deployment Question

Posted on 2011-05-10
Medium Priority
Last Modified: 2012-05-11
Working on deploying a Lync 2010 Standard server, and would like to keep all of the roles dedicated to just one box.  While this is a supported configuration from Microsoft, I am having issues connecting to the system externally.  My issue is that the internal AD domain is a ".net" extension, and the external domain is a .com, and unfortunately, we do not own the public .net domain name.  This is causing an issue when it comes to our SSL certificate, because I am having to use a private internal CA to generate the .net SSL cert, and then using GoDaddy to give us the .com cert.  Is it going to be possible to use both certs on the one system and have clients connect correctly?  Right now, internal connections work normally, but externally, users get an "unable to verify server certificate" message from the Lync client.

When I went through the Lync SSL wizard, I did assign the internally created cert to the server default section, and the internal web server section, and the GoDaddy cert to the external web server.  If I hit https://server.domain.com:4443 from the external side, I get a "403 - Forbidden: Access is denied" message, but it does show the correct SSL cert.  So at this point, I am not sure if I have something configured wrong, or if I am going about this the wrong way.  Part of me is thinking that I am going to have to deploy a dedicated edge server because of the separate domains, but I am hoping to avoid that.

Currently, we have ports 80, 443, 8080, 4443, and 5061 forwarded through the firewall to the lync server.  I was also unable to definitively determine which ports were needed through the firewall for Lync 2010, so if anyone can shed some light on that side, that would be helpful as well.

Please ask for any other information you may need!
Question by: ThaVWMan
LVL 33

Accepted Solution

Busbar earned 1000 total points
ID: 35735539
1. You will have to use at least 2 servers (Edge and Front End).
2. This will be doable: use one certificate that has .com and use a split DNS infrastructure.
LVL 12

Assisted Solution

Jeff_Schertz earned 1000 total points
ID: 35736868
You don't have to use an Edge server if you understand that port-forwarding traffic to the Front End server is less secure and will not provide you any of the external Lync features except for basic external user login for IM/Presence.  All other features (Federation, PIC) or modalities (audio, video, desktop sharing, etc.) will not function externally without an Edge Server.

Also changing the external Web Service certificates does nothing in terms of allowing the clients to login externally.  You'll need to have a single, public certificate issued to the Standard Edition server which contains all FQDNs in use in the environment, (e.g. server.domain.net and sip.domain.com).
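The symptom in this thread (the client trusts the certificate's CA but rejects it externally) comes down to whether the name the client connected to appears in the certificate's Subject Alternative Names. The following is an added example, not code from any of the participants: a small stdlib-only checker that applies the usual dNSName matching rules (case-insensitive, one wildcard allowed only as the whole left-most label) to a constructed SAN list and reports which of the FQDNs in use are not covered. The SAN entries and hostnames are constructed placeholders modelled on the thread (server.domain.net, sip.domain.com).

```python
"""Report which required FQDNs a certificate's SAN list does not cover.

Constructed example: the SAN lists and hostnames below are illustrative
placeholders, not taken from any real certificate.
"""


def dnsname_match(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName entry against a hostname.

    Rules applied: case-insensitive comparison, trailing dots ignored, and a
    wildcard is accepted only as the entire left-most label (so "*.domain.com"
    matches "sip.domain.com" but not "a.b.domain.com", and "*.com" is rejected).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial wildcards ("s*.domain.com"), wildcards that would cover a
    # whole public suffix ("*.com"), and label-count mismatches.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def uncovered_names(san_dns_names, required_fqdns):
    """Return the required FQDNs that no SAN entry matches, in input order."""
    return [
        host for host in required_fqdns
        if not any(dnsname_match(san, host) for san in san_dns_names)
    ]


# Constructed SAN lists for the two certificates described in the question.
INTERNAL_CA_CERT = ["server.domain.net"]                      # private CA, .net only
PUBLIC_COM_CERT = ["server.domain.com", "sip.domain.com"]      # public CA, .com only
# FQDNs the answer says must all be present on a single certificate.
REQUIRED = ["server.domain.net", "sip.domain.com"]

if __name__ == "__main__":
    for label, sans in (("internal CA cert", INTERNAL_CA_CERT),
                        ("public .com cert", PUBLIC_COM_CERT)):
        missing = uncovered_names(sans, REQUIRED)
        print(f"{label}: missing {missing if missing else 'nothing'}")
```

Running it shows each certificate leaving one of the two names uncovered, which is why neither can satisfy both internal and external clients on its own.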

Author Comment

ID: 35742495

Yes, I knew that I didn't have to have two different servers, at least not if I could get the correct SSL cert.  But that was the problem all along: I don't have a good way of getting an SSL cert with the subject alt names that cover both my .net internal domain and .com external domain.  And at this point we are only planning on using Lync for the IM/Presence features, so not having the Edge server was not a huge deal for now.

But, since we cannot overcome the SSL issue, we are spinning up an Edge box.  I just wanted to verify there were no other options!
