Solved

Lync 2010 Certificates

Posted on 2011-09-06
13
688 Views
Last Modified: 2012-05-12
Okay, so I'm deploying a Lync system in my network.  I have a Lync Standard Server installed with an Edge server I am deploying.  As of now I have a public cert on the Standard Server and am to the point where I need to get a cert for the Edge server, but I need some clarification.  I know not all the services need a public certificate, but do I need a public certificate installed on both the Standard server and the Edge server?
Question by:Computech
13 Comments
 
LVL 14

Expert Comment

by:robincm
ID: 36490916
0
 
LVL 8

Expert Comment

by:djjackfrwmml
ID: 36491639
Standard server needs an internal cert; the edge server is in the DMZ and needs an internal as well as a public cert.  Will you also be deploying a reverse proxy?  If so, this needs both as well.
0
 

Author Comment

by:Computech
ID: 36491785
What about the meet.contoso.com and the dialin.contoso.com URLs?  Don't they need to be accessible from the outside?  That is hosted on the Standard server, while everything else is hosted on the edge server.
0
 
LVL 8

Expert Comment

by:djjackfrwmml
ID: 36491807
If everything was set up correctly in the topology builder, when you request both the internal cert (Step three in configuration of the FE server) and external cert (Step 3 when you are requesting it from the Edge server) the correct info will be populated automatically.

These show up as SANs, I believe.
0
 

Author Comment

by:Computech
ID: 36491935
Here is what I did.  I set up the Standard server with a public cert as, from what I understood, dialin and meet needed to be externally accessed.  Then after the Standard server was set up and configured, I set up the Edge server, then realizing that it needs a public cert, and that it was a little ridiculous to have two servers with their own public certs, I've been investigating what I'm missing.  Did I configure my Standard server wrong?  As I understand it, meet.contoso.com and dialin.contoso.com are both used by the Standard server so that people externally can dial in to a meeting and join a meeting, but then for Federation, Audio/Visual, and other Lync services I set up lync.contoso.com and an external cert on the Edge server for those services.  It doesn't make sense why meet and dialin aren't pushed on to the Edge server as that is the point of having an Edge server.
0
 
LVL 8

Expert Comment

by:djjackfrwmml
ID: 36498333
OK, there are a couple things here:

1.  Is the Edge server in the DMZ and are you using a Reverse Proxy?
2.  Did you just order the certs or did you use the Deployment wizard in Lync (step 3 in deployment) to set it all up?  Lync is very cert specific and if it was done incorrectly that could lead to all sorts of mess.
3.  Usually meet.domain.com and dialin.domain.com (your simple URLs) are configured in the topology builder and then when the Edge server is rolled out Step 3 of the deployment wizard asks for internal and external certs.  The internal is the same cert you used for your Standard server.  The external is from a company like Verisign.
4.  Did you use an internal CA for the Standard server or did you use an external for that too?
5.  As far as those URLs going through Edge... they do.  They interface with Edge for routing into the front end server.

Here is a link to a VERY helpful diagram.

Also might I suggest a book, Lync Server 2010 Unleashed.  It is very helpful for this kind of stuff.
0
 

Author Comment

by:Computech
ID: 36499060
1. No, my Edge server is on the LAN, but I will eventually move it there.  No, I don't have a Reverse Proxy at this time.

2.  I used the deployment wizard to generate the .req files and get the cert installed on the Standard server.

3.  I used one public cert for all the domain names, internal and external on the Standard server, and was planning on doing the same on the Edge server, if that is what I need to do.

4.  I don't have an internal CA installed on my network, so no internal CA as I thought that having one cert for the whole server would take care of it all.

5.  So, if I'm understanding this portion, then the dialin and meet don't need to be external?

I used a public cert as I have multiple SIP domains specified, my internal domain and two external domains.  I have a Lync 2010 book, but it doesn't really explain how to setup Lync when I have an internal domain and an external domain.
0
 
LVL 8

Expert Comment

by:djjackfrwmml
ID: 36499116
OK.  As far as the certs: you can use an external CA for everything, it is just costlier.  If you did the req files through Lync you should be OK there.

As far as one internal and one external, do you mean that your AD domain is like domain.local and your external-facing domain is domain.com?  Also consider what your email is (my guess is .com) and in that case your SIP address will be domain.com and the certs will all be .com as well.  Then you will do DNS routing going to the Edge server, which should be in a DMZ with one NIC external to the DMZ using the .com cert and the internal NIC facing internally using the internal .local cert.

Does that help at all?
0
 

Author Comment

by:Computech
ID: 36503740
Okay, so let me recap to make sure I'm understanding everything correctly.  So, even though I have the SIP domains of contoso.local (which is internal), contoso.ws and contoso.biz (which are external), I should be okay to have just an internal cert for the Standard server as the meet and dialin don't need to be accessible externally?  Then the Edge server is the only one that needs a public cert to handle its services, but I can use an internal cert on all the internal names to save money on the cert.

Does that sound about right?
0
 

Author Comment

by:Computech
ID: 36577136
Okay, so an additional question.  Is a reverse proxy necessary?  If so, is this where the meet and dialin URLs go to?  And is this why the Standard Server doesn't need a public certificate?
0
 
LVL 8

Expert Comment

by:djjackfrwmml
ID: 36581880
If you used the cert requestor that is part of the Deployment (Step 3) to generate the cert requests, you should be OK with those.  I cannot tell you for certain what all the cert includes; however, I do know that the cert req file generated by the Edge server will have the correct info on it.

As far as the proxy, the short answer is yes.  You can read where people didn't deploy it, but I think that since Microsoft does not support that structure, you have to get the system to function in a way it wasn't intended and, in my opinion, it leaves you more vulnerable, so yeah, I would do it.  The meet and dialin URLs point there.  The standard server does not need a public cert because the external user does not interface with the server directly; they get passed into the FE from the Edge server, which does have an external cert.

This may help: http://technet.microsoft.com/en-us/library/gg398920.aspx
0
 

Accepted Solution

by:
Computech earned 0 total points
ID: 37347736
We were able to get Lync going by eliminating the Proxy Server.  This meant that we had to get public certs for both the Edge Server and the Standard Server.  Meet and Dialin do have to be on the certificate for the Standard Server as they are pointed to the Standard Server through a NAT policy.
0
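Since the accepted solution hinges on the Standard server's public certificate actually carrying the meet and dialin names (and the Edge certificate carrying its own external names), here is an added example, not code from the thread or from Lync, that audits a certificate's SAN list against what each role must present. The topology, the SAN lists and the `sip.<domain>` convention for the Edge are constructed assumptions.

```python
# Added example, not code from the thread: does a certificate's SAN list cover
# the hostnames a Lync 2010 role must present? All names below are constructed.

def hostname_matches(san: str, name: str) -> bool:
    """Match one SAN entry against a hostname. A wildcard counts only as the
    whole leftmost label and matches a single label (RFC 6125 rules)."""
    san, name = san.lower().rstrip("."), name.lower().rstrip(".")
    if san == name:
        return True
    if not san.startswith("*."):
        return False
    san_labels, name_labels = san.split("."), name.split(".")
    return len(san_labels) == len(name_labels) and san_labels[1:] == name_labels[1:]

def required_names(role: str, topology: dict) -> set:
    """Names a role must carry, following the thread: the Standard (Front End)
    server presents its own FQDN plus the meet/dialin simple URLs when those are
    NATed straight to it; the Edge presents its external FQDN plus (assumption,
    the usual Access Edge convention) sip.<domain> for every SIP domain."""
    if role == "frontend":
        return {topology["pool_fqdn"], *topology["simple_urls"]}
    if role == "edge":
        return {topology["edge_external_fqdn"],
                *(f"sip.{d}" for d in topology["sip_domains"])}
    raise ValueError(f"unknown role {role!r}")

def missing_names(cert_sans, required) -> list:
    """Required names that no SAN entry covers, sorted for stable output."""
    return sorted(n for n in required
                  if not any(hostname_matches(s, n) for s in cert_sans))

# Constructed topology like the thread's: one internal and two public SIP domains.
TOPOLOGY = {
    "pool_fqdn": "lyncfe.contoso.biz",
    "sip_domains": ["contoso.local", "contoso.ws", "contoso.biz"],
    "simple_urls": ["meet.contoso.ws", "dialin.contoso.ws",
                    "meet.contoso.biz", "dialin.contoso.biz"],
    "edge_external_fqdn": "lync.contoso.biz",
}
# Constructed SAN lists as they might appear on the two public certificates.
FRONTEND_SANS = ["lyncfe.contoso.biz", "meet.contoso.ws", "dialin.contoso.ws",
                 "meet.contoso.biz"]
EDGE_SANS = ["lync.contoso.biz", "*.contoso.biz", "sip.contoso.ws"]

def audit(topology=TOPOLOGY, fe_sans=FRONTEND_SANS, edge_sans=EDGE_SANS) -> dict:
    """Gaps per role; an empty list means that certificate is complete."""
    return {"frontend": missing_names(fe_sans, required_names("frontend", topology)),
            "edge": missing_names(edge_sans, required_names("edge", topology))}
```

In the constructed data the Standard server cert lacks dialin.contoso.biz and the Edge cert lacks sip.contoso.local, which a public CA would not issue anyway; that is the gap the thread's internal-cert-on-the-internal-NIC advice closes.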
 

Author Closing Comment

by:Computech
ID: 37362826
Lync is a mess of a product and definitely needs more work to even be friendly to the System Admins.  It is possible to install Lync without a Microsoft ISA server acting as the proxy.  It is a little more messy, but it saves you the trouble of having another server.  You do have to make some minor changes to your Standard Server, but beyond that, it is well worth the cost savings if you already have a good firewall.
0
