  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2998

How to fix certificate error when remotely accessing Lync 2013 Front End server?

I set up Lync 2013 Front End Server using Matt Landis’ how-to here: http://windowspbx.blogspot.com/2012/07/step-by-step-installing-lync-server.html.  I followed the steps exactly, substituting information specific to my deployment as necessary.  The Lync conference client works locally using user@domain.local.  I have a self-assigned SAN certificate for domain.local. I’ve added a SIP domain for domain.net and verified that one of the alternative names on the certificate is lync.domain.net.

I added lync.domain.net to the domain DNS control panel.

I’ve also set up the following port forwards in the router:
--5016 (externally and internally) to internal IP of Lync FE server
--8080 (externally) to 80 (internally) to the internal IP of the Lync FE server
--4443 (externally) to 443 (internally) to the internal IP of the Lync FE server

I decided to try to access Lync remotely.  I manually configured the connection settings as follows:
--Internal server name: lync.domain.local
--External domain name: lync.domain.net
--username: user@domain.local

The Lync 2013 client returns the following error: There was a problem verifying the certificate from the server.

I then gave it a shot using www.testexchangeconnectivity.com and it failed at the following step:

Certificate trust is being validated.
       Certificate trust validation failed.
              Test Steps
              The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=lync.domain.local, OU=IT, O=COMPANY, L=CITY, S=IL, C=US.
       A certificate chain couldn't be constructed for the certificate.
              Additional Details
       The certificate chain couldn't be built. You may be missing required intermediate certificates.
Elapsed Time: 24 ms.

(Once I’ve got the conference client working remotely, I intend to add the phone service component to be able to make and receive phone calls from Lync-equipped workstations.)

Primary question:
--How do I go about resolving the certificate error?

Secondary questions:
--Can I make Lync work remotely with a self-signed certificate?
--Do I need an Edge server?  (I’m hoping I can get by without one, but if need be, it can be added.)
--Am I overlooking anything?  If so, what?

Thanks!
Asked: SINC_dmack
1 Solution
Jian An LimCommented:
The idea of an internal DC's root cert is that it gets imported to all the machines.

2nd, when you import your certificate, you need to import it properly with the chain.

2. Self-signed is not supported, as it is even harder to deploy your certificate to all machines.

3. You need an Edge server only if you want to let users from outside the network access the service.
SINC_dmackAuthor Commented:
Thanks for the reply.  How do I go about importing my certificate properly within the chain?  Is there an intermediate certificate that I need to import?

I do want to have external users access the Lync services.  But if my internal users can access those services, shouldn't external access be as simple as having external DNS configured properly and having the right ports forwarded in my router?  I kind of figured an Edge server would be necessary if there was a pool of Lync servers behind it, not if there was just one Front End server.
Jian An LimCommented:
Just realised you are using an internal root CA, so the online tools will not work.

Let's work it out this way:
usually an internal domain will not use an internet-routable address (lync.domain.local),
and the internet-routable address is for external use.
This also makes sure that federation with other companies will work.

For internal-access-only Lync, the front end server will accept more ports like 5061, 5062, etc., whereas the Edge server streamlines everything into HTTPS only. That's the difference.

http://technet.microsoft.com/en-us/library/gg398833.aspx

I would strongly suggest using a 3rd-party cert.
The cheapest one I found is like 9 dollars, and a wildcard is like 30 dollars per year (although security freaks will say no to wildcards).
SINC_dmackAuthor Commented:
Hi limjianan,

I'll plan to install a 3rd-party certificate.  Can I use a single-site cert (i.e. lync.company.com) or will I need a SAN cert with additional FQDNs?

The article you linked to lists a bunch of ports in the 5061-5087 and 8057-8080 range that are used by a Lync FE server.  Will I need to forward all (or most) of those ports to the Lync FE server through my router, or will Lync work with just 5061 and 443?

Thanks!
Jian An LimCommented:
If you use an Edge, you only need to port 443 TCP (and for better performance, UDP 3478) inbound and outbound.

Read
http://technet.microsoft.com/en-us/library/gg425882.aspx



Certificate: you will need a SAN cert.

Read
http://technet.microsoft.com/en-us/library/gg413010.aspx
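The two checks behind the Connectivity Analyzer failure in the question and the SAN-cert advice above, as an added example (not code from the thread or from Microsoft): it models hostname matching (SAN dNSNames before CN, wildcard covering exactly one label) and chain building to a trusted root, over constructed stand-in certificates represented as dicts. The internal client passes; the external client fails because it does not trust the internal CA, and a public cert sent without its intermediate fails with the "missing intermediate" condition the test reported.

```python
"""Model of the two checks a Lync client (or the Connectivity Analyzer) applies to a
Front End certificate: name match, then a chain to a root the client trusts. Added
example; the 'certificates' below are constructed dicts, not real CA or Lync data."""

# Constructed stand-ins: subject DN, issuer DN, SAN dNSNames.
INTERNAL_ROOT = {"subject": "CN=domain-local-CA", "issuer": "CN=domain-local-CA", "sans": []}
INTERNAL_FE = {"subject": "CN=lync.domain.local", "issuer": "CN=domain-local-CA",
               "sans": ["lync.domain.local", "lync.domain.net"]}
PUBLIC_ROOT = {"subject": "CN=Public Root", "issuer": "CN=Public Root", "sans": []}
PUBLIC_INTER = {"subject": "CN=Public Issuing CA", "issuer": "CN=Public Root", "sans": []}
PUBLIC_FE = {"subject": "CN=lync.domain.net", "issuer": "CN=Public Issuing CA",
             "sans": ["lync.domain.net", "sip.domain.net"]}

def name_matches(hostname, cert):
    """RFC 6125 style: SAN dNSNames are authoritative; the CN counts only when the
    cert has no SANs. '*' may replace exactly the left-most label, never a whole TLD."""
    cn = cert["subject"].split("CN=", 1)[1].split(",")[0]
    host = hostname.lower().rstrip(".")
    for name in (n.lower() for n in (cert["sans"] or [cn])):
        if name.startswith("*."):
            label, dot, rest = host.partition(".")
            if label and dot and rest == name[2:] and "." in rest:
                return True
        elif name == host:
            return True
    return False

def build_chain(leaf, presented, trusted_roots):
    """Walk issuer -> subject through what the server sent plus the client's roots.
    Returns (ok, detail). Real validators also check signatures, validity and EKU."""
    by_subject = {c["subject"]: c for c in presented + trusted_roots}
    trusted = {c["subject"] for c in trusted_roots}
    chain, cur = [leaf], leaf
    while len(chain) <= 8:  # bounded walk
        if cur["subject"] in trusted:
            return True, " -> ".join(c["subject"] for c in chain)
        nxt = by_subject.get(cur["issuer"])
        if nxt is None:  # the condition the Connectivity Analyzer reported in the question
            return False, f"chain couldn't be built: missing {cur['issuer']}"
        if nxt is cur:   # self-signed, but not one of the client's trusted roots
            return False, f"untrusted self-signed certificate {cur['subject']}"
        chain.append(nxt)
        cur = nxt
    return False, "chain too long"

def verify(hostname, leaf, extra_presented, trusted_roots):
    """Order the client uses: name first, then trust chain. Returns 'ok' or the reason."""
    if not name_matches(hostname, leaf):
        return f"name mismatch: {hostname} not in certificate"
    ok, detail = build_chain(leaf, [leaf] + extra_presented, trusted_roots)
    return "ok" if ok else detail
```

Run `verify("lync.domain.net", INTERNAL_FE, [], [PUBLIC_ROOT])` to see the external-client case: the SAN matches, but the chain stops at the internal CA the remote machine does not trust.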
SINC_dmackAuthor Commented:
Sorry for the delay in responding. I haven't had time to get the certificate purchased, but will update this thread once I do.  Thanks!
SINC_dmackAuthor Commented:
We ended up scrapping Lync and going with Skype.  Points to be awarded to limjianan as his response would have likely been the correct solution.