Solved

How to fix certificate error when remotely accessing Lync 2013 Front End server?

Posted on 2013-10-25
7
2,746 Views
Last Modified: 2015-04-06
I set up Lync 2013 Front End Server using Matt Landis’ how-to here: http://windowspbx.blogspot.com/2012/07/step-by-step-installing-lync-server.html.  I followed the steps exactly, substituting information specific to my deployment as necessary.  The Lync conference client works locally using user@domain.local.  I have a self-assigned SAN certificate for domain.local. I’ve added a SIP domain for domain.net and verified that one of the alternative names on the certificate is lync.domain.net.

I added lync.domain.net to the domain DNS control panel.

I’ve also set up the following port forwards in the router:
--5016 (externally and internally) to internal IP of Lync FE server
--8080 (externally) to 80 (internally) to the internal IP of the Lync FE server
--4443 (externally) to 443 (internally) to the internal IP of the Lync FE server

I decided to try to access Lync remotely.  I manually configured the connection settings as follows:
--Internal server name: lync.domain.local
--External domain name: lync.domain.net
--username: user@domain.local

The Lynch 2013 client returns the following error: There was a problem verifying the certificate from the server.

I then gave it a shot using www.testexchangeconnectivity.com and it failed at the following step:

Certificate trust is being validated.
       Certificate trust validation failed.
              Test Steps
              The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=lync.domain.local, OU=IT, O=COMPANY, L=CITY, S=IL, C=US.
       A certificate chain couldn't be constructed for the certificate.
              Additional Details
       The certificate chain couldn't be built. You may be missing required intermediate certificates.
Elapsed Time: 24 ms.




(Once I’ve got the conference client working remotely, I intend to add the phone service component to be able to make and receive phone calls from Lync-equipped workstations.)

Primary question:
--How I go about resolving the certificate error?

Secondary questions:
--Can I make Lync work remotely with a self-signed certificate?
--Do I need an Edge server?  (I’m hoping I can get by without one, but if need be, it can be added.)
--Am I overlooking anything?  If so, what?

Thanks!
0
Comment
Question by:SINC_dmack
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 37

Expert Comment

by:Jian An Lim
ID: 39602502
the idea of a internal DC's root cert will be import all the machines.

2nd, is when you import your certificate, you need to import it properly with the chain.


2.
self sign is not supported as it takes even harder to deploy your certificate to all machines.

3. you need an edge server only if you want to let users from external the network access the service.
0
 

Author Comment

by:SINC_dmack
ID: 39605715
Thanks for the reply.  How do I go about importing my certificate properly within the chain?  Is there an intermediate certificate that I need to import?

I do want to have external users access the Lync services.  But if my internal users can access those services, shouldn't external access be as simple as having external DNS configured properly and having the right ports forwarded in my router?  I kind of figured an Edge server would be necessary if there was a pool of Lync servers behind it, not if there was just one Front End server.
0
 
LVL 37

Expert Comment

by:Jian An Lim
ID: 39626776
just realise you are using internal root Ca so the online tools will not work.

let's work out this way,
usually internal domain will not use a internet routable address , lync.domain.local
and the internet routable address is for external
this also make sure that federation between other company will work.


for internal access only  lync, the front end server wil accept more ports like 5061, 5062 and etc, where edge server streamline everything into https only. thats the difference

http://technet.microsoft.com/en-us/library/gg398833.aspx

i will strongly suggest to use a 3rd party cert.
the cheapest one i found is like 9 dollars and a wilcard is like 30 dollars per year (although security freak will say no to wilcard)
0
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

 

Author Comment

by:SINC_dmack
ID: 39631302
Hi limjianan,

I'll plan to install a 3rd-party certificate.  Can I use a single-site cert (IE lync.company.com) or will I need a SAN cert with additional FQDNs?

The article you linked to lists a bunch of ports in the 5061-5087 and 8057-8080 range that are used by a Lync FE server.  Will I need to forward all (or most) of those ports to the Lync FE server through my router, or will Lync work with just 5061 and 443?

Thanks!
0
 
LVL 37

Accepted Solution

by:
Jian An Lim earned 500 total points
ID: 39632874
if you use a Edge, you only need to port 443 TCP (and for better performance, UDP 3478) in bound and outbound

Read
http://technet.microsoft.com/en-us/library/gg425882.aspx



certificate  you will need SAN cert name

REAd
http://technet.microsoft.com/en-us/library/gg413010.aspx
0
 

Author Comment

by:SINC_dmack
ID: 39689047
Sorry for the delay in responding. I haven't had time to get the certificate purchased, but will update this thread once I do.  Thanks!
0
 

Author Comment

by:SINC_dmack
ID: 40709258
We ended up scrapping Lync and going with Skype.  Points to be awarded to limjianan as his response would have likely been the correct solution.
0

Featured Post

Get MongoDB database support online, now!

At Percona’s web store you can order your MongoDB database support needs in minutes. No hassles, no fuss, just pick and click. Pay online with a credit card. Handle your MongoDB database support now!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Messaging apps are amazing tools with the power to do a lot of good, but the truth is the process of collaborating with coworkers requires relationships established through meaningful communication - the kind of communication that only happens face-…
Skype is a P2P (Peer to Peer) instant messaging and VOIP (Voice over IP) service – as well as a whole lot more.
The viewer will learn how to simulate a series of sales calls dependent on a single skill level and learn how to simulate a series of sales calls dependent on two skill levels. Simulating Independent Sales Calls: Enter .75 into cell C2 – “skill leve…
The goal of the tutorial is to teach the user how to instant message and make a video call in Skype.
Suggested Courses

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question