Solved

How to fix certificate error when remotely accessing Lync 2013 Front End server?

Posted on 2013-10-25
2,105 Views
Last Modified: 2015-04-06
I set up Lync 2013 Front End Server using Matt Landis’ how-to here: http://windowspbx.blogspot.com/2012/07/step-by-step-installing-lync-server.html.  I followed the steps exactly, substituting information specific to my deployment as necessary.  The Lync conference client works locally using user@domain.local.  I have a self-assigned SAN certificate for domain.local. I’ve added a SIP domain for domain.net and verified that one of the alternative names on the certificate is lync.domain.net.

I added lync.domain.net to the domain DNS control panel.

I’ve also set up the following port forwards in the router:
--5016 (externally and internally) to internal IP of Lync FE server
--8080 (externally) to 80 (internally) to the internal IP of the Lync FE server
--4443 (externally) to 443 (internally) to the internal IP of the Lync FE server

I decided to try to access Lync remotely.  I manually configured the connection settings as follows:
--Internal server name: lync.domain.local
--External domain name: lync.domain.net
--username: user@domain.local

The Lync 2013 client returns the following error: There was a problem verifying the certificate from the server.

I then gave it a shot using www.testexchangeconnectivity.com and it failed at the following step:

Certificate trust is being validated.
       Certificate trust validation failed.
              Test Steps
              The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=lync.domain.local, OU=IT, O=COMPANY, L=CITY, S=IL, C=US.
       A certificate chain couldn't be constructed for the certificate.
              Additional Details
       The certificate chain couldn't be built. You may be missing required intermediate certificates.
Elapsed Time: 24 ms.

(Once I’ve got the conference client working remotely, I intend to add the phone service component to be able to make and receive phone calls from Lync-equipped workstations.)

Primary question:
--How do I go about resolving the certificate error?

Secondary questions:
--Can I make Lync work remotely with a self-signed certificate?
--Do I need an Edge server?  (I’m hoping I can get by without one, but if need be, it can be added.)
--Am I overlooking anything?  If so, what?

Thanks!
Question by:SINC_dmack
7 Comments
Expert Comment
by:Jian An Lim
The idea of an internal DC's root cert is that it will be imported into all the machines.

2nd, when you import your certificate, you need to import it properly with the chain.

2. Self-signed is not supported, as it is even harder to deploy your certificate to all machines.

3. You need an Edge server only if you want to let users from outside the network access the service.
Author Comment
by:SINC_dmack
Thanks for the reply.  How do I go about importing my certificate properly within the chain?  Is there an intermediate certificate that I need to import?

I do want to have external users access the Lync services.  But if my internal users can access those services, shouldn't external access be as simple as having external DNS configured properly and having the right ports forwarded in my router?  I kind of figured an Edge server would be necessary if there was a pool of Lync servers behind it, not if there was just one Front End server.
Expert Comment
by:Jian An Lim
Just realised you are using an internal root CA, so the online tools will not work.

Let's work it out this way:
usually the internal domain will not use an internet-routable address (lync.domain.local), and the internet-routable address is for external.
This also makes sure that federation with other companies will work.

For internal-access-only Lync, the front end server will accept more ports, like 5061, 5062, etc., whereas the Edge server streamlines everything into HTTPS only. That's the difference.

http://technet.microsoft.com/en-us/library/gg398833.aspx

I would strongly suggest using a 3rd-party cert.
The cheapest one I found is like 9 dollars, and a wildcard is like 30 dollars per year (although security freaks will say no to wildcards).
Author Comment
by:SINC_dmack
Hi limjianan,

I'll plan to install a 3rd-party certificate.  Can I use a single-site cert (i.e. lync.company.com) or will I need a SAN cert with additional FQDNs?

The article you linked to lists a bunch of ports in the 5061-5087 and 8057-8080 range that are used by a Lync FE server.  Will I need to forward all (or most) of those ports to the Lync FE server through my router, or will Lync work with just 5061 and 443?

Thanks!
Accepted Solution
by: Jian An Lim earned 500 total points
If you use an Edge, you only need port 443 TCP (and for better performance, UDP 3478) inbound and outbound.

Read
http://technet.microsoft.com/en-us/library/gg425882.aspx

For the certificate, you will need a SAN cert.

Read
http://technet.microsoft.com/en-us/library/gg413010.aspx
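As an added example (not from the thread above and not Microsoft's own tooling), the "certificate chain couldn't be built" failure reported by the Connectivity Analyzer can be reproduced and checked offline with OpenSSL. A constructed, throwaway internal root CA issues a Front End certificate whose CN is lync.domain.local and whose SAN list carries both lync.domain.local and lync.domain.net. Verifying that leaf against the system trust store fails, exactly as a remote client with no knowledge of the internal CA fails; verifying it with the internal root supplied succeeds, which is what importing the CA chain on every client (or replacing the certificate with one from a public CA) achieves. The second check confirms the external name is present as a SAN entry, since clients match the name they connected to against SAN, not CN. All names, paths and key material here are assumptions generated for illustration.

```shell
#!/bin/sh
# Added example: reproduce the "chain couldn't be built" failure with a
# constructed internal root CA, then show the two checks a client needs
# to pass. Names (lync.domain.local, lync.domain.net) mirror the thread;
# the CA and keys are throwaway material generated here, not real data.
set -e

WORK="$(mktemp -d)"

# 1. A throwaway "internal root CA" standing in for the domain's enterprise CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Internal Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# 2. A Front End certificate: CN is the internal name, SAN carries both names.
openssl req -newkey rsa:2048 -nodes \
  -subj "/CN=lync.domain.local/OU=IT/O=COMPANY" \
  -keyout "$WORK/fe.key" -out "$WORK/fe.csr" >/dev/null 2>&1
printf 'subjectAltName=DNS:lync.domain.local,DNS:lync.domain.net\n' > "$WORK/san.cnf"
openssl x509 -req -days 365 -in "$WORK/fe.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -extfile "$WORK/san.cnf" -out "$WORK/fe.pem" >/dev/null 2>&1

# chain_ok LEAF [CABUNDLE]: exit 0 when a chain to a trusted root can be built.
# With no bundle only the system trust store is consulted, which is all a
# remote client or the Connectivity Analyzer has.
chain_ok() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  else
    openssl verify "$1" >/dev/null 2>&1
  fi
}

# has_san LEAF NAME: exit 0 when NAME appears as a DNS entry in the SAN list.
has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

if chain_ok "$WORK/fe.pem"; then
  echo "system trust store: chain OK"
else
  echo "system trust store: chain cannot be built (the remote client's error)"
fi
if chain_ok "$WORK/fe.pem" "$WORK/ca.pem"; then
  echo "with internal root supplied: chain OK"
fi
for name in lync.domain.local lync.domain.net; do
  if has_san "$WORK/fe.pem" "$name"; then
    echo "SAN contains $name"
  else
    echo "SAN is missing $name"
  fi
done
```

To run the same two checks against the real endpoint, capture what the Front End actually presents on the forwarded port with `openssl s_client -connect lync.domain.net:443 -servername lync.domain.net -showcerts`, save the PEM blocks it prints, and feed the leaf to `chain_ok` and `has_san`; a leaf that only passes with the internal CA supplied is one that external clients will reject until that CA is trusted or a public CA certificate replaces it.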
Author Comment
by:SINC_dmack
Sorry for the delay in responding. I haven't had time to get the certificate purchased, but will update this thread once I do.  Thanks!
Author Comment
by:SINC_dmack
We ended up scrapping Lync and going with Skype.  Points to be awarded to limjianan as his response would have likely been the correct solution.