Solved

How to fix certificate error when remotely accessing Lync 2013 Front End server?

Posted on 2013-10-25
2,896 Views
Last Modified: 2015-04-06
I set up Lync 2013 Front End Server using Matt Landis’ how-to here: http://windowspbx.blogspot.com/2012/07/step-by-step-installing-lync-server.html.  I followed the steps exactly, substituting information specific to my deployment as necessary.  The Lync conference client works locally using user@domain.local.  I have a self-assigned SAN certificate for domain.local. I’ve added a SIP domain for domain.net and verified that one of the alternative names on the certificate is lync.domain.net.

I added lync.domain.net to the domain DNS control panel.

I’ve also set up the following port forwards in the router:
--5016 (externally and internally) to internal IP of Lync FE server
--8080 (externally) to 80 (internally) to the internal IP of the Lync FE server
--4443 (externally) to 443 (internally) to the internal IP of the Lync FE server

I decided to try to access Lync remotely.  I manually configured the connection settings as follows:
--Internal server name: lync.domain.local
--External domain name: lync.domain.net
--username: user@domain.local

The Lync 2013 client returns the following error: There was a problem verifying the certificate from the server.

I then gave it a shot using www.testexchangeconnectivity.com and it failed at the following step:

Certificate trust is being validated.
       Certificate trust validation failed.
              Test Steps
              The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=lync.domain.local, OU=IT, O=COMPANY, L=CITY, S=IL, C=US.
       A certificate chain couldn't be constructed for the certificate.
              Additional Details
       The certificate chain couldn't be built. You may be missing required intermediate certificates.
Elapsed Time: 24 ms.

(Once I’ve got the conference client working remotely, I intend to add the phone service component to be able to make and receive phone calls from Lync-equipped workstations.)

Primary question:
--How do I go about resolving the certificate error?

Secondary questions:
--Can I make Lync work remotely with a self-signed certificate?
--Do I need an Edge server?  (I’m hoping I can get by without one, but if need be, it can be added.)
--Am I overlooking anything?  If so, what?

Thanks!
Question by: SINC_dmack
7 Comments
 
LVL 37

Expert Comment

by:Jian An Lim
ID: 39602502
The idea of an internal DC's root cert is that it will be imported into all the machines.

Second, when you import your certificate, you need to import it properly with the chain.

2. Self-signed is not supported, as it is even harder to deploy your certificate to all machines.

3. You need an Edge server only if you want to let users from outside the network access the service.
0
 

Author Comment

by:SINC_dmack
ID: 39605715
Thanks for the reply.  How do I go about importing my certificate properly within the chain?  Is there an intermediate certificate that I need to import?

I do want to have external users access the Lync services.  But if my internal users can access those services, shouldn't external access be as simple as having external DNS configured properly and having the right ports forwarded in my router?  I kind of figured an Edge server would be necessary if there was a pool of Lync servers behind it, not if there was just one Front End server.
0
 
LVL 37

Expert Comment

by:Jian An Lim
ID: 39626776
I just realised you are using an internal root CA, so the online tools will not work.

Let's work it out this way: usually the internal domain will not use an internet-routable address (lync.domain.local), and the internet-routable address is for external use. This also makes sure that federation with other companies will work.

For internal-only Lync access, the Front End server will accept more ports like 5061, 5062, etc., whereas the Edge server streamlines everything into HTTPS only. That's the difference.

http://technet.microsoft.com/en-us/library/gg398833.aspx

I would strongly suggest using a 3rd-party cert. The cheapest one I found is about 9 dollars, and a wildcard is about 30 dollars per year (although security freaks will say no to wildcards).
0
 

Author Comment

by:SINC_dmack
ID: 39631302
Hi limjianan,

I'll plan to install a 3rd-party certificate.  Can I use a single-site cert (i.e. lync.company.com) or will I need a SAN cert with additional FQDNs?

The article you linked to lists a bunch of ports in the 5061-5087 and 8057-8080 range that are used by a Lync FE server.  Will I need to forward all (or most) of those ports to the Lync FE server through my router, or will Lync work with just 5061 and 443?

Thanks!
0
 
LVL 37

Accepted Solution

by: Jian An Lim (earned 2000 total points)
ID: 39632874
If you use an Edge, you only need to open port 443 TCP (and, for better performance, UDP 3478) inbound and outbound.

Read http://technet.microsoft.com/en-us/library/gg425882.aspx

For the certificate, you will need a SAN cert.

Read http://technet.microsoft.com/en-us/library/gg413010.aspx
0
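The following script is an added example and not part of the thread or of Lync itself. It uses the openssl CLI to build a throwaway root CA, an issuing (intermediate) CA and a Front End leaf certificate, and then reproduces the two points the answers above make: the Connectivity Analyzer's "chain couldn't be built / missing intermediate" result comes from a server that presents only the leaf without the intermediate that issued it, and a certificate whose CN is lync.domain.local is only accepted for lync.domain.net if that name is in the Subject Alternative Name list (hence the SAN cert in the accepted solution). The CA names, the domain.net/domain.local host names and the OU/O values are constructed for the demo; it runs offline and needs only a POSIX shell and openssl 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the original thread: a throwaway two-tier PKI built with the
# openssl CLI to show (1) the "chain couldn't be built / missing intermediate" failure
# the Connectivity Analyzer reported, (2) the fix (present the issuing CA with the leaf),
# and (3) why a SAN cert is needed when the CN (lync.domain.local) differs from the
# name clients connect to (lync.domain.net). CA names and host names are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# One config file so the script does not depend on the system openssl.cnf.
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no

[dn]
CN = placeholder

[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
subjectAltName = DNS:lync.domain.net,DNS:lync.domain.local,DNS:sip.domain.net
EOF

# Root CA (self-signed). This is what would sit in clients' Trusted Root store.
openssl req -new -x509 -newkey rsa:2048 -nodes -days 2 -sha256 \
  -config "$WORK/pki.cnf" -extensions v3_ca -subj "/CN=Example Lab Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null

# Issuing (intermediate) CA, signed by the root.
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/pki.cnf" \
  -subj "/CN=Example Lab Issuing CA" -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
openssl x509 -req -days 2 -sha256 -in "$WORK/inter.csr" \
  -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
  -extfile "$WORK/pki.cnf" -extensions v3_ca -out "$WORK/inter.crt" 2>/dev/null

# Front End leaf: CN is the internal name, the SAN list carries the external names too.
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/pki.cnf" \
  -subj "/CN=lync.domain.local/OU=IT/O=COMPANY" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -days 2 -sha256 -in "$WORK/leaf.csr" \
  -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" -CAcreateserial \
  -extfile "$WORK/pki.cnf" -extensions v3_leaf -out "$WORK/leaf.crt" 2>/dev/null

# What the Connectivity Analyzer did: trust the root, receive only the leaf.
# Fails with "unable to get local issuer certificate" because the issuing CA is absent.
verify_leaf_alone() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

# Same trust anchor, but the intermediate travels with the leaf: the chain builds.
verify_with_intermediate() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/inter.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

# True if DNS:<name> is in the leaf's Subject Alternative Name list. TLS clients match
# the host they connected to against the SANs, so the CN alone does not help.
leaf_has_san() {
  openssl x509 -in "$WORK/leaf.crt" -noout -text \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$1"
}

# Bundle in the order a server should present it (leaf, then issuing CA) and print
# the number of certificates in the bundle.
build_chain_bundle() {
  cat "$WORK/leaf.crt" "$WORK/inter.crt" > "$WORK/chain.pem"
  grep -c 'BEGIN CERTIFICATE' "$WORK/chain.pem"
}

if verify_leaf_alone; then
  echo "unexpected: leaf verified without its issuing CA"
else
  echo "leaf alone: chain cannot be built (missing intermediate) - the Analyzer's complaint"
fi
verify_with_intermediate && echo "leaf + intermediate: verification OK"
echo "bundle contains $(build_chain_bundle) certificates"
for name in lync.domain.net lync.domain.local webconf.domain.net; do
  if leaf_has_san "$name"; then echo "SAN present: $name"; else echo "SAN missing: $name"; fi
done
```

To check what a live server actually sends, run `openssl s_client -connect lync.domain.net:443 -servername lync.domain.net -showcerts`; if only one certificate comes back, the intermediate is not installed on the Front End (on Windows it belongs in the computer account's Intermediate Certification Authorities store, from where the server includes it in the handshake). One caveat for the 3rd-party route suggested above: since November 2015 public CAs may no longer issue certificates containing internal names such as lync.domain.local, so a purchased SAN cert can cover lync.domain.net and sip.domain.net but the .local name has to stay on the internal CA or be retired.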
 

Author Comment

by:SINC_dmack
ID: 39689047
Sorry for the delay in responding. I haven't had time to get the certificate purchased, but will update this thread once I do.  Thanks!
0
 

Author Comment

by:SINC_dmack
ID: 40709258
We ended up scrapping Lync and going with Skype.  Points to be awarded to limjianan as his response would have likely been the correct solution.
0
