Solved

How to fix certificate error when remotely accessing Lync 2013 Front End server?

Posted on 2013-10-25
7
2,595 Views
Last Modified: 2015-04-06
I set up Lync 2013 Front End Server using Matt Landis’ how-to here: http://windowspbx.blogspot.com/2012/07/step-by-step-installing-lync-server.html.  I followed the steps exactly, substituting information specific to my deployment as necessary.  The Lync conference client works locally using user@domain.local.  I have a self-assigned SAN certificate for domain.local. I’ve added a SIP domain for domain.net and verified that one of the alternative names on the certificate is lync.domain.net.

I added lync.domain.net to the domain DNS control panel.

I’ve also set up the following port forwards in the router:
--5016 (externally and internally) to internal IP of Lync FE server
--8080 (externally) to 80 (internally) to the internal IP of the Lync FE server
--4443 (externally) to 443 (internally) to the internal IP of the Lync FE server

I decided to try to access Lync remotely.  I manually configured the connection settings as follows:
--Internal server name: lync.domain.local
--External domain name: lync.domain.net
--username: user@domain.local

The Lync 2013 client returns the following error: There was a problem verifying the certificate from the server.

I then gave it a shot using www.testexchangeconnectivity.com and it failed at the following step:

Certificate trust is being validated.
       Certificate trust validation failed.
              Test Steps
              The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=lync.domain.local, OU=IT, O=COMPANY, L=CITY, S=IL, C=US.
       A certificate chain couldn't be constructed for the certificate.
              Additional Details
       The certificate chain couldn't be built. You may be missing required intermediate certificates.
Elapsed Time: 24 ms.
(Once I’ve got the conference client working remotely, I intend to add the phone service component to be able to make and receive phone calls from Lync-equipped workstations.)

Primary question:
--How do I go about resolving the certificate error?

Secondary questions:
--Can I make Lync work remotely with a self-signed certificate?
--Do I need an Edge server?  (I’m hoping I can get by without one, but if need be, it can be added.)
--Am I overlooking anything?  If so, what?

Thanks!
0
Comment
Question by:SINC_dmack
7 Comments
 
LVL 37

Expert Comment

by:Jian An Lim
ID: 39602502
The idea with an internal DC's root cert is that it will be imported into all the machines.

2nd, when you import your certificate, you need to import it properly with the chain.


2.
Self-signed is not supported, as it is even harder to deploy your certificate to all machines.

3. You need an edge server only if you want to let users from outside the network access the service.
0
 

Author Comment

by:SINC_dmack
ID: 39605715
Thanks for the reply.  How do I go about importing my certificate properly within the chain?  Is there an intermediate certificate that I need to import?

I do want to have external users access the Lync services.  But if my internal users can access those services, shouldn't external access be as simple as having external DNS configured properly and having the right ports forwarded in my router?  I kind of figured an Edge server would be necessary if there was a pool of Lync servers behind it, not if there was just one Front End server.
0
 
LVL 37

Expert Comment

by:Jian An Lim
ID: 39626776
Just realised you are using an internal root CA, so the online tools will not work.

Let's work it out this way:
usually the internal domain will not use an internet-routable address (lync.domain.local),
and the internet-routable address is for external use.
This also makes sure that federation with other companies will work.


For internal-access-only Lync, the front end server will accept more ports like 5061, 5062, etc., whereas the edge server streamlines everything into HTTPS only. That's the difference.

http://technet.microsoft.com/en-us/library/gg398833.aspx

I will strongly suggest using a 3rd party cert.
The cheapest one I found is like 9 dollars, and a wildcard is like 30 dollars per year (although security freaks will say no to wildcards).
0
 

Author Comment

by:SINC_dmack
ID: 39631302
Hi limjianan,

I'll plan to install a 3rd-party certificate.  Can I use a single-site cert (i.e. lync.company.com) or will I need a SAN cert with additional FQDNs?

The article you linked to lists a bunch of ports in the 5061-5087 and 8057-8080 range that are used by a Lync FE server.  Will I need to forward all (or most) of those ports to the Lync FE server through my router, or will Lync work with just 5061 and 443?

Thanks!
0
 
LVL 37

Accepted Solution

by:
Jian An Lim earned 500 total points
ID: 39632874
If you use an Edge, you only need to open port 443 TCP (and for better performance, UDP 3478) inbound and outbound.

Read
http://technet.microsoft.com/en-us/library/gg425882.aspx



For the certificate, you will need a SAN cert.

Read
http://technet.microsoft.com/en-us/library/gg413010.aspx
0
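The two checks the thread turns on (can the client build a chain for the server certificate, and does the SAN list carry the external name it connects to) can be run from any Windows box before paying for a certificate. This is an added diagnostic script, not code from the thread or from Microsoft; the server name, port and expected SAN names are placeholders matching the question's lync.domain.net / lync.domain.local setup and the 4443-to-443 forward described above.

```powershell
# Added example: pull the TLS certificate from a Lync FE endpoint, attempt to build
# its chain the way the Connectivity Analyzer does, and list its SAN entries.
param(
    [string]$Server = 'lync.domain.net',            # placeholder: your external FQDN
    [int]$Port      = 443,                          # use 4443 from outside if that forward is kept
    [string[]]$ExpectedSan = @('lync.domain.net', 'lync.domain.local')  # placeholders
)

$tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
# Accept any certificate here only so we can inspect it ourselves; this is a
# diagnostic, not a setting to carry into production traffic.
$acceptAll = ({ $true } -as [System.Net.Security.RemoteCertificateValidationCallback])
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
try {
    $ssl.AuthenticateAsClient($Server)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose(); $tcp.Close()
}

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Expires : $($cert.NotAfter)"

# 1. Chain building: this is the step that failed in the analyzer output above.
#    On a non-domain machine a private root CA will show UntrustedRoot; a missing
#    intermediate shows PartialChain.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # isolate chain problems from CRL reachability
if ($chain.Build($cert)) {
    "Chain   : OK ($($chain.ChainElements.Count) elements)"
} else {
    "Chain   : FAILED"
    $chain.ChainStatus | ForEach-Object { "  - $($_.Status): $($_.StatusInformation.Trim())" }
}

# 2. SAN check: the client validates the name it connected to, so the external
#    FQDN must appear as a DNS entry in the subjectAltName extension (OID 2.5.29.17).
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sans = @()
if ($sanExt) {
    # Windows formats this as "DNS Name=a.example, DNS Name=b.example"
    $sans = ($sanExt.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=')[-1].Trim() }
}
"SANs    : $($sans -join ', ')"
foreach ($name in $ExpectedSan) {
    if ($sans -contains $name) { "  [OK]      $name" } else { "  [MISSING] $name" }
}
```

Run it once from a domain-joined workstation and once from outside the LAN; a chain that passes internally but fails externally is the internal-root-CA problem described in the thread, while a MISSING line is the SAN problem.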
 

Author Comment

by:SINC_dmack
ID: 39689047
Sorry for the delay in responding. I haven't had time to get the certificate purchased, but will update this thread once I do.  Thanks!
0
 

Author Comment

by:SINC_dmack
ID: 40709258
We ended up scrapping Lync and going with Skype.  Points to be awarded to limjianan as his response would have likely been the correct solution.
0
