Lync 2013 - Users Outside Domain Certificate Requirement?

Our main IT person installed Lync on a Hyper-V instance, entirely standalone and away from our domain controller and Exchange server (which is also virtualized). Inside the building, within the domain, it works just fine; however when we attempt to log in to Lync from outside on computers and mobile phones not joined to the domain, we receive an error: "Can't sign in to Lync: There was a problem verifying the certificate from the server."

Our IT person claims this is because we need to install some certificates on these outside machines, as the computers joined to the domain get the trusted root certificate from the domain controller. I am thinking this is unnecessary; however, I could not find anything online regarding this requirement, which leads me to believe that he set up the certificates incorrectly.

Are my doubts founded or unfounded, and is this indeed a requirement for machines outside the domain that need to access Lync?

Guidance would be appreciated. Thank you.
Parrotfish2005 Asked:
Cliff Galiher Commented:
Lync uses mTLS so if you aren't using certs from a public CA then yes, you must establish trust. Of course Lync also needs a DC among other things, so what you describe sounds, at best, incomplete.
0
Parrotfish2005 (Author) Commented:
Just to give everyone the complete picture, here's how everything was set up:

Server A (Domain Controller)
Exchange 2013 set up in VM

Server B (BDC)
BDC set up in VM
Lync Server set up in VM

We have a wildcard SSL certificate from GoDaddy, which I believe fulfills the Public CA requirement -- in hindsight should that have been used instead of having to set up the CA role on the DC?
0
Gareth Gudger Commented:
Correct. Anything non-domain joined will not trust your domain CA. Also, anything outside the network will not be able to reach your internal CA. I would recommend using a 3rd party certificate.

Otherwise your alternative is to install the root CA on every device. 3rd party CA is easier and less of a headache.
0
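Reproducing the trust failure the two answers describe, as an added example that is not part of the thread: a constructed private CA stands in for the CA role on the DC, `lync.example.invalid` is a placeholder hostname, and the same server certificate is verified once against an empty trust store (a non-domain-joined client) and once against a store holding the root (a domain-joined client, or one where the root was installed by hand).

```shell
#!/bin/sh
# Added example, not from the thread. Requires the openssl CLI.
set -e
WORK="$(mktemp -d)"
cd "$WORK"

# 1. Constructed "domain CA" root, standing in for the CA role on the DC.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=Constructed Domain CA" -keyout ca.key -out ca.crt >/dev/null 2>&1

# 2. Server certificate for the Lync front end, issued by that internal CA.
#    Hostnames are placeholders; the SANs mirror the kind Lync clients look up.
openssl req -newkey rsa:2048 -nodes -subj "/CN=lync.example.invalid" \
  -keyout lync.key -out lync.csr >/dev/null 2>&1
printf 'subjectAltName=DNS:lync.example.invalid,DNS:sip.example.invalid\n' > san.ext
openssl x509 -req -in lync.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 30 -extfile san.ext -out lync.crt >/dev/null 2>&1

# verify_chain TRUSTSTORE CERT -> prints "trusted" or "untrusted",
# i.e. whether CERT chains to a root contained in TRUSTSTORE.
verify_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Non-domain-joined client: its trust store has never received the domain CA,
# so the chain cannot be built. This is the "problem verifying the certificate".
touch empty_store.pem
OUTSIDE="$(verify_chain empty_store.pem lync.crt)"

# Domain-joined client, or an outside device on which the root was installed:
# the same certificate now chains to a trusted root.
INSIDE="$(verify_chain ca.crt lync.crt)"

echo "outside client: $OUTSIDE; client with the root installed: $INSIDE"
```

A certificate from a public CA removes the need to distribute the root at all, because the public root is already present in every client's store.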
Parrotfish2005 (Author) Commented:
Apologies, ended up calling Microsoft support. Problem resolved, thanks.
0

Parrotfish2005 (Author) Commented:
Paid for support call, problem resolved.
0