Lync 2013 Multi-tenant

We have a single Win 2012 native AD environment with Exchange 2013 and Lync 2013. In Exchange we use 4 domains and it works perfectly. We want to use multiple SIP domains on a single standard front-end server with Edge and reverse proxy.

Steps I did to add multiple SIP domains:
1. Add the new SIP domain to the Topology.
2. Create DNS records for simple URLs, both internal and external.
3. SAN UCC certificates to support auto configuration and simple URLs (both internal and external).
4. Run Enable-CSComputer on each Pool.
5. Export the configuration and import it to the Edge server.
6. Configure IIS ARR reverse proxy for multiple SIP domains.

Did I miss anything?

What are the SAN requirements for each SIP domain?

Namespace xyz.com hosts AD, Exchange and the Lync primary SIP domain.

I want to add the following SIP domains in Lync 2013:
abc.com
bcd.com
cde.com
def.com

What is the requirement for additional SAN names? Can I use a wildcard certificate? Is that supported?

Please help
Asked by: Ganesh Kumar A, Sr Infrastructure Specialist

David Johnson, CD, MVP (Owner) commented:
A complete list of the resources for setting up Lync Multi-tenant is available at:
http://social.technet.microsoft.com/wiki/contents/articles/7325.microsoft-lync-server-multitenant-pack-for-partner-hosting-resources.aspx

You need to be using the Enterprise Edition and download the pack from MVLSC:
https://www.microsoft.com/Licensing/servicecenter/Registration.aspx

Ganesh Kumar A, Sr Infrastructure Specialist (Author) commented:
I read all these articles before; I am looking for specific certificate considerations using SAN names. We have budget to use the Lync Standard Edition. Hence I want to know if I should use a wildcard certificate instead of buying plenty of SAN names in the certificate. Is there any way we can reduce the SAN names in the certificate for the group company? We can use a common name to authenticate with shared default AD NetBIOS names with SIP address for logging on the client.

I read https://technet.microsoft.com/en-us/library/hh202161(v=ocs.15).aspx and https://technet.microsoft.com/en-us/library/gg398920(v=ocs.15).aspx

It appears that a wildcard certificate is supported, but I want to know if this is recommended.

Can I use only lyncdiscover.abc.com, lyncdiscover.bcd.com, lyncdiscover.cde.com and lyncdiscover.def.com,

and sip.abc.com, sip.bcd.com, sip.cde.com, sip.def.com, and dialin.abc.com, dialin.bcd.com, dialin.cde.com and dialin.def.com, and meet URLs like the above? Does it work this way?

Chris commented:
I have been told to avoid the wildcard certs; Lync prefers the named SAN route.

How separate do you need the multi-tenant setup to be? You could consolidate your simple URLs, but I would guess completely separate.
If you put it on an HLB then you could use that to present and re-encrypt the traffic, making it easy to have one lot of certificates on there and only 1 cert on the internal servers.

Ganesh Kumar A, Sr Infrastructure Specialist (Author) commented:
So will this work?

If I buy a normal UCC SAN certificate with SAN names as follows:
abc.com
bcd.com
cde.com
def.com
lyncdiscover.abc.com
lyncdiscover.bcd.com
lyncdiscover.cde.com
lyncdiscover.def.com
sip.abc.com
sip.bcd.com
sip.cde.com
sip.def.com
meet.abc.com
meet.bcd.com
meet.cde.com
meet.def.com
dialin.abc.com
owa.abc.com
lsweb.abc.com
admin.abc.com

Ganesh Kumar A, Sr Infrastructure Specialist (Author) commented:
The issue was resolved by adding multiple SAN names for each domain, especially the meet, dialin and lyncdiscover URLs, in the public certificate. It is only one single certificate.

Ganesh Kumar A, Sr Infrastructure Specialist (Author) commented:
Practically, adding multiple SAN names worked. I was having doubts about the dialin and meet URLs and whether they would work, but it worked perfectly.
Question has a verified solution.
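
Added example, not part of the thread or of any Microsoft tooling: a check of a planned SAN list against the per-domain names discussed above, including how a wildcard entry is matched. The prefix set and the assumption that every SIP domain publishes its own name for each prefix are illustrative; `DOMAINS` and `THREAD_SANS` are constructed from the names posted in the thread.

```python
# Assumption: each SIP domain needs one FQDN per prefix below (names taken
# from the thread). Adjust the tuple to match your own simple URL design.
PER_DOMAIN_PREFIXES = ("lyncdiscover", "sip", "meet", "dialin")


def required_names(sip_domains, prefixes=PER_DOMAIN_PREFIXES):
    """Expand every SIP domain into the FQDNs clients will look up."""
    return [f"{p}.{d}".lower() for d in sip_domains for p in prefixes]


def san_matches(san, host):
    """Match one SAN entry against a host name.

    A wildcard counts only as the whole left-most label and stands for
    exactly one label: *.abc.com covers sip.abc.com, but neither abc.com
    nor a.b.abc.com.
    """
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    head, _, rest = host.partition(".")
    return bool(head) and rest == san[2:]


def missing_names(sip_domains, sans, prefixes=PER_DOMAIN_PREFIXES):
    """Return the required FQDNs that no SAN entry covers."""
    return [h for h in required_names(sip_domains, prefixes)
            if not any(san_matches(s, h) for s in sans)]


# Constructed sample: the SAN list proposed in the thread.
DOMAINS = ["abc.com", "bcd.com", "cde.com", "def.com"]
THREAD_SANS = (DOMAINS
               + required_names(DOMAINS, ("lyncdiscover", "sip", "meet"))
               + ["dialin.abc.com", "owa.abc.com", "lsweb.abc.com",
                  "admin.abc.com"])

if __name__ == "__main__":
    # With a dialin name per domain, three names are not on the certificate.
    print("per-domain dialin:", missing_names(DOMAINS, THREAD_SANS))
    # With one shared dialin URL, the posted list covers every name.
    print("shared dialin:",
          missing_names(DOMAINS, THREAD_SANS, ("lyncdiscover", "sip", "meet")))
```

Running the same check against the SAN list read from the issued certificate, before binding it on the reverse proxy and Edge, catches a missing or mistyped name before clients see a certificate name mismatch.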