LYNC 2013 public certificate

Hi,

I need to get public certificates for an on-premises Lync 2013 installation, primarily for Lync Online and Skype federation.
I want to double-check things because I don't want to spend more than strictly necessary.

There is a standard front-end server, a mediation server (connected to the telephony provider's SIP trunk), an edge server and a reverse proxy server (IIS ARR).
A single SIP domain is configured, which is the same as the e-mail domain (domain.com) and different from the AD domain (domain.local).
The installation is currently used for internal and external access from PCs and mobile devices, enterprise voice, IM, meetings and federation with external companies.
On the reverse proxy's external interface the same certificate is used as on the front-end server, which also contains some domain.local SANs.

I need to know which certificates I need to change and whether domain.local SANs are needed on those certificates.
Will RapidSSL certificates work for Skype and Lync Online federation?

Thank you!
davorin asked:

Jakob Digranes (Senior Consultant) commented:
RapidSSL should work, as they have Equifax or GeoTrust roots.

You need the following CN and SANs in your external certificates:

Edge Server:
sip.domain.com (for the Access Edge service; you could also name it access.domain.com)
webconf.domain.com (for the Web Conferencing service; you could also name it conf.domain.com)

Reverse Proxy:
meet.domain.com (meeting URL to start meetings; can be whatever FQDN you choose in Topology Builder)
dialin.domain.com (for dial-in conferencing; can be whatever FQDN you choose in Topology Builder)
lyncdiscover.domain.com (for mobile clients; must be lyncdiscover.domain.com)
rp.domain.com (Lync external web services; can be whatever FQDN you choose in Topology Builder)

You can use one certificate with all domains and install it on both Edge and Reverse Proxy, or you can install 2 certificates, one for Edge and one for Reverse Proxy.

You cannot have any .local names in public certificates as of 26th October 2015. You wouldn't need them either.
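To turn the SAN list above into something checkable, here is a small planning script. It is an added example, not code from the thread or from Microsoft; it assumes the SIP domain is domain.com and that the external FQDNs are the ones used in the answer (sip, webconf, meet, dialin, lyncdiscover, rp), so swap in your own Topology Builder names. It flags names a public CA will refuse, reports required names that are missing for a role, and emits an openssl `req` config so one CSR carries every SAN. The sample inputs are the poster's current edge certificate and a constructed front-end-style certificate with a .local SAN.

```python
"""Plan and sanity-check the SAN list of a Lync 2013 public certificate.

Added example (not from the thread). Assumes SIP domain domain.com and the
FQDNs named in the accepted answer; only lyncdiscover.<sipdomain> is fixed.
"""

SIP_DOMAIN = "domain.com"

# .local is the suffix the answer names as no longer issuable by public CAs.
# Treating other internal-only suffixes the same way is an assumption here.
NON_PUBLIC_SUFFIXES = (".local", ".internal", ".lan")

EDGE_REQUIRED = {f"sip.{SIP_DOMAIN}", f"webconf.{SIP_DOMAIN}"}
REVERSE_PROXY_REQUIRED = {
    f"meet.{SIP_DOMAIN}", f"dialin.{SIP_DOMAIN}",
    f"lyncdiscover.{SIP_DOMAIN}", f"rp.{SIP_DOMAIN}",
}


def all_names(cn, sans):
    """CN plus SANs, lower-cased and de-duplicated."""
    return {n.strip().lower() for n in [cn, *sans] if n.strip()}


def check_cert_plan(cn, sans, required):
    """Return a dict of problems for one role; an empty dict means the plan is fine."""
    names = all_names(cn, sans)
    problems = {}
    # A public CA will not issue for internal-only names, so they must go.
    non_public = sorted(n for n in names if n.endswith(NON_PUBLIC_SUFFIXES))
    if non_public:
        problems["non_public_names"] = non_public
    # Every FQDN the role publishes has to be on the certificate.
    missing = sorted(required - names)
    if missing:
        problems["missing_names"] = missing
    # Modern clients match on SANs only, so the CN should be repeated there.
    if cn.strip().lower() not in {s.strip().lower() for s in sans}:
        problems["cn_not_in_sans"] = cn.strip().lower()
    return problems


def openssl_san_config(cn, sans):
    """Build an openssl req config (-config file) carrying all SANs in one CSR."""
    cn = cn.strip().lower()
    names = [cn] + [s.strip().lower() for s in sans if s.strip().lower() != cn]
    alt = ", ".join(f"DNS:{n}" for n in names)
    return "\n".join([
        "[req]",
        "distinguished_name = dn",
        "req_extensions = v3_req",
        "prompt = no",
        "[dn]",
        f"CN = {cn}",
        "[v3_req]",
        f"subjectAltName = {alt}",
        "",
    ])


if __name__ == "__main__":
    # The poster's current edge certificate, as described in the thread.
    edge_cn = "access.domain.com"
    edge_sans = ["sip.domain.com", "av.domain.com", "access.domain.com", "webconf.domain.com"]
    print("edge:", check_cert_plan(edge_cn, edge_sans, EDGE_REQUIRED) or "ok")

    # Constructed: a front-end style certificate reused on the reverse proxy,
    # carrying a domain.local SAN and lacking the dial-in name.
    rp_cn = "rp.domain.com"
    rp_sans = ["rp.domain.com", "meet.domain.com", "lyncdiscover.domain.com", "fe01.domain.local"]
    print("reverse proxy:", check_cert_plan(rp_cn, rp_sans, REVERSE_PROXY_REQUIRED) or "ok")

    # One certificate for both roles, as the answer suggests.
    combined = sorted(EDGE_REQUIRED | REVERSE_PROXY_REQUIRED)
    print(openssl_san_config("sip.domain.com", combined))
```

The generated config is meant for `openssl req -new -newkey rsa:2048 -nodes -keyout lync.key -out lync.csr -config lync.cnf`; on the Lync servers themselves the Certificate Wizard produces the same request, but the SAN check is the same either way, and it is the `.local` finding that tells you the front-end certificate cannot simply be bought as-is.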

davorin (Author) commented:
Thank you for your answer and sorry for the long delay.
Do I really need a public certificate on the reverse proxy? Does it have any role in federation at all?
Everywhere it is mentioned that its role is just for external user access. And this is a small installation (less than 40 users), so deploying our own created certificates on all devices, as we are doing now, is not a problem.

The current edge certificate has access.domain.com as SN, and sip.domain.com, av.domain.com, access.domain.com, webconf.domain.com as SANs.
davorin (Author) commented:
I'm answering my own question:
For Skype federation a public certificate is needed only on the edge server.
The proxy server does not need it.

Jakob Digranes (Senior Consultant) commented:
But you need a public certificate on the reverse proxy to get mobile access to Lync for iPhones and Androids, plus external meetings (meet.yourdomain.com) and web conferencing.
davorin (Author) commented:
Not strictly necessary :)
Mobile access also works with a certificate issued by a private CA, but the certificate and the whole chain must be installed on the mobile device. This is also true for federation, if the partner is prepared to install private certificates on their edge server, which MS will never do.
My goal was to get Lync Online and Skype federation working with minimal (certificate) costs, and for this a certificate on the edge server suffices.
Jacob_di, I want to thank you for your answer. It was highly informative and described the MS recommended configuration. That's why I accepted your answer as the primary solution. I added my comment just as additional explanation, in case somebody else has similar needs.
davorin (Author) commented:
Closing question.
Jakob Digranes (Senior Consultant) commented:
Great, thanks :)