Lync 2013 Public SSL Certificate Renewal

I've searched EE and have found related articles but none answering the question I have.

I'm running into an issue with a new client that has Lync 2013. The public certificate is expiring soon (like in 4 days) and the current public certificate has the internal server name as one of the SANs. Since this is no longer allowed, I've been looking for the easiest way to get around this. I'd prefer to avoid renaming domains or creating a split-DNS zone.

I've found articles on blogs (I'll add the links below) that say that having an internal enterprise CA will allow us to set everything up without doing either of the things mentioned above as the internal certificate can have the internal server name. We do currently have an internal CA and already have a certificate from that CA assigned to the Lync internal web services.

My question is, what do we have to do to configure the internal CA certificate in a way that will allow us to remove the internal server name from the public cert and have Lync still accept the new public cert?

The client currently has 2 servers, an outside edge server and a front end server. Both are running Windows 2008 R2 SP1. I've attached pictures of the current state of the certificates on both servers.

The following articles have helped me understand this much (specifically, Holger's 2nd reply), but I need more guidance due to my lack of knowledge of Lync servers.

Any help is greatly appreciated. Thank you!

Cliff Galiher commented:
Because web services and mobility are provided by front-end servers and not edge servers, if you have external clients at all, you really can't avoid split DNS if your domain name can't be included on a public cert. It's the nature of the architecture.
Amit Kumar commented:
You don't need to add any internal DNS name to the public certificate: just create the public certificate with the public DNS names, and create an internal certificate with the internal DNS names, signed by your internal CA.

If you have only one public certificate, you will have to add the SANs below:
AV does not need any certificate.
TechBoston (Author) commented:
Ok, thanks for the replies. Right now we have these SANs in the current public cert:


Items in bold are what I've replaced. You're saying add only the .ORG entries to the public cert and the .LOCAL entries to the internal cert, correct? I can do that, but how do I import the internal certificate into Lync so that it doesn't require the .LOCAL entries in the public cert like it does now? Does Lync see the internal server name in the internal certificate and automatically say "Oh, there it is, I guess I don't need that entry in the public certificate so I'll accept this public certificate."?

Amit Kumar commented:
Hope your internal cert is not expiring, because as per the screenshot you already have internal certs.

You will have to create the certificate request for the public cert using the Lync Deployment Tool, and once the certificate gets signed, import it through the Lync Deployment Tool.
TechBoston (Author) commented:
You're right, the internal certs are all currently valid and will be for a while. But I want to make sure that I don't need to request the internal cert again if I will be adding the internal server name to it, and then reassigning/reimporting it into Lync as well. Or is that not even necessary?

Is creating a new CSR, renewing/getting the new UCC SSL cert (without the internal names), and applying it to Lync all I have to do? I assumed that Lync would give me an error because the internal server name is not in the public certificate and it should be.
Jeff Glover (Sr. Systems Administrator) commented:
Lync will not give you an error without the internal names. If you are using an external cert now, then you have external access and mobility. Your FE servers do not get the public Cert, only internal certs, hopefully signed by your internal CA. Your Edge server(s) gets the public UC cert. Then you export it out and import it into your Reverse Proxy.
TechBoston (Author) commented:
Thank you very much for your help. We were able to create the split-DNS zone with our public name (.org) and configure the appropriate pointer records there. The certificate has been installed and applied. According to the certificates section in the Lync Server Deployment Tool (on both Edge and FE servers), all is well. However, external users aren't able to join a meeting as they get redirected to and the browser shows the old expired certificate and does not open the page.

I restarted all of the Lync services after applying the new certificate but didn't reboot the servers. Is rebooting the servers necessary? Otherwise, where should I be looking? Thanks.
Jeff Glover (Sr. Systems Administrator) commented:
Do you have a reverse proxy server, like a TMG server or a server running IIS ARR? That is the normal configuration for Lync. You publish Meet, Dial-in, and LyncDiscover through that. That is where the certificate for meetings is normally at.
TechBoston (Author) commented:
Yes, we do have a reverse proxy server. Since this was in place before I got here, I assume the Front End server is also the proxy server as it has IIS installed and there are sites for Lync Internal and Lync External. I've added attachments of that, let me know if I'm wrong in thinking this is the reverse proxy.

When I look at the bindings on the External site listed in IIS and highlight HTTPS and click Edit..., it has the correct certificate listed. The old one is still listed as well. I never deleted the expired one from the system, don't know if that might be related. I also never specified the new certificate in the binding settings, so I assume it automatically changed from the expired one to the new one when it was imported.
Jeff Glover (Sr. Systems Administrator) commented:
OK. First an explanation of how Lync does this. All Lync Front End servers will have IIS installed. It is there by default so internal customers can talk to it. There will be 2 websites in IIS: an Internal website listening on 80 and 443, and an External website listening on 8080 and 4443. Both SSL sites should have the Front End pool certificate installed. Normally, this is generated by an internal CA, but if you do not have one, it at least needs to have the name of the pool in the certificate. It also needs all the other names in it: SIP, Lyncdiscover, meet, dialin, etc.

Now the Front End server should NEVER talk directly to anyone outside your network (except over VPN if used). For Lync client traffic and federation, you use a Lync Edge server or pool. This server needs an external certificate in it for SIP, AV and Web Conferencing. It will also have (should have) a certificate from your internal CA for the Edge pool. The setup of the certificates is done in the Lync Deployment Wizard.

Lastly, you need a Reverse Proxy that has the external certificate for your lyncdiscover, dialin, meet, and your Lync web services; this is used by the Reverse Proxy. This reverse proxy will intercept the SSL traffic on port 443 and proxy it to your Front End pool or server on port 4443. The clients, normally mobile or Dial-in, only see the certificate on the Reverse Proxy. Check the certificate on your reverse proxy and you will probably see the old certificate there.
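The explanation above (clients on 443 only ever see the reverse proxy's certificate, which fronts the Front End external site on 4443) is exactly what a quick handshake check confirms. The following Python checker is an added example, not code from this thread or from Microsoft: it performs a verified TLS handshake against each published name and reports the verifier's reason on failure or, on success, whether the SANs match and still carry internal-only names. The hostnames and the internal-suffix list are constructed placeholders.

```python
"""Added example (not from the thread): see which certificate a Lync-published
name really serves. Hostnames and INTERNAL_SUFFIXES are constructed placeholders."""
import socket
import ssl
import time

# Names public CAs no longer issue for; seeing one on a 443 listener means the
# old certificate is still bound there. (Assumed list, adjust to your AD naming.)
INTERNAL_SUFFIXES = (".local", ".internal", ".lan")


def san_names(cert):
    """DNS entries from a getpeercert()-style dict, lower-cased."""
    return [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, host):
    """Exact match or single-label wildcard (*.example.org covers meet.example.org only)."""
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def assess_cert(cert, host, now=None):
    """Findings for the cert shown to clients asking for host; [] means it looks right."""
    now = time.time() if now is None else now
    host, names, findings = host.lower(), san_names(cert), []
    if ssl.cert_time_to_seconds(cert["notAfter"]) <= now:
        findings.append("expired on " + cert["notAfter"])
    if not any(name_matches(n, host) for n in names):
        findings.append("no SAN matches " + host)
    internal = [n for n in names if n.endswith(INTERNAL_SUFFIXES)]
    if internal:
        findings.append("internal names on a public listener: " + ", ".join(internal))
    return findings


def check_listener(host, port=443):
    """Verified TLS handshake to host:port. A verification failure is itself the
    finding: an expired or mismatched cert never reaches assess_cert."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return assess_cert(tls.getpeercert(), host)
    except ssl.SSLCertVerificationError as err:
        return ["handshake rejected: " + err.verify_message]


if __name__ == "__main__":
    # The reverse proxy publishes these on 443; the Front End pool answers on 4443 inside.
    for name in ("meet.example.org", "dialin.example.org", "lyncdiscover.example.org"):
        print(name, check_listener(name) or "OK")
```

Run it from outside the network against the names the reverse proxy publishes, then again from inside against the Front End pool on 4443 to see both halves of the certificate split.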
TechBoston (Author) commented:
Makes sense, thank you very much for all of the info. Would you happen to know of a way to find what the reverse proxy server is?
Jeff Glover (Sr. Systems Administrator) commented:
The only way I can think of would be to look at your external DNS. See what IP address points to. This should be one of your public IP addresses. If you have a Network Infrastructure team, ask them where that IP address is redirected to. This should give you the IP address of your internal Reverse Proxy server (unless the Reverse Proxy is actually connected directly to the Internet. shudder....) Since it seems that this is a client and not your network, maybe somewhere in their archives, someone did what they should have and documented the Lync 2013 install.
TechBoston (Author) commented:
So I got the public IP, traced what internal IP that's pointing to, and it's pointing to a server essentially called Lync-TMG / The notes for this entry in our network map say that this is the external interface. I assume this means that we're using Microsoft Forefront TMG as the reverse proxy, and not just IIS like I had thought. However, I'm not able to ping the internal server name, and when I ping from inside, the Front End server replies.

Microsoft FF TMG isn't installed on the Front End server from what I see in Start->Programs or the control panel.

Thank you for your continued help on this!
Jeff Glover (Sr. Systems Administrator) commented:
It is not surprising that you cannot ping the internal interface of the TMG server. Unless you know how to set up TMG filters correctly, it will not respond to ICMP. When you say TMG is not installed on the Front End server, are you saying you expected it on the Lync server, or you checked the Lync-TMG server and it is not installed? Can you RDP to the TMG server? If someone followed best practices, it should be a standalone and not part of the domain, so you would need a local account to log on.

TechBoston (Author) commented:
Making progress here. While I can't ping it, I do see the TMG server in VMWare and I was able to log in to it. I checked the certificate store using MMC and saw that only the expired cert was there. I imported the same cert I exported from the Edge server (which has also already been imported on the FE server). Now the new cert is there, I think I just need to change the certificate being used in TMG. I've opened the ForeFront TMG management console but I've never used this before. Any pointers on changing the current cert there?
TechBoston (Author) commented:
This is all set! From doing some research, I went into the Firewall Policy section of TMG, clicked on the Lync Web Services entry in the list and checked the properties of the web listener for Lync Web Services. From there, I went into the Certificates tab and selected the new one (which was now showing since I imported it earlier). I saved, backed up, and applied the changes. Tested external access and all is working as it should now!

Thank you all, especially lvjeff for all of your assistance in helping me understand how this works and how to resolve it, you are the man/woman!