RFVDB asked:

Skype for Business 2015 Standard Deployment - Certificate Installation with .local domain

I'm in the process of deploying my first Skype for Business 2015.

The previous administrator configured the local domain with all of the servers using a .local domain.
In deploying the server and on the "Define New Front End Pool" I'm using the Standard Edition Server as this is a small deployment and I only want to use one server. I'm under the understanding that the Enterprise edition can't be installed on one server and has to be configured with at least one other server as the SQL server, right?

Anyhow, in defining the initial FQDN I had initially used an external .com domain and ran through the wizard and attempted to deploy the topology, but ran into an error. Googling this error confirmed that when using the Standard Edition of Skype for Business 2015 you have to use the server's actual FQDN, which is skypesvr.domain.local. In doing that it also set the internal web services URL to that domain, not allowing that to be changed.

I want to use an external 3rd Party SSL Cert however third party SSL providers don't allow the use of .local domains anymore.

So is my only choice to use an internal CA in this case? Will that work properly and seamlessly with external clients?

Or I read that with an enterprise deployment that you can use another FQDN other than the server name, which would circumvent this problem however I would have to use more than 1 server and would have to use the Standard Edition of SQL right?

I'm trying to keep this as simple as possible. Thanks!
Topics: Windows Server 2012, Chat / IM, Microsoft Server Apps

Last comment: 8/22/2022 (Mon)

Cliff Galiher


Ahhh, very nice. OK cool - I'll try that.

On the internal .local cert, I'm assuming that I'll HAVE to setup a local CA on a server, this is a small environment with about 10 servers, do you think I need to dedicate a server for the CA (I've never setup an internal CA) or can I bundle it on a server acting as a backup DC.

Will the CA need to be up at all times so people can validate the cert?

Thanks again!
Cliff Galiher

If you are going to be running things like SfB, or any network with more than just a few machines, you do want a CA for mTLS. As for dedicating a server, not strictly necessary, but security planning for ANY service is important and really too broad to summarize in an EE response.

Regarding installing an internal CA, is there any preference to installing a standalone or enterprise CA? since I'll only be using it for the Skype for Business 2015 server?
Cliff Galiher

I almost (almost) always go enterprise for futureproofing. But again, there are planning considerations to be had.

Hi, thanks for all the input thus far. S4B is a new subject for me so I appreciate the help.

I followed your instructions and selected the "Server Default" and "Web services internal" and selected the internal CA for the default dns names that came up. Some of these FQDNs overlapped with the "Web Services External" certificate installation which was odd to me. Anyhow, for all of the external FQDNs, I requested an external SSL cert and that successfully installed.

I finished the setup of my Front End Server. I then found out that I needed an Edge Server. So I set that up and got the dashboard lit up green with the Topology. However, when using the S4B client externally, it comes up with a certificate warning and it's trying to use the internalservername.localdomain.local cert rather than the external cert for externalservername.externaldomain.com. It then says "Can't sign in to Lync" "There was a problem verifying the certificate from the server". Obviously because the internal CA is not trusted.

However, the whole point of the external SSL certs was so they would be used externally. Very confusing - but they're not.

Also, when accessing my admin control panel externally i type in skypeadmin.domain.com and it redirects to internalservername.localdomain.local, instead of staying with the external URL?? Something's not right.

Any input on this URL/SSL stuff would be appreciated.
Cliff Galiher

Sounds like you are doing NAT port forwarding instead of configuring a reverse proxy to the external web services ports as required. SfB knows a client is external and sends the right certificate and settings because the reverse proxy sends traffic properly to external site ports on the FE server(s). If that is improperly configured, external access fails. And do you really want to expose admin access externally?? That's terrible from a security standpoint.
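An added example, not from the thread or from Microsoft: the check I would run from a host outside the network to see which certificate the published URL actually hands out, before touching the topology. It uses openssl (1.1.1 or later, for `-addext`) and decides from the leaf certificate's SAN list whether external clients can use it. The host names (skypesvr.domain.local, skypeweb.domain.com, lyncdiscover.domain.com) and the two self-signed certificates it builds as fixtures are constructed stand-ins, not anything from the poster's environment; `probe_cert` is what you would point at the real external FQDN.

```shell
#!/bin/sh
# Added example: inspect the certificate a TLS endpoint presents and decide
# whether external clients can use it. Not code from the thread.
# Assumes openssl 1.1.1+ on PATH. All host names are constructed placeholders.

# Fetch the leaf certificate presented for a given SNI name, as PEM.
# Usage: probe_cert HOST PORT SNI_NAME   (e.g. the public IP, 443, skypeweb.domain.com)
probe_cert() {
  openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null |
    openssl x509
}

# Print the DNS names from the certificate's Subject Alternative Name, one per line.
cert_dns_sans() {
  openssl x509 -in "$1" -noout -text |
    sed -n '/Subject Alternative Name/{n;p;}' |
    tr ',' '\n' |
    sed -n 's/.*DNS:\([^ ,]*\).*/\1/p'
}

# Print the issuer DN of the certificate.
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer
}

# Decide whether CERT_FILE is usable by external clients of EXPECTED_FQDN.
# Returns 0 = usable, 1 = expected name missing from the SAN,
# 2 = SAN carries a .local name (no public CA issues those, so this is the
#     internal-CA certificate and outside clients will not trust it).
check_external_cert() {
  cert_file=$1
  expected=$2
  names=$(cert_dns_sans "$cert_file")
  if ! printf '%s\n' "$names" | grep -qxF "$expected"; then
    echo "FAIL: $expected is not in the SAN ($(printf '%s' "$names" | tr '\n' ' '))"
    return 1
  fi
  if printf '%s\n' "$names" | grep -q '\.local$'; then
    echo "WARN: SAN contains a .local name; public CAs will not issue this, external clients will not trust it"
    return 2
  fi
  echo "OK: $(cert_issuer "$cert_file")"
  return 0
}

# Constructed fixtures: two self-signed certs standing in for (a) the internal-CA
# certificate that carries the server's real .local FQDN alongside the external
# name, and (b) the public certificate for the external web services FQDN.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_cert() {  # make_cert OUTFILE "DNS:a,DNS:b"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/key.pem" -out "$1" \
    -subj "/CN=constructed-example" \
    -addext "subjectAltName=$2" >/dev/null 2>&1
}
make_cert "$WORK/internal.pem" "DNS:skypesvr.domain.local,DNS:skypeweb.domain.com"
make_cert "$WORK/external.pem" "DNS:skypeweb.domain.com,DNS:lyncdiscover.domain.com"

# The symptom in the thread: port 443 NAT-forwarded straight to the FE, so the
# outside client gets the internal certificate even though the name matches.
check_external_cert "$WORK/internal.pem" skypeweb.domain.com || :
# What a reverse proxy publishing the external web services should present.
check_external_cert "$WORK/external.pem" skypeweb.domain.com || :
```

Run `probe_cert <public-ip> 443 skypeweb.domain.com > seen.pem` from outside and feed `seen.pem` to `check_external_cert`: a return of 2 is exactly the "problem verifying the certificate from the server" case, and means the path into the server is bypassing whatever should be presenting the public certificate.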


So a Reverse Proxy is REQUIRED for the most basic S4B setup for external clients to connect smoothly? Can I run the Proxy on the Edge Server or do I need to put it on its own dedicated server (vm)?

I followed this link in setting up the Edge. Once done with setting up the Edge the writer stated that he was able to remotely login with his Skype for Business on-premises accounts - No mention of a Reverse Proxy: http://www.moh10ly.com/blog/VoIP/skype4business/skype-for-business-edge-server-deployment-and-hybrid-integration-with-skype-for-business-online

What external DNS names would need to be pointed to the Reverse Proxy Server as opposed to the Edge server? Let me know if I'm treading into a another subject and I'll open another thread.

Understood on the external admin access, how do I turn that off?

Thanks again, very much appreciated.
Cliff Galiher

The article you linked to doesn't walk you through setting up a front-end server either. And yet an edge server without a FE would be pretty non-functional! No, the article is focused on one component, but that doesn't mean the other components are not required.

TechNet has all the documentation you require, and if you have specific questions, we are happy to help. But if I'm going to end up trying to walk you through an entire deployment... as it is starting to seem...you really should pay a contractor to do that work. I am not in the habit of stealing from their rightfully earned knowledge and income.

I had messed something up on the install of the Edge server (missed a step from the article) and once I fixed that external clients were able to connect without the certificate error. So all is good now.

I'll ask any other questions in a different thread. Thanks for your help thus far.