Skype for Business 2015 Standard Deployment - Certificate Installation with .local domain

I'm in the process of deploying my first Skype for Business 2015.

The previous administrator configured the local domain with all of the servers using a .local domain.
In deploying the server and on the "Define New Front End Pool" I'm using the Standard Edition Server as this is a small deployment and I only want to use one server. I'm under the understanding that the Enterprise edition can't be installed on one server and has to be configured with at least one other server as the SQL server, right?

Anyhow, in defining the initial FQDN I had initially used an external .com domain and ran through the wizard and attempted to deploy the topology, but ran into an error. Googling this error confirmed that when using the Standard Edition of Skype for Business 2015 you have to use the server's actual FQDN, which is skypesvr.domain.local. In doing that it also set the internal web service URL to that domain, not allowing that to be changed.

I want to use an external 3rd party SSL cert; however, third-party SSL providers don't allow the use of .local domains anymore.

So is my only choice to use an internal CA in this case? Will that work properly and seamlessly with external clients?

Or, I read that with an Enterprise deployment you can use another FQDN other than the server name, which would circumvent this problem; however, I would have to use more than 1 server and would have to use the Standard Edition of SQL, right?

I'm trying to keep this as simple as possible. Thanks!

Cliff Galiher commented:
When you run the certificate wizard, there are separate certificates for external and internal. While the wizard will let you assign the same cert to both, you can also assign an internal CA cert for internal and a public CA for external clients. That's what I'd do in this instance. The external cert doesn't need to have the .local name and clients find it via autodiscover DNS records. So as long as the DNS name matches the cert, all works well. The server name doesn't need to match.

RFVDB (Author) commented:
Ahhh, very nice. OK cool - I'll try that.

On the internal .local cert, I'm assuming that I'll HAVE to set up a local CA on a server. This is a small environment with about 10 servers; do you think I need to dedicate a server for the CA (I've never set up an internal CA), or can I bundle it on a server acting as a backup DC?

Will the CA need to be up at all times so people can validate the cert?

Thanks again!
Cliff Galiher commented:
If you are going to be running things like SfB, or any network with more than just a few machines, you do want a CA for mTLS. As for dedicating a server, not strictly necessary, but security planning for ANY service is important and really too broad to summarize in an EE response.

RFVDB (Author) commented:
Regarding installing an internal CA, is there any preference to installing a standalone or enterprise CA, since I'll only be using it for the Skype for Business 2015 server?
Cliff Galiher commented:
I almost (almost) always go enterprise for futureproofing. But again, there are planning considerations to be had.
RFVDB (Author) commented:
Hi, thanks for all the input thus far. S4B is a new subject for me so I appreciate the help.

I followed your instructions and selected the "Server Default" and "Web services internal" and selected the internal CA for the default DNS names that came up. Some of these FQDNs overlapped with the "Web Services External" certificate installation, which was odd to me. Anyhow, for all of the external FQDNs, I requested an external SSL cert and that successfully installed.

I finished the setup of my Front End Server. I then found out that I needed an Edge Server. So I set that up and got the dashboard lit up green with the Topology. However, when using the S4B client externally, it comes up with a certificate warning and it's trying to use the internalservername.localdomain.local cert rather than the external cert for It then says "Can't sign in to Lync" "There was a problem verifying the certificate from the server". Obviously because the internal CA is not trusted.

However, the whole point of the external SSL certs was so they would be used externally. Very confusing - but they're not.

Also, when accessing my admin control panel externally I type in and it redirects to internalservername.localdomain.local, instead of staying with the external URL?? Something's not right.

Any input on this URL/SSL stuff would be appreciated.
Cliff Galiher commented:
Sounds like you are doing NAT port forwarding instead of configuring a reverse proxy to the external web services ports as required. SfB knows a client is external and sends the right certificate and settings because the reverse proxy sends traffic properly to external site ports on the FE server(s). If that is improperly configured, external access fails. And do you really want to expose admin access externally?? That's terrible from a security standpoint.
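Added example, not from this thread or from Microsoft: a small RFC 6125-style name check that shows the two certificate problems discussed above (the .local SANs that a public CA will not issue for, and an external client being handed the internal certificate when traffic is NAT-forwarded instead of reverse-proxied). All host names, SAN lists and the "which cert gets presented" rule are constructed assumptions.

```python
"""Added example, not from this thread: RFC 6125-style name matching against a
certificate's SAN list, showing why a public CA will not issue for the .local
names the front end must use and why an external client handed the internal
certificate fails verification. All names and SAN lists are constructed."""
import ipaddress

# Suffixes public CAs will not issue for (the thread's problem is .local).
INTERNAL_SUFFIXES = (".local", ".internal", ".lan", ".corp")

def _san_matches(pattern: str, name: str) -> bool:
    """Match one dNSName SAN against a host name; only a leading '*.' wildcard
    covering exactly one left-most label is honoured (RFC 6125 6.4.3)."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == name
    p_labels, n_labels = pattern.split("."), name.split(".")
    return len(p_labels) == len(n_labels) and p_labels[1:] == n_labels[1:]

def cert_matches(connect_name: str, san_names: list) -> bool:
    """True if the name the client dialled is covered by the certificate."""
    return any(_san_matches(p, connect_name) for p in san_names)

def not_publicly_issuable(san_names: list) -> list:
    """SAN entries a public CA would refuse: internal suffixes, single-label
    names and private IP addresses."""
    rejected = []
    for entry in san_names:
        try:
            if ipaddress.ip_address(entry).is_private:
                rejected.append(entry)
            continue  # public IP: a CA policy question, not covered here
        except ValueError:
            pass  # not an IP literal, treat as a DNS name
        if "." not in entry or entry.lower().endswith(INTERNAL_SUFFIXES):
            rejected.append(entry)
    return rejected

# Constructed SAN lists standing in for the two certificates the wizard assigns.
INTERNAL_CERT_SAN = ["skypesvr.domain.local", "skypesvr", "sip.domain.local"]
EXTERNAL_CERT_SAN = ["sip.example.com", "lyncdiscover.example.com", "webext.example.com"]

def external_client_ok(via_reverse_proxy: bool, connect_name: str = "webext.example.com") -> bool:
    """NAT forwarding lands the client on the internal web site (internal cert);
    a reverse proxy targets the external web services site (public cert).
    Assumed behaviour, modelled on the answer above."""
    presented = EXTERNAL_CERT_SAN if via_reverse_proxy else INTERNAL_CERT_SAN
    return cert_matches(connect_name, presented)
```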
RFVDB (Author) commented:
So a Reverse Proxy is REQUIRED for the most basic S4B setup for external clients to connect smoothly? Can I run the Proxy on the Edge Server or do I need to put it on its own dedicated server (vm)?

I followed this link in setting up the Edge. Once done with setting up the Edge the writer stated that he was able to remotely login with his Skype for Business on-premises accounts - No mention of a Reverse Proxy:

What external DNS names would need to be pointed to the Reverse Proxy Server as opposed to the Edge server? Let me know if I'm treading into another subject and I'll open another thread.

Understood on the external admin access, how do I turn that off?

Thanks again, very much appreciated.
Cliff Galiher commented:
The article you linked to doesn't walk you through setting up a front-end server either. And yet an edge server without a FE would be pretty non-functional! No, the article is focused on one component, but that doesn't mean the other components are not required.

TechNet has all the documentation you require, and if you have specific questions, we are happy to help. But if I'm going to end up trying to walk you through an entire deployment... as it is starting to really should pay a contractor to do that work. I am not in the habit of stealing from their rightfully earned knowledge and income.
RFVDB (Author) commented:
I had messed something up on the install of the Edge server (missed a step from the article) and once I fixed that external clients were able to connect without the certificate error. So all is good now.

I'll ask any other questions in a different thread. Thanks for your help thus far.