PKI and Certificates in Lync Server 2010

Handling of certificates has greatly improved in Lync Server when compared to OCS.

Firstly, let us look at what certificates are used for in Lync Server.

  • TLS connections between client and server
  • MTLS connections between servers
  • Federation using automatic DNS discovery of partners
  • Remote user access for instant messaging (IM)
  • External user access to audio/video (A/V) sessions, application sharing, and conferencing

Some Lync roles require certificates issued by Certificate Providers, while many roles can use certificates issued from an internal CA.

Microsoft has verified a number of Certificate Providers who issue (sell) public certificates that are UC compatible; the current list is available here.

Certificates for Internal Servers


Certificates for Standard Edition Server

| Certificate | Subject name / Common name | Subject alternative name | Example | Comments |
|---|---|---|---|---|
| Default | FQDN of the pool | FQDN of the pool and the FQDN of the server | SN=se01.contoso.com; SAN=se01.contoso.com | On a Standard Edition server, the server FQDN is the same as the pool FQDN. The wizard detects any SIP domains you specified during setup and automatically adds them to the SAN. |
| Web internal | FQDN of the server | Each of the following: internal web FQDN; simple URLs | SN=se01.contoso.com; SAN=se01.contoso.com; SAN=meet.contoso.com; SAN=meet.fabrikam.com; SAN=dialin.contoso.com; SAN=admin.contoso.com | The internal web FQDN cannot be overwritten in Topology Builder. |
| Web external | FQDN of the server | Each of the following: external web FQDN; simple URLs | SN=se01.contoso.com; SAN=webcon01.contoso.com; SAN=meet.contoso.com; SAN=meet.fabrikam.com; SAN=dialin.contoso.com | If you have multiple Meet simple URLs, you must include all of them as SANs. |

Certificates for Front End Server in a Front End Pool

| Certificate | Subject name / Common name | Subject alternative name | Example | Comments |
|---|---|---|---|---|
| Default | FQDN of the pool | FQDN of the pool and FQDN of the server | SN=eepool.contoso.com; SAN=eepool.contoso.com; SAN=ee01.contoso.com | The wizard detects any SIP domains you specified during setup and automatically adds them to the Subject Alternative Name. |
| Web internal | FQDN of the server | Each of the following: internal web FQDN; simple URLs | SN=ee01.contoso.com; SAN=ee01.contoso.com; SAN=meet.contoso.com; SAN=meet.fabrikam.com; SAN=dialin.contoso.com; SAN=admin.contoso.com | The internal web FQDN cannot be overwritten in Topology Builder. |
| Web external | FQDN of the server | Each of the following: external web FQDN; simple URLs | SN=ee01.contoso.com; SAN=webcon01.contoso.com; SAN=meet.contoso.com; SAN=meet.fabrikam.com; SAN=dialin.contoso.com | If you have multiple Meet simple URLs, you must include all of them as SANs. |

Certificates for Director

| Certificate | Subject name / Common name | Subject alternative name | Example |
|---|---|---|---|
| Default | FQDN of the Director pool | FQDN of the Director / Director pool | SN=dir-pool.contoso.com; SAN=dir-pool.contoso.com; SAN=dir01.contoso.com |
| Web internal | FQDN of the server | Each of the following: internal web FQDN; simple URLs | SN=dir01.contoso.com; SAN=dir01.contoso.com; SAN=meet.contoso.com; SAN=meet.fabrikam.com; SAN=dialin.contoso.com; SAN=admin.contoso.com |
| Web external | FQDN of the server | Each of the following: external web FQDN; simple URLs. The Director external web FQDN must be different from the Front End pool or Front End Server. | SN=dir01.contoso.com; SAN=directorwebcon01.contoso.com; SAN=meet.contoso.com; SAN=meet.fabrikam.com; SAN=dialin.contoso.com |

Certificates for External Servers


Certificates for Edge

| Certificate | Subject name / Common name | Subject alternative name | Example |
|---|---|---|---|
| Default | FQDN of the Access Edge | FQDN of the Access Edge; FQDN of the Web Conferencing Edge | SN=access.contoso.com; SAN=access.contoso.com; SAN=webcon.contoso.com; SAN=sip.contoso.com; SAN=sip.fabrikam.com |
| Internal Interface | FQDN of the Access Edge internal interface | None | SN=lsedge.contoso.com |

Certificates for Reverse Proxy

| Certificate | Subject name / Common name | Subject alternative name | Example |
|---|---|---|---|
| Default | FQDN of the pool | FQDN of the pool; simple URLs | SN=webext.contoso.com; SAN=webext.contoso.com; SAN=meet.contoso.com; SAN=dialin.contoso.com |

Wildcard certificates are supported, but with a number of caveats and limitations. These limitations are not explicitly documented, but Jeff Schertz has pulled together the available information and shows that in reality wildcard certificates are of little benefit. However, this article has a very good explanation of how certificate requests are handled in Lync 2010, and explains in detail the Request-CsCertificate PowerShell cmdlet.

Viewing the certificates assigned in Lync 2010 takes a little work, as documented on Inside OCS: you either have to run the installation wizard or use PowerShell: Get-CsCertificate | fl -Property *.

The PowerShell cmdlets available to manage certificates in Lync are:

| Cmdlet | Description |
|---|---|
| Get-CsCertificate | Returns information about certificates on the local computer that have been configured for use with Microsoft Lync Server 2010. |
| Import-CsCertificate | Imports a certificate for use with Microsoft Lync Server 2010. If a certificate is not acquired by using the Request-CsCertificate cmdlet, then that certificate must be imported before it can be assigned to a Lync Server 2010 server role. |
| Remove-CsCertificate | Removes a certificate previously marked as being available for use by Microsoft Lync Server 2010. |
| Request-CsCertificate | Provides a way to request certificates for use with servers running Microsoft Lync Server 2010 and server roles. Also provides a way to check the status of existing certificate requests and, if needed, to cancel any (or all) of those requests. |
| Set-CsCertificate | Enables you to assign a certificate to a Microsoft Lync Server 2010 server or server role. |
| Test-CsCertificateConfiguration | Returns information about the Microsoft Lync Server 2010 certificates being used on the local computer. |
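As an added example (not code from the original post), the following PowerShell ties the cmdlet list to the tables above: it asks Get-CsCertificate which certificate is assigned to a role, reads that certificate from the local machine store, parses its Subject Alternative Name extension, and reports any required name the certificate lacks, plus an expiry warning. Get-CsCertificate, its -Type values and the Cert: drive are real; the FQDNs, simple URLs and the helper function names are constructed for a hypothetical contoso.com Front End pool.

```powershell
# Added example (not from the post): check that the certificate Lync has
# assigned to a role covers every name the role needs. Run in the Lync Server
# Management Shell on the server itself; all FQDNs below are constructed.

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    # Common name from the subject, e.g. "CN=ee01.contoso.com, O=Contoso"
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    # Subject Alternative Name extension (OID 2.5.29.17); on Windows, Format($true)
    # renders one "DNS Name=<fqdn>" entry per line
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match 'DNS Name=(\S+)') { $names += $Matches[1] }
        }
    }
    $names | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique
}

function Test-LyncCertificateNames {
    param(
        [string]$Type,             # Default, WebServicesInternal, WebServicesExternal, ...
        [string[]]$RequiredNames,  # taken from the role's row in the tables above
        [int]$ExpiryWarningDays = 30
    )
    $ref = Get-CsCertificate -Type $Type | Select-Object -First 1
    if (-not $ref) { Write-Warning "No certificate assigned for type $Type"; return $false }
    # Lync assigns certificates from the local computer's personal store
    $cert = Get-Item "Cert:\LocalMachine\My\$($ref.Thumbprint)"
    $present = @(Get-CertificateDnsNames -Cert $cert)
    $missing = @($RequiredNames | ForEach-Object { $_.ToLowerInvariant() } |
        Where-Object { $present -notcontains $_ })
    foreach ($m in $missing) { Write-Warning "$Type certificate lacks name: $m" }
    if ($cert.NotAfter -lt (Get-Date).AddDays($ExpiryWarningDays)) {
        Write-Warning "$Type certificate expires $($cert.NotAfter)"
    }
    return ($missing.Count -eq 0)
}

# Constructed Front End pool member ee01 in eepool.contoso.com with Meet simple
# URLs for contoso.com and fabrikam.com (compare the Front End pool table rows).
$defaultOk = Test-LyncCertificateNames -Type Default -RequiredNames @(
    'eepool.contoso.com', 'ee01.contoso.com')
$externalOk = Test-LyncCertificateNames -Type WebServicesExternal -RequiredNames @(
    'webcon01.contoso.com', 'meet.contoso.com', 'meet.fabrikam.com', 'dialin.contoso.com')
"Default: $defaultOk  WebServicesExternal: $externalOk"
```

Because the check parses the SAN extension rather than trusting the friendly name, it also catches a certificate that was re-requested without one of the Meet simple URLs.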

4 comments:

  1. Nice article,

    I just have a question on deploying certificates for a standard server.

    Our internal domain is a .local domain, so the FQDN is lync1.wbc.local; our external domain names are then added as SANs, which is all fine.

    However, our certificate authority (GoDaddy) won't issue a UCC certificate with a .local FQDN as the common name. Any ideas how we can change the common name to one of the official FQDNs and move the .local to one of the SAN addresses?

    Many thanks

    Matt

    1. Hi Matt,

      Did you ever find a way around this issue? We use GoDaddy too and face the same problem.

  2. Hello,

    Same question, the pool name is pool.domain.local. Is it mandatory to put the front end FQDN in the SN of the certificate?