Lync Certificate Planning and Assignments


This free white paper describes the detailed certificate configuration for Lync Edge and Reverse Proxy, including how to save money by using one hybrid certificate (wildcard and SAN entries in a single certificate).
It provides detailed information about all possible topology setups and the server components involved.

© 2013 - Thomas Pött, Microsoft MVP LYNC

Lync Certificate Planning and Assignments (Edge, Reverse Proxy, Director, Frontend, Mediation, WAC)

Copyright © and written 2013 by Thomas Pött, MVP Lync / Unified Communication
Blog: Thomas.Poett@live.de

1 About the Author:

Thomas Pött, Microsoft MVP LYNC and MCITP Lync

Extensive experience in business and market development. Specialized in intercultural and business relationships in Asia. Successful in providing leadership on new topics and complex global projects that require interfacing with internal/external teams and ecosystems. Early adopter of visionary technologies.

• 20+ year career within different companies in the areas of software development, telecommunication, IT, mobility and hosted/cloud services.
• Strong technical and business background – was a member of Microsoft's German Inner Circle.
• Organized, logical, rational thinker and problem solver with superb communication and collaboration skills.
• Business management skill in strategically and organizationally developing German SME subsidiaries in Asia

Specialties:
Management: Start-up companies, Business Relation Management, Partner Relation Management, Enterprise Business Sales Skills, strong team leader and motivator, perfect Asian business and human behavior understanding, excellent financial cash flow management
Technical: Microsoft Office 365, Public and Private Cloud Computing, specialized in Hybrid Cloud integration, Unified Communication (LYNC, OCS, Exchange), Security (PKI, ForeFront), Active Directory, German efficiency in consulting

I'm living in Bad Wiessee, Germany near Munich and work for ACP IT Solutions AG. Beside the technical interests, I enjoy paragliding and para-motor.

This article will be part of my new book I'm working on, since Lync Enterprise Voice is a more and more complex environment, where it's difficult to get the right information. Any suggestion about which areas of EV are of interest is welcome; I would be glad to be inspired.
The following article is optimized for Lync 2013, but is in general also valid for Lync 2010 or OCS 2007.

NOTE:
First I need to highlight a topic I am regularly asked to support on. Lync Server and Client make use of certificates, therefore the technical principles of certificate deployment are necessary to understand. If an Internet Explorer setting with a proxy server is activated on your clients or servers, make sure you have the correct design. The CRL (Certificate Revocation List) check is mostly HTTP based (in AD environments also possible via FILE or LDAP); if you have set up an internal proxy which cannot redirect the request into your LAN, you will run into major issues!

I wrote another article in 2012 which may be of interest for you too:
Forefront TMG – Directors, Front End and Standard Edition for Lync
2 GENERAL

Lync Certificate Planning must be separated into three different areas:

1. INTERNAL Deployment (all internally deployed Lync Servers, e.g. Frontend, Directors, Mediation, ...)
   - including the internal NIC of the EDGE Server
2. EXTERNAL Deployment
   2.1. Edge Server
   2.2. Reverse Proxy

Indirectly there is a fourth area: a Pool Server configuration, due to the Virtual Service configured on the Load Balancer. But I will explain this in detail within another blog later.

All Lync Servers have one requirement in common, which is the way they accept authentication based on TLS. To accept the trust, Lync Server needs a match between the certificate's common name and its FQDN. The server or client initiating the communication with the certificate holder uses a DNS lookup to refer to this server FQDN. If this reference does not match the common name of the certificate, the authentication will fail.

The common name, notated as CN in X.500 terminology, is what is referenced and must match the DNS record for the server's FQDN. This required format explains why a dedicated wildcard certificate would not work in Lync Server: the common name must match exactly the FQDN of the A record defined for the referenced server or pool. The DNS A record and the certificate subject name/common name (SN/CN) are also referenced in the trusted server list in the Active Directory service Global or Configuration settings.

Reference: Microsoft Technet Certificate Guide

Important: You cannot use a wildcard CN/SN (for example, *) when you configure certificates for Office Communications Server 2007 R2 and Office Communications Server 2007 (now Lync). If you do so, they will not operate as expected and the problem is very difficult to diagnose. You can use wildcard entries in the subject alternative name, but the common name is specific. Specific issues include the inability to start services because the trusted services in Active Directory Domain Services (AD DS) and the SN and CN do not match, mutual authentication fails, and so on.
Note at last:
And, as mentioned earlier, public CAs and your internal CA can create wildcard SN/CN certificates, but they are neither reliable nor supported. It is recommended that you do this right the first time and avoid the potential for serious issues in the future by not trying to use a certificate with a wildcard SN/CN, such as *, to define the three Edge Server services.
3 Server Components (certificates are required)

3.1 INTERNAL Deployment:

Standard Edition Front End Pool Server
This server is the consolidated "all-in-one" server and requires an internal certificate.

Enterprise Edition Front End Pools
This server is the highly available Lync core component. Beside the local servers themselves, they also provide the consolidated access names and are attached to a Load Balancer. The certificate must contain the Pool and Server name. In certain circumstances it makes sense to have a generic certificate which contains all Pool Server Names and the Pool Name (SAN certificate).

Director Pools
This server is the "Authentication and Redirection" server. In larger deployments with multiple sites, you need the Director to offload authentication traffic and redirect the user to the homed pool.

Mediation Pools
This server is responsible for media conversion.

Persistent Chat Pools
This server handles the "Group Chats".

Trusted Application Server
All servers which need to be trusted by Lync have to be published so that Lync is aware of them. A certificate is required if the trusted server will use TLS.

PSTN Gateway
The PSTN Gateway object might be a Lync Gateway, a Gateway card or a SIP Trunk. With the PSTN Gateway, this depends on how the setup must or can be done. If you make use of a TLS connection, an ISDN card for example, you will need a certificate stored on the PSTN gateway.

Office Web Apps Server
The WAC/OWA server requires a certificate; this is OAuth ready.

NOTE:
As described in the section for the Front End Pool Server, it generally has to be part of the planning how certificates are requested if a Load Balancer is involved. A Load Balancer can be set up in different ways (in-band or out-of-band); this will be discussed in a separate blog. But you need to remember: the Load Balancer is the central point for the IP connection, therefore it needs the FQDN of the POOL in the certificate it presents to the connecting client. Depending on how the Load Balancer is established, you will then understand why the Pool Member Server needs, beside the Pool FQDN, also its local FQDN in its local certificate!

3.2 EXTERNAL Deployment:

Edge Pools
The Edge Server is the main component used to communicate from and with the outside of the organization (responsible for PIC, XMPP, Federation, remote access and Web Conferencing). Edge Pools have one specialty: for best practice and security reasons, they make use of 2 NICs, an internal and an external one.

Note:
Edge Servers need to have 2x NIC in different subnets, need the primary internal DNS suffix set, must not be a domain member and will need two certificates: an internal CA issued certificate for the internally directed interface and an official, public certificate (which I will talk more about later). Additionally, remember to set the default gateway on the external facing NIC, and all internal subnets must be assigned a static route via the internal facing NIC.

Reverse Proxy
This optional component only needs an external certificate and is responsible for web-based services, e.g. the Address Book or the Dial-in Conferencing page.
4 Topologies

The topology represents your entire corporate Lync Server deployment and all involved Lync systems, with one exception, the Reverse Proxy. Since we want to define the necessary certificates, it is necessary to fully understand the topology and each server function, which then represents the service making use of the certificate.

4.1 Internet facing Systems

Before we actually start with the topologies, we need a clarification of what the external facing systems will do, what they are responsible for and what not.

Which kinds of usability scenarios do we have?
• Remote Users
• Federated Users
• Public Instant Messaging Connectivity Users
• Mobile Users

And the types of communication:
• IM
• Presence
• Audio/ Video/ App Sharing
• Web Conferencing
• A/V Conferencing

4.1.1 Edge Server:
The Edge Server is the Internet facing system responsible for enabling users to communicate with external partners, connect remotely and establish connectivity with public IM services, like Live or Skype. Also the Audio/Video and App Sharing traffic runs through the Edge Server if a meeting is in place.
One newer component, called XMPP (Extensible Messaging and Presence Protocol), has been established in the Edge Server since Lync 2013; it is used for partner federation, e.g. Google Talk.
The Edge Server is not responsible for any service other than the services described in this section.

4.1.2 Reverse Proxy:
The Reverse Proxy, an optional component that is not part of the Lync Server Topology, becomes responsible for several areas and will publish internal resources. It can be separated into two areas: the remote user connectivity and, generally speaking, "meetings".
Remote User:
Remote users need to connect to the Lync Server internal services, called "Web Services"; they are responsible for Address Book Synchronization, Distribution List Expansion, Device Updates and Mobility Services.

Meetings:
Access to Meetings, Conference Join Locations (PSTN Dial-In Numbers), access to personal Dial-In and PIN information, download of Meeting Content.

4.2 Topology and certificate assignment

In sum we will have one primary and two secondary SIP domains defined in our example topologies. The third deployment would be a very complex scenario, with multiple geographically deployed Edge Servers/ Reverse Proxies. I am not having a look into Enterprise Voice; it is not required since we want to understand the certificate design.

Our deployed domains are:
Active Directory Domain: INTERNAL.AD
SIP PRIMARY DOMAIN: DOMAIN.COM
SIP Secondary Domains: DOMAIN-A.COM and DOMAIN-B.COM

In general, what we have to remember for Lync Topology designs and the related certificates is:
1. On Edge Server, wildcard certificates are not allowed
2. On Edge Server we need a matching CN and 1st SAN entry of the access FQDN, e.g. SIP.DOMAIN.COM
3. On Edge Server we need SAN entries for AV and Web Conferencing
4. On Reverse Proxy, we need a CN matching the associated Director Pool external Web Service FQDN
5. On Reverse Proxy, all external Web Service FQDNs must be in the SAN
6. On Reverse Proxy, all other FQDNs can be consolidated in a wildcard entry
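The naming rules of section 2 (exact CN, wildcards only in the SAN) and the six rules listed above are easy to get wrong on paper, so here is an added example, not part of the white paper, that checks a planned Edge and Reverse Proxy certificate against them before a request is submitted to the CA. All host names (av.domain.com, webdirext.domain.com, web01ext.domain.com, lyncdiscover.domain-a.com and so on) are constructed from the paper's example domains; the AV and web conferencing labels, and the assumption that rule 5 requires an explicit entry rather than wildcard coverage, are this example's reading of the text.

```python
"""Added example (not the author's code): check a planned Lync Edge or
Reverse Proxy certificate against the naming rules of sections 2 and 4.2.
All host names below are constructed from the paper's example domains."""

from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class PlannedCert:
    common_name: str
    sans: list[str] = field(default_factory=list)


def is_wildcard(name: str) -> bool:
    return name.startswith("*.")


def name_matches(cert_name: str, fqdn: str) -> bool:
    """X.509 style comparison: exact match, or a wildcard that covers exactly
    one left-most label (so *.domain-a.com covers meet.domain-a.com, but not
    domain-a.com itself and not a.b.domain-a.com)."""
    cert_name, fqdn = cert_name.lower(), fqdn.lower()
    if not is_wildcard(cert_name):
        return cert_name == fqdn
    suffix = cert_name[1:]                      # ".domain-a.com"
    if not fqdn.endswith(suffix):
        return False
    head = fqdn[:-len(suffix)]
    return head != "" and "." not in head


def check_edge(cert: PlannedCert, sip_domains: list[str],
               av_fqdn: str, webconf_fqdn: str) -> list[str]:
    """Rules 1-3 plus Table 1: no wildcards at all, CN and first SAN are the
    access edge FQDN of the primary SIP domain, every secondary SIP domain has
    its own sip. entry, and the AV and web conferencing FQDNs are present."""
    problems = []
    sans = [s.lower() for s in cert.sans]
    access = f"sip.{sip_domains[0]}".lower()
    if is_wildcard(cert.common_name) or any(is_wildcard(s) for s in sans):
        problems.append("rule 1: wildcard entries are not allowed on the Edge certificate")
    if cert.common_name.lower() != access:
        problems.append(f"rule 2: CN must be the access edge FQDN {access}")
    if not sans or sans[0] != access:
        problems.append("rule 2: first SAN entry must repeat the CN")
    for domain in sip_domains[1:]:
        if f"sip.{domain}".lower() not in sans:
            problems.append(f"SAN entry sip.{domain} missing for secondary SIP domain")
    for label, fqdn in (("AV", av_fqdn), ("web conferencing", webconf_fqdn)):
        if fqdn.lower() not in sans:
            problems.append(f"rule 3: SAN entry for {label} ({fqdn}) missing")
    return problems


def check_reverse_proxy(cert: PlannedCert, director_ext_fqdn: str,
                        web_service_fqdns: list[str],
                        other_fqdns: list[str]) -> list[str]:
    """Rules 4-6: CN is the Director pool's external web service FQDN, every
    external web service FQDN has an explicit SAN entry, and every other
    published name is covered by an explicit entry or a one-label wildcard."""
    problems = []
    sans = [s.lower() for s in cert.sans]
    if cert.common_name.lower() != director_ext_fqdn.lower():
        problems.append(f"rule 4: CN must be the Director external web service FQDN {director_ext_fqdn}")
    for fqdn in web_service_fqdns:
        if fqdn.lower() not in sans:
            problems.append(f"rule 5: external web service FQDN {fqdn} must be an explicit SAN entry")
    for fqdn in other_fqdns:
        if not any(name_matches(s, fqdn) for s in sans):
            problems.append(f"rule 6: {fqdn} is covered neither by a SAN entry nor by a wildcard")
    return problems


# Constructed sample plan following the paper's COMPLEX TOPOLOGY diagram.
SIP_DOMAINS = ["domain.com", "domain-a.com", "domain-b.com"]

EDGE_CERT = PlannedCert(
    common_name="sip.domain.com",
    sans=["sip.domain.com", "sip.domain-a.com", "sip.domain-b.com",
          "av.domain.com", "webconf.domain.com"])

RP_CERT = PlannedCert(
    common_name="webdirext.domain.com",
    sans=["webdirext.domain.com", "web01ext.domain.com", "web02ext.domain.com",
          "meet.domain.com", "dialin.domain.com", "*.domain-a.com", "*.domain-b.com"])


def validate_sample_plan() -> dict[str, list[str]]:
    """Run both checks over the constructed plan; an empty list means compliant."""
    return {
        "edge": check_edge(EDGE_CERT, SIP_DOMAINS, "av.domain.com", "webconf.domain.com"),
        "reverseproxy": check_reverse_proxy(
            RP_CERT, "webdirext.domain.com",
            ["web01ext.domain.com", "web02ext.domain.com"],
            ["meet.domain.com", "dialin.domain.com", "meet.domain-a.com",
             "dialin.domain-b.com", "lyncdiscover.domain-a.com"]),
    }


if __name__ == "__main__":
    for role, problems in validate_sample_plan().items():
        print(role, "OK" if not problems else problems)
```

Note that the simple URLs in the primary domain (meet.domain.com, dialin.domain.com) have to be explicit entries in this plan, because the primary domain gets no wildcard; the secondary domains are the only ones consolidated into *.domain-a.com and *.domain-b.com, exactly as the diagrams show.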
4.2.1 SIMPLE TOPOLOGY

The "SIMPLE TOPOLOGY" is the most common deployment for smaller customers. High availability is mostly not required by Lync due to virtualization. For those customers, VM host availability and snapshots are sufficient.

The simple deployment includes the full feature set of Lync in direction to the internet. This includes login possibility for all Lync Clients, incl. App Store and Mobile clients. Federation is also handled.

Diagram "SIMPLE TOPOLOGY" (LAN / DMZ / INTERNET), certificate assignment per component:

• Lync Front End (PKI internal): Common Name: sip.internal.ad; SAN*: fe01.internal.ad, sip.(alldomains), lyncdiscoverinternal.(alldomains), dialin.domain.com, meet.domain.com
• Office Web Apps (PKI internal): Common Name: wac01.internal.ad
• Lync Edge, internal NIC (PKI internal): Common Name: edge.internal.ad
• Lync Edge, external NIC (Public CA): Common Name: sip.domain.com; SAN: sip.domain.com, sip.domain-a.com, sip.domain-b.com, webconf.domain.com
• Reverse Proxy (Public CA): SAN includes *.domain-b.com (the remaining entries are not legible in the source diagram); Listener01: to Lync Front End; Listener02: to Office Web Apps

*) If you want to establish multiple domain based simple URLs, all of them must be included in the SAN. You also have the opportunity to create the same wildcard+SAN mixture certificate.
4.2.2 COMPLEX TOPOLOGY

The "COMPLEX TOPOLOGY" is the most common deployment for larger, multi-pool customers. High availability is required for Lync and, due to multi-pool deployments, login traffic must be handled by Director Servers.

This deployment includes the full feature set of Lync in direction to the internet. This includes login possibility for all Lync Clients, incl. App Store and Mobile clients. Federation is also handled.

Diagram "COMPLEX TOPOLOGY" (LAN / DMZ / INTERNET), certificate assignment per component:

• Lync Front End Pool01 (PKI internal): Common Name: pool01.internal.ad; SAN*: pool01.internal.ad, fe11.internal.ad, fe12.internal.ad, web01ext.domain.com, dialin.domain.com, meet.domain.com
• Lync Front End Pool02 (PKI internal): Common Name: pool02.internal.ad; SAN*: pool02.internal.ad, fe21.internal.ad, fe22.internal.ad, web02ext.domain.com, dialin.domain.com, meet.domain.com
• Lync Director Pool (PKI internal): Common Name: sip.internal.ad; SAN*: sip.domain.com, dir11.internal.ad, dir12.internal.ad, webdirext.domain.com, meet.domain.com, dialin.domain.com, lyncdiscoverinternal.(alldomains). Serves SIP.(alldomains) + Simple URL + Mobility + WebService
• Office Web Apps (PKI internal): Common Name: wac01.internal.ad
• Lync Edge Pool, internal NIC (PKI internal): Common Name: edge.internal.ad; SAN: edge.internal.ad, edge11.internal.ad, edge12.internal.ad
• Lync Edge Pool, external NIC (Public CA): Common Name: sip.domain.com; SAN: sip.domain.com, sip.domain-a.com, sip.domain-b.com, av.domain.com, webconf.domain.com
• Reverse Proxy (Public CA): SAN includes *.domain-b.com (the remaining entries are not legible in the source diagram); Listener01: to Lync FE Pool01; Listener02: to Lync FE Pool02; Listener03: to Director Pool, simple URL, mobility and its WebService; Listener04: to Office Web Apps

*) If you want to establish multiple domain based simple URLs, all of them must be included in the SAN. You also have the opportunity to create the same wildcard + SAN mixture certificate. Wildcard is supported for simple URLs only.
4.2.3 GEOGRAPHICALLY deployed COMPLEX TOPOLOGY

The "GEOGRAPHICALLY COMPLEX TOPOLOGY" is the most complex deployment for international customers. High availability is required for Lync, and this is also extended into a multi-region Edge Access scenario.

This deployment includes the full feature set of Lync in direction to the internet. This includes login possibility for all Lync Clients, incl. App Store and Mobile clients. Federation is also handled.

The main component for geographically distributed deployments is the GEO-Load Balancer. It handles the Internet based distribution for Edge Access. Since I'm talking about certificates, it is important to understand the certificate distribution.
Diagram "GEOGRAPHICALLY deployed COMPLEX TOPOLOGY" (LAN / DMZ / INTERNET, Datacenter US and Datacenter GERMANY), certificate assignment per component:

Datacenter US:
• Lync Front End Pool01 (PKI internal): Common Name: pool01.internal.ad; SAN*: pool01.internal.ad, fe11.internal.ad, fe12.internal.ad, web01ext.domain.com, dialin.domain.com, meet.domain.com
• Lync Director Pool USA (PKI internal): Common Name: sip.internal.ad; SAN*: sip.domain.com, dir11.internal.ad, dir12.internal.ad, webdirUSext.domain.com, meet.domain.com, dialin.domain.com, lyncdiscoverinternal.(alldomains). Serves SIP.(alldomains) + Simple URL + Mobility + WebService
• Office Web Apps (PKI internal): Common Name: wac01.internal.ad
• Lync Edge Pool USA, internal NIC (PKI internal): Common Name: edgeUSA.internal.ad; SAN: edgeUSA.internal.ad, edge11.internal.ad, edge12.internal.ad
• Lync Edge Pool USA, external NIC (Public CA): Common Name: sip.domain.com; SAN: sip.domain.com, sip.domain-a.com, sip.domain-b.com, av.domain.com, webconf.domain.com
• Reverse Proxy USA (Public CA): SAN includes *.domain-b.com (the remaining entries are not legible in the source diagram); Listener01: to Lync FE Pool01; Listener02: to Lync FE Pool02; Listener03: to Director Pool, simple URL, mobility and its WebService; Listener04: to Office Web Apps

Datacenter GERMANY:
• Lync Front End Pool02 (PKI internal): Common Name: pool02.internal.ad; SAN*: pool02.internal.ad, fe21.internal.ad, fe22.internal.ad, web02ext.domain.com, dialin.domain.com, meet.domain.com
• Lync Director Pool GERMANY (PKI internal): Common Name: sip.internal.ad; SAN*: sip.domain.com, dir11.internal.ad, dir12.internal.ad, webdirGERext.domain.com, meet.domain.com, dialin.domain.com, lyncdiscoverinternal.(alldomains). Serves SIP.(alldomains) + Simple URL + Mobility + WebService
• Office Web Apps (PKI internal): Common Name: wac01.internal.ad
• Lync Edge Pool GERMANY, external NIC (Public CA): Common Name: sip.domain.com; SAN: sip.domain.com, sip.domain-a.com, sip.domain-b.com, av.domain.com, webconf.domain.com (the internal NIC certificate of this pool is not legible in the source diagram)
• Reverse Proxy GERMANY (Public CA): Listener01: to Lync FE Pool01; Listener02: to Lync FE Pool02; Listener03: to Director Pool, simple URL, mobility and its WebService; Listener04: to Office Web Apps

*) If you want to establish multiple domain based simple URLs, all of them must be included in the SAN. You also have the opportunity to create the same wildcard + SAN mixture certificate. Wildcard is supported for simple URLs only.

GEO Load Balancer, e.g. KEMP GEO LOADMASTER: deployed in three regions, US, GERMANY and SINGAPORE. DNS queries will be redirected to any of these GEO LOADMASTERs. Based on the client's location, the nearest LYNC EDGE Server site will be chosen.

Internally, you have two choices:
1.) use two independent DNS server zones
2.) use a GEO Load Balancer for your internal deployment
5 Certificate Template Table

To make it easier for you, I prefilled the template with this configuration example: we have 3 SIP domains in our deployment, 1x Enterprise Pool plus 1x Standard Edition Server in a branch. I also have 1x Director installed.

5.1 EDGE SERVER

Type          Configuration / Comment
Common Name   Primary SIP domain
SAN           First SAN entry must repeat the primary SIP domain
SAN           Web Conferencing: only needed for the named primary SIP domain
SAN           XMPP Federation (if installed) of the primary SIP domain
SAN           Second SIP domain
SAN           Third SIP domain

Table 1 Edge Server external Certificate

5.2 REVERSE PROXY SERVER

Type          Configuration / Comment
Common Name   Just a Common Name
SAN           External URL of Director Server. Must be primary SIP domain
SAN           External URL of Enterprise Pool Server. Must be primary SIP domain
SAN           External URL of Standard Server. Must be primary SIP domain
SAN           *.DOMAIN-A.com
SAN           *.DOMAIN-B.com

Table 2 Reverse Proxy Server external Certificate

5.3 HYBRID CERTIFICATE (SUMMARY)

Type          Configuration / Comment
Common Name   Primary SIP domain
SAN           sip.domain.com
SAN           wc.domain.com
SAN           xmpp.domain.com
SAN           sip.DOMAIN-A.com
SAN           sip.DOMAIN-B.com
SAN           extdir01.domain.com
SAN           extweb01.domain.com
SAN           extweb02.domain.com
SAN           *                    This is the wildcard part for the Reverse Proxy of DOMAIN-A.com
SAN           *                    This is the wildcard part for the Reverse Proxy of DOMAIN-B.com

Table 3 Consolidated, public Certificate

6 Certificate Request Generation

How do I request the Wildcard+SAN certificate?

The following demonstration explains the hybrid certificate request in Lync. This has to be done on the Edge Server itself. You have to log in to the Edge Server and start the Bootstrapper, then you choose "Request, Install and Assign Certificates".

In this example, I'm using three domains:
PRIMARY SIP Domain: cie.acp.de
SECONDARY SIP Domains: and
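Table 3 is the hand-built union of Table 1 and Table 2. As an added example, not the author's code or tooling, the following derives that consolidated name list from a description of the topology, keeps the Edge ordering rule (CN repeated as first SAN), and checks that no Edge name is left to a wildcard. It assumes the labels sip, webconf and xmpp for the Edge services (Table 3 abbreviates web conferencing as wc) and uses the paper's constructed external web service names extdir01, extweb01 and extweb02.

```python
"""Added example (not from the white paper): build the consolidated
"hybrid" public certificate (wildcard + SAN) of Table 3 from a topology
description, so the Edge Server and the Reverse Proxy can share one
certificate. Host names are constructed from the paper's example domains."""

from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Topology:
    primary_sip_domain: str
    secondary_sip_domains: list[str]
    external_web_fqdns: list[str]      # Director / pool external web services (Table 2)
    xmpp_federation: bool = False
    # simple URL labels published in the primary domain (no wildcard there)
    simple_urls_primary: list[str] = field(default_factory=list)


def edge_names(t: Topology) -> list[str]:
    """External Edge names per Table 1: access edge of every SIP domain, web
    conferencing and (optionally) XMPP in the primary domain. The labels are
    an assumption of this example."""
    names = [f"sip.{t.primary_sip_domain}", f"webconf.{t.primary_sip_domain}"]
    if t.xmpp_federation:
        names.append(f"xmpp.{t.primary_sip_domain}")
    names += [f"sip.{d}" for d in t.secondary_sip_domains]
    return names


def reverse_proxy_names(t: Topology) -> tuple[list[str], list[str]]:
    """Per Table 2: explicit entries (external web services and primary-domain
    simple URLs) and one wildcard per secondary SIP domain for everything else."""
    explicit = list(t.external_web_fqdns)
    explicit += [f"{label}.{t.primary_sip_domain}" for label in t.simple_urls_primary]
    wildcards = [f"*.{d}" for d in t.secondary_sip_domains]
    return explicit, wildcards


def plan_hybrid_certificate(t: Topology) -> tuple[str, list[str]]:
    """CN is the primary access edge FQDN and is repeated as the first SAN
    (rule 2 for the Edge); then the remaining Edge names, then the Reverse
    Proxy entries. Duplicates are dropped while keeping first-seen order."""
    cn = f"sip.{t.primary_sip_domain}"
    explicit, wildcards = reverse_proxy_names(t)
    seen: set[str] = set()
    sans: list[str] = []
    for name in [cn] + edge_names(t) + explicit + wildcards:
        if name.lower() not in seen:
            seen.add(name.lower())
            sans.append(name)
    return cn, sans


def wildcard_free_edge(t: Topology, sans: list[str]) -> bool:
    """Rule 1: every Edge name must be an explicit entry; a wildcard entry
    in the same certificate may not stand in for it."""
    explicit = {s.lower() for s in sans if not s.startswith("*.")}
    return all(name.lower() in explicit for name in edge_names(t))


# Constructed topology of section 5: three SIP domains, one Enterprise pool,
# one Standard Edition branch server and one Director, XMPP federation on.
SAMPLE = Topology(
    primary_sip_domain="domain.com",
    secondary_sip_domains=["domain-a.com", "domain-b.com"],
    external_web_fqdns=["extdir01.domain.com", "extweb01.domain.com", "extweb02.domain.com"],
    xmpp_federation=True,
)


if __name__ == "__main__":
    cn, sans = plan_hybrid_certificate(SAMPLE)
    print("CN :", cn)
    for entry in sans:
        print("SAN:", entry)
    print("edge names all explicit:", wildcard_free_edge(SAMPLE, sans))
```

The resulting list is the ten entries of Table 3 in the same order, with *.domain-a.com and *.domain-b.com as the only wildcards. If the Reverse Proxy also publishes simple URLs in the primary domain, pass them in simple_urls_primary and they are added as explicit entries, because the primary domain deliberately has no wildcard.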
Since this will be our hybrid certificate, there is still one point we haven't spoken about: how do we request this certificate? If you, for example, initiate the request with DigiCert, you need to buy three (3) wildcard certificates first, then you proceed with DigiCert manually via email. So remember that placing the order might take one or two days longer.
We need to prepare a CSR file for external, manual requests:
The friendly name is only for better identification of the certificate in the store:
The first defined SANs are provided by Lync automatically.

Next, you need to include the addressed SIP domains configured in the Lync Topology Builder.

As discussed, here we come to the point where we need to add the additional SAN entries as explained and defined in the table earlier:
Verify the correct CN and SAN entries:
Finally you have defined the certificate request. This is your CSR file. Provide this information to your certificate supplier.

Note:
Remember, the certificate file you will receive will NOT contain the PRIVATE KEY. The private key will be generated once you apply this certificate on the Edge Server where you generated the request!
Only after this process is fully done do you have the private key, and the certificate is ready to be exported and imported on the other servers, e.g. Edge and Reverse Proxy.
7 Best Practice

Beside the certificate design and planning process, there are some more points to remember. I have listed all important areas you must consider during your design and planning process.

• Network Interface Cards:
You have to use two NICs, one for internal and one for external communication. The default gateway has to be set on the external facing NIC, while you must use "persistent static routes" to all your internal networks. The DNS should be pointing to the internal DNS server; if you are choosing an external DNS or a DNS in a DMZ, make sure you can resolve the internal Lync Servers. If you can't, you need to provide a hosts file.

• Edge Server and Reverse Proxy combination:
As stated earlier, the full feature set in Lync is only available if you make use of the Edge Server, the Reverse Proxy and all required external DNS entries (incl. SRV records). If the Reverse Proxy is not deployed, you will miss the following features: address book download, location information, device update, Lync Web App and NON-DOMAIN client login. The non-domain client login requires authenticated access to the Certificate Provisioning Service! Also the App Store and Mobile Clients can't log in without the published autodiscovery services. This is the same for access to Exchange Web Services (EWS).

• Director Server Service:
The Director Server is an optional component, responsible for offloading user authentication and pool redirection. It also provides an additional layer of protection for external client connections.

• Reverse Proxy Listener:
Keep the Web Listeners as limited as possible. Use only one (1) Listener per internal destination server. Make sure the Listener can work with the hybrid certificate to minimize costs.
References:
• Request and Configure a Certificate for Your Reverse HTTP Proxy (Technet)
• Certificate Summary - Single Consolidated Edge with Private IP Addresses Using NAT (Technet)
• Certificate Summary - Single Consolidated Edge with Public IP Addresses (Technet)
• Certificate Summary - Scaled Consolidated Edge, DNS Load Balancing with Private IP Addresses Using NAT (Technet)
• Certificate Summary - Scaled Consolidated Edge, DNS Load Balancing with Public IP Addresses (Technet)
• Certificate Summary - Scaled Consolidated Edge with Hardware Load Balancers (Technet)