Edge server external certificate CN

For certification in edge external, some instructions said that CN is accessedge.contoso.com, and SAN includes accessedge.contoso.com and sip.contoso.com
But in other instructions, it only needs sip.contoso.com as CN and SAN.
I am confused, what is the purpose of accessedge.contoso.com ?

Accessedge.contoso.com represents whatever name you choose for your external access edge role. Sip.contoso.com will always be present as a SAN in the certificate as well. So, you can take this route and have those two SANs in the certificate,
or you can set the access edge FQDN to sip.contoso.com to save a SAN in your certificate.
Really, the only purpose of having accessedge.contoso.com is to have a better naming convention that just reusing sip.contoso.com, or perhaps if you have multiple pools and want separate access edge names for each.
Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
SWC Unified Communications

Similar Messages

Lync Edge Server External Private Certificate

Hey GURUS!
Please help me out:
I'm having issues accessing Lync from external network.
Mobile clients login fine, but computer clients fail to login.
My current deployment consists in a single 2013 front-end and a single 2013 edge server.
All servers have certificates from my internal CA.
All servers have the root CA certificate installed in the trusted root certificate authority.
I have 2 sip domains, and the edge certificate has both sip domains.
However, when I test from test connectivity.microsoft.com, I get an error regarding the certificate chain.
I can't understand why lync requires a intermediate certificate, if I don't have any published in my organisation.
The certificate path goes: Root CA -> Certificate.
Also, the lync discover test runs with no errors what so ever.
This error on the edge didn't occur when I had lync 2010 running.
Does anyone know how to solve this?
Thanks!
Andrey Santana
edit: i forgot to upload the screenshot

Thiago,
The certificates from the Front End / Reverse Proxy are also from the internal CA and I don't get the error, it actually runs successfully.
Andrey
How did you test the certificates from the Front End and Reverse Proxy Server?
The public website connectivity.microsoft.com need a public certificate.
But if you use private certificate in lab, it could work as long as you install the Root CA certificate on client computer.
Lisa Zheng
TechNet Community Support

Wildcard Certifikate - Edge server/External web

Hello,
In our company we have deployed Lync 2013 CU4 with topology,
Edge server - One for all roles a/v
Front End - Standard with all roles
All certs are form our internal CA, and it works for my domain users. But for all external users or skype we need external cert. We have one wildcard cert for our domain.
So question is can we user wildcard cert for our Edge server, and exteranal serwis of front end.
Front end i think can use that is on tech net: http://technet.microsoft.com/en-us/library/gg398094.aspx

Good morning,
Using a wildcard certificate on Lync Edge server is not supported, and indeed will cause you problems.
It also sounds like you are passing your Lync web services directly to your front end server. This is not recommended, and you should use a reverse proxy for this purpose. You would then place an external (public) certificate on that reverse proxy. So there's
no need for a public cert on the front end in this scenario.
You may consolidate the certificate requirements for reverse proxy and Edge onto a single multi-san certificate, and use that same certificate on both servers.
OR
If you use two separate certificates then it is supported to use a wildcard public certificate on the reverse proxy (web services), but your Edge certificate must be a separate multi-san certificate.
Kind regards
Ben
Note: If you find a post informative, please mark it so using the arrow to the left. If it answers a question you've asked, please mark the thread as answered to aid others when they're looking for solutions to similar problems or queries.
For Fun: Gecko-Studio | For Work:
Nexus Open Systems

Lync Edge Server 2013 Certificate Issue seems unresolvable

I've implemented a single internal Standard Edition Front End server with a single consolidated Edge server and Reverse Proxy server/appliance located in a perimeter network.
On the internal IP of the Edge server I use a certificate form a internal CA ( which is trusted by the edge server), the "internal" certificate issued by the internal Ca is used only between the edge server and the frontend server. An external certificate
with cn sip.ipabo.nl and alt.subj sip.ipabo.nl and webconf.ipabo.nl. from Globalsign is used on the external IP’s . Services have their own ip adresses and are natted by a router. Ive tested that all ports can be reached from the internet. But still no connection
possible from external clients. The ms. connectivity analyser says: "The The certificate couldn't be validated because SSL negotiation wasn't successful". Connections from mobile clients through reverse proxy are no problem also internal clients
have no issue ( they both don’t use the edge but proxy ). So i assume there's someting wrong with the certificate implementation on the Edge server, however ive tested it with the RUCT from Curtis Johnstone, and the certificate seems to be OK. Also in the
Lync Server Deployment Wizard the certificates seem to be OK. In the computers personal certificate store the are only the two necessary certificates ( internal and external) also intermediate certificates are installed. Routing ( default gateway on external
interface ) is working fine. So I think I'm out of options, any ideas?
Tnx,
Guido

Please check the DNS records for sip.ipabo.nl and webconf.ipabo.nl are created on external DNS server.
Please check you can telnet Lync Edge Access service FQDN on 443 port.
Check the automatic configuration for remote access is configured correctly or you can try to sign in manually.
Follow the steps in blog blow to test your Edge Server:
http://blogs.technet.com/b/nexthop/archive/2011/12/07/useful-tips-for-testing-your-lync-edge-server.aspx
Lisa Zheng
TechNet Community Support

Lync 2013 edge server request certificates

I am deploying Lync 2013 edge server, how to get the certificate request file[certificate
signing request (CSR)] on setp 3: Reques,install or Assign Certficates.
i need your help!
Thanks!

Agree with Jason.
On the Certificate Request File page, type the full path and file name to which the request is to be saved.
After you get Certificate Request File, you need to submit this file to your CA (by email or other method supported by your organization for your enterprise CA) and, when you receive the response file, copy the new certificate to this computer so that it
is available for import.
Check how to set up certificates for the internal edge interface at
http://technet.microsoft.com/en-us/library/gg412750.aspx.
Check how to set up certificates for the external edge interface
http://technet.microsoft.com/en-us/library/gg398409.aspx.
Lisa Zheng
TechNet Community Support

Can you use a self signed certificate on an external Edge Server interface?

Hi,
I have a small lab deployment for evaluation purposes. The Lync FE server works great for internal users. I have now added an Edge server. For the internal interface, I have a self signed certificate from our internal CA. (no problem there) For the external
interface, I have a self signed certificate from our own external CA. I have installed the cert on the client machine of the external user and installed it for trusted operation. I have used the RUCT and digicert tools to prove that the external self signed
cert is valid (root and intermediate have been checked for validity).
At first, when logging in from the Lync 2013 client on the external users machine, I would get an error from Lync about the cert being untrusted. I have now fixed that error by adding it as trusted. At this point, there are no errors or warnings in the Event
Viewer (in the application or system logs) However, I receive the following error from the Lync client, "Were having trouble connecting to the server... blah, blah".
Here is my question. Does the Microsoft Lync 2013 client and/or the "testconnectivity.microsoft.com" tool specifically prevent or forbid the use of self signed certificates on the external interface of an Edge server? They seem too.
I can tell if the certificate is my problem or something else. Any ideas on how to trouble shoot this?
Thx

Drago,
Thanks for all your help. I got it working.
My problem with the Lync client error, "Were having trouble connecting to the server... blah, blah", was NOT a certificate error. It was a problem with my Lync Server Topology. (My sip default domain needed to match my user login domain.)
Let me update everyone about self-signed certificates:
YES, you can self-sign a certificate on your external edge server. It is a pain, but possible.
I have a self signed certificate from our own external CA. I have installed the cert on the client machine of the external user for trusted operation. I have used the RUCT and digicert tools to prove that the external self signed cert is valid (root and
intermediate have been checked for validity).
Here are my notes:
Create/enable your own external Certificate Authority (CA) running on a server with internet access.
On the Lync Edge Server, run the "Lync Server 2013 - Development Wizard".
Click "Install or Update Lync Server System". (Lync will automatically determine its deployment state)
You should have already completed: Step1 and Step 2.
Run or Run Again "Step 3: Request, Install or Assign Certificates".
Install the "Edge internal" certificate.
Click "Request" button to run the "Certificate Request" wizard.
You use can "Send the request immediately to an online certificate authority" option to connect to your internal CA, and create the certificate.
Once the certificate has been created, use "Import Certificate" to import it.
Once imported, on the Edge Server, go to: (Control Panel -> Administrative Tools -> Internet Information Services (ISS) Manager -> Server Certificates -> Complete Certificate Request...
In the Lync deployment wizard - Certificate Wizard, "Assign the newly imported "edge internal" certificate.
Install the "Edge External" certificate (public Internet).
Click the "Request" button to run the "Certificate Request" wizard.
Press "next"
Select "Prepare the request now, but send it later (offline certificate request).
Supply the "Certificate Request File" name and location. (You will need the file later. It should have the file extension ".req").
Click next on the "Specify Alternate Certificate Template". (which means you are using the default options)
Give it a Friendly Name. Bit Length = 2048. I selected "Mark the certificate's private key as exportable" option.
Fill in the organization info.
Fill in the Geographical Information.
The wizard should automatically fill-in the "Subject name:" and "subject alternative name:' fields.
Select your "Configured SIP domains"
"Configure Additional Subject Alternative Names" if you want. Otherwise, next.
Verify the "certificate Request Summary". Click next.
Run the wizard script to "Complete". The wizard will create a file containing the certificate request with the file extension ".req". (Let's assume the file name is "myCert.req")
Move your myCert.req file to your external CA. Have your CA issue the cert (based on myCert.req) and export the new cert to a file. I save it as a P7B certificate. (Let's call it "ExternalCert.p7b")
In the Lync Deployment wizard - Certificate Wizard, click on "Import Certificate" for ExternalCert.p7b.
Once imported, on the Edge Server, go to: (Control Panel -> Administrative Tools -> Internet Information Services (ISS) Manager -> Server Certificates -> Complete Certificate Request... (assign it a friendly name. Let's say "EXTERNAL-EDGE")
For the "External Edge certificate (public Internet), click "Assign".
The "Certificate Assignment" wizard will run.
Click next.
From the list, select your cert "EXTERNAL-EDGE".
Finish the wizard to "complete".
You are finished on the server.
Move the "ExternalCert.p7b" file to the machine running the lync client. Install the cert via the "Certificate Import Wizard".
When installing it to a particular Certificate Store, select the "Place all certificates in the following store" option.
Browse
Select "Trusted Root Certification Authorities"
Finish the wizard.

SAN certificate for external access for edge server and reverse proxy

Hello
I have a question related to the certificate planning for LYNC 2013 EDGE SERVER .
For external access and mobile user's , Iwant to enable all the feature for external user's .
im planning to purchase san certificate ,
my first question do I need only one SAN for both my edge server and the reverse proxy ?
my second question about the name's that shoud be added to the certificate ?
sip.mydomain.com
av.mydomain.com
webconf.mydomain.com
what else I should add ? I want to add the names for all feature access.
Kind Regards
MK

Your Front End Pool should only contain front end servers, does it also contain your edge and back end? If so, this is a misconfiguration.
If you're planning to implement high availability, you'll want a different internal web services FQDN name than your pool name (unless you load balance the entire pool with a hardware load balancer).
You'll want your external web services FQDN to be different from your pool name if you want to use the mobile client on the internal network. Once you've come up with a new and otherwise unused FQDN for this purpose, you'll want that as additional
SAN on your cert.
Since you're not using this for the internal certificate, you can also pull admin.mydomain.com and LYNC2013-FE.mydomain.com off of the cert as those are needed internally only.
Lyncdiscoverinternal you can leave on if you need your internal mobile clients to not throw certificate errors because they don't trust your internal certificate authority, but this name would then need to be pointed to a reverse proxy or something that
can present the third party certificate.
Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
SWC Unified Communications
This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

Edge 2013 External Wildcard Certificate

Hi,
I know this has been covered a number of times but I'd like something that's been posted more recently.
We use Lync 2013 with a wildcard certificate on our edge external interface. Everything works as expected and that's on version 5.0.8308.556
I've recently deployed Lync 2013 at a customer site and when applying the certificate I'm unable to sign on externally or contact federated partners. They're running 5.0.8308.577
When testing from Lync connectivity tester I get the following:
Attempting to resolve the host name blah.co.uk in DNS.
The host name resolved successfully.
Additional Details
Testing TCP port 443 on host blah.co.uk to ensure it's listening and open.
The port was opened successfully.
Additional Details
Testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Additional Details
Elapsed Time: 758 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server blah.co.uk on port 443.
The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
Additional Details
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Certificate trust is being validated.
The certificate is trusted and all certificates are present in the chain.
Test Steps
The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=*.blah.co.uk, OU=Domain Control Validated.
One or more certificate chains were constructed successfully.
Additional Details
Analyzing the certificate chains for compatibility problems with versions of Windows.
Potential compatibility problems were identified with some versions of Windows.
Additional Details
The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
Elapsed Time: 4 ms.
Testing the certificate date to confirm the certificate is valid.
Date validation passed. The certificate hasn't expired.
Additional Details
The certificate is valid. NotBefore = 10/25/2013 2:46:03 PM, NotAfter = 10/25/2016 1:42:28 PM
Elapsed Time: 0 ms.
Testing remote connectivity for user [email protected] to the Microsoft Lync server.
Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
<label for="testSelectWizard_ctl12_ctl06_ctl03_tmmArrow">Tell
me more about this issue and how to resolve it</label>
Additional Details
Couldn't sign in. Error: Error Message: Unknown error (0x80131500).
Error Type: TlsFailureException.
Elapsed Time: 1649 ms.
Any help would be much appreciated!
Thanks

Hi,
Wildcard certificate doesn’t support for Edge server (both external and internal interface). It is supported to use a public certificate for Edge external interface, for Edge internal interface typically use a private certificate issued by an internal certification
authority.
More details about certificate requirements for external user access:
http://technet.microsoft.com/en-us/library/gg398920.aspx
You can refer to the link below of “Wildcard Certificate Support”:
http://technet.microsoft.com/en-us/library/hh202161.aspx
Here is a similar case my help you:
http://social.technet.microsoft.com/Forums/lync/en-US/6bd237eb-2e96-437b-b559-54cf95230417/lync-server-2013-edge-unknown-error-0x80131500-tlsfailureexception?forum=lyncdeploy
Best Regards,
Eason Huang
Eason Huang
TechNet Community Support

Lync 2013 client can't connect externally to edge server

So I have my edge server set up in the DMZ. 3 ips bound to an interface for external connectivity.
sip.domain.org (A record)
webconf.domain.org (A record)
av.domain.org (A record)
_sip.tls.domain.org:443 pointing to the same IP as sip.domain.org
External Lync Clients should be using this srv record to auto-connect, correct?
I have purchased a thawte ssl cert and bound it correctly to the external interface. Internal interface is a PKI internal CA cert. Sometimes when doing a testconnectivity from MS, it comes up stating " The certificate couldn't be validated because
SSL negotiation wasn't successful", when other times I run the test and it states that it validates the cert correctly, analyzing the cert - no problems found, etc, all looks good and then fails at "couldn't sign in Error Unknown (0x80131500)
Error type: TLSFailureException.
Not sure where to start looking or why it shows the cert is good sometimes and others not.
Also when I launch the Lync Server Admin Console, Under Topology, my edge server is showing Replication with a red X. Don't know what to look for either.

Hi jackl2001,
By default, no policies are configured to support external user access, including remote user access, federated user access, even if you have already enabled external user access
support for your organization. To control the use of external user access, you must configure one or more policies, specifying the type of external user access supported for each policy.
Click on the link below for more details.
Managing federation and external access to Lync Server 2013
http://technet.microsoft.com/en-us/library/gg520966.aspx
Best regards,
Eric

Lync Edge External Certificate request.

Hi,
We have a Lync 2010 Server deployed in our Organization, We have requirement to add 2 additional SIP domain to our Organization.
We have successfully configured the 2 Additional SIP domains with necessary requirement its working internally.
Where as the 2 new Additional SIP domain users not able to communicate Externally.
We found in Edge External certificate we required to add 2 SAN names which is of 2 Additional SIP domain.
My Query is what is the procedure to generate certificate with additional SAN names.
I have tried in Edge console its automatically includes 3 sip.domain.com which results in more SAN entries in Certificates.
My company worried on Cost for Public Certificate which has more SAN names included.
How to overcome this.
Note: My existing Lync External certificate have 2 SAN names.

After doing Lync for several years - my evolution included my embracing the fact that Lync is going to need a lot of SAN's and the cost of certs is going to something that is part of doing Lync. If you're going to have multiple SIP domains, it's the
cost of doing business that you;ll have corresponding cert additions.
I beseech you to NOT heed the recommendation above that included cross domain SRV records. Your Windows users will get prompted and it makes for a bad impression for Lync. Keep your SRV records pointed to a matching DNS zone. You WILL
get support calls on it and security will only be getting tighter against practices such as this in the future.
And yes, do the meet/dialin URL's that have the long URL format.
We use the HTTP lyncdiscover.domain1.com and lyncdiscover.domain2.com over port 80 - it works great. I don't see any issue with as it only directs your client to the desired external web services (SSL connection). It works great.
if my post is helpful - please click on the green arrow. (please excuse, in advance, any perceived sarcasm/humor - as I often forget it does not translate through text) :)

Lync Edge Server Certificate Issue

I've implemented a single internal Standard Edition
Front End server with a single consolidated Edge server and Reverse Proxy server/appliance located in a perimeter network.
On the internal IP of the Edge server I use a certificate form a internal CA ( which is trusted by the edge server), the "internal" certificate issued by the internal Ca is used only between the edge server and the frontend server. An external certificate
with cn sip.ipabo.nl and alt.subj sip.ipabo.nl and webconf.ipabo.nl. from Globalsign is used on the external IP’s . Services have their own ip adresses and are natted by a router. Ive tested that all ports can be reached from the internet. But still no connection
possible from external clients. The ms. connectivity analyser says: "The The certificate couldn't be validated because SSL negotiation wasn't successful". Connections from mobile clients through reverse proxy are no problem also internal clients
have no issue ( they both don’t use the edge but proxy ). So i assume there's someting wrong with the certificate implementation on the Edge server, however ive tested it with the RUCT from Curtis Johnstone, and the certificate seems to be OK. Also in the
Lync Server Deployment Wizard the certificates seem to be OK. In the computers personal certificate store the are only the two necessary certificates ( internal and external) also intermediate certificates are installed. Routing ( default gateway on external
interface ) is working fine. So I think I'm out of options, any ideas?
Tnx,
Guido

Ok I found It:
It was a simple setting in the Control panel, or in the management shell:
In Set-Accessedgeconfiguration
AllowOutsideUsers was set to False. this should be true.
I found it by Using OCSlogging on the Edgeserver, looking at SIP.
So I don't understand how all the certificate and server unavailable warnings make any sense.
The next issue will be exchange integration :)
Thanks for your help everybody

Adobe Connect prevents external users from connecting via Edge Server

Errors thrown in the logs:
Bad network data; terminating connection : bad chunk version 24 on input stream 07726718
Bad network data; terminating connection : (Adaptor: _defaultRoot_, VHost: Unknown, IP: 110.141.64.253, App: , Protocol: rtmp) : 18
Bad network data; terminating connection : (Adaptor: _defaultRoot_, VHost: Unknown, IP: 110.141.64.253, App: , Protocol: rtmp) : 03
Any advice would be greatly appreciated!
Regards
Ole Kristensen

Hi,
Please check all the services are started on Lync Edge server.
Please double check the ports for both Edge server internal and external interface with the help of the link below:
http://technet.microsoft.com/en-us/library/gg425891.aspx
You can test your remote connectivity with the help of the link below:
https://testconnectivity.microsoft.com/
Best Regards,
Eason Huang
Eason Huang
TechNet Community Support

How many external certificates server does ACS 5.2 support?

Hi,
Just wondering how many external certificates server does ACS 5.2 support?
I failed to find the number in user guide.
Thanks,
-Alejin

Hi,
There is no known limit number of CAs.
You go to
Users and Identity Stores >
... >
Certificate Authorities
And you can create for sure more than 100 CAs.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Can't assign certificate in Lync Edge Server

Hello, everyone
I've installed Lync Server, internally it works fine, but while i'm deploying edge server, i have a certificate problem. On request assign certificate step, I've issued by online certificate authority, after request i see following error:
The certificate has been issued by the online certification authority and is installed to the local certificate store, however it is not valid. Make sure that the Root certificate, and necessary certificate chain is installed on this server.
I've downloaded root certificate from CA and imported to trusted root certificate of edge server. I think root certificate is valid, because non domain members which imported root certificate, sign in Lync successfully.
I also sent offline certificate request (http://technet.microsoft.com/en-us/library/gg412750.aspx), importing certificate was successful. But there are no certificates in assign
certificate wizard. I checked personal certificates using mmc, there were certificates i have requested.
How can I solve this problem? Please help me!
Regards and thanks for any help :)
Enkhee

Hi,
You need to access htt://CAserver/certsrv to download the certificate chain in the edge server. Open MMC and install the Certificate chain with the following steps(To import the CA certification chain for the internal interface ):
http://technet.microsoft.com/en-us/library/gg412750.aspx
Check whether the Certificate chain is installed successfully in the
Trusted Root Certification Authorities.
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Edge server certificate

Hello,
We have added another SIP domain to our lync server, oldsip.com and newsip.com. newsip.com is set to default. oldsip.com will be retained for a while and eventually removed.
When i try to generate certificate on the edge server, the sip.oldsip.com and webconf.oldsip.com are still retained by default and in the next step allows me choose either oldsip.com or newsip.com.
i don't want to include any host entries for oldsip.com, how do i do that?

Hi,
You can request the certificate through Lync management shell.
Following article may help you ;
http://technet.microsoft.com/en-us/library/gg425723.aspx
Thanks
Saleesh
If answer is helpful, please hit the green arrow on the left, or mark as answer. Blog : http://blogs.technet.com/b/saleesh_nv/

Edge server external certificate CN

Similar Messages

Maybe you are looking for