Wildcard Certificate - Edge server/External web

Hello,
In our company we have deployed Lync 2013 CU4 with topology,
Edge server - One for all roles a/v
Front End - Standard with all roles
All certs are from our internal CA, and it works for my domain users. But for all external users or Skype we need an external cert. We have one wildcard cert for our domain.
So the question is: can we use the wildcard cert for our Edge server and the external services of the front end?
The front end, I think, can use it, as described on TechNet: http://technet.microsoft.com/en-us/library/gg398094.aspx

Good morning,
Using a wildcard certificate on Lync Edge server is not supported, and indeed will cause you problems.
It also sounds like you are passing your Lync web services directly to your front end server. This is not recommended, and you should use a reverse proxy for this purpose. You would then place an external (public) certificate on that reverse proxy. So there's no need for a public cert on the front end in this scenario.
You may consolidate the certificate requirements for reverse proxy and Edge onto a single multi-san certificate, and use that same certificate on both servers.
OR
If you use two separate certificates then it is supported to use a wildcard public certificate on the reverse proxy (web services), but your Edge certificate must be a separate multi-san certificate.
Kind regards
Ben
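To check a certificate against the rules in Ben's answer (explicit SANs for the Edge, a wildcard acceptable only on the reverse proxy) and to surface the chain problems that the connectivity analyzer reports, here is an added PowerShell check that is not part of the thread. It assumes you pass the host, port and the SAN list you expect; all host names are placeholders.

```powershell
# Added example (not from the thread): fetch the certificate a TLS endpoint presents and
# check it against the Edge / reverse-proxy rules above. Names passed in are placeholders.
param(
    [Parameter(Mandatory = $true)] [string] $HostName,   # e.g. sip.contoso.com (placeholder)
    [int] $Port = 443,
    [string[]] $RequiredNames = @(),                      # names the role needs as explicit SANs
    [switch] $WildcardAllowed                             # only when checking a reverse proxy
)

function Get-RemoteCertificate {
    param([string] $HostName, [int] $Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any chain during the handshake; trust is evaluated separately below so a
        # broken chain becomes a finding instead of an exception.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Get-DnsNames {
    # CN plus every DNS entry of the Subject Alternative Name extension (OID 2.5.29.17).
    # Format($true) prints one "DNS Name=<fqdn>" line per entry on an English-locale host.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $names = @($Cert.GetNameInfo('SimpleName', $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($line in ($san.Format($true) -split "\r?\n")) {
            if ($line -match '^DNS Name=(.+)$') { $names += $Matches[1].Trim() }
        }
    }
    return @($names | Select-Object -Unique)
}

function Test-NameCovered {
    # An exact match always counts; "*.contoso.com" covers one left-most label, and only
    # when the caller has said wildcards are acceptable for this role.
    param([string[]] $Names, [string] $Fqdn, [bool] $AllowWildcard)
    if ($Names -contains $Fqdn) { return $true }
    if (-not $AllowWildcard) { return $false }
    $parent = ($Fqdn -split '\.', 2)[1]
    return ($Names -contains "*.$parent")
}

function Test-EdgeCertificate {
    param([string] $HostName, [int] $Port, [string[]] $RequiredNames, [bool] $WildcardAllowed)
    $cert = Get-RemoteCertificate -HostName $HostName -Port $Port
    $names = Get-DnsNames -Cert $cert
    $findings = @()
    # Wildcard entries are fine on the reverse proxy but unsupported on the Edge.
    foreach ($w in ($names | Where-Object { $_.StartsWith('*') })) {
        if (-not $WildcardAllowed) { $findings += "wildcard name '$w' is not supported on an Edge server" }
    }
    # The host you connected to and every name the role needs must be covered.
    foreach ($n in (@($HostName) + $RequiredNames)) {
        if (-not (Test-NameCovered -Names $names -Fqdn $n -AllowWildcard $WildcardAllowed)) {
            $findings += "name '$n' is not covered by the certificate"
        }
    }
    # Build the chain against the local store; PartialChain or UntrustedRoot here is the
    # "certificate chain" failure the connectivity analyzer reports.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)
    foreach ($s in $chain.ChainStatus) { $findings += "chain: $($s.Status) - $($s.StatusInformation.Trim())" }

    [pscustomobject]@{
        Host        = "${HostName}:$Port"
        Subject     = $cert.Subject
        Names       = $names
        ChainLength = $chain.ChainElements.Count
        Trusted     = $trusted
        Findings    = $findings
        Pass        = ($findings.Count -eq 0)
    }
}

Test-EdgeCertificate -HostName $HostName -Port $Port -RequiredNames $RequiredNames -WildcardAllowed $WildcardAllowed.IsPresent
```

Run it once against the Edge access FQDN without -WildcardAllowed and once against the reverse proxy with it; a non-empty Findings list is the thing to fix before re-testing with the connectivity analyzer.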

Similar Messages

  • Lync Edge Server External Private Certificate

    Hey GURUS!
    Please help me out:
    I'm having issues accessing Lync from external network.
    Mobile clients login fine, but computer clients fail to login.
    My current deployment consists in a single 2013 front-end and a single 2013 edge server.
    All servers have certificates from my internal CA.
    All servers have the root CA certificate installed in the trusted root certificate authority.
    I have 2 sip domains, and the edge certificate has both sip domains.
    However, when I test from testconnectivity.microsoft.com, I get an error regarding the certificate chain.
    I can't understand why Lync requires an intermediate certificate, if I don't have any published in my organisation.
    The certificate path goes: Root CA -> Certificate.
    Also, the lync discover test runs with no errors what so ever.
    This error on the edge didn't occur when I had lync 2010 running.
    Does anyone know how to solve this?
    Thanks!
    Andrey Santana
    Edit: I forgot to upload the screenshot.

    Thiago,
    The certificates from the Front End / Reverse Proxy are also from the internal CA and I don't get the error, it actually runs successfully.
    Andrey
    How did you test the certificates from the Front End and Reverse Proxy Server?
    The public website connectivity.microsoft.com needs a public certificate.
    But if you use a private certificate in a lab, it can work as long as you install the Root CA certificate on the client computer.
    Lisa Zheng
    TechNet Community Support

  • Edge server external certificate CN

    For the certificate on the external Edge, some instructions say that the CN is accessedge.contoso.com, and the SAN includes accessedge.contoso.com and sip.contoso.com.
    But in other instructions, it only needs sip.contoso.com as CN and SAN.
    I am confused, what is the purpose of accessedge.contoso.com ?

    Accessedge.contoso.com represents whatever name you choose for your external access edge role. Sip.contoso.com will always be present as a SAN in the certificate as well. So, you can take this route and have those two SANs in the certificate, or you can set the access edge FQDN to sip.contoso.com to save a SAN in your certificate.
    Really, the only purpose of having accessedge.contoso.com is to have a better naming convention than just reusing sip.contoso.com, or perhaps if you have multiple pools and want separate access edge names for each.
    SWC Unified Communications

  • Edge 2013 External Wildcard Certificate

    Hi,
    I know this has been covered a number of times but I'd like something that's been posted more recently.
    We use Lync 2013 with a wildcard certificate on our edge external interface.  Everything works as expected and that's on version 5.0.8308.556
    I've recently deployed Lync 2013 at a customer site and when applying the certificate I'm unable to sign on externally or contact federated partners.  They're running 5.0.8308.577
    When testing from Lync connectivity tester I get the following:
    Attempting to resolve the host name blah.co.uk in DNS.
    The host name resolved successfully.
    Additional Details
    Testing TCP port 443 on host blah.co.uk to ensure it's listening and open.
    The port was opened successfully.
    Additional Details
    Testing the SSL certificate to make sure it's valid.
    The certificate passed all validation requirements.
    Additional Details
    Elapsed Time: 758 ms.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server blah.co.uk on port 443.
    The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
    Additional Details
    Validating the certificate name.
    The certificate name was validated successfully.
    Additional Details
    Certificate trust is being validated.
    The certificate is trusted and all certificates are present in the chain.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=*.blah.co.uk, OU=Domain Control Validated.
    One or more certificate chains were constructed successfully.
    Additional Details
    Analyzing the certificate chains for compatibility problems with versions of Windows.
    Potential compatibility problems were identified with some versions of Windows.
    Additional Details
    The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
    Elapsed Time: 4 ms.
    Testing the certificate date to confirm the certificate is valid.
    Date validation passed. The certificate hasn't expired.
    Additional Details
    The certificate is valid. NotBefore = 10/25/2013 2:46:03 PM, NotAfter = 10/25/2016 1:42:28 PM
    Elapsed Time: 0 ms.
    Testing remote connectivity for user [email protected] to the Microsoft Lync server.
    Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
    Additional Details
    Couldn't sign in. Error: Error Message: Unknown error (0x80131500).
    Error Type: TlsFailureException.
    Elapsed Time: 1649 ms.
    Any help would be much appreciated!
    Thanks

    Hi,
    Wildcard certificates are not supported for the Edge server (both external and internal interface). It is supported to use a public certificate for the Edge external interface; for the Edge internal interface you typically use a private certificate issued by an internal certification authority.
    More details about certificate requirements for external user access:
    http://technet.microsoft.com/en-us/library/gg398920.aspx
    You can refer to the link below of “Wildcard Certificate Support”:
    http://technet.microsoft.com/en-us/library/hh202161.aspx
    Here is a similar case that may help you:
    http://social.technet.microsoft.com/Forums/lync/en-US/6bd237eb-2e96-437b-b559-54cf95230417/lync-server-2013-edge-unknown-error-0x80131500-tlsfailureexception?forum=lyncdeploy
    Best Regards,
    Eason Huang
    TechNet Community Support

  • SAN certificate for external access for edge server and reverse proxy

    Hello
    I have a question related to the certificate planning for LYNC 2013 EDGE SERVER .
    For external access and mobile users, I want to enable all the features for external users.
    I'm planning to purchase a SAN certificate.
    My first question: do I need only one SAN certificate for both my edge server and the reverse proxy?
    My second question is about the names that should be added to the certificate:
    sip.mydomain.com
    av.mydomain.com
    webconf.mydomain.com
    what else I should add ? I want to add the names for all feature access.
    Kind Regards
    MK

    Your Front End Pool should only contain front end servers, does it also contain your edge and back end? If so, this is a misconfiguration.
    If you're planning to implement high availability, you'll want a different internal web services FQDN name than your pool name (unless you load balance the entire pool with a hardware load balancer).
    You'll want your external web services FQDN to be different from your pool name if you want to use the mobile client on the internal network. Once you've come up with a new and otherwise unused FQDN for this purpose, you'll want that as an additional SAN on your cert.
    Since you're not using this for the internal certificate, you can also pull admin.mydomain.com and LYNC2013-FE.mydomain.com off of the cert as those are needed internally only.
    Lyncdiscoverinternal you can leave on if you need your internal mobile clients to not throw certificate errors because they don't trust your internal certificate authority, but this name would then need to be pointed to a reverse proxy or something that can present the third party certificate.
    SWC Unified Communications

  • Web Dynpro application calling external web server using HTTPS giving error

    Hello,
    I don't know whether this is the right question for this forum, but my ABAP Web Dynpro application is expected to call another HTTP application on an external web server through HTTPS. Presently it is calling through plain HTTP but we want to have HTTPS.
    Here are the steps that we followed based on the link from help.sap.com
    1] Received the certificate files from external web server
    2] Created SSL Anonymous client
    3] Imported the certificate files under this client and added into the certificate list
    4] Re-started ICM
    5] Created RFC Destination of type HTTP to connect to external server with SSL option and basic authentication. This RFC destination was working under plain HTTP.
    When tried with Test connection it gave error "ICM_HTTP_CONNECTION_FAILED".
    Any idea what might be missing. Thanks in advance.
    Regards
    Rajeev

    Used the proper certificate, after which the error went away.

  • Adobe Connect prevents external users from connecting via Edge Server

    Errors thrown in the logs:
    Bad network data; terminating connection : bad chunk version 24 on input stream 07726718
    Bad network data; terminating connection : (Adaptor: _defaultRoot_, VHost: Unknown, IP: 110.141.64.253, App: , Protocol: rtmp) : 18
    Bad network data; terminating connection : (Adaptor: _defaultRoot_, VHost: Unknown, IP: 110.141.64.253, App: , Protocol: rtmp) : 03
    Any advice would be greatly appreciated!
    Regards
    Ole Kristensen

    Hi,
    Please check all the services are started on Lync Edge server.
    Please double check the ports for both Edge server internal and external interface with the help of the link below:
    http://technet.microsoft.com/en-us/library/gg425891.aspx
    You can test your remote connectivity with the help of the link below:
    https://testconnectivity.microsoft.com/
    Best Regards,
    Eason Huang
    TechNet Community Support

  • Can you use a self signed certificate on an external Edge Server interface?

    Hi,
    I have a small lab deployment for evaluation purposes. The Lync FE server works great for internal users. I have now added an Edge server. For the internal interface, I have a self signed certificate from our internal CA (no problem there). For the external interface, I have a self signed certificate from our own external CA. I have installed the cert on the client machine of the external user and installed it for trusted operation. I have used the RUCT and digicert tools to prove that the external self signed cert is valid (root and intermediate have been checked for validity).
    At first, when logging in from the Lync 2013 client on the external user's machine, I would get an error from Lync about the cert being untrusted. I have now fixed that error by adding it as trusted. At this point, there are no errors or warnings in the Event Viewer (in the application or system logs). However, I receive the following error from the Lync client: "We're having trouble connecting to the server... blah, blah".
    Here is my question. Does the Microsoft Lync 2013 client and/or the "testconnectivity.microsoft.com" tool specifically prevent or forbid the use of self signed certificates on the external interface of an Edge server? They seem to.
    I can tell if the certificate is my problem or something else. Any ideas on how to troubleshoot this?
    Thx

    Drago,
    Thanks for all your help. I got it working.
    My problem with the Lync client error, "We're having trouble connecting to the server... blah, blah", was NOT a certificate error. It was a problem with my Lync Server Topology. (My SIP default domain needed to match my user login domain.)
    Let me update everyone about self-signed certificates:
    YES, you can self-sign a certificate on your external edge server. It is a pain, but possible.
    I have a self signed certificate from our own external CA. I have installed the cert on the client machine of the external user for trusted operation. I have used the RUCT and digicert tools to prove that the external self signed cert is valid (root and intermediate have been checked for validity).
    Here are my notes:
    Create/enable your own external Certificate Authority (CA) running on a server with internet access. 
    On the Lync Edge Server, run the "Lync Server 2013 - Deployment Wizard".
    Click "Install or Update Lync Server System". (Lync will automatically determine its deployment state)
    You should have already completed: Step1 and Step 2.
    Run or Run Again "Step 3: Request, Install or Assign Certificates".
    Install the "Edge internal" certificate.
    Click "Request" button to run the "Certificate Request" wizard.
    You can use the "Send the request immediately to an online certificate authority" option to connect to your internal CA, and create the certificate.
    Once the certificate has been created, use "Import Certificate" to import it.
    Once imported, on the Edge Server, go to: Control Panel -> Administrative Tools -> Internet Information Services (IIS) Manager -> Server Certificates -> Complete Certificate Request...
    In the Lync deployment wizard - Certificate Wizard, "Assign" the newly imported "edge internal" certificate.
    Install the "Edge External" certificate (public Internet).
    Click the "Request" button to run the "Certificate Request" wizard.
    Press "next"
    Select "Prepare the request now, but send it later (offline certificate request).
    Supply the "Certificate Request File" name and location. (You will need the file later. It should have the file extension ".req").
    Click next on the "Specify Alternate Certificate Template". (which means you are using the default options)
    Give it a Friendly Name. Bit Length = 2048. I selected "Mark the certificate's private key as exportable" option.
    Fill in the organization info.
    Fill in the Geographical Information.
    The wizard should automatically fill-in the "Subject name:" and "subject alternative name:' fields.
    Select your "Configured SIP domains"
    "Configure Additional Subject Alternative Names" if you want. Otherwise, next.
    Verify the "certificate Request Summary". Click next.
    Run the wizard script to "Complete". The wizard will create a file containing the certificate request with the file extension ".req". (Let's assume the file name is "myCert.req")
    Move your myCert.req file to your external CA. Have your CA issue the cert (based on myCert.req) and export the new cert to a file. I save it as a P7B certificate. (Let's call it "ExternalCert.p7b")
    In the Lync Deployment wizard - Certificate Wizard, click on "Import Certificate" for ExternalCert.p7b.
    Once imported, on the Edge Server, go to: Control Panel -> Administrative Tools -> Internet Information Services (IIS) Manager -> Server Certificates -> Complete Certificate Request... (assign it a friendly name. Let's say "EXTERNAL-EDGE")
    For the "External Edge certificate (public Internet), click "Assign".
    The "Certificate Assignment" wizard will run.
    Click next.
    From the list, select your cert "EXTERNAL-EDGE".
    Finish the wizard to "complete".
    You are finished on the server.
    Move the "ExternalCert.p7b" file to the machine running the lync client. Install the cert via the "Certificate Import Wizard".
    When installing it to a particular Certificate Store, select the "Place all certificates in the following store" option.
    Browse
    Select "Trusted Root Certification Authorities"
    Finish the wizard.
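The same offline request, import and assignment can be scripted from the Lync Server Management Shell instead of clicking through the Deployment Wizard; this is an added example and not the poster's notes. It assumes the Request-CsCertificate / Import-CsCertificate / Set-CsCertificate cmdlets of Lync Server 2013, and the domain, paths and organisation values are placeholders.

```powershell
# Added example (not the poster's notes): offline Edge-external certificate request and
# assignment with the Lync Server Management Shell. Domain, paths and org values are placeholders.
$sipDomain = 'contoso.com'                 # placeholder SIP domain
$reqFile   = 'C:\Certs\myCert.req'         # request file handed to the external CA
$issued    = 'C:\Certs\ExternalCert.p7b'   # file the CA returns (leaf plus chain)

# Wizard step "Prepare the request now, but send it later": -Output writes the CSR to disk
# and leaves a pending request (with its private key) in the local machine store.
Request-CsCertificate -New -Type EdgeExternal -Output $reqFile `
    -FriendlyName 'EXTERNAL-EDGE' -KeySize 2048 -PrivateKeyExportable $true `
    -Organization 'Contoso' -OU 'IT' -City 'Seattle' -State 'WA' -Country 'US' `
    -AllSipDomain -DomainName "sip.$sipDomain,webconf.$sipDomain,av.$sipDomain"

# ... have the external CA issue the certificate from $reqFile and copy the result back as $issued ...

# Importing the issued file completes the pending request so the private key is attached.
Import-CsCertificate -Path $issued -PrivateKeyExportable $true

# Pick the leaf out of the P7B: it is the one entry that no other entry in the file issued.
$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$bundle.Import($issued)
$issuers = @($bundle | ForEach-Object { $_.Issuer })
$leaf = $bundle | Where-Object { $issuers -notcontains $_.Subject } | Select-Object -First 1

# Wizard step "Assign": bind the leaf to the external interface, then show what is assigned.
Set-CsCertificate -Type EdgeExternal -Thumbprint $leaf.Thumbprint
Get-CsCertificate -Type EdgeExternal | Format-List Subject, AlternativeNames, NotAfter, Thumbprint
```

The external client still needs the issuing CA in its Trusted Root Certification Authorities store, exactly as in the poster's last steps.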

  • WLC with ISE as radius and also external web server

    Hi friends,
    I am building a wireless network with a 5508 WLC and trying to use ISE as the RADIUS server and also to redirect the web login to it.
    I was trying to understand: to achieve the external web login, do I need to use the radius-nac option under Advanced on the guest WLAN where I am trying this out? And if not, where do I actually use it?
    So far what I have understood is that I do need to have a preauth ACL on the Layer 3 security, but the issue is there is no hit reaching the ISE.
    Any suggestions would be highly appreciated guys!
    Regards,
    Mohit

    Hi Mohit,
    Please make sure of the below steps for guest auth through ISE:
    1) Add the WLC in your ISE as a network device.
    2) In the Guest SSID you need to choose the pre-authentication ACL. That ACL should allow the below traffic:
        a. any to ISE
        b. ISE to any
        c. any to DNS server
        d. DNS to any
    3) The external redirect URL will be https://ip address:8443/guestportal/Login.action
    4) The AAA server for that SSID would be your ISE IP with port number 1812.
    5) In the Advanced tab please choose the AAA override. No need for radius nac.
    6)Create appropriate authorization profile in ISE for guest.Example is below ,

  • Can data be passed to an external web server using the "in-course web browsing" feature in ver. 7?

    Can data be passed to an external web server using the "in-course web browsing" feature in ver. 7? I would like to display a simple web page, and I would like to pass to that web page the answers to all the quiz questions, quiz score, etc. In other words, instead of passing quiz results to a SCORM-compliant LMS like Moodle, I'd like to pass that data to a Drupal Webform using a URL like:
    https://www.example.com/my-drupal-webform?param1=value1&param2=value2...&paramn=valuen
    Is this possible?
    Thanks,
    John

    You have to make sure every step in MOS Document ID 726414.1 that is applicable to your E-Business Suite 12.1.x release is performed. Enabling ASADMIN is just one of the steps. If in spite of following all the steps in this Document you continue to get the error when clicking "Generate WSDL", please log a Service Request with Oracle Support. I will check all steps again. Maybe I missed one... Thanks!

  • Diff Patch Level on External web and Source Server

    Hi ,
    Version - 11.5.10.2
    We recently set up our external web server in a DMZ on Linux while our source system is running on Solaris.
    We followed the 238276.1 doc to migrate the middle tier to Linux. We were asked to check that both systems have the same patch level.
    I have doubts here:
    o Since we have only one DB Tier, and we copied APPL_TOP from the source Solaris and converted the files to Linux (we installed iAS and the 8.0.6 home from the Universal Installer), is it possible to have a different patch level on both instances? As we have only one DB Tier, the only way [I know] to check whether we have a patch applied or not is to query the database or use OAM, which would show the same patch.
    o If there is a possibility to have a different patch level, then how can we detect this, and what is the way to apply patches on one server [adadmin?]
    o Can you please point me to any doc which can give clarity on the different types of patches we can have in Apps?
    Regards,
    Jagjeet Singh

    Plan on applying the Linux and Solaris versions of all applications patches to the respective servers.
    How To Apply a Patch in a Multi-Server Environment
    http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=136342.1
    Patches must always be applied in their entirety. If you apply a patch to update your filesystem, you must also apply the corresponding database and generation portions of the patch if they are included. When updating the filesystem in a multi-server environment, you should apply the patch on all servers.
    You can see what patches have been applied to which nodes in OAM on the Applied Patches page. Oracle will not advise you to have patch differences, otherwise supportability comes into question due to partial patch application.

  • Lync 2013 client can't connect externally to edge server

    So I have my edge server set up in the DMZ. 3 ips bound to an interface for external connectivity.
    sip.domain.org (A record)
    webconf.domain.org (A record)
    av.domain.org (A record)
    _sip.tls.domain.org:443 pointing to the same IP as sip.domain.org
    External Lync Clients should be using this srv record to auto-connect, correct?
    I have purchased a Thawte SSL cert and bound it correctly to the external interface. The internal interface is a PKI internal CA cert. Sometimes when doing a testconnectivity from MS, it comes up stating "The certificate couldn't be validated because SSL negotiation wasn't successful", when other times I run the test and it states that it validates the cert correctly, analyzing the cert - no problems found, etc, all looks good and then fails at "couldn't sign in Error Unknown (0x80131500) Error type: TLSFailureException."
    Not sure where to start looking or why it shows the cert is good sometimes and others not.
    Also when I launch the Lync Server Admin Console, Under Topology,  my edge server is showing Replication with a red X.  Don't know what to look for either.

    Hi jackl2001,
    By default, no policies are configured to support external user access, including remote user access, federated user access, even if you have already enabled external user access
    support for your organization. To control the use of external user access, you must configure one or more policies, specifying the type of external user access supported for each policy.
    Click on the link below for more details.
    Managing federation and external access to Lync Server 2013
    http://technet.microsoft.com/en-us/library/gg520966.aspx
    Best regards,
    Eric

  • Any reason not to put Lync Edge server on the same server that runs Web Application Proxy?

    We're currently running Lync 2010 standard server, without an edge server or reverse proxy. I'm working on migrating to Lync 2013 standard server, and would like to add the edge functionality in the process. I have a Server 2012 R2 in the DMZ, with the Web Application Proxy role installed. I plan to use that to publish the Lync web services. Is there any reason I shouldn't install the Lync edge server on the same computer?

    It just won't work well as everything will want to bind to port 443 (the reverse proxy and the edge services as well). On top of all that, it's just not supported. A new virtual server will save you hours upon hours of frustration and leave you with a supported configuration.
    SWC Unified Communications

  • External Web authentication server for Guest access

    I have a guest wireless wlan setup. When guest users attach to our guest wireless they are prompted by the built in web security on the WLC's.
    Cisco talks about how to setup the WLC to route web authentication to an external web server, but they don't say what kind of web server to use or examples.
    I need some help on getting an external web server to do web authentication. With the server we would like to get some basic info from the user: name, email, purpose of using the WLAN, and some background info they don't see like computer name and MAC address. This is all for tracking purposes.
    Hotels do this type of web authentication for example.
    Any help would be great.

    Hi Patrick,
    I'm having the same problem here. I configured my WLC to redirect the login page to the web server, but I don't know how to configure the web server to send the credentials back to the WLC. Could you solve this problem?
    thanks!
    Claudio

  • Solaris 10 11/06 - Cannot access external web sites from server

    Hi,
    I am relatively new with Solaris so I hope this is something simple. I just installed Solaris 10 11/06 with the `Secure By Default` option.
    From the command line I can use dig and nslookup to resolve external web sites fine, but if I try to use the Update Connection Manager (desktop), the Mozilla browser (desktop), or pkg-get (command line), it fails to resolve the external sites. I have a valid resolv.conf file and I have named installed and running.
    It is on a LAN with other servers that have no problems with external access. I am running as root in all instances, so is there some permissions issue I am missing with this install/release?
    I don't want to open up the install more than I have to.
    Thanks,

    Hi again,
    I figured it out. The nsswitch.conf file was not referencing dns as part of the `hosts` and `ipnodes` resolution methods. Once I added this and restarted named it worked.
    group: files
    hosts: files dns
    ipnodes: files dns
    networks: files
