Wildcard Certifikate - Edge server/External web

Similar Messages

• Lync Edge Server External Private Certificate

  Hey GURUS!
  Please help me out:
  I'm having issues accessing Lync from external network.
  Mobile clients login fine, but computer clients fail to login.
  My current deployment consists in a single 2013 front-end and a single 2013 edge server.
  All servers have certificates from my internal CA.
  All servers have the root CA certificate installed in the trusted root certificate authority.
  I have 2 sip domains, and the edge certificate has both sip domains.
  However, when I test from test connectivity.microsoft.com, I get an error regarding the certificate chain.
  I can't understand why lync requires a intermediate certificate, if I don't have any published in my organisation.
  The certificate path goes: Root CA -> Certificate.
  Also, the lync discover test runs with no errors what so ever.
  This error on the edge didn't occur when I had lync 2010 running.
  Does anyone know how to solve this?
  Thanks!
  Andrey Santana
  edit: i forgot to upload the screenshot

  Thiago,
  The certificates from the Front End / Reverse Proxy are also from the internal CA and I don't get the error, it actually runs successfully.
  Andrey
  How did you test the certificates from the Front End and Reverse Proxy Server?
  The public website connectivity.microsoft.com need a public certificate.
  But if you use private certificate in lab, it could work as long as you install the Root CA certificate on client computer.
  Lisa Zheng
  TechNet Community Support

• Edge server external certificate CN

  For certification in edge external, some instructions said that CN is accessedge.contoso.com, and SAN includes accessedge.contoso.com and sip.contoso.com
  But in other instructions, it only needs sip.contoso.com as CN and SAN.
  I am confused, what is the purpose of accessedge.contoso.com ?

  Accessedge.contoso.com represents whatever name you choose for your external access edge role.  Sip.contoso.com will always be present as a SAN in the certificate as well.  So, you can take this route and have those two SANs in the certificate,
  or you can set the access edge FQDN to sip.contoso.com to save a SAN in your certificate.
  Really, the only purpose of having accessedge.contoso.com is to have a better naming convention that just reusing sip.contoso.com, or perhaps if you have multiple pools and want separate access edge names for each.
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
  SWC Unified Communications

• Edge 2013 External Wildcard Certificate

  Hi,
  I know this has been covered a number of times but I'd like something that's been posted more recently.
  We use Lync 2013 with a wildcard certificate on our edge external interface.  Everything works as expected and that's on version 5.0.8308.556
  I've recently deployed Lync 2013 at a customer site and when applying the certificate I'm unable to sign on externally or contact federated partners.  They're running 5.0.8308.577
  When testing from Lync connectivity tester I get the following:
  Attempting to resolve the host name blah.co.uk in DNS.
  The host name resolved successfully.
  Additional Details
  Testing TCP port 443 on host blah.co.uk to ensure it's listening and open.
  The port was opened successfully.
  Additional Details
  Testing the SSL certificate to make sure it's valid.
  The certificate passed all validation requirements.
  Additional Details
  Elapsed Time: 758 ms.
  Test Steps
  The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server blah.co.uk on port 443.
  The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
  Additional Details
  Validating the certificate name.
  The certificate name was validated successfully.
  Additional Details
  Certificate trust is being validated.
  The certificate is trusted and all certificates are present in the chain.
  Test Steps
  The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=*.blah.co.uk, OU=Domain Control Validated.
  One or more certificate chains were constructed successfully.
  Additional Details
  Analyzing the certificate chains for compatibility problems with versions of Windows.
  Potential compatibility problems were identified with some versions of Windows.
  Additional Details
  The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
  Elapsed Time: 4 ms.
  Testing the certificate date to confirm the certificate is valid.
  Date validation passed. The certificate hasn't expired.
  Additional Details
  The certificate is valid. NotBefore = 10/25/2013 2:46:03 PM, NotAfter = 10/25/2016 1:42:28 PM
  Elapsed Time: 0 ms.
  Testing remote connectivity for user [email protected] to the Microsoft Lync server.
  Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
   <label for="testSelectWizard_ctl12_ctl06_ctl03_tmmArrow">Tell
  me more about this issue and how to resolve it</label>
  Additional Details
  Couldn't sign in. Error: Error Message: Unknown error (0x80131500).
  Error Type: TlsFailureException.
  Elapsed Time: 1649 ms.
  Any help would be much appreciated!
  Thanks

  Hi,
  Wildcard certificate doesn’t support for Edge server (both external and internal interface). It is supported to use a public certificate for Edge external interface, for Edge internal interface typically use a private certificate issued by an internal certification
  authority.
  More details about certificate requirements for external user access:
  http://technet.microsoft.com/en-us/library/gg398920.aspx
  You can refer to the link below of “Wildcard Certificate Support”:
  http://technet.microsoft.com/en-us/library/hh202161.aspx
  Here is a similar case my help you:
  http://social.technet.microsoft.com/Forums/lync/en-US/6bd237eb-2e96-437b-b559-54cf95230417/lync-server-2013-edge-unknown-error-0x80131500-tlsfailureexception?forum=lyncdeploy
  Best Regards,
  Eason Huang
  Eason Huang
  TechNet Community Support

• SAN certificate for external access for edge server and reverse proxy

  Hello
  I have a question related to the certificate planning for LYNC 2013 EDGE SERVER .
  For external access and mobile user's , Iwant to enable all the feature for external user's .
  im planning to purchase san certificate ,
  my first question do I need only one SAN for both my edge server and the reverse proxy ?
  my second question about the name's that shoud be added to the certificate ?
  sip.mydomain.com
  av.mydomain.com
  webconf.mydomain.com
  what else I should add ? I want to add the names for all feature access.
  Kind Regards
  MK

  Your Front End Pool should only contain front end servers, does it also contain your edge and back end? If so, this is a misconfiguration.
  If you're planning to implement high availability, you'll want a different internal web services FQDN name than your pool name (unless you load balance the entire pool with a hardware load balancer).
  You'll want your external web services FQDN to be different from your pool name if you want to use the mobile client on the internal network.  Once you've come up with a new and otherwise unused FQDN for this purpose, you'll want that as additional
  SAN on your cert.
  Since you're not using this for the internal certificate, you can also pull admin.mydomain.com and LYNC2013-FE.mydomain.com off of the cert as those are needed internally only. 
  Lyncdiscoverinternal you can leave on if you need your internal mobile clients to not throw certificate errors because they don't trust your internal certificate authority, but this name would then need to be pointed to a reverse proxy or something that
  can present the third party certificate.
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
  SWC Unified Communications
  This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• Web Dynpro application calling external web server using HTTPS giving error

  Hello,
  I don't know whether this is the right question in this forum but my ABAP web-dynpro applicaiton is expected to call another HTTP application on external web server through HTTPS. Presently it is calling through plain HTTP but we want to have HTTPS.
  Here are the steps that we followed based on the link from help.sap.com
  1] Received the certificate files from external web server
  2] Created SSL Anonymous client
  3] Imported the certificate files under this client and added into the certificate list
  4] Re-started ICM
  5] Created RFC Destination of type HTTP to connect to external server with SSL option and basic authentication. This RFC destination was working under plain HTTP.
  When tried with Test connection it gave error "ICM_HTTP_CONNECTION_FAILED".
  Any idea what might be missing. Thanks in advance.
  Regards
  Rajeev

  Used proper certificate after which the error went away

• Adobe Connect prevents external users from connecting via Edge Server

  Errors thrown in the logs:
  Bad network data; terminating connection : bad chunk version 24 on input stream 07726718
  Bad network data; terminating connection : (Adaptor: _defaultRoot_, VHost: Unknown, IP: 110.141.64.253, App: , Protocol: rtmp) : 18
  Bad network data; terminating connection : (Adaptor: _defaultRoot_, VHost: Unknown, IP: 110.141.64.253, App: , Protocol: rtmp) : 03
  Any advice would be greatly appreciated!
  Regards
  Ole Kristensen

  Hi,
  Please check all the services are started on Lync Edge server.
  Please double check the ports for both Edge server internal and external interface with the help of the link below:
  http://technet.microsoft.com/en-us/library/gg425891.aspx
  You can test your remote connectivity with the help of the link below:
  https://testconnectivity.microsoft.com/
  Best Regards,
  Eason Huang
  Eason Huang
  TechNet Community Support

• Can you use a self signed certificate on an external Edge Server interface?

  Hi,
  I have a small lab deployment for evaluation purposes. The Lync FE server works great for internal users. I have now added an Edge server. For the internal interface, I have a self signed certificate from our internal CA. (no problem there) For the external
  interface, I have a self signed certificate from our own external CA. I have installed the cert on the client machine of the external user and installed it for trusted operation. I have used the RUCT and digicert tools to prove that the external self signed
  cert is valid (root and intermediate have been checked for validity).
  At first, when logging in from the Lync 2013 client on the external users machine, I would get an error from Lync about the cert being untrusted. I have now fixed that error by adding it as trusted. At this point, there are no errors or warnings in the Event
  Viewer (in the application or system logs) However, I receive the following error from the Lync client, "Were having trouble connecting to the server... blah, blah".
  Here is my question. Does the Microsoft Lync 2013 client and/or the "testconnectivity.microsoft.com" tool specifically prevent or forbid the use of self signed certificates on the external interface of an Edge server? They seem too.
  I can tell if the certificate is my problem or something else. Any ideas on how to trouble shoot this?
  Thx

  Drago,
  Thanks for all your help. I got it working.
  My problem with the Lync client error, "Were having trouble connecting to the server... blah, blah", was NOT a certificate error. It was a problem with my Lync Server Topology. (My sip default domain needed to match my user login domain.)
  Let me update everyone about self-signed certificates:
  YES, you can self-sign a certificate on your external edge server. It is a pain, but possible.
  I have a self signed certificate from our own external CA. I have installed the cert on the client machine of the external user for trusted operation. I have used the RUCT and digicert tools to prove that the external self signed cert is valid (root and
  intermediate have been checked for validity).
  Here are my notes:
  Create/enable your own external Certificate Authority (CA) running on a server with internet access. 
  On the Lync Edge Server, run the "Lync Server 2013 - Development Wizard".
  Click "Install or Update Lync Server System". (Lync will automatically determine its deployment state)
  You should have already completed: Step1 and Step 2.
  Run or Run Again "Step 3: Request, Install or Assign Certificates".
  Install the "Edge internal" certificate.
  Click "Request" button to run the "Certificate Request" wizard.
  You use can "Send the request immediately to an online certificate authority" option to connect to your internal CA, and create the certificate.
  Once the certificate has been created, use "Import Certificate" to import it.
  Once imported, on the Edge Server, go to: (Control Panel -> Administrative Tools -> Internet Information Services (ISS) Manager -> Server Certificates -> Complete Certificate Request...
  In the Lync deployment wizard - Certificate Wizard, "Assign the newly imported "edge internal" certificate.
  Install the "Edge External" certificate (public Internet).
  Click the "Request" button to run the "Certificate Request" wizard.
  Press "next"
  Select "Prepare the request now, but send it later (offline certificate request).
  Supply the "Certificate Request File" name and location. (You will need the file later. It should have the file extension ".req").
  Click next on the "Specify Alternate Certificate Template". (which means you are using the default options)
  Give it a Friendly Name. Bit Length = 2048. I selected "Mark the certificate's private key as exportable" option.
  Fill in the organization info.
  Fill in the Geographical Information.
  The wizard should automatically fill-in the "Subject name:" and "subject alternative name:' fields.
  Select your "Configured SIP domains"
  "Configure Additional Subject Alternative Names" if you want. Otherwise, next.
  Verify the "certificate Request Summary". Click next.
  Run the wizard script to "Complete". The wizard will create a file containing the certificate request with the file extension ".req". (Let's assume the file name is "myCert.req")
   Move your myCert.req file to your external CA. Have your CA issue the cert (based on myCert.req) and export the new cert to a file. I save it as a P7B certificate. (Let's call it "ExternalCert.p7b")
  In the Lync Deployment wizard - Certificate Wizard, click on "Import Certificate" for ExternalCert.p7b.
  Once imported, on the Edge Server, go to: (Control Panel -> Administrative Tools -> Internet Information Services (ISS) Manager -> Server Certificates -> Complete Certificate Request... (assign it a friendly name. Let's say "EXTERNAL-EDGE")
  For the "External Edge certificate (public Internet), click "Assign".
  The "Certificate Assignment" wizard will run.
  Click next.
  From the list, select your cert "EXTERNAL-EDGE".
  Finish the wizard to "complete".
  You are finished on the server.
  Move the "ExternalCert.p7b" file to the machine running the lync client. Install the cert via the "Certificate Import Wizard".
  When installing it to a particular Certificate Store, select the "Place all certificates in the following store" option.
  Browse
  Select "Trusted Root Certification Authorities"
  Finish the wizard.

• WLC with ISE as radius and also external web server

  Hi friends,
  I am biulding a wireless network with 5508 WLC and trying to use ISE as radius server and also to redirect the web-login to it.
  I was trying to understand that to achieve the external web-login, do i need to use the raduius-nac option under advanced on the guest wireless where i am trying this out. and if not, where do i actually use it?
  So far what i have understood that i do need to have preauth ACL on the Layer 3 security, but the issue is there is no hit reaching the ISE.
  any suggestions would be higly appreciated guys!
  Regards,
  Mohit

  Hi mohit,
  Please make sure the below steps for guest auth thru ISE,
  1)Add the WLC in your ISE as netork devices.
  2)In Guest SSID you need to choose the pre authentication acl.That acl should allow the below traffic
      a. any to ISE
      b.ISE to any
      c.any to dns server
      d.dns to any
  3)The external redirect url will be 
  https://ip address:8443/guestportal/Login.action
  4)AAA server for that SSId would be your ISE ip with port number 1812.
  5)In advanced tab please choose the AAA override. No need of radius nac.
  6)Create appropriate authorization profile in ISE for guest.Example is below ,

• Can data be passed to an external web server using the "in-course web browsing" feature in ver. 7?

  Can data be passed to an external web server using the "in-course web browsing" feature in ver. 7? I would like to display a simple web page, and I would like to pass to that web page the answers to all the quiz questions, quiz score, etc. In other words, instead of passing quiz results to a SCORM-compliant LMS like Moodle, I'd like to pass that data to a Drupal Webform using a URL like:
  https://www.example.com/my-drupal-webform?param1=value1&param2=value2...&paramn=valuen
  Is this possible?
  Thanks,
  John

  You have to make sure every step in MOS Document ID 726414.1 that is applicable to your E-Business Suite 12.1.x release is performed. Enabling ASADMIN is just one of the steps. In spite of following all the steps in this Document you continue to get the error when clicking "Generate WSDL", please log a Service Request with Oracle Support.I will check all steps again. Maybe I missed one... Thanks!

• Diff Patch Level on External web and Source Server

  Hi ,
  Version - 11.5.10.2
  We recently setup our external web server in DMZ on Linux while our source system
  is running on Solaris.
  We followed 238276.1 doc to migration the middle tier to linux. We were asked to check
  both systems should have same Patch level.
  I have doubts here
  o Since we have only one DB Tier, and we copied APPL_TOP from Source solaris and
  convert the files to linux. we installed IAS and 8.0.6 home from Universal installer
  Is it possible to have diff patch level on both instances. as we have only DbTier
  and the only way [ I know ] to check whether we have patch applied or not is
  query to database or using OAM as it would show the same patch.
  o if there is possibility to have diff. patch level then how can we detect this and what is the way to apply patches on one server [ Adadmin ? ]
  o Can you please point me to any DOC which can give clarity how diff. type of patches
  we can have in Apps.
  Regards,
  Jagjeet Singh

  Plan on applying the Linux and Solaris versions of all applications patches to the respective servers.
  How To Apply a Patch in a Multi-Server Environment
  http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=136342.1
  Patches must always be applied in their entirety. If you apply a patch to update
  your filesystem, you must also apply the corresponding database and generation
  portions of the patch if they are included. When updating the filesystem in a
  multi-server environment, you should apply the patch on all servers.
  You can see what patches have been applied to which nodes in OAM on the Applied Patches page. Oracle will not advise you to have patch differences, otherwise supportability comes into question due to partial patch application.

• Lync 2013 client can't connect externally to edge server

  So I have my edge server set up in the DMZ. 3 ips bound to an interface for external connectivity.
  sip.domain.org (A record)
  webconf.domain.org (A record)
  av.domain.org (A record)
  _sip.tls.domain.org:443 pointing to the same IP as sip.domain.org
  External Lync Clients should be using this srv record to auto-connect, correct?
  I have purchased a thawte ssl cert and bound it correctly to the external interface.  Internal interface is a PKI internal CA cert. Sometimes when doing a testconnectivity from MS, it comes up stating " The certificate couldn't be validated because
  SSL negotiation wasn't successful", when other times I run the test and it states that it validates the cert correctly, analyzing the cert - no problems found, etc, all looks good and then fails at "couldn't sign in Error Unknown (0x80131500) 
  Error type: TLSFailureException.
  Not sure where to start looking or why it shows the cert is good sometimes and others not.
  Also when I launch the Lync Server Admin Console, Under Topology,  my edge server is showing Replication with a red X.  Don't know what to look for either.

  Hi jackl2001,
  By default, no policies are configured to support external user access, including remote user access, federated user access, even if you have already enabled external user access
  support for your organization. To control the use of external user access, you must configure one or more policies, specifying the type of external user access supported for each policy.
  Click on the link below for more details.
  Managing federation and external access to Lync Server 2013
  http://technet.microsoft.com/en-us/library/gg520966.aspx
  Best regards,
  Eric

• Any reason not to put Lync Edge server on the same server that runs Web Application Proxy?

  We're currently running Lync 2010 standard server, without an edge server or reverse proxy.  I'm working on migrating to lync 2013 standard server, and would like to add the edge functionality in the process.  I have a Server 2012R2 in the dmz,
  with the web application proxy role installed.  I plan to use that to publish the lync web services.  Is there any reason I shouldn't install the lync edge server on the same computer? 

  It just won't work well as everything will want to bind to port 443 (the reverse proxy and the edge services as well).  On top of all that, it's just not supported.  A new virtual server will save you hours upon hours of frustration and leave you
  with a supported configuration. 
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
  SWC Unified Communications

• External Web authentication server for Guest access

  I have a guest wireless wlan setup. When guest users attach to our guest wireless they are prompted by the built in web security on the WLC's.
  Cisco talks about how to setup the WLC to route web authentication to an external web server, but they don't say what kind of web server to use or examples.
  I need some help on getting an external web server to do web authentication. With the server we would like to get some basic info from the user. name, email, pupose of using wlan, and some background info they don't see like, computer name, mac address. This is all for tracking purposes.
  Hotels do this type of web authentication for example.
  Any help would be great.

  Hi Patrick,
  I'm having the same problem here. I configured my WLC that redirect the login page to WEB Server, but I don't know how configure the Web Server to back the credentials to WLC. Did you can solve this problem?
  thanks!
  Claudio

• Solaris 10 11/06 - Cannot access external web sites from server

  Hi,
  I am relatively new with Solaris so I hope this is something simple. I just installed Solaris 10 11/06 with the `Secure By Default` option.
  From the command line I can use dig and nslookup to resolve external web sites fine, but if I try to use the update conection manager (desktop), mozilla browser (desktop), or pkg-get (command line) it fails to resolve the external sites. I have a valid resolv.conf file and I have named installed and running.
  It is on a LAN with other servers that have no problems with external access. I am running as root in all instances, so is there some permissions issue I am missing with this install/release?
  I don't want to open up the install more than I have to.
  Thanks,

  Hi again,
  I figured it out. The nsswitch.conf file was not referencing dns as part of the `hosts` and ipnodes` resolution methods. Once I added this and restarted named it worked.
  group: files
  hosts: files dns
  ipnodes: files dns
  networks: files
  -----------------------