Edge 2013 External Wildcard Certificate

Hi,
I know this has been covered a number of times but I'd like something that's been posted more recently.
We use Lync 2013 with a wildcard certificate on our edge external interface.  Everything works as expected and that's on version 5.0.8308.556
I've recently deployed Lync 2013 at a customer site and when applying the certificate I'm unable to sign on externally or contact federated partners.  They're running 5.0.8308.577
When testing from Lync connectivity tester I get the following:
Attempting to resolve the host name blah.co.uk in DNS.
The host name resolved successfully.
Additional Details
Testing TCP port 443 on host blah.co.uk to ensure it's listening and open.
The port was opened successfully.
Additional Details
Testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Additional Details
Elapsed Time: 758 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server blah.co.uk on port 443.
The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
Additional Details
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Certificate trust is being validated.
The certificate is trusted and all certificates are present in the chain.
Test Steps
The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=*.blah.co.uk, OU=Domain Control Validated.
One or more certificate chains were constructed successfully.
Additional Details
Analyzing the certificate chains for compatibility problems with versions of Windows.
Potential compatibility problems were identified with some versions of Windows.
Additional Details
The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
Elapsed Time: 4 ms.
Testing the certificate date to confirm the certificate is valid.
Date validation passed. The certificate hasn't expired.
Additional Details
The certificate is valid. NotBefore = 10/25/2013 2:46:03 PM, NotAfter = 10/25/2016 1:42:28 PM
Elapsed Time: 0 ms.
Testing remote connectivity for user [email protected] to the Microsoft Lync server.
Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
Additional Details
Couldn't sign in. Error: Error Message: Unknown error (0x80131500).
Error Type: TlsFailureException.
Elapsed Time: 1649 ms.
Any help would be much appreciated!
Thanks

Hi,
Wildcard certificates are not supported for the Edge server (both external and internal interfaces). It is supported to use a public certificate for the Edge external interface; for the Edge internal interface, typically use a private certificate issued by an internal certification authority.
More details about certificate requirements for external user access:
http://technet.microsoft.com/en-us/library/gg398920.aspx
You can refer to the link below of “Wildcard Certificate Support”:
http://technet.microsoft.com/en-us/library/hh202161.aspx
Here is a similar case that may help you:
http://social.technet.microsoft.com/Forums/lync/en-US/6bd237eb-2e96-437b-b559-54cf95230417/lync-server-2013-edge-unknown-error-0x80131500-tlsfailureexception?forum=lyncdeploy
Best Regards,
Eason Huang
TechNet Community Support
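As an added example (not part of the thread, and not Microsoft's or the Lync product's own tooling), the PowerShell function below, run on the Edge server, lists the names carried by the certificate assigned to the Access Edge external interface, flags any wildcard entry, and reports which Edge FQDNs from the topology are not present as exact entries. The function name, the sample FQDN list and the use of the Certificate provider's DnsNameList property are assumptions; Get-CsCertificate -Type AccessEdgeExternal is the Lync Server cmdlet that reports the assigned certificate.

```powershell
# Added example, not from the thread: audit the certificate on the Lync Edge external interface.
# Function name, sample FQDNs and the DnsNameList assumption are mine; Get-CsCertificate is the
# Lync Server cmdlet and must be run on the Edge server itself.
function Test-EdgeExternalCertificateNames {
    param(
        # Edge external FQDNs published in the topology (constructed sample values).
        [string[]]$RequiredFqdn = @('sip.blah.co.uk', 'webconf.blah.co.uk', 'av.blah.co.uk'),
        # Thumbprint to inspect; when omitted, the certificate assigned to the
        # Access Edge external interface is looked up with Get-CsCertificate.
        [string]$Thumbprint
    )

    if (-not $Thumbprint) {
        $Thumbprint = Get-CsCertificate -Type AccessEdgeExternal |
            Select-Object -First 1 -ExpandProperty Thumbprint
    }

    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "Certificate $Thumbprint was not found in LocalMachine\My" }

    # Collect the subject CN plus every DNS SAN entry. DnsNameList is a property the
    # PowerShell Certificate provider adds to X509Certificate2 objects (assumption: PS 3.0+).
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    $names += @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $names = @($names | Sort-Object -Unique)

    # The Edge role needs each FQDN as an exact entry; a wildcard that would cover the
    # name does not count, which is why it is reported separately instead of matched.
    $wildcards = @($names | Where-Object { $_.Contains('*') })
    $missing   = @($RequiredFqdn | Where-Object { $names -notcontains $_ })

    [pscustomobject]@{
        Thumbprint      = $cert.Thumbprint
        Names           = $names
        WildcardNames   = $wildcards
        MissingFqdns    = $missing
        SupportedOnEdge = ($wildcards.Count -eq 0 -and $missing.Count -eq 0)
    }
}

# Usage on the Edge server; pass -Thumbprint to inspect a candidate certificate before assigning it.
Test-EdgeExternalCertificateNames | Format-List
```

If WildcardNames is non-empty or MissingFqdns lists a name, the certificate is one the answer above says the Edge role will not accept; replace it with a SAN certificate that carries each Edge FQDN explicitly, and keep the wildcard for the reverse proxy where the later replies say it is supported.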

Similar Messages

  • Lync Edge Server External Private Certificate

    Hey GURUS!
    Please help me out:
    I'm having issues accessing Lync from external network.
    Mobile clients login fine, but computer clients fail to login.
    My current deployment consists in a single 2013 front-end and a single 2013 edge server.
    All servers have certificates from my internal CA.
    All servers have the root CA certificate installed in the trusted root certificate authority.
    I have 2 sip domains, and the edge certificate has both sip domains.
    However, when I test from test connectivity.microsoft.com, I get an error regarding the certificate chain.
    I can't understand why Lync requires an intermediate certificate, if I don't have any published in my organisation.
    The certificate path goes: Root CA -> Certificate.
    Also, the lync discover test runs with no errors what so ever.
    This error on the edge didn't occur when I had lync 2010 running.
    Does anyone know how to solve this?
    Thanks!
    Andrey Santana
    edit: I forgot to upload the screenshot

    Thiago,
    The certificates from the Front End / Reverse Proxy are also from the internal CA and I don't get the error, it actually runs successfully.
    Andrey
    How did you test the certificates from the Front End and Reverse Proxy Server?
    The public website connectivity.microsoft.com needs a public certificate.
    But if you use private certificate in lab, it could work as long as you install the Root CA certificate on client computer.
    Lisa Zheng
    TechNet Community Support

  • ISE 1.3 - wildcard certificate

    How to install an external wildcard certificate for SSL on ISE 1.3 and get it running for a guest portal ?
    Follow this links for guidance:
    Cisco Identity Services Engine Admin Guide, Release 1.3
    http://www.networkworld.com/article/2225032/infrastructure-management/what-are-wildcard-certificates-and-how-do-i-use-them-with-ciscos-ise.html
    https://supportforums.cisco.com/discussion/12305836/installing-wildcard-cert-ise-httpeap
    see Recording of Tech Talk Security: BYOD, Integrated CA, Multi-AD WebSession from November 6, 2014 of Aaron Woland
    and now..... RESTART your ISE engine!
    ISE needs to be restarted to bind the intermediate and the wildcard certificate, which will then be sent to the client for SSL. The client can now validate the certificates in the chain.
    Currently the restart is not documented by Cisco and there is no warning message to restart the ISE engine.

    Hi,
    You would have to restart the services; there is a note in the Cisco ISE document. Please refer to it below:
    If you are using Firefox and Internet Explorer 8 browsers and you change the HTTPS local certificate on a node, existing browser sessions connected to that node do not automatically switch over to the new certificate. You must restart your browser to see the new certificate.
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_cert.html#pgfId-1183856
    Regards,
    Tushar Bangia
    Note : Please do rate post if you find it helpful!!

  • Receiving error when signing into Lync 2013 Externally "There was a problem verifying the certificate from the server"

    I have gone through multiple forums and just about everyone states install the Root CA on the machine trying to connect.
    I have installed the Root CA on this machine as it is not on the domain and is not inside the domain. It is installed in the Trusted Root CA folder.
    I run the Microsoft test connectivity tester and this is what I receive:
    Testing remote connectivity to Microsoft Lync server through the Lync Access Edge server sip.netrixit.com on port 5061 to verify user [email protected] can connect remotely.
    Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
    Additional Details
    Couldn't sign in. Error: Error Message: Unknown error (0x80131500).
    Error Type: TlsFailureException
    Any insight would be helpful.

    Here is the certificate you have on your edge server external interface for sip.netrixit.com
    Common name: *.netrixit.com
    SANs: *.netrixit.com, netrixit.com
    Valid from January 30, 2014 to January 30, 2015
    Issuer: Go Daddy Secure Certification Authority
    As per Wildcard certificate support in Lync Server 2013
    http://technet.microsoft.com/en-us/library/hh202161.aspx
    Server roles that are not supported for wildcard certificates
    Internal server roles (including, but not limited to the Mediation Server, Archiving and Monitoring Server, Survivable Branch Appliance, or Survivable Branch Server)
    External Edge Server interfaces
    Internal Edge Server
    Please change the certificate on edge server external interface 
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer"
    Regards Edwin Anthony Joseph

  • Wildcard Certificate - Edge server/External web

    Hello,
    In our company we have deployed Lync 2013 CU4 with topology,
    Edge server - One for all roles a/v
    Front End - Standard with all roles
    All certs are from our internal CA, and it works for my domain users. But for all external users or Skype we need an external cert. We have one wildcard cert for our domain.
    So the question is, can we use the wildcard cert for our Edge server and the external services of the front end?
    Front end I think can use it, as on TechNet: http://technet.microsoft.com/en-us/library/gg398094.aspx

    Good morning,
    Using a wildcard certificate on Lync Edge server is not supported, and indeed will cause you problems.
    It also sounds like you are passing your Lync web services directly to your front end server. This is not recommended, and you should use a reverse proxy for this purpose. You would then place an external (public) certificate on that reverse proxy. So there's no need for a public cert on the front end in this scenario.
    You may consolidate the certificate requirements for reverse proxy and Edge onto a single multi-san certificate, and use that same certificate on both servers.
    OR
    If you use two separate certificates then it is supported to use a wildcard public certificate on the reverse proxy (web services), but your Edge certificate must be a separate multi-san certificate.
    Kind regards
    Ben
    Note: If you find a post informative, please mark it so using the arrow to the left. If it answers a question you've asked, please mark the thread as answered to aid others when they're looking for solutions to similar problems or queries.
    For Fun: Gecko-Studio | For Work:
    Nexus Open Systems

  • Lync Edge 2013 Certificate Assign (again!)

    Hi,
    I recently posted a similar topic on the forum (Lync Edge 2013 Certificate Assign). The issue was related to certificate assignment. I solved it, but I later needed to change my certification authority, and so change the certificate assigned to the public Edge interface. Trying this, I encountered a new (different) problem with my new certificate, so I am back here to try to find a solution.
    As said, I am trying to assign a certificate to my Lync 2013 Edge Server on the Internet edge. This certificate is signed by a recognized authority (Comodo).
    Whenever I import the certificate into the store via the Lync wizard and proceed to the Assign Certificate step, the certificate that I have imported does not appear in the list of certificates in the Lync deployment tool interface, so I cannot assign it to the External Edge interface.
    I tried to import it with DigiCert (which allowed me to solve my previous import problem, but not this time...) with no more result. I tried to import it from cer format, or crt format; the results are the same.
    I launched the MMC on the computer and add the Computer Certificate Snap-In. If I look at the certificate icon, I see the little key in the icon, so it sounds like I have the private key available.
    Any help would be greatly appreciated!
    Thank you very much for your help.
    EDIT: when running the digicert tool "Test Key", the result is the following : " the private key was successfully tested" and "revocation check for certificate chain failed". Does it give any clue ?

    I had the feeling I did everything fine too...! This is maybe a silly question, but I'll try anyway: do you think it could be possible that I cannot choose the imported certificate in the Lync Deployment assistant because the assistant does not recognize the public name of the computer? I mean, I could add the internal interface certificate because the computer recognized its local name (edge.local.domain). But it seems it doesn't know its Internet FQDN (lync.mydomain.com) which is mentioned in the topology.
    It does not explain why I could previously add the wildcard certificate, so I think my remark is silly, but I am kind of lost....
    Thank you anyway for your messages.
    EDIT: when I try to use PowerShell to assign my certificate manually, I get an error message telling me that the command execution failed because [my certificate thumbprint] is not in the store or not approved. It is true that I had some intermediate certificates provided by Comodo, but I installed all of them in the store via mmc > Certificates, both in trusted root CA and intermediate CA. Maybe I missed a location?

  • Problem: Mixed Exchange 2007 / 2013 CAS Servers with wildcard certificates in Europe and non-wildcard Certficate in China

    Hi,
    we have the following problem. We have a mixed multi-domain one-forest AD environment. We also still have a mixed Exchange 2007 / 2013 environment. We also have different CAS servers for 2007 SP3 (RU15) and 2013 (CU8) in Europe and one 2007 SP3 (RU15) CAS server in China, because of the bad connection to Europe. For the migration to 2013 in Europe we installed a wildcard certificate *.xyz.com and used Set-OutlookProvider EXPR -CertPrincipalName msstd:*.xyz.com, so the wildcard certificate is accepted. Everything in Europe works fine, inside and outside, also between Exchange 2007 and 2013 (both CAS Server 2013 and 2007 use the same wildcard certificate). But since the change of the Set-OutlookProvider EXPR we are facing problems with our CAS server in China, because this server has a different non-wildcard certificate and a different domain name (cas-server.xyz-china.com instead of xyz.com). Now we have the problem that on this Chinese CAS server Outlook Anywhere does not work anymore and always prompts for the username. As I see it, this is because of the EXPR change. Is it possible to set the Outlook Provider EXPR per CAS server? (They also have their own Autodiscover on this front-end server.) Because I see that the Outlook Provider can only be stored forest-wide.
    If not, the other solution would be to register the Chinese CAS server in our xyz.com domain and use the same wildcard certificate on this system, right?
    Any help would be appreciated.

    Yes, setting the EXPR value is most likely the cause of your issue. When you set this value you are telling Outlook to only accept connections that have the cert with the subject name you specify here.
    Unfortunately, based on my experience I believe this is an organization-wide setting and cannot be configured on a CAS by CAS basis (if I'm wrong someone please keep me honest :)).
    So the only option you would have is to change all the URLs to be on the *.xyz.com domain. There's no need to change the domain the server actually resides on. The other option would be to purchase a UCC cert with all the names you need, apply it to all your CAS servers and reset the EXPR value.
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread
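Since the reply above explains that the forest-wide EXPR value makes Outlook accept only certificates whose subject matches the configured msstd: name, the following added example (not from the thread, and not Exchange's or Outlook's own code) lets an admin predict which CAS certificates will pass before changing the setting. The function name and the sample certificate names are assumptions, and so is the matching rule implemented here (a leftmost '*' stands in for exactly one DNS label, comparison is case-insensitive); treat it as a model of the check, not as Outlook's source.

```powershell
# Added example, not from the thread: emulate the Outlook Anywhere principal-name check that
# Set-OutlookProvider EXPR -CertPrincipalName enforces. Function name, sample names and the
# one-label wildcard rule are assumptions.
function Test-CertPrincipalName {
    param(
        [Parameter(Mandatory = $true)][string]$CertPrincipalName,      # e.g. 'msstd:*.xyz.com'
        [Parameter(Mandatory = $true)][string]$CertificateSubjectName  # CN of the CAS certificate
    )
    if ($CertPrincipalName -match '^msstd:(.+)$') {
        $expected = $Matches[1].ToLowerInvariant()
    } else {
        throw "Only msstd: principal names are handled here: $CertPrincipalName"
    }
    $actual = $CertificateSubjectName.ToLowerInvariant()

    # Plain name: exact, case-insensitive comparison.
    if (-not $expected.StartsWith('*.')) { return ($expected -eq $actual) }

    # Wildcard name: the suffix must match and the '*' must stand in for exactly one label.
    $suffix = $expected.Substring(1)            # '*.xyz.com' -> '.xyz.com'
    if (-not $actual.EndsWith($suffix)) { return $false }
    $leftLabel = $actual.Substring(0, $actual.Length - $suffix.Length)
    return ($leftLabel.Length -gt 0 -and -not $leftLabel.Contains('.'))
}

# Constructed sample names modelled on the question: the European CAS servers share *.xyz.com,
# the Chinese CAS uses its own non-wildcard name in a different domain.
$expr = 'msstd:*.xyz.com'
foreach ($subject in 'mail.xyz.com', 'cas-server.xyz-china.com', 'xyz.com') {
    '{0,-28} accepted: {1}' -f $subject,
        (Test-CertPrincipalName -CertPrincipalName $expr -CertificateSubjectName $subject)
}
```

With the sample input only mail.xyz.com is accepted; cas-server.xyz-china.com fails because its suffix is .xyz-china.com, which is the mismatch the reply attributes the repeated credential prompt to, and the bare xyz.com fails because a wildcard needs one label in front of the suffix.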

  • Wildcard certificate for Exchange 2013

    Hello!
    I have a testing network with Exchange 2013SP1 and Windows Server 2012R2 domain controller with CA installed.
    For testing purposes I issued a wildcard certificate for my Exch2013 from my local CA using Web server template and installed it on the Exchange server.
    Now when I open, for example, ecp or owa page I'm getting the error stating my certificate is wrong:
    Q1) Is Windows CA capable of issuing a wildcard certificates?
    Q2) If Q1=yes then what can be the cause of the problem?
    Thank you in advance,
    Michael

    Hi Michael,
    Please click Certificate error in IE to view the details about the error. If the error is related to untrusted certificate, please open Internet Explorer, click Settings > Internet Option > Content option > Certificate. In the Certificates dialog box, click the Trusted Root Certification Authorities tab and check if your certificate is in the list.
    If the certificate is not in the list, we can install the certificate in Trusted root certificate store by the following KB:
    http://support2.microsoft.com/kb/2006728
    If the error certificate is related to mismatch issue, please confirm if this certificate is assigned with IIS service. If not, please enable it with IIS service and restart IIS service to have a try. To double check about the Exchange certificate, we can run the following command to check it:
    Get-ExchangeCertificate | FL
    Regards,
    Winnie Liang
    TechNet Community Support

  • Lync Edge 2013 NOT Replicating config data with CMS / NOT up to date

    I have recently installed my Lync 2013 Edge pool (1 edge server).
    all services are UP and public & internal certificates deployed successfully.
    BUT I keep seeing an X sign in the Replication Status field in the "Lync Control Panel->Topology" page.
    Even running "Get-CsManagementStoreReplicationStatus" gives:
        UpToDate           : False
        ReplicaFqdn        : internalEDGEFQDN.domain.com
        LastStatusReport   :
        LastUpdateCreation : 06/08/2013 10:09:41 AM
        ProductVersion     :
    telnet from my front-end to edge over port 4443 works
    all edge services are UP
    browsing [https://internalEDGEFQDN.domain.com:4443/ReplicationWebService] returns a special page
    there is a file called "data.zip" placed on the FileStore destined to my edge replica   \\filestorefqdn\lync2010files\1-CentralMgmt-1\CMSFileStore\xds-master\replicas\internalEDGEFQDN.domain.com\to-replica
    I don't know what might be causing the replication to NOT get initiated. The edge server needs to be replicated to be functional.
    thanks in advance,

    Hi,
    Please also run the Invoke-CsManagementStoreReplication cmdlet and allow time for the replication to complete before running the Get-CsManagementStoreReplicationStatus again.
    Would you tell us more details about certificate you used for Lync edge internal and external interface, and front end server? If you assigned a wildcard certificate to front end server, this may cause the replication issue between front end and edge.
    Please check event viewer if there is any relevant error message. In addition, you can refer to the blog you pasted how to check the CMS replication traffic.
    http://ocsguy.com/2011/09/07/troubleshooting-cms-replication/
    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make
    sure that you completely understand the risk before retrieving any suggestions from the above link.
    Kent Huang
    TechNet Community Support

  • Wildcard Certificate

    I'm trying to find out if it's possible to use a wildcard certificate on the Lync Edge server's External Interface. OR maybe a better question would be if I use the wildcard what will break? Like I've read the auto configuration will not work, etc. Looking to get away from having so many certs....

    Agreed it's not supported. From memory the Edge services don't start. Having said that, yes, you can try it and if it doesn't work - simply assign the correct certs without issue. You shouldn't have any issues with changing certs.
    If this helped you please click "Vote As Helpful" if it answered your question please click "Mark As Answer"
    Georg Thomas | Lync MVP
    Blog www.lynced.com.au | Twitter
    @georgathomas
    Lync Edge Port Check (Beta)
    This forum post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • RDS 2012 R2 best design possible with wildcard certificate

    Hi!
    I am looking for some guidance for my RDS 2012 R2 design flaw.
    What I would like to achieve?
    *I would like my users either internal or external to be able to connect to RDWeb via one single webaddress ( remote.mydomain.com)
    What I have in place?
    1x Broker
    1x WebAccess
    1x Gateway (also license server)
    1x SessionHost
    1x Wildcard Certificate
    my internal domain is mydomain.local and external is mydomain.com
    I have tried ( http://msfreaks.wordpress.com/2013/12/23/windows-2012-r2-remote-desktop-services-part-2/) without success.
    Any guidance here will be very helpful.
    cheers
    Elton

    Hi Elton
    I have a similar configuration working with 2012 R2. However, my config is slightly different, namely:
    2 x RDSH servers
    1 x all other roles (web, gateway etc).
    However, I am using a valid single URL cert on the gateway/web server, which is accessible using remote.domain.com. I did NOT replace the cert on the RDSH servers (using WMI), because you end up with 0x607 authentication errors if the certificate is not fully valid - correct name, trusted, and revocation information available. If you have purchased a commercial wildcard cert, this should work.
    I did some testing and concluded the following, which may be of interest:
    If you are just using the farm for internal connections, you can use an internal CA, and create self signed certs for the gateway, and the RDSH servers. You could use individual certificates for the servers, wildcard or SAN certificates. Then you will have no errors when connecting from internal clients. This will not work from external clients however, even if you trust your root or issuing CA manually on the external client, because the revocation information will not be available to clients outside the domain or network, and you will get 0x607 authentication errors.
    If you are connecting from outside your network, you have 3 options:
    1. Use self signed certs created during the role installation, don't change any RDP certs on RDSH servers. Then manually place the gateway certificate in trusted root authorities on the external client.
    2. Purchase commercial certificates for the gateway, and optionally all of the RDSH servers. This will avoid any warnings. You could either use separate certs, wildcard or SAN. If you replace the certificates on the RDSH servers, they must be valid and match the names.
    3. Purchase just one certificate for the external URL for accessing the gateway, leaving the default self-signed certificates on the RDSH servers. This will mean that there is no warning when connecting to RDWeb, but there may be warnings when the connection establishes. I use this option with one free StartSSL certificate.
    To summarise, you can use either commercial or self signed for the RDWeb page. However, if you replace the certificate on the RDSH servers, this MUST be valid commercial for external clients to be able to connect. Otherwise just leave it as self signed.
    In my case, I can use remote.domain.com from either outside or inside the network. So, I configure the deployment to use the external URL, and that URL works from inside too. This is because it resolves to the external address, so requests go out to the firewall and then back in again. This way you do not have to worry about the internal connections not using a matching URL as on the certs. Or, create an internal DNS record, so that remote.domain.com points to your internal address of the RDweb server. This should work as well.

  • Using wildcard certificate

    hi, I have a wildcard certificate, *.contoso.com, with no SAN description. I use this certificate for all web servers. Is it possible to use this certificate to connect mobile users to Lync 2013?
    Thanks
    Bruno
    Bruno Ausiello

    Hi,
    Wildcard entries are supported for the Simple URLs (meet, dialin, etc) but you cannot use them for anything else including the external web services FQDNs. So the wildcard certificate can reduce the cost of certificates placed on reverse proxy servers to publish the various external Simple URLs, but still you need a SAN certificate to publish other SANs such as external web services FQDN.
    More details:
    https://technet.microsoft.com/en-us/library/jj205381.aspx
    Best Regards,
    Eason Huang
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
    TechNet Community Support

  • Ramifications of assigning a wildcard certificate to the SMTP service (needed for Exchange 2010 Hybrid Configuration - Office 365)

    Hello All:
    I am receiving an error when I run the Manage Hybrid Configuration wizard - ERROR:Updating hybrid configuration failed with error 'Subtask NeedsConfiguration execution failed: Configure Recipient Settings. I have opened a SR, but figured I'd try the forums, too. I have a wildcard certificate from GoDaddy (MS says they support wildcards from GoDaddy) & that cert has only the IIS service applied to it on the CAS. I've read in the Exchange Server Deployment Assistant that it should have the SMTP & IIS services assigned to it, but my question is - SMTP on the CAS (separate server) or on the Mailbox/Hub Transport (separate server)? And what are the ramifications of assigning the SMTP service to, let's say, the CAS? We have had multiple issues every time the servers get updated/changed; I do not want to disrupt services further, as the Manage Hybrid Configuration will be done during business hours.
    If anyone can provide any assistance/clarification, it would be most appreciated.
    Thank you.

    Hi,
    We can enable a wildcard certificate with the SMTP service for an Exchange Hybrid Deployment. The SMTP service can be assigned to multiple certificates. Some Exchange services such as OWA, ECP, ActiveSync, the Autodiscover service and OOF use the Exchange certificate with the IIS service, and usually only one certificate can be assigned with the IIS service.
    Please just make sure your wildcard certificate contains all namespaces which are used for all internal URL and external URL configuration in Exchange services. About how to import an existing wildcard certificate on the Exchange 2010 Hybrid servers, please refer to the Import & Enable Third Party Certificate on Hybrid Servers part in the following article:
    http://www.msexchange.org/articles-tutorials/office-365/exchange-online/configuring-exchange-hybrid-deployment-migrating-to-office-365-exchange-online-part9.html
    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
    Regards,
    Winnie Liang
    TechNet Community Support

  • Install digicert wildcard certificate on 2012 RDSH Servers

    Hi Everyone
    I would like to find out if it is possible to install a DigiCert wildcard certificate on a 2012 RDSH server.
    My current RDSH deployment has 2 connection brokers and a SQL backend, and a bunch of RDSH 2012 servers in a collection. The wildcard certificate is configured in the deployment properties. All servers are part of the domain.
    We already have RASS servers, so we didn't install an RDSH Gateway. External users RDP to the RDSH servers via RASS.
    When users connect via RDP it prompts a certificate warning message.
    Please advise
    Thanks

    Hi,
    Thank you for posting in Windows Server Forum.
    Can you please provide the error\warning\event ID you are facing?
    Basic requirements for Remote Desktop certificates:
    1. The certificate is installed into computer’s “Personal” certificate store. 
    2. The certificate has a corresponding private key. 
    3. The "Enhanced Key Usage" extension has a value of either "Server Authentication" or "Remote Desktop Authentication" (1.3.6.1.4.1.311.54.1.2). Certificates with no "Enhanced Key Usage" extension can be used as well. 
    The certificates you deploy need to have a subject name or subject alternate name that matches the name of the server that the user is connecting to. So for example, for Publishing, the certificate needs to contain the names of all of the RDSH servers in the collection.
    More information.
    Certificate Requirements for Windows 2008 R2 and Windows 2012 Remote Desktop Services
    http://blogs.technet.com/b/askperf/archive/2014/01/24/certificate-requirements-for-windows-2008-r2-and-windows-2012-remote-desktop-services.aspx
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support
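As an added example (not from the thread and not a Microsoft tool), the PowerShell function below audits every certificate in the computer's Personal store against the requirements the reply above lists: present in LocalMachine\My, private key available, an EKU of Server Authentication or Remote Desktop Authentication (1.3.6.1.4.1.311.54.1.2) or no EKU extension at all, and a subject or SAN name that matches the server the user connects to. The function name, the sample server FQDN and the reliance on the Certificate provider's EnhancedKeyUsageList and DnsNameList properties are assumptions; the Server Authentication OID 1.3.6.1.5.5.7.3.1 is the standard value.

```powershell
# Added example, not from the thread: audit the computer's Personal store against the four
# Remote Desktop certificate requirements. Function name and sample server name are assumptions;
# run it on the RDSH host being published.
function Test-RdsCertificate {
    param(
        # FQDN the clients connect to; must appear in the subject CN or a DNS SAN (constructed sample).
        [string]$ServerFqdn = 'rdsh01.mydomain.local'
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'        # Server Authentication EKU
    $rdpAuthOid    = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication EKU (from the post)
    $ekuExtOid     = '2.5.29.37'                # id-ce-extKeyUsage extension

    # Requirement 1: only certificates in LocalMachine\My (the computer's Personal store) are examined.
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_

        # Requirement 3: Server Authentication or Remote Desktop Authentication EKU, or no EKU
        # extension at all. EnhancedKeyUsageList is added by the Certificate provider (assumption).
        $ekuExtPresent = [bool]($cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuExtOid })
        $ekuOids = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        $ekuOk = (-not $ekuExtPresent) -or ($ekuOids -contains $serverAuthOid) -or ($ekuOids -contains $rdpAuthOid)

        # Requirement 4: subject CN or a DNS SAN matches the server name. -like lets a '*.domain'
        # entry match; note it is looser than a strict one-label wildcard rule.
        $names = @()
        if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
        $names += @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        $nameOk = [bool]($names | Where-Object { $ServerFqdn -like $_ })

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            HasPrivateKey = $cert.HasPrivateKey    # Requirement 2
            EkuOk         = $ekuOk
            NameMatches   = $nameOk
            Usable        = ($cert.HasPrivateKey -and $ekuOk -and $nameOk)
        }
    }
}

# Usage: one row per certificate; a wildcard cert that fails only on NameMatches points at a
# server name that is not covered by the wildcard (for example a bare domain or a deeper label).
Test-RdsCertificate -ServerFqdn 'rdsh01.mydomain.local' | Format-Table -AutoSize
```

The output does not check trust or revocation, which the RDS 2012 R2 reply earlier in this list names as the other two causes of 0x607 errors; those depend on the client side and on whether the CRL is reachable from outside the network.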

  • Edge 2013 does not discover all Exchange servers in the org

    We have the following co-existence setup:
    Edge 2013 sitting on the DMZ.
    1 CAS 2013
    1 MBX 2013
    1 CAS/HUB 2010
    1 MBX 2010
    After creating a new edge subscription on the edge server and successfully completing it on the 2013 mbx server, when I run get-exchangeserver on the edgeserver I get only the 2010 CAS and the 2013 MBX. 2010 MBX and 2013 CAS are missing.
    All mail flow is working fine, yet if I shut down the 2010 CAS, incoming mail flow stops, because for the edge server the 2010 CAS is the NextHopDomain; it doesn't find it and gives a 4.4.1 error in the SMTP receive protocol logs.
    I have tried re-creating the subscription several times, I tried forcefullsync, it syncs fine yet it does not discover all the servers.
    The firewall on the edge is disabled and in the internal servers as well, just to be sure that there is no communication error.
    When the edge server receives an email from the internet it sends it to the 2010 CAS/HUB server and then to the 2013 MBX server.
    Also the documentation from technet states the following for Edge and messages arriving from external senders.
    Mailbox server and Client Access server installed on different computers   In this configuration, the Client Access server is bypassed for inbound mail flow.
    Mail flows from the Transport service on the Edge Transport server to the Transport service on the Mailbox server.
    So in my config, the CAS should be bypassed, but yet that's not happening. The "proxy to a CAS server" option on the connectors is not enabled.
    I believe all the above would be resolved, If I could make the Edge server discover all of the servers in the org.
    Ideas?

    Hi Dimitris,
    Based on my knowledge, I think this is normal behavior on the Edge server, since the computer that has the Edge Transport server role installed doesn't have access to Active Directory.
    We will create an Edge Subscription from mailbox server(Exchange 2013) or hub server(Exchange 2010). So the Edge server will only connect to these servers with transport role.
    According to the Edge Subscriptions document, it said:
    “The Edge Subscription process provisions the credentials used to establish a secure LDAP connection between Exchange 2013 Mailbox servers and a subscribed Edge Transport server.”
    Edge Subscriptions
    https://technet.microsoft.com/en-us/library/aa997438(v=exchg.150).aspx
    Best regards,
    Niko Cheng
    TechNet Community Support
