Edge Public Certificate for Single Edge Pool + Reverse Proxy

I have a public certificate that was ordered prematurely, and the SN does not match the current setup of the access URL. The company that the certificate was ordered from does not allow editing of the SN, or what they call the domain name, without paying for an entirely new certificate. I do, however, have ample SANs that I can play with. I do not have a whole lot of experience with public certificates and am definitely not used to this "set in stone" deal. I've also included my reverse proxy URLs in the SAN portion, but, last time I checked, it is still "OK" to use one cert for Edge and RP to reduce costs.
Current cert example:
SN: access.domain
SAN: access1.domain, conf1.domain, lyncdiscover.domain, ...etc.
Edited certificate:
SN: access.domain
SAN: newaccess.domain, newconf.domain, Lyncdiscover.domain, ...etc.
So, my question is as follows:
Can I save my public cert and myself some heartache by either adding the new entries in the SAN area or using DNS in a way, or did I just learn a costly lesson?

You're fine, if I understand the question. If the question is "Am I screwed if the common name doesn't match the Access Edge name?", then the answer is "You're fine".
http://technet.microsoft.com/en-us/library/gg398920.aspx
"The subject name of the certificate is the Access Edge service external interface fully qualified domain name (FQDN) or hardware load balancer VIP (for example, access.contoso.com). Note: For Lync Server 2013, this is no longer a requirement, but it is still recommended for compatibility with Office Communications Server."
So, recommended and considered good practice, but not required.
Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
SWC Unified Communications
This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.
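The answer above rests on how TLS clients match names. When a certificate carries any dNSName entries in its Subject Alternative Name extension, clients (per RFC 6125 section 6.4.4, and every current browser and most TLS stacks) match the requested host against the SAN list and ignore the subject CN; the CN is consulted only as a fallback when no dNSName SAN is present. The following is an added example, not code from the original thread, that models that rule in Python against the names from the post. The "domain" suffix and the name list are the poster's placeholders; whether the CA copies the CN into the SAN is an assumption you must verify on the issued certificate. It is a name-matching check, not a certificate parser: feed it the CN and SAN list you read out of the issued cert.

```python
"""Name matching the way TLS clients do it (RFC 6125 section 6.4):
required hostnames are checked against the certificate's dNSName SAN
entries, and the subject CN is only a fallback when there are no SANs.

Added example for this thread; the names below are the poster's
placeholders, not a real certificate.
"""
from dataclasses import dataclass, field


@dataclass
class Cert:
    """Just the identity fields that matter for hostname matching."""
    common_name: str
    san_dns: list = field(default_factory=list)   # dNSName SAN entries


def match_dns_name(pattern: str, name: str) -> bool:
    """Case-insensitive exact match, plus the conservative wildcard rule:
    '*' only as the whole leftmost label, matching exactly one label,
    so '*.domain' covers 'sip.domain' but not 'domain' or 'a.b.domain'."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if pattern == name:
        return True
    if pattern.startswith("*."):
        head, sep, rest = name.partition(".")
        return bool(sep) and head != "" and rest == pattern[2:]
    return False


def names_covered(cert: Cert, required):
    """Map each required name to 'san', 'cn' or None, showing how (or
    whether) the certificate covers it under the client's matching rule."""
    coverage = {}
    for name in required:
        how = None
        if cert.san_dns:
            # SAN present: the CN is ignored entirely, even if it would match
            if any(match_dns_name(p, name) for p in cert.san_dns):
                how = "san"
        elif match_dns_name(cert.common_name, name):
            how = "cn"
        coverage[name] = how
    return coverage


# Constructed from the "Edited certificate" in the post: the CN stays
# access.domain, the new Edge/RP names live only in the SAN. We assume
# the CA did NOT copy the CN into the SAN; check the real cert for that.
EDITED_CERT = Cert(
    common_name="access.domain",
    san_dns=["newaccess.domain", "newconf.domain", "Lyncdiscover.domain"],
)

# Names clients will actually connect to (assumed: the new Access Edge
# and web conferencing names, lyncdiscover, and the old CN in case
# anything still points at it).
REQUIRED_NAMES = ["newaccess.domain", "newconf.domain",
                  "lyncdiscover.domain", "access.domain"]


def check_edge_cert(cert: Cert = EDITED_CERT, required=REQUIRED_NAMES):
    """Return (coverage, missing): missing lists the names no client
    will accept this certificate for."""
    coverage = names_covered(cert, required)
    missing = [n for n in required if coverage[n] is None]
    return coverage, missing


if __name__ == "__main__":
    cov, missing = check_edge_cert()
    for name, how in cov.items():
        print(f"{name:24s} {how or 'NOT COVERED'}")
    # access.domain is not covered: CN-only, and the cert has SANs.
    print("missing:", missing)
```

The run shows the three renamed services matched through the SAN (case-insensitively, so the capitalised Lyncdiscover entry is fine) and access.domain rejected: a CN-only name is invisible once the certificate has a SAN, so if anything (an SRV record, the A/V Edge, a federation partner's allow list) still resolves to the old name, that name must be in the SAN too. Read the issued certificate's SAN with openssl x509 -noout -ext subjectAltName before trusting what the order form says.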

Similar Messages

  • Public certificate for lync/exchange

    Hi guys,
I need to buy a public certificate for Lync 2013. Shall I include a SAN name for my Office Web Apps (OWA) too, which is currently included in my Exchange SAN certificate?
Does anyone have good links on configuring Lync with existing Exchange 2013, and also a link to configure Lync Edge for external access? Our plan is to use Windows 2012 R2.
This is the first time for me configuring Lync and I need help. Thanks.

    Hi Developer_75,
Agree with Thamaraw, you can include all SAN records into a single certificate.
    And there are some links for your reference.
    Integrating Microsoft Lync Server 2013 and Microsoft Outlook Web App 2013
    Configuring Microsoft Exchange Server 2013 Unified Messaging for Microsoft Lync Server 2013 voice mail
    Configuring the use of high-resolution photos in Microsoft Lync Server 2013
    Lync External Access
    Best regards,
    Eric

  • Need suggestion for ISE distributed deployment model in two different data centers along with public certificate for HTTPS

    Hi Experts,
I am a bit confused about the ISE distributed deployment model.
I have two data centers, one is the DC and the other one is the DR. I have a requirement for guest access service implementation using CWA, and to get a public certificate for HTTPS to avoid certificate errors on client devices:
How do I deploy the ISE personas for HA in these two data centers?
After reading the Cisco doc, I understood that we can have two PANs (primary in DC and secondary in DR), and likewise for MnT (monitoring will be the same as PAN). However, I can have 5 PSNs running in the secondary, i.e. in the DR ISE, and I have confusion about HA for the PSNs: since we have all PSNs in the secondary, it would not work for HA if it fails.
Can anybody suggest the best deployment solution for this scenario?
Another doubt about the public certificate:
Public Certificate: The ISE domain must be a registered or part of a registered domain name on the Internet. For that I need the domain name being used by the customer.
Please do correct me if I am wrong about my certificate understanding:
Since guests will be outside users, we cannot use a certificate from the internal CA; we need to get the certificate from a service provider and install the same in both ISE servers.
Can anybody explain the procedure to obtain the public certificate for HTTPS from a service provider? And how do I install it in both ISE servers?

    Hi there. Let me try answering your questions:
    PSN HA: The PSNs are not configured as "primary" or "secondary" inside your ISE deployment. They are just PSN nodes as far as ISE is concerned. Instead, inside your NADs (In your case WLCs) you can specify which PSN is primary, which one is secondary, etc. You can accomplish this by:
    1. Defining all PSN nodes as AAA radius servers inside the WLC
    2. Then under the SSID > AAA Servers Tab, you can list the AAA servers in the order that you prefer. As a result, the WLC will always use the first server listed until that server fails/gets reloaded, etc. 
    3. As a result, you can have one WLC or SSID prefer PSN server A (located in primary DC) while a second WLC or SSID prefer PSN server B (located in backup DC)
    Last but not the least, you could also place PSNs behind a load balancer and that way the traffic would be equally distributed between multiple PSNs. However, the PSN nodes must be Layer 2 adjacent, which is probably not the case if they are located in two different Data Centers
    Certificates: Yes, you would want to get a public certificate to service the guest portal. Getting a public/well known certificate would ensure that most devices out there would trust the CA that signed your ISE certificate. For instance, VeriSign, GoDaddy, Entrust are some of the ones out there that would work just fine. On the other hand, if you use a certificate that was signed by your internal CA, then things would be fine for your internal endpoints that trust your internal CA but for any outsiders (Guests, contractors, etc) that do not trust and do not know who your internal CA is would get a certificate error when being redirected to the ISE guest portal. This in general is only a "cosmetic" issue and if the users click "continue" and add your CA as a trusted authority, the guest page would load and the session would work. However, most users out there would not feel safe to proceed and you will most likely get a lot of calls to your helpdesk :)
    I hope this helps!
    Thank you for rating helpful posts!

  • Using PowerShell to request a public certificate for webconf. What type should I specify

Using the PowerShell command below to request a certificate for webconf.domain.com on the Edge. There are at least a dozen "types" I can specify. I was thinking WebServicesExternal but maybe AccessEdgeExternal? Not sure what to use or if it even makes a difference.
Request-CsCertificate -New -Type WebServicesExternal -ComputerFqdn "edgeserver.domain.com" -FriendlyName "Web Conferencing" -Organization etc...... -PrivateKeyExportable $True -DomainName webconf.domain.com -Output c:\webconf.txt

Type will be AccessEdgeExternal and the command will be as follows:
Request-CsCertificate -New -Type AccessEdgeExternal -Output C:\<certfilename.txt or certfilename.csr> -ClientEku $true -Template <template name>
    Also you can refer below link
    http://technet.microsoft.com/en-us/library/gg398409.aspx

  • Public Certificate for ACS

    Can anyone tell me if there are security issues with using a public certificate on ACS to be utilized for PEAP authentication? Trying to make this more manageable for our Windows Mobile devices and what they have for default for root CA's. Thanks

I would say a partial yes to your post. Since ACS is going to assign the certificate, if the ACS server is secure, then so is the certificate.

  • What is the alternative to TMG/ISA For SSL-Bridging-Capable Reverse Proxy For System Center 2012 R2 IBCM?

    When I look up alternatives to TMG many other answers say something like "Don't worry about it. TMG 2010 is under support until 2020."
    Well, we don't have TMG and can't buy it since it is off the market.  Can it still be legitimately purchased through any resellers?
    We need a reverse proxy that specifically supports SSL-Bridging so that device certificate authentication is not broken when the connection passes through the proxy.
    Which reverse proxies that are currently on the market are known to work successfully with System Center Config Manager Internet-Based Client Management and also with other Microsoft products such as Lync 2010 and RD Gateway 2012 R2?
    Do any Cisco ASA or ACE models support the required functionality for machine certificate authentication?
We have ISA 2006 licenses available, but I would hate to roll that out and then have to replace it in only 2 years rather than using something that can stay in place long term. Maybe we could use ISA 2006 temporarily as a stopgap if the next released version of Windows Server Web Application Proxy would meet the requirements and can be deployed in production before ISA 2006 is completely EOL.
    I hate that Microsoft keeps discontinuing all the related products to this before they have their replacements ready.

    Hi,
    You are correct, all TMG product sales officially ended in December 2012.
In addition, an ISA Server and a TS Gateway server can be used together to enhance security for remote connections to internal network resources. However, it seems that ISA 2006 cannot support that on Windows Server 2012 R2. For more detailed information:
    Configuring the TS Gateway ISA Server Scenario
    Personally, Web application proxy would be an alternate. In addition, for the question related to Cisco product, you can contact Cisco for assistance.
    Best regards,
    Susie

  • Public certificate DV, OV, EV

    Hi,
I would like to know if there is a difference between the public certificates for Lync Edge and Reverse Proxy between the types DV (Domain Validation), OV (Organization Validation) and EV (Extended Validation)?
Can I use any of these types, and are they supported?

    Hi Mike-WWW,
    Agree with others.
    In addition, please refer to the following KB to choose the Unified Communications certificate partners.
    https://support.microsoft.com/en-us/kb/929395
    Best regards,
    Eric

  • Reverse Proxy Setup

    I have a 10.5 server running as a webserver with a single static IP address. I have a second machine running FileMaker Server that is also a webserver. I have two different domain names ( example.com and fmexample.com) that both point to the same static IP.
    I would like all traffic coming to example.com to pull data from the 10.5 Webserver and I would like all traffic coming to fmexample.com to pull data from the FileMaker Server.
    In researching this it seems like adding fmexample.com to the Sites list in 10.5 server and then adding a reverse proxy to the FileMaker server should accomplish what I am trying to do. However, even with the reverse proxy setup both domain names still pull data from the 10.5 server.
    On the 10.5 server in the Sites Menu these are my settings for the fmexample.com site.
    General Tab
    Domain Name: fmexample.com
    IP Address: 10.0.1.10 (IP address of the 10.5 server)
    Proxy Tab
    Enable Reverse Proxy "Checked"
    Proxy Path: /
    Balancer Members:
    Worker URL: http://10.0.1.100:80/ (IP address of the FileMaker Server)
    Route: "Blank"
    Load Factor: 100
    Any help would be appreciated.

    The reverse proxy is in the loop because I have multiple servers sitting behind a single public static IP address. When external calls (users outside of my local network) are made to the public IP for fmexample.com the reverse proxy server sends them to the 10.0.1.100 server on my local network.
    This worked fine for standard web serving. The problem came in with FileMaker's IWP engine. It was reading the incoming host header not as the original domain name (fmexample.com) but as the domain name or IP Address that I was assigning in the reverse proxy (ie fmexample.local, or 10.0.1.100)
So when IWP would issue a redirect it would return a URL to the external user specifying an internal address. For example, if I specify http://10.0.1.100/ as the URL in the reverse proxy, IWP would issue a redirect and return a URL that looked like http://10.0.1.100/fmi/iwp....
    That internal address would not work outside of the network.
By adding a DNS record internally that routes all fmexample.com traffic to 10.0.1.100, I was able to set the reverse proxy, in essence, to point to itself, but since the reverse proxy was looking at my local DNS server, it would route back to the local IP address.
    Since I could now set the reverse proxy to use fmexample.com as the worker URL, IWP now could see a host header of "fmexample.com" and when it issues a redirect to the external user it shows the proper URL (ie http://fmexample.com/fmi/iwp)
    Circumstances Affecting my thought process:
    1) I can't just route all incoming traffic to my public IP to 10.0.1.100 because I have a couple of other domains that route to different servers so I still need the reverse proxy to play traffic cop.
    2) I also didn't have any idea how to modify IWP to force it to return a specific domain and I couldn't find any clear information on how to modify IWP. I decided to leave IWP working as it was designed and come up with a way to feed it the host header that I wanted.
    I admit it does seem a bit convoluted but the important thing is that it works, both internally and externally.
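The fix described above (feeding the backend the public host name so its redirects come out right) is one of two ways to handle a backend that builds absolute URLs from the Host header it receives; the other is to keep the worker URL pointing at the internal address and have the proxy rewrite the Location header on the way back. The following is an added example, not code from the thread or from any of the products named in it, showing both in Python: the header set a proxy forwards to the worker (preserving the client's Host, or not, and adding X-Forwarded-* headers), and a Location rewrite for redirects that leak the internal address. The hostnames and IP (fmexample.com, 10.0.1.100, fmexample.local) are the ones from the post; the redirect path and query are constructed.

```python
"""Two ways a reverse proxy can keep a backend's redirects pointing at
the public name instead of the internal worker address.

Added example for this thread; the hosts are the poster's, the sample
redirect is constructed.
"""
from urllib.parse import urlsplit, urlunsplit

# Addresses the backend might put into an absolute Location: the worker
# URL host and the internal DNS name mentioned in the post.
INTERNAL_HOSTS = {"10.0.1.100", "10.0.1.100:80", "fmexample.local"}
PUBLIC_HOST = "fmexample.com"


def upstream_headers(client_headers: dict, worker_host: str,
                     preserve_host: bool = True, scheme: str = "http") -> dict:
    """Headers the proxy sends to the worker.

    preserve_host=True passes the client's Host through unchanged, so a
    backend that builds absolute URLs from Host sees the public name.
    preserve_host=False reproduces the original broken setup, where the
    worker saw its own address as Host. X-Forwarded-* carries the
    original values either way, for backends that honour them.
    """
    out = {k: v for k, v in client_headers.items()
           if k.lower() not in ("connection", "keep-alive")}  # hop-by-hop
    original_host = client_headers.get("Host", "")
    if not preserve_host:
        out["Host"] = worker_host
    out["X-Forwarded-Host"] = original_host
    out["X-Forwarded-Proto"] = scheme
    return out


def rewrite_location(location: str, internal_hosts=INTERNAL_HOSTS,
                     public_host: str = PUBLIC_HOST, scheme: str = "http") -> str:
    """Rewrite an absolute redirect that names an internal host; leave
    relative redirects and redirects to other hosts alone."""
    parts = urlsplit(location)
    if not parts.netloc:            # relative Location: already fine
        return location
    if parts.netloc.lower() not in internal_hosts:
        return location             # redirect elsewhere: not ours to touch
    return urlunsplit((scheme, public_host, parts.path, parts.query, parts.fragment))


def simulate_redirect(preserve_host: bool) -> str:
    """Model the exchange from the post: the backend answers with a
    redirect built from whatever Host it saw, and the proxy fixes it up."""
    client_headers = {"Host": PUBLIC_HOST, "Connection": "keep-alive"}
    sent = upstream_headers(client_headers, "10.0.1.100", preserve_host)
    # Constructed backend behaviour: IWP redirects to <Host it saw>/fmi/iwp/...
    backend_location = f"http://{sent['Host']}/fmi/iwp/cgi?-db=example&-startsession"
    return rewrite_location(backend_location)


if __name__ == "__main__":
    print(simulate_redirect(preserve_host=False))  # internal host, rewritten
    print(simulate_redirect(preserve_host=True))   # already the public name
    print(rewrite_location("/fmi/iwp/cgi?-home"))  # relative: untouched
```

Preserving Host is the cleaner fix, because it also corrects cookies and embedded links rather than just redirects; the Location rewrite is the fallback when the backend insists on a particular Host, as IWP did here. Keep the rewrite keyed to an explicit list of internal hosts so it never turns a redirect to a third party into one under your own domain.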

  • Combining Lync Edge certificate of Reverse Proxy

I wonder whether creating a certificate from the combined Lync Edge server names and Reverse Proxy names will work?
I want to create a certificate for Lync Edge with CN = sip.domain.com and add the names required for the Edge and Reverse Proxy as additional DNS entries:
    sip.domain.com 
    webconf.domain.com
    webext.domain.com
    meet.domain.com
    dialin.domain.com
    lyncdiscover.domain.com

    Hi,
Yes, you can use the same certificate for both the Edge Server (external interface) and the Reverse Proxy, with the SAN including all the names the Edge Server and Reverse Proxy need (such as webcon.contoso.com, sip.contoso.com, webext.contoso.com, meet.contoso.com, dialin.contoso.com, lyncdiscover.contoso.com, and so on).
More details:
https://technet.microsoft.com/en-us/library/gg398519.aspx
https://technet.microsoft.com/en-us/library/gg429704.aspx
There is no special SAN for federating with Skype. However, the certificate must be a public SAN certificate.
    Best Regards,
    Eason Huang
    TechNet Community Support

  • Lync 2013 Certificates for DR Pool

    Hello, I'm kind of new to Lync 2013 so I could use a little guidance.....  
    My question is regarding edge server certificates for my DR site. We have 2 geographic locations, one for Prod, and one for DR in an active/passive arrangement. The pools are paired for resiliency.
The prod site is up and running, everything is functioning as it should. We recently decided to deploy Lync in DR. The prod site is using sip.x.com in DNS and SRV records for access edge. Knowing that we cannot use the same DNS name for the DR pool, I have used sip_DR.x.com. It is recommended to use the same cert for all edge servers. Does that mean I should use the same cert for both pools? If so, should I then add the SAN sip_dr.x.com to my existing UC cert from DigiCert, and import it to all my edge servers in both pools, or should I have a separate cert for DR? Or, would I request a duplicate cert from DigiCert and generate the request from one of my edge servers in the DR pool?
    Any help you can provide will be greatly appreciated.
    Thank you. 

The same cert requirement is for all Edge servers in an Edge pool. You can use a new certificate for the DR Edge pool.
Take a look at Jeff Schertz' blog: http://blog.schertz.name/2012/07/lync-edge-server-best-practices/
"The exact same certificate must be used on all common interfaces across the pool, regardless of whether DNS load balancing or hardware load balancing is utilized. This means that the original certificate request must provide the ability to export the private key as the exact same certificate and private key pair must be able to be exported from one Edge server into all other Edge servers. This is required so that in the event of a failover any existing sessions can be moved to another server in the pool and the data can still be decrypted by the same certificate that was used to encrypt the session just prior to the failover."

  • CWMS hostnames are not treated as valid subject alternate names for a public certificate

    Hi,
I have a problem getting a public certificate for my CWMS Server 2.0.
The FQDN for the public VIP is "meet.company.de".
But the FQDN hostnames for the admin and media VMs are "admin.company.corp".
The public certification authority does not accept our CSR because the Subject Alternate Name xxxx.company.corp is not valid.
    Any ideas how we can proceed? Wildcard certificate is not an option.

    Hello,
There are a couple of things you can try:
1. Change the Certification Authority. At least until November 2015, CAs should accept internal company domains and provide SSL certs for them. Not sure what CA you are trying to use, but I've seen Verisign, GoDaddy, Entrust, etc. providing SSL certs for internal domain names (using SAN certs).
2. Change the FQDNs of your internal VMs. You would need to ensure you configure the "company.de" zone in your internal DNS, create DNS entries for all the internal VMs, Private VIP, Admin and WebEx Site in the "company.de" domain, and then perform the hostname change on CWMS for all the VMs and the Admin site. You can change the VM hostnames if you go to CWMS Dashboard > System > View More, and by clicking on each VM you will get an option to change the hostname. If the hostname is defined in DNS and resolves to the same IP address as the original hostname, the entry will be properly updated. (NOTE: don't change the IP addresses if not really needed. If needed, take a look at the instructions here.) Once you have modified all the hostnames, you can generate a new CSR (SAN), you will have valid internal VM hostnames, and your CA will be able to issue you a certificate.
3. If you end up using the same domain name on all the VMs and VIPs, you may consider wildcard certs (not sure why they are not an option in your case).
    This is all that you can do when it comes to this issue.
    I hope any of this will help.
    -Dejan

  • Federation trouble with some partners after public certificate renewal

I always seem to find the answer to my problems on this forum, but this time I'm stuck and need a little help.
The problem happened after I renewed the public certificate on the Lync Edge server. I instantly discovered federated partners dropped from 13 to 3. I get presence unknown with the "undiscovered" partners.
I also got the same problem with 2 out of 5 direct/enhanced federated partners.
Lync Mobile "Push Notifications" also stopped working.
I updated the certificate on 29 October. Since then discovered partners have increased to 7, Lync Mobile "Push Notifications" started working after about 2 weeks, but I'm still missing federation with a couple of important partners, and I still don't have federation working with partners using Lync Online (sipfed.online.lync.com). I did, however, never lose the federation with MSN contacts.
Looking through the Edge server Event Viewer, I do see a lot of "LS Protocol Stack" Event ID 14502:
A significant number of connection failures have occurred with remote server sip.sarpsborg.com IP xx.xx.xx.xxx. There have been 289 failures in the last 880 minutes. There have been a total of 6516 failures.
The specific failure types and their counts are identified below.
Instance count - Failure Type
6095 - 0x80072746(WSAECONNRESET)
421 - 0x8007274C(WSAETIMEDOUT)
This can be due to credential issues, DNS, firewalls or proxies. The specific failure types above should identify the problem.
When I run the "Microsoft Remote Connectivity Analyzer" it is all green except for a small warning saying:
Analyzing the certificate chains for compatibility problems with versions of Windows.
Potential compatibility problems were identified with some versions of Windows.
Additional Details
ExRCA can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
My certificate is bought from a highly respected certificate authority, and it was renewed with the same authority.
When logging from a client I get these errors:
ms-diagnostics:
1047;reason="Failed to complete TLS negotiation with a federated peer server";WinsockFailureCode="10054(WSAECONNRESET)";WinsockFailureDescription="The peer forced closure of the connection";Peer="sip.partnerdomain.com";Port="5061";source="sip.our.domain.no"
It looks to me like some of my previously federated partners don't like my new certificate, and that they basically need to update their root certificates.
I'm having a hard time establishing exactly what has gone wrong here.
Since I now have federation working with 7 partners, Lync Mobile is working with push notifications and the Microsoft Remote Connectivity Analyzer tells me almost everything is fine.
Is there anything misconfigured at my installation, or anywhere I can look deeper?
Or...
Maybe my public Certificate Authority provided me with a certificate that's "too new"?
Or...
Maybe our federated partners haven't updated their root certificates on their Edge servers in a while?
Can anyone help point me in the right direction where I can look for more information?

Hi Jorgen,
Did you run Test-CsFederatedPartner and see if it returns successful results?
Also please check the new certificate is located in the trusted cert store on your Lync server; if not, please manually add it under the personal certificates and under trusted root certification authorities, then reboot the Lync server.
    Here is an old thread with similar error message about the same failure type for your reference.
    http://social.technet.microsoft.com/Forums/nl-NL/ocsedge/thread/f2f39c06-cb3a-456d-8578-ee2408116ebb
    If still no luck please turn on Lync server logging and reproduce the issue to get the trace log for more specific information for troubleshooting.
    Regards,
    Sharon
    Sharon Shen
    TechNet Community Support

  • Single Reverse Proxy and multiple Office Web App Servers

    Hi all,
    I have recently installed a new office web apps server pool in my new location and configured it in my Lync topology as well. 
I have a single Reverse Proxy (IIS ARR). Inside my Reverse Proxy I have created a new web farm for my new Web Apps server, copying the settings from my old Web Apps server's web farm in IIS, including its inbound rule regular expression.
Now when I try to upload a PowerPoint as an external guest, hoping to hit my new Web Apps server, my reverse proxy tries to hit my old Office Web Apps server and no traffic is sent from the reverse proxy to the new Web Apps server.
My reverse proxy shows the health of the new farm as healthy.
Should the inbound rules be different for these farms in the reverse proxy?
    Any suggestions are welcomed.
    Thanks,

    Hi,
    In addition to Luca's comment in order to determine if the farm is actually working correctly in the first instance, did you disable or remove the old server farm?
    Can you also confirm that there are no static routes in place on the IIS ARR box?
    Kind regards
    Ben

  • Secured connections for reverse proxy 4.0 possible?

    Hi,
    Is there any way to have a secure https to https connection while using Sun proxy server 4.0 as a reverse?
    I did the whole connect:// item with the 'connect://.*' defined in the routing table and just keep getting:
    "trying to GET /testdev/, deny-service reports: denying service of connect://testserver.***.com:481/testdev/"
    I tried defining it to https and get the "unable to find certificate".
    I am not showing the internal destination server ever receives any traffic from the reverse proxy, and the proxy logs seems to show it is blocking it all.
    So far coming in to the proxy server on an ssl https url and attempting to map it to another internal https server always fails.
    Mapping the same incoming https traffic to the same internal http server works fine (that is HTTP).
    So a client can hit our reverse proxy at HTTPS://reverseproxy.../testdev and get sent to an internal HTTP URL just fine.
    Doing the same thing to an internal HTTPS URL fails...
    Thanks much.

    The CONNECT is a method meant only for Proxies
    http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.9
    You might try searching for setting up secure reverse proxy in the docs.
The method is to map using https->http & http->https on both sides.

  • IIS ARR reverse proxy..can someone explain how traffic goes?

    I'm building a reverse proxy server from the ground up, and I'm using IIS ARR. 
    I'm following this awesome guide to do it: 
    http://blogs.technet.com/b/nexthop/archive/2013/02/19/using-iis-arr-as-a-reverse-proxy-for-lync-server-2013.aspx
    I'm having a hard time grasping this IIS stuff and I was wondering if someone could explain something.
    Am I supposed to use the external IP of the reverse proxy in external DNS, or the external IP of the edge server?
    Are my simple URLs (I'm using lws, meet, dialin, and lyncdiscover in IIS ARR) supposed to externally resolve to the reverse proxy, and then my accessedge URLS resolving to the external IP of the edge? 
    I'm trying to figure out what to ask to have added to external DNS, and I was thinking that all these requests would come into the Edge, and then the edge would push it up to the reverse proxy for port translation, and then down to the front end, or something. 
    Thanks!
    Brandon
    Edit: I think I might have figured it out... Is the external IP of the reverse proxy the "Lync Web Services External IP"? If that's the case, I got confused in my validator.

You beat me to it. Yes, you'd communicate with the edge directly. The reverse proxy is for Lync Web Services such as your external web services URL, meet, lyncdiscover, dialin, etc. It's just a method of publishing your front ends to the Internet.
    SWC Unified Communications
