Lync Edge 2013 Certificate Assign (again!)

Hi,
I recently posted a similar topic on the forum (Lync Edge 2013 Certificate Assign). The issue was related to certificate assignment. I solved it, but later I needed to change my certification authority, and so change the certificate assigned to the public Edge interface. Trying this, I encountered a new (different) problem with my new certificate, so I am back here to try to find a solution.
As said, I am trying to assign a certificate to my Lync 2013 Edge Server on the Internet edge. This certificate is signed by a recognized authority (Comodo).
Whenever I import the certificate into the store via the Lync wizard and proceed to the Assign Certificate step, the certificate that I have imported does not appear in the list of certificates in the Lync Deployment Wizard interface, so I cannot assign it to the External Edge interface.
I tried to import it with DigiCert (which allowed me to solve my previous import problem, but not this time...) with no better result. I tried to import it from .cer format and from .crt format; the results are the same.
I launched the MMC on the computer and added the Computer Certificate snap-in. If I look at the certificate icon, I see the little key in the icon, so it sounds like I have the private key available.
Any help would be greatly appreciated!
Thank you very much for your help.
EDIT: when running the DigiCert tool "Test Key", the result is the following: "the private key was successfully tested" and "revocation check for certificate chain failed". Does it give any clue?

I had the feeling I did everything fine too...! This is maybe a silly question, but I'll try anyway: do you think it could be possible that I cannot choose the imported certificate in the Lync Deployment Wizard because the wizard does not recognize the public name of the computer? I mean, I could add the internal interface certificate because the computer recognized its local name (edge.local.domain). But it seems it doesn't know its Internet FQDN (lync.mydomain.com), which is mentioned in the topology.
It does not explain why I could previously add the wildcard certificate, so I think my remark is silly, but I am kind of lost....
Thank you anyway for your messages.
EDIT: when I try to use PowerShell to assign my certificate manually, I get an error message telling me that the command execution failed because [my certificate thumbprint] is not in the store or not approved. It is true that I had some intermediate certificates provided by Comodo, but I installed all of them in the store via MMC > Certificates, both in Trusted Root CA and Intermediate CA. Maybe I am missing a location?
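An added check script, not part of the original thread, that separates the three causes this post touches on: a certificate without its private key, a chain that does not build (for example because an intermediate CA certificate was filed in the Trusted Root store instead of the Intermediate store), and a chain that builds but whose revocation check fails because the DMZ host cannot reach the CA's CRL/OCSP URLs. It runs in an elevated PowerShell on the Edge server; the thumbprint is a placeholder to be replaced with the one shown in the wizard, and the function name is my own.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the Edge server.
# Replace the placeholder with the thumbprint of the imported certificate (40 hex characters).
$Thumbprint = 'PLACEHOLDER_THUMBPRINT'

function Test-EdgeCertificateAssignable {
    param([Parameter(Mandatory)][string]$Thumbprint)

    $tp   = ($Thumbprint -replace '\s', '').ToUpper()
    # The Deployment Wizard only lists certificates from the computer's Personal store.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $tp }
    if (-not $cert) {
        Write-Warning "No certificate with thumbprint $tp in Cert:\LocalMachine\My (Computer account > Personal)."
        return $false
    }
    $ok = $true

    # 1. Private key: the 'little key' icon in the MMC corresponds to this property.
    if (-not $cert.HasPrivateKey) {
        Write-Warning 'Certificate has no private key; re-import the PFX that contains it.'
        $ok = $false
    }

    # 2. Build the chain with revocation checking OFF, so a 'chain cannot be built' problem
    #    is not masked by an unreachable CRL/OCSP responder.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        $ok = $false
        foreach ($s in $chain.ChainStatus) { Write-Warning "Chain problem: $($s.Status) - $($s.StatusInformation.Trim())" }
    } else {
        Write-Host 'Chain builds without revocation checking:'
        $chain.ChainElements | ForEach-Object { Write-Host ('   ' + $_.Certificate.Subject) }
    }

    # 3. Same chain with ONLINE revocation checking. This is the check behind the DigiCert
    #    'revocation check for certificate chain failed' result.
    $chain2 = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain2.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain2.Build($cert)) {
        foreach ($s in $chain2.ChainStatus) { Write-Warning "Revocation/chain status: $($s.Status) - $($s.StatusInformation.Trim())" }
        Write-Warning 'If only Revocation* statuses appear, the chain itself is fine; check that this host can reach the URLs below (CRL distribution points and AIA).'
        foreach ($oid in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
            $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
            if ($ext) { Write-Host $ext.Format($true) }
        }
    }

    # 4. Intermediate CA certificates filed in Trusted Root. A certificate whose Issuer differs from
    #    its Subject is not a root; in the Root store it makes chain building inconsistent.
    #    Intermediates belong in Cert:\LocalMachine\CA (Intermediate Certification Authorities) only.
    $misfiled = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -ne $_.Issuer }
    foreach ($m in $misfiled) {
        Write-Warning "Non-root certificate in the Trusted Root store: $($m.Subject) (move it to Cert:\LocalMachine\CA)"
        $ok = $false
    }

    return $ok
}

Test-EdgeCertificateAssignable -Thumbprint $Thumbprint
```

Once the function returns $true, the certificate should be visible in the Assign step; if it still is not, the Lync Server Management Shell's Get-CsCertificate output is the next place to compare the thumbprint that Lync believes is assigned with the one in the store.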

Similar Messages

  • Lync Edge 2013 Certificate Assign

    Hi,
    I am trying to assign a certificate to my Lync 2013 Edge Server on the Internet edge. This certificate is signed by a recognized authority, so it should not be a problem.
    Whenever I have imported the certificate via the Lync wizard and proceed to the Assign Certificate step, the certificate that I have imported does not appear in the list of certificates for me to assign it to the External Edge Certificate.
    I launched the MMC on the computer and added the Computer Certificate snap-in. Unfortunately, if I look at the certificate icon, I do not see the little key in the icon. This sounds like I don't have the private key.
    In addition, I should say that I received my certificate as a PEM file. I tried to convert it to PFX and DER, but always with the same result. So maybe I made a mistake while converting....
    Any help would be greatly appreciated!
    Thank you very much

    He's probably requested it on a different platform (like Linux w/Apache and then exported it).
    Try this: https://www.sslshopper.com/ssl-converter.html I wouldn't upload your private key and cert to the site, because it's not something you want to be sharing, but if you scroll to the bottom there are some options (mainly the second last option to grab the certificate and key PEM and output to a PFX file).
    If I'm assuming correctly and your admin is using Linux/Unix then you can run the OpenSSL commands there, or you could do it yourself on Windows http://www.openssl.org/related/binaries.html (but I'd say the first option is much easier).
    If this helped you please click "Vote As Helpful"; if it answered your question please click "Mark As Answer" | Blog www.lynced.com.au | Twitter @imlynced

  • Lync Edge 2013 NOT Replicating config data with CMS / NOT up to date

    I have recently installed my Lync 2013 Edge pool (1 Edge server).
    All services are UP and public & internal certificates deployed successfully.
    BUT I keep seeing an X sign in the Replication Status field on the "Lync Control Panel->Topology" page.
    Even running "Get-CsManagementStoreReplicationStatus" gives:
        UpToDate           : False
        ReplicaFqdn        : internalEDGEFQDN.domain.com
        LastStatusReport   :
        LastUpdateCreation : 06/08/2013 10:09:41 AM
        ProductVersion     :
    Telnet from my Front End to the Edge over port 4443 works.
    All Edge services are UP.
    Browsing [https://internalEDGEFQDN.domain.com:4443/ReplicationWebService] returns a special page.
    There is a file called "data.zip" placed on the file store destined for my Edge replica: \\filestorefqdn\lync2010files\1-CentralMgmt-1\CMSFileStore\xds-master\replicas\internalEDGEFQDN.domain.com\to-replica
    I don't know what might be causing the replication to NOT get initiated. The Edge server needs to be replicated to be functional.
    Thanks in advance,

    Hi,
    Please also run the Invoke-CsManagementStoreReplication cmdlet and allow time for the replication to complete before running the Get-CsManagementStoreReplicationStatus again.
    Would you tell us more details about certificate you used for Lync edge internal and external interface, and front end server? If you assigned a wildcard certificate to front end server, this may cause the replication issue between front end and edge.
    Please check the Event Viewer for any relevant error message. In addition, you can refer to the blog you pasted on how to check the CMS replication traffic.
    http://ocsguy.com/2011/09/07/troubleshooting-cms-replication/
    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
    Kent Huang
    TechNet Community Support

  • Lync Edge External Certificate request.

    Hi,
    We have a Lync 2010 Server deployed in our organization. We have a requirement to add 2 additional SIP domains to our organization.
    We have successfully configured the 2 additional SIP domains with the necessary requirements and it is working internally.
    Whereas the 2 new additional SIP domain users are not able to communicate externally.
    We found that in the Edge external certificate we are required to add 2 SAN names, which are for the 2 additional SIP domains.
    My query is: what is the procedure to generate a certificate with additional SAN names?
    I have tried in the Edge console; it automatically includes 3 sip.domain.com entries, which results in more SAN entries in the certificate.
    My company is worried about the cost of a public certificate which has more SAN names included.
    How do I overcome this?
    Note: My existing Lync external certificate has 2 SAN names.

    After doing Lync for several years, my evolution included my embracing the fact that Lync is going to need a lot of SANs and the cost of certs is going to be something that is part of doing Lync. If you're going to have multiple SIP domains, it's the cost of doing business that you'll have corresponding cert additions.
    I beseech you to NOT heed the recommendation above that included cross-domain SRV records. Your Windows users will get prompted and it makes for a bad impression for Lync. Keep your SRV records pointed to a matching DNS zone. You WILL get support calls on it and security will only be getting tighter against practices such as this in the future.
    And yes, do the meet/dialin URLs that have the long URL format.
    We use the HTTP lyncdiscover.domain1.com and lyncdiscover.domain2.com over port 80; it works great. I don't see any issue with it as it only directs your client to the desired external web services (SSL connection). It works great.
    If my post is helpful, please click on the green arrow. (Please excuse, in advance, any perceived sarcasm/humor, as I often forget it does not translate through text) :)

  • Lync Edge 2013 Service Publish With TMG 2010

    Hello Experts,
    I have a question about Lync Edge. I am having an issue with desktop sharing and program sharing with federated partners when logged in on the internal as well as the external (internet) network... The setup is like below.
    TMG with 3-leg architecture: 1 internal IP, 1 DMZ IP and 4 public IPs (1 for SIP access, 1 for web conf, 1 for AV and the last one for web services)
    Edge pool with 1 Edge server having 2 NICs, 1 internal IP and 3 DMZ IPs on the second NIC (GW for the DMZ is the IP of the TMG DMZ NIC)
    No firewall.
    So if all NAT rules and firewall rules are configured properly on TMG, should there be any issue with desktop sharing/program sharing with federated partners? However, some partners are working fine. Does desktop sharing / program sharing always go through the Edge for federated partners?
    Any information would be very helpful.
    Many thanks,
    Ankur

    Hello Ankur,
    Desktop sharing uses the AV link to work. I already had some issues with TMG; check this http://technet.microsoft.com/en-us/library/ee796231.aspx
    After deploying ARR for Lync, I don't have any more problems. Try this.
    "Vote As Helpful" and/or "Mark As Answered" - Thiago Mendes da Silva - MCSE Communication - ITIL v3 Foundation - http://www.ucsteps.com/

  • Lync edge internal Certificate

    Hi guys, I have an interesting problem. I'm switching my TMG server for a Palo Alto server, and when I do an external test, it fails and it's showing my internal cert, not the SAN certificate bound to the external DMZ NIC, and yes, I've reassigned the certs multiple times to make sure.
    Anyone ever see anything like this? Works perfectly on TMG :|

    I have 1 Lync Standard Front End and 1 Edge; the Edge server has 2 NICs, 1 internal and 1 in the DMZ with three IPs and 1-to-1 NAT. It has static routes for the internal network.
    I'm aware there is no SAN requirement for internal. What I can't figure out is why external tests are seeing the internal certificate.
    Testing remote connectivity for user test@i*.com to the Microsoft Lync server.
    Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
    Additional Details
    Elapsed Time: 16269 ms.
    Test Steps
    Attempting to resolve the host name sip.i*.com in DNS.
    The host name resolved successfully.
    Additional Details
    IP addresses returned: 190.********
    Elapsed Time: 186 ms.
    Testing TCP port 443 on host sip.i*.com to ensure it's listening and open.
    The port was opened successfully.
    Additional Details
    Elapsed Time: 193 ms.
    Testing the SSL certificate to make sure it's valid.
    The SSL certificate failed one or more certificate validation checks.
    Additional Details
    Elapsed Time: 15560 ms.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server sip.i*.com on port 443.
    The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
    Additional Details
    Remote Certificate Subject: CN=cerberus.*.com, Issuer: CN=ICONS-CA, DC=i*, DC=com.
    Elapsed Time: 15501 ms.
    Validating the certificate name.
    Certificate name validation failed.

  • Lync Edge Server Certificate Issue

    I've implemented a single internal Standard Edition Front End server with a single consolidated Edge server and reverse proxy server/appliance located in a perimeter network.
    On the internal IP of the Edge server I use a certificate from an internal CA (which is trusted by the Edge server); the "internal" certificate issued by the internal CA is used only between the Edge server and the Front End server. An external certificate with CN sip.ipabo.nl and alt. subj. sip.ipabo.nl and webconf.ipabo.nl from GlobalSign is used on the external IPs. Services have their own IP addresses and are NATted by a router. I've tested that all ports can be reached from the internet. But still no connection is possible from external clients. The MS Connectivity Analyzer says: "The certificate couldn't be validated because SSL negotiation wasn't successful". Connections from mobile clients through the reverse proxy are no problem; also internal clients have no issue (they both don't use the Edge but the proxy). So I assume there's something wrong with the certificate implementation on the Edge server; however, I've tested it with the RUCT from Curtis Johnstone, and the certificate seems to be OK. Also in the Lync Server Deployment Wizard the certificates seem to be OK. In the computer's personal certificate store there are only the two necessary certificates (internal and external); also intermediate certificates are installed. Routing (default gateway on the external interface) is working fine. So I think I'm out of options; any ideas?
    Tnx,
    Guido

    OK, I found it:
    It was a simple setting in the Control Panel, or in the Management Shell:
    In Set-CsAccessEdgeConfiguration, AllowOutsideUsers was set to False. This should be True.
    I found it by using OCSLogging on the Edge server, looking at SIP.
    So I don't understand how all the certificate and server unavailable warnings make any sense.
    The next issue will be Exchange integration :)
    Thanks for your help everybody

  • Lync 2010 Edge Certificate Assigning issue.

    Hello,
    We are facing an issue assigning a public certificate for the Lync 2010 Edge server.
    I am able to successfully import the certificate from the Deployment Wizard, but when assigning, I am not able to view the certificate which was successfully imported from the same wizard.
    Please suggest how to fix this issue.
    FYI: I am able to view the certificate in the Local account certificate container.

    Try importing the certificate using DigiCert's Certificate Utility: https://www.digicert.com/util/ . It works for certificates issued by other Certificate Authorities.
    After the cert is imported, run the key test from DigiCert's Certificate Utility. Run Step 3 again (Lync Server Deployment Wizard) and select "Assign" to use the new certificate.
    Please mark posts as answers/helpful if it answers your question.
    Blog
    Lync Validator - Used to assist in the validation and documentation of Lync Server 2013.

  • Lync Server 2013 - Edge Certificate Problem

    Hi,
    A few days ago, we discovered that the Edge server of Lync 2013 has failed in replicating the store from the Lync Front End server.
    From the Event Viewer, I get the event below logged.
    And the details:
    ============================================================================================
    TLS outgoing connection failures.
    Over the past 2 minutes, Lync Server has experienced TLS outgoing connection failures 20 time(s). The error code of the last failure is 0x80090322(SEC_E_WRONG_PRINCIPAL) while trying to connect to the server "lyncedge.xxx.yyy" at address [xxx.xxx.xxx.xxx:5061], and the display name in the peer certificate is "Unavailable".
    Cause: Most often a problem with the peer certificate or perhaps the host name (DNS) record used to reach the peer server. Target principal name is incorrect means that the peer certificate does not contain the name that the local server used to connect. Certificate root not trusted error means that the peer certificate was issued by a remote CA that is not trusted by the local machine.
    Resolution:
    Check that the address and port matches the FQDN used to connect, and that the peer certificate contains this FQDN somewhere in its subject or SAN fields. If the FQDN refers to a DNS load balanced pool then check that all addresses returned by DNS refer to a server in the same pool. For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the local machine.
    ============================================================================================
    Kindly advise if anyone has come across this issue?

    Hi,
    I managed to resolve the issue. I have added a DWORD ClientAuthTrustedMode with value 2 under
    HKey_Local_Machine\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
    Once the Lync Edge restarted, the replication kicked in without error.
    Thanks all

  • Lync Edge Server 2013 Certificate Issue seems unresolvable

    I've implemented a single internal Standard Edition Front End server with a single consolidated Edge server and reverse proxy server/appliance located in a perimeter network.
    On the internal IP of the Edge server I use a certificate from an internal CA (which is trusted by the Edge server); the "internal" certificate issued by the internal CA is used only between the Edge server and the Front End server. An external certificate with CN sip.ipabo.nl and alt. subj. sip.ipabo.nl and webconf.ipabo.nl from GlobalSign is used on the external IPs. Services have their own IP addresses and are NATted by a router. I've tested that all ports can be reached from the internet. But still no connection is possible from external clients. The MS Connectivity Analyzer says: "The certificate couldn't be validated because SSL negotiation wasn't successful". Connections from mobile clients through the reverse proxy are no problem; also internal clients have no issue (they both don't use the Edge but the proxy). So I assume there's something wrong with the certificate implementation on the Edge server; however, I've tested it with the RUCT from Curtis Johnstone, and the certificate seems to be OK. Also in the Lync Server Deployment Wizard the certificates seem to be OK. In the computer's personal certificate store there are only the two necessary certificates (internal and external); also intermediate certificates are installed. Routing (default gateway on the external interface) is working fine. So I think I'm out of options; any ideas?
    Tnx,
    Guido

    Please check that the DNS records for sip.ipabo.nl and webconf.ipabo.nl are created on the external DNS server.
    Please check that you can telnet to the Lync Edge Access service FQDN on port 443.
    Check that the automatic configuration for remote access is configured correctly, or you can try to sign in manually.
    Follow the steps in the blog below to test your Edge Server:
    http://blogs.technet.com/b/nexthop/archive/2011/12/07/useful-tips-for-testing-your-lync-edge-server.aspx
    Lisa Zheng
    TechNet Community Support

  • Lync 2013 Certificate

    Hi
    I have Lync 2013.
    I have 2 Edge servers.
    Once my internal certificate expired and I renewed the internal certificate, the RTCSRV certificate stopped; how can I solve this issue?
    What names should the certificate include (Edge server certificate)?
    MCP MCSA MCSE MCT MCTS CCNA

    Absolutely! This is a very common issue with deployments where you have more than one Edge server. The certificate request is usually generated from one of the Edge servers and the resultant certificate is imported on to the other Edge servers. But the certificate isn't visible in the certificate Assign wizard as it is missing the private key. The important step here is to export the certificate with the private key before you import it on the other Edge servers.
    Note: If you find a post informative, please mark it so using the arrow to the left. If it answers a question you have asked, please mark the thread as answered to aid others when they are looking for solutions to similar problems or queries.
    The opinions expressed here are solely my own and do not express the views or opinions of my employer.

  • Lync 2013 certificate requirements for multiple SIP domains

    Hi All,
    I am engaged with a client in respect of a Lync 2013 implementation, initially as a conferencing platform with a view to enabling EV functions (inc. PSTN conferencing) in the future. They initially need to support 30 SIP domains and eventually around 100 SIP domains, which is proving to be either not possible or severely cost prohibitive. Their current certificate provider, Thawte, can only support up to 25 SANs and have quoted them 5 figures. We tend to use GeoTrust as they are cheaper but they appear to have a limit of 25 SANs. GoDaddy appear to support up to 100 SANs for a pretty reasonable cost. My questions are as follows:
    1. Is there a way that I'm missing of reducing the number of SANs required on the Edge server?
       Use aliases for access edge FQDNs: supported by the desktop client but not by other devices, so not really workable.
       Don't support XMPP federation, therefore removing the need for domain name FQDNs for each SIP domain.
    2. Is there a way that I'm missing of reducing the number of SANs required on the Reverse Proxy server?
       Friendly URL option 3 from this page: http://technet.microsoft.com/en-us/library/gg398287.aspx
       Client auto-configuration:
       i. Don't support mobile client auto-configuration, in which case no lyncdiscover.sipdomain1.com DNS records or SANs would be required.
       ii. Support mobile client auto-configuration over HTTP only, in which case CNAME records are required for each SIP domain (lyncdiscover.sipdomain1.com, etc. pointing to lyncdiscover.designateddomain.com) but no SANs are required.
       iii. Support mobile client auto-configuration over HTTPS, in which case DNS records are required for each SIP domain and a SAN entry for each SIP domain is also required. This is because a DNS CNAME to another domain is not supported over HTTPS.
    3. If the answer to 1 and/or 2 is no, are there certificate providers that support over 100 SANs?
    4. How do certificate requirements differ when using the Lync 2013 Hosting Pack? I would think that this issue is something that a hosting provider would need to overcome.
    5. Would the Lync 2013 Hosting Pack work for this customer? The customer uses SPLA licensing so I think it is eligible to use the Hosting Pack, but I'm not 100% sure it will work in their environment given that client connections are supposed to all come through the Edge where their tenants will be internal, and also given the requirement for an ACP for PSTN conferencing.
    Many thanks,

    Many thanks for the response.
    I was already planning to use option 3 from the page below for simple URLs to cut down on the SAN requirement.
    http://technet.microsoft.com/en-us/library/gg398287.aspx
    What are the security concerns for publishing autodiscover over port 80? I.e. is this only used for the initial download of the discovery record and then HTTPS is used for authentication? This seems to be the case from the following note on the page below:
    http://technet.microsoft.com/en-gb/library/hh690030.aspx
    "Mobile device clients do not support multiple Secure Sockets Layer (SSL) certificates from different domains. Therefore, CNAME redirection to different domains is not supported over HTTPS. For example, a DNS CNAME record for lyncdiscover.contoso.com that redirects to an address of director.contoso.net is not supported over HTTPS.
    In such a topology, a mobile device client needs to use HTTP for the first request, so that the CNAME redirection is resolved over HTTP. Subsequent requests then use HTTPS. To support this scenario, you need to configure your reverse proxy with a web publishing rule for port 80 (HTTP).
    For details, see "To create a web publishing rule for port 80" in Configuring the Reverse Proxy for Mobility. CNAME redirection to the same domain is supported over HTTPS. In this case, the destination domain's certificate covers the originating domain."
    I don't think SRV records for additional SIP domain access edge are a workable solution as this is not supported by some devices.
    As per the article below:
    http://blog.schertz.name/2012/07/lync-edge-server-best-practices/
    "The recommended approach for external client Automatic Sign-In when supporting multiple SIP domains is to include a unique Access Edge FQDN for each domain name in the SAN field. This is no longer a requirement (it was in OCS) as it is possible to create a DNS Service Locator Record (SRV) for each additional SIP domain yet have them all point back to the same original FQDN for the Access Edge service (e.g. sip.mslync.net).
    This approach will trigger a security alert in Windows Lync clients which can be accepted by the user, but some other clients and devices are unable to connect when the Automatic Sign-In process returns a pair of SRV and Host (A) records which do not share the same domain namespace. Thus it is still best practice to define a unique FQDN for each additional SIP domain and include that hostname in the external Edge certificate's SAN field."
    ===================
    1. Basically the requirement is to initially provide Lync conferencing services (minus PSTN conferencing) to internal, external, federated and anonymous participants, with a view to providing PSTN conferencing and therefore Enterprise Voice services later.
    2. The customer currently supports close to 100 SMTP domains and wants to align their SIP domains with these existing domains. The structure of their business is such that "XXX IT Services" provide the IT infrastructure for a collection of companies who fall under the XXX umbrella but are very much run as individual entities.
    Question:
    Would you agree that I'm going to need a SAN for every SIP domain's access edge FQDN?
    Thanks.

  • Edge 2013 External Wildcard Certificate

    Hi,
    I know this has been covered a number of times but I'd like something that's been posted more recently.
    We use Lync 2013 with a wildcard certificate on our Edge external interface. Everything works as expected and that's on version 5.0.8308.556.
    I've recently deployed Lync 2013 at a customer site and when applying the certificate I'm unable to sign on externally or contact federated partners. They're running 5.0.8308.577.
    When testing from the Lync connectivity tester I get the following:
    Attempting to resolve the host name blah.co.uk in DNS.
    The host name resolved successfully.
    Additional Details
    Testing TCP port 443 on host blah.co.uk to ensure it's listening and open.
    The port was opened successfully.
    Additional Details
    Testing the SSL certificate to make sure it's valid.
    The certificate passed all validation requirements.
    Additional Details
    Elapsed Time: 758 ms.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server blah.co.uk on port 443.
    The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
    Additional Details
    Validating the certificate name.
    The certificate name was validated successfully.
    Additional Details
    Certificate trust is being validated.
    The certificate is trusted and all certificates are present in the chain.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=*.blah.co.uk, OU=Domain Control Validated.
    One or more certificate chains were constructed successfully.
    Additional Details
    Analyzing the certificate chains for compatibility problems with versions of Windows.
    Potential compatibility problems were identified with some versions of Windows.
    Additional Details
    The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
    Elapsed Time: 4 ms.
    Testing the certificate date to confirm the certificate is valid.
    Date validation passed. The certificate hasn't expired.
    Additional Details
    The certificate is valid. NotBefore = 10/25/2013 2:46:03 PM, NotAfter = 10/25/2016 1:42:28 PM
    Elapsed Time: 0 ms.
    Testing remote connectivity for user [email protected] to the Microsoft Lync server.
    Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
    Additional Details
    Couldn't sign in. Error: Error Message: Unknown error (0x80131500).
    Error Type: TlsFailureException.
    Elapsed Time: 1649 ms.
    Any help would be much appreciated!
    Thanks

    Hi,
    Wildcard certificates are not supported for the Edge server (both external and internal interfaces). It is supported to use a public certificate for the Edge external interface; for the Edge internal interface, typically use a private certificate issued by an internal certification authority.
    More details about certificate requirements for external user access:
    http://technet.microsoft.com/en-us/library/gg398920.aspx
    You can refer to the link below of “Wildcard Certificate Support”:
    http://technet.microsoft.com/en-us/library/hh202161.aspx
    Here is a similar case that may help you:
    http://social.technet.microsoft.com/Forums/lync/en-US/6bd237eb-2e96-437b-b559-54cf95230417/lync-server-2013-edge-unknown-error-0x80131500-tlsfailureexception?forum=lyncdeploy
    Best Regards,
    Eason Huang
    TechNet Community Support
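An added example, not from either thread, serving both the multi-SIP-domain thread above and this wildcard thread: a PowerShell check that reads the DNS names out of a certificate's Subject Alternative Name extension, reports any wildcard entries (not supported on Edge interfaces, per the answer above), and lists the sip.<domain> names that are missing for a given set of SIP domains. With the -HttpsAutodiscover switch it also requires the lyncdiscover.<domain> names that, according to the earlier thread, the reverse proxy certificate needs when mobile auto-configuration must work over HTTPS. The function names, the SAN text and the domain names are constructed sample data; the real-certificate usage at the end takes a placeholder thumbprint.

```powershell
# Added example (not from the threads). Reads SAN DNS names and compares them with the names
# a list of SIP domains needs. Sample data below is constructed for illustration.

function ConvertFrom-SanText {
    # Parses the multi-line text that X509Extension.Format($true) produces for OID 2.5.29.17,
    # e.g. "DNS Name=sip.contoso.com", and returns the names in lower case.
    param([Parameter(Mandatory)][string]$SanText)
    @($SanText -split "`r?`n" | ForEach-Object {
        if ($_ -match '^\s*DNS Name=(.+?)\s*$') { $Matches[1].ToLower() }
    })
}

function Get-CertificateDnsNames {
    # Returns the DNS names from a certificate's Subject Alternative Name extension (OID 2.5.29.17).
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    ConvertFrom-SanText -SanText $san.Format($true)
}

function Test-EdgeSanCoverage {
    param(
        [Parameter(Mandatory)][string[]]$SanNames,
        [Parameter(Mandatory)][string[]]$SipDomains,
        # Set when mobile auto-configuration must work over HTTPS: then lyncdiscover.<domain>
        # is needed for each SIP domain (on the reverse proxy certificate, per the thread).
        [switch]$HttpsAutodiscover
    )
    $have   = @($SanNames | ForEach-Object { $_.ToLower() })
    $result = [ordered]@{ Missing = @(); Wildcards = @(); Ok = $true }

    # Wildcard entries: flagged because the Edge interfaces do not support wildcard certificates.
    $result.Wildcards = @($have | Where-Object { $_.StartsWith('*.') })

    foreach ($d in $SipDomains) {
        $required = @("sip.$d")
        if ($HttpsAutodiscover) { $required += "lyncdiscover.$d" }
        foreach ($name in $required) {
            if ($have -notcontains $name) { $result.Missing += $name }
        }
    }
    if ($result.Missing.Count -gt 0 -or $result.Wildcards.Count -gt 0) { $result.Ok = $false }
    [pscustomobject]$result
}

# --- Constructed sample: what Format($true) returns for a certificate with three SAN entries ---
$sampleSanText = @"
DNS Name=sip.contoso.com
DNS Name=webconf.contoso.com
DNS Name=sip.fabrikam.com
"@
$sans = ConvertFrom-SanText -SanText $sampleSanText

# Three SIP domains with HTTPS autodiscover required: sip.adatum.com and all three
# lyncdiscover.* names are reported as Missing, and Ok is False.
Test-EdgeSanCoverage -SanNames $sans -SipDomains 'contoso.com', 'fabrikam.com', 'adatum.com' -HttpsAutodiscover

# Against a real certificate in the computer store (replace the placeholder thumbprint):
# $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq 'PLACEHOLDER_THUMBPRINT' }
# Test-EdgeSanCoverage -SanNames (Get-CertificateDnsNames -Certificate $cert) -SipDomains 'contoso.com'
```

The Missing list is the set of SAN entries a new request would need to add; the Wildcards list being non-empty is the condition behind the TlsFailureException sign-in failure described in this thread even though the Connectivity Analyzer's certificate checks all pass.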

  • Lync 2013 Certificates for DR Pool

    Hello, I'm kind of new to Lync 2013 so I could use a little guidance.....
    My question is regarding Edge server certificates for my DR site. We have 2 geographic locations, one for Prod and one for DR, in an active/passive arrangement. The pools are paired for resiliency.
    The prod site is up and running; everything is functioning as it should. We recently decided to deploy Lync in DR. The prod site is using sip.x.com in DNS and SRV records for access edge. Knowing that we cannot use the same DNS name for the DR pool, I have used sip_DR.x.com. It is recommended to use the same cert for all Edge servers. Does that mean I should use the same cert for both pools? If so, should I then add the SAN sip_dr.x.com to my existing UC cert from DigiCert and import it to all my Edge servers in both pools, or should I have a separate cert for DR? Or, would I request a duplicate cert from DigiCert and generate the request from one of my Edge servers in the DR pool?
    Any help you can provide will be greatly appreciated.
    Thank you.

    The same-cert requirement is for all Edge servers in an Edge pool. You can use a new certificate for the DR Edge pool.
    Take a look at Jeff Schertz's blog: http://blog.schertz.name/2012/07/lync-edge-server-best-practices/
    "The exact same certificate must be used on all common interfaces across the pool, regardless of whether DNS load balancing or hardware load balancing is utilized. This means that the original certificate request must provide the ability to export the private key as the exact same certificate and private key pair must be able to be exported from one Edge server into all other Edge servers. This is required so that in the event of a failover any existing sessions can be moved to another server in the pool and the data can still be decrypted by the same certificate that was used to encrypt the session just prior to the failover."
    Please mark posts as answers/helpful if it answers your question.
    Blog
    Lync Validator - Used to assist in the validation and documentation of Lync Server 2013.

  • Lync Edge Certificate

    Hi All
    I am doing a POC of Microsoft Lync 2010 for one of my clients. I have deployed a Lync Front End server (Standard Edition) and configured the same. I have also installed Lync on some client machines and tested all the features internally, which was successful. Now I want to deploy the Lync Edge server. I have done all the necessary configuration for the Lync Edge server, but now I am stuck at the external certificate part. Though this is just a POC, I don't want to import any public certificate now for this POC, so is there any way to import a private certificate on the Lync Edge server which can be used externally so that I can bring internet users into my Lync environment?
    Please provide me some steps on how to create a private certificate for the Lync Edge server and also how to import the same.
    Thanks in advance
    Vinayak

    Hi,
    Basically the steps are the same as how you've created the internal certificates, using an internal Microsoft CA server:
    Using the Installation Wizard, generate an offline certificate request for your external domain: sip.domain.com, webconf.domain.com, av.domain.com, meet.domain.com & dialin.domain.com.
    With that, log in to your internal CA server (e.g. https://servername/certserv)
    Paste the offline certificate request into the web page; make sure you've selected Web Server as the certificate type.
    Download the generated certificate.
    Assign the downloaded certificate using the Lync Installation Wizard to the Access Edge external interface.
    If you're publishing via a reverse proxy, just export the certificate from the Access Edge and install it into your TMG certificate store.
    Alternatively, VeriSign also offers a free 30-day trial:
    http://www.verisign.com/ssl/free-30day-trial/index.html
    Hope this helps.
    James Ooi MCITP Lync Server 2010 | Blog: http://jamesosw.wordpress.com Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread
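The same request / submit / import / assign sequence from the Lync Server Management Shell instead of the wizard, as an added example that is not part of the answer above. It assumes a consolidated Edge server where one certificate serves the external Access, Web Conferencing and A/V services, and that the Edge's external FQDNs are the ones in $Fqdns (they, the CA name and the file paths are placeholders). The cmdlet and parameter names are those of the Lync Server Management Shell as I know them; the certreq.exe submission is my addition as a scriptable alternative to pasting the request into the CA's web enrollment page, and the SAN-based lookup of the imported certificate is my own helper.

```powershell
# Added example (not from the thread). Run in the Lync Server Management Shell on the Edge server.
# All names and paths below are placeholders.
$Fqdns      = 'sip.domain.com', 'webconf.domain.com', 'av.domain.com'   # external Edge service FQDNs (placeholders)
$RequestOut = 'C:\certs\edge-external.req'
$CertIn     = 'C:\certs\edge-external.cer'
$CaConfig   = 'caserver.domain.local\Contoso Issuing CA'                # certreq "host\CA name" (placeholder)

# 1. Create an offline request for the external Edge services. -PrivateKeyExportable lets the same
#    certificate and key be exported to the other Edge servers in a pool later.
Request-CsCertificate -New -Type AccessEdgeExternal -Output $RequestOut `
    -FriendlyName 'Edge external' -DomainName ($Fqdns -join ',') -PrivateKeyExportable $true `
    -Organization 'Contoso' -OrganizationalUnit 'IT' -City 'Redmond' -State 'WA' -Country 'US' -KeySize 2048

# 2. Submit the request to the internal CA with the WebServer template (the answer's 'Web Server'
#    certificate type). Pasting $RequestOut into the CA's web enrollment page does the same thing.
certreq.exe -submit -config $CaConfig -attrib 'CertificateTemplate:WebServer' $RequestOut $CertIn

# 3. Import the issued certificate. Because the request was generated on this machine, Windows pairs the
#    issued certificate with the pending private key in Cert:\LocalMachine\My (the 'little key' icon).
Import-CsCertificate -Path $CertIn -PrivateKeyExportable $true

# 4. Locate the imported certificate by its SAN contents (helper of my own; the first FQDN is the key).
function Find-EdgeCertificate {
    param([Parameter(Mandatory)][string]$DnsName)
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $san = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $san -and ($san.Format($true) -match [regex]::Escape("DNS Name=$DnsName"))
    } | Sort-Object NotBefore -Descending | Select-Object -First 1
}
$cert = Find-EdgeCertificate -DnsName $Fqdns[0]
if (-not $cert)               { throw "No certificate with DNS name $($Fqdns[0]) in Cert:\LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key; it will not appear in the Assign list.' }

# 5. Assign it to the three external Edge usages, then confirm what Lync now has assigned.
Set-CsCertificate -Type AccessEdgeExternal, DataEdgeExternal, AudioVideoAuthentication -Thumbprint $cert.Thumbprint
Get-CsCertificate -Type AccessEdgeExternal | Format-List Use, Subject, AlternativeNames, Thumbprint, NotAfter
```

For the additional Edge servers in a pool, the certificate found in step 4 is what gets exported with its private key and imported on each of them, which is the point the "Lync 2013 Certificate" answer above makes about certificates that do not show up in the Assign wizard.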
