Lync Edge Certificate

Hi All,
I am doing a POC of Microsoft Lync 2010 for one of my clients. I have deployed a Lync Front End server (STD Edition) and configured it. I have also installed Lync on some clients, and testing all the features internally was successful. Now I want to deploy a Lync Edge server. I have done all the necessary configuration for the Lync Edge server, but now I am stuck on the external certificate. As this is just a POC, I don't want to import any public certificate for it now, so is there any way to import a private certificate on the Lync Edge server which can be used externally, so that I can bring Internet users into my Lync environment?
Please provide me with some steps on how to create a private certificate for the Lync Edge server and also how to import it.
Thanks in advance,
Vinayak

Hi,
Basically the steps are the same as how you created the internal certificates, using an internal Microsoft CA server:
Using the Installation Wizard, generate an offline certificate request for your external domain: sip.domain.com, webconf.domain.com, av.domain.com, meet.domain.com & dialin.domain.com.
With that, log in to your internal CA server (e.g. https://servername/certserv)
Paste the offline certificate request onto the web page, and make sure you've selected Web Server as the certificate type
Download the generated certificate
Assign the downloaded certificate using the Lync installation wizard to the Access Edge external interface
If you're publishing via a Reverse Proxy, just export the certificate from the Access Edge and install it into your TMG certificate store
Alternatively, VeriSign also offers a free 30-day trial - http://www.verisign.com/ssl/free-30day-trial/index.html
Hope this helps.
James Ooi MCITP Lync Server 2010 | Blog: http://jamesosw.wordpress.com

Similar Messages

  • Combining Lync Edge certificate of Reverse Proxy

    I wonder whether creating one certificate that combines the Lync Edge server names and the Reverse Proxy names will work?
    I want to create a certificate for Lync Edge with CN = sip.domain.com and add the names required for the Edge and Reverse Proxy as additional DNS names:
    sip.domain.com 
    webconf.domain.com
    webext.domain.com
    meet.domain.com
    dialin.domain.com
    lyncdiscover.domain.com

    Hi,
    Yes, you can use the same certificate for both the Edge Server (external interface) and the Reverse Proxy, with a SAN that includes all the names the Edge Server and Reverse Proxy need (such as: webcon.contoso.com, sip.contoso.com, webext.contoso.com, meet.contoso.com, dialin.contoso.com, lyncdiscover.contoso.com, and so on).
    More details:
    https://technet.microsoft.com/en-us/library/gg398519.aspx?f=255&MSPPError=-2147217396
    https://technet.microsoft.com/en-us/library/gg429704.aspx
    There is no special SAN for federating with Skype. However, the certificate must be a public SAN certificate.
    Best Regards,
    Eason Huang
    TechNet Community Support

  • Lync + Exchange certificate

    Hello guys,
    I want to go through the PIC provisioning process so that my Lync users can communicate with Skype users. I am aware that I need a public certificate for my Edge server in order to do this. Right now I have certificates for my Exchange 2013 and Lync 2013 from my internal CA, and I want to replace the Lync Edge certificate and the Exchange certificate with a public one (SAN, I want all the FQDNs on one certificate). I have read other articles on this but I want to be sure, so please hear me out.
    1) My Lync Edge server has only one external interface with the FQDN sip.contoso.com. From what I've read I can't use wildcard certificates with this interface, so I must use SANs.
    2) My Exchange uses one namespace: mail.contoso.com. Also I need autodiscover.contoso.com for autodiscovery.
    So the certificate will look something like:
    CN: sip.contoso.com
    SAN: mail.contoso.com, autodiscover.contoso.com
    Do I need to put sip.contoso.com or anything else in the SAN also?
    I'm going to test this with an internal certificate before I buy a public one, but I want a second opinion before testing on a production environment.
    Thank you

    Hi,
    I would say we should include sip.domain.com in the certificate SAN entry. A few validation checks will skip the subject name and verify the SAN in the certificate. The following article may help you:
    http://technet.microsoft.com/en-us/library/gg398519.aspx
    Thanks
    Saleesh
    If answer is helpful, please hit the green arrow on the left, or mark as answer. Blog : http://blogs.technet.com/b/saleesh_nv/

  • Lync Server 2013 - Edge Certificate Problem

    Hi,
    A few days ago, we discovered that the Edge server of Lync 2013 has failed to replicate the store from the Lync Front-End server.
    From the Event Viewer, I get the below event logged.
    And the details
    ============================================================================================
    TLS outgoing connection failures.
    Over the past 2 minutes, Lync Server has experienced TLS outgoing connection failures 20 time(s). The error code of the last failure is 0x80090322(SEC_E_WRONG_PRINCIPAL) while trying to connect
    to the server "lyncedge.xxx.yyy" at address [xxx.xxx.xxx.xxx:5061], and the display name in the peer certificate is "Unavailable".
    Cause: Most often a problem with the peer certificate or perhaps the host name (DNS) record used to reach the peer server. Target principal name is incorrect means that the peer certificate does
    not contain the name that the local server used to connect. Certificate root not trusted error means that the peer certificate was issued by a remote CA that is not trusted by the local machine.
    Resolution:
    Check that the address and port matches the FQDN used to connect, and that the peer certificate contains this FQDN somewhere in its subject or SAN fields. If the FQDN refers to a DNS load balanced
    pool then check that all addresses returned by DNS refer to a server in the same pool. For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting
    the local machine.
    ============================================================================================
    Kindly advise if anyone has come across this issue?

    Hi,
    I managed to resolve the issue. I have added a DWORD of ClientAuthTrustedMode with Value 2 below
    HKey_Local_Machine\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
    Once the Lync Edge was restarted, the replication kicked in without error.
    Thanks all
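
The check that the event text above recommends (does the peer certificate contain the FQDN used to connect, and does its chain build on this machine), written out as an added example that is not part of the original posts. The function name and the FQDN in the usage comment are placeholders; it assumes Windows PowerShell 3.0 or later and is meant to be run from the server that logged the event.

```powershell
# Added example, not code from the thread: connect to a TLS listener using the
# same FQDN the local server uses and record how certificate validation turns out.
function Test-PeerCertificateName {
    [CmdletBinding()]
    param(
        # FQDN exactly as it appears in the topology / event text
        [Parameter(Mandatory = $true)] [string] $TargetFqdn,
        [int] $Port = 5061,
        [int] $TimeoutMs = 5000
    )

    $report = [ordered]@{
        TargetFqdn     = $TargetFqdn
        Port           = $Port
        Subject        = $null
        SubjectAltName = $null
        NotAfter       = $null
        NameMismatch   = $null   # true = the "target principal name is incorrect" case
        ChainErrors    = $null   # true = the "certificate root not trusted" case
        ChainStatus    = @()
        HandshakeError = $null
    }

    # The callback only records the result and then accepts the certificate so the
    # handshake can finish. That is acceptable here because no data is ever sent.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $policyErrors)
        $errors = [int]$policyErrors
        $report.NameMismatch = ($errors -band [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) -ne 0
        $report.ChainErrors  = ($errors -band [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors) -ne 0
        if ($certificate) {
            $cert2 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certificate
            $report.Subject  = $cert2.Subject
            $report.NotAfter = $cert2.NotAfter
            # 2.5.29.17 is the Subject Alternative Name extension
            $san = $cert2.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
            if ($san) { $report.SubjectAltName = $san.Format($false) }
        }
        if ($chain) {
            $report.ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        }
        return $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $pending = $tcp.BeginConnect($TargetFqdn, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "TCP connect to ${TargetFqdn}:$Port timed out"
        }
        $tcp.EndConnect($pending)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        # The name passed here is the one the peer certificate is matched against.
        $ssl.AuthenticateAsClient($TargetFqdn)
    }
    catch {
        # The peer may still drop the session (for example when it expects a client
        # certificate); whatever the callback recorded before that is kept.
        $report.HandshakeError = $_.Exception.Message
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
    [pscustomobject]$report
}

# Usage (placeholder FQDN):
# Test-PeerCertificateName -TargetFqdn 'lyncedge.example.internal' -Port 5061
```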

  • Lync Edge Server 2013 Certificate Issue seems unresolvable

    I've implemented a single internal Standard Edition Front End server with a single consolidated Edge server and a Reverse Proxy server/appliance located in a perimeter network.
    On the internal IP of the Edge server I use a certificate from an internal CA (which is trusted by the Edge server); the "internal" certificate issued by the internal CA is used only between the Edge server and the Front End server. An external certificate with cn sip.ipabo.nl and alt.subj sip.ipabo.nl and webconf.ipabo.nl from GlobalSign is used on the external IPs. Services have their own IP addresses and are NATted by a router. I've tested that all ports can be reached from the Internet. But still no connection is possible from external clients. The MS connectivity analyser says: "The The certificate couldn't be validated because SSL negotiation wasn't successful". Connections from mobile clients through the reverse proxy are no problem, and internal clients also have no issue (they both don't use the Edge but the proxy). So I assume there's something wrong with the certificate implementation on the Edge server; however, I've tested it with the RUCT from Curtis Johnstone, and the certificate seems to be OK. Also in the Lync Server Deployment Wizard the certificates seem to be OK. In the computer's personal certificate store there are only the two necessary certificates (internal and external); intermediate certificates are also installed. Routing (default gateway on the external interface) is working fine. So I think I'm out of options, any ideas?
    Tnx,
    Guido

    Please check the DNS records for sip.ipabo.nl and webconf.ipabo.nl are created on external DNS server.
    Please check you can telnet Lync Edge Access service FQDN on 443 port.
    Check the automatic configuration for remote access is configured correctly or you can try to sign in manually.
    Follow the steps in the blog below to test your Edge Server:
    http://blogs.technet.com/b/nexthop/archive/2011/12/07/useful-tips-for-testing-your-lync-edge-server.aspx
    Lisa Zheng
    TechNet Community Support

  • Lync Edge 2013 Certificate Assign (again!)

    Hi,
    I recently posted a similar topic on the forum (Lync Edge 2013 Certificate Assign). The issue was related to certificate assignment. I solved it, but I later needed to change my certification authority, and so change the certificate assigned to the public Edge interface. Trying this, I encountered a new (different) problem with my new certificate, so I am back here to try to find a solution.
    As said, I am trying to assign a certificate to my Lync 2013 Edge Server on the Internet edge. This certificate is signed by a recognized authority (Comodo).
    Whenever I import the certificate into the store via the Lync wizard and proceed to the Assign Certificate step, the certificate that I have imported does not appear in the list of certificates on the Lync deployment tool interface, so I cannot assign it to the External Edge interface.
    I tried to import it with Digicert (which allowed me to solve my previous import problem, but not this time...) with no better result. I tried to import it from cer format, or crt format; the results are the same.
    I launched the MMC on the computer and added the Computer Certificate snap-in. If I look at the certificate icon, I see the little key in the icon, so it sounds like I have the private key available.
    Any help would be greatly appreciated!
    Thank you very much for your help.
    EDIT: when running the Digicert tool "Test Key", the result is the following: "the private key was successfully tested" and "revocation check for certificate chain failed". Does it give any clue?

    I had the feeling I did everything fine too...! This is maybe a silly question, but I'll try anyway: do you think it is possible that I cannot choose the imported certificate in the Lync Deployment assistant because the assistant does not recognize the public name of the computer? I mean, I could add the internal interface certificate because the computer recognized its local name (edge.local.domain). But it seems it doesn't know its Internet FQDN (lync.mydomain.com), which is mentioned in the topology. It does not explain why I could previously add the wildcard certificate, so I think my remark is silly, but I am kind of lost....
    Thank you anyway for your messages.
    EDIT: when I try to use PowerShell to assign my certificate manually, I get an error message telling me that the command execution failed because [my certificate thumbprint] is not in the store or not approved. It is true that I had some intermediate certificates provided by Comodo, but I installed all of them in the store via mmc > Certificates, both in trusted root CA and intermediate CA. Maybe I missed a location?

  • Lync Edge External Certificate request.

    Hi,
    We have a Lync 2010 Server deployed in our organization. We have a requirement to add 2 additional SIP domains to our organization.
    We have successfully configured the 2 additional SIP domains with the necessary requirements, and it is working internally.
    However, the users of the 2 new additional SIP domains are not able to communicate externally.
    We found that in the Edge external certificate we are required to add 2 SAN names for the 2 additional SIP domains.
    My query is: what is the procedure to generate a certificate with additional SAN names?
    I have tried in the Edge console; it automatically includes 3 sip.domain.com, which results in more SAN entries in the certificate.
    My company is worried about the cost of a public certificate which has more SAN names included.
    How can we overcome this?
    Note: My existing Lync external certificate has 2 SAN names.

    After doing Lync for several years - my evolution included my embracing the fact that Lync is going to need a lot of SANs and the cost of certs is going to be something that is part of doing Lync. If you're going to have multiple SIP domains, it's the cost of doing business that you'll have corresponding cert additions.
    I beseech you to NOT heed the recommendation above that included cross domain SRV records. Your Windows users will get prompted and it makes for a bad impression for Lync. Keep your SRV records pointed to a matching DNS zone. You WILL get support calls on it and security will only be getting tighter against practices such as this in the future.
    And yes, do the meet/dialin URLs that have the long URL format.
    We use the HTTP lyncdiscover.domain1.com and lyncdiscover.domain2.com over port 80 - it works great. I don't see any issue with it as it only directs your client to the desired external web services (SSL connection). It works great.
    if my post is helpful - please click on the green arrow. (please excuse, in advance, any perceived sarcasm/humor - as I often forget it does not translate through text) :)

  • Lync Edge 2013 Certificate Assign

    Hi,
    I am trying to assign a certificate to my Lync 2013 Edge Server on the Internet edge. This certificate is signed by a recognized authority, so it should not be a problem.
    Whenever I have imported the certificate via the Lync wizard and proceed to the Assign Certificate step, the certificate that I have imported does not appear in the list of certificates for me to assign it to the External Edge Certificate.
    I launched the MMC on the computer and added the Computer Certificate snap-in. Unfortunately, if I look at the certificate icon, I do not see the little key in the icon. This sounds like I don't have the private key.
    In addition, I should say that I received my certificate as a PEM file. I tried to convert it to PFX, DER, but always with the same result. So maybe I made a mistake while converting....
    Any help would be greatly appreciated!
    Thank you very much

    He's probably requested it on a different platform (like Linux w/Apache and then exported it)
    Try this: https://www.sslshopper.com/ssl-converter.html I wouldn't upload your private key and cert to the site, because it's not something you want to be sharing, but if you scroll to the bottom there are some options (mainly the second last option to grab certificate and key pem and output to PFX file)
    If I'm assuming correctly and your admin is using Linux/Unix then you can run the OpenSSL commands there or you could do it yourself on Windows http://www.openssl.org/related/binaries.html (but I'd say the first option is much easier)
    If this helped you please click "Vote As Helpful" if it answered your question please click "Mark As Answer" | Blog www.lynced.com.au | Twitter @imlynced

  • Lync Edge Server External Private Certificate

    Hey GURUS!
    Please help me out:
    I'm having issues accessing Lync from external network.
    Mobile clients login fine, but computer clients fail to login.
    My current deployment consists in a single 2013 front-end and a single 2013 edge server.
    All servers have certificates from my internal CA.
    All servers have the root CA certificate installed in the trusted root certificate authority.
    I have 2 sip domains, and the edge certificate has both sip domains.
    However, when I test from test connectivity.microsoft.com, I get an error regarding the certificate chain.
    I can't understand why Lync requires an intermediate certificate, if I don't have any published in my organisation.
    The certificate path goes: Root CA -> Certificate.
    Also, the lync discover test runs with no errors whatsoever.
    This error on the edge didn't occur when I had lync 2010 running.
    Does anyone know how to solve this?
    Thanks!
    Andrey Santana
    edit: i forgot to upload the screenshot

    Thiago,
    The certificates from the Front End / Reverse Proxy are also from the internal CA and I don't get the error, it actually runs successfully.
    Andrey
    How did you test the certificates from the Front End and Reverse Proxy Server?
    The public website connectivity.microsoft.com needs a public certificate.
    But if you use a private certificate in a lab, it could work as long as you install the Root CA certificate on the client computer.
    Lisa Zheng
    TechNet Community Support

  • Lync 2013 certificate requirements for multiple SIP domains

    Hi All,
    I am engaged with a client in respect of a Lync 2013 implementation initially as a conferencing platform with a view to enabling EV functions (inc. PSTN conferencing) in the future. They initially need to support 30 SIP domains and eventually around 100 SIP domains which is proving to be either not possible or severely cost prohibitive. Their current certificate provider, Thawte, can only support up to 25 SANs and have quoted them 5 figures. We tend to use GeoTrust as they are cheaper but they appear to have a limit of 25 SANs. GoDaddy appear to support up to 100 SANs for a pretty reasonable cost. My questions are as follows:
    1. Is there a way that I’m missing of reducing the number of SANs required on the Edge server?
       a. Use aliases for access edge FQDNs - Supported by desktop client but not by other devices so not really workable
       b. Don’t support XMPP federation therefore removing the need for domain name FQDNs for each SIP domain
    2. Is there a way that I’m missing of reducing the number of SANs required on the Reverse Proxy server?
       a. Friendly URL option 3 from this page: http://technet.microsoft.com/en-us/library/gg398287.aspx
       b. Client auto-configuration:
          i. Don’t support mobile client auto-configuration in which case no lyncdiscover.sipdomain1.com DNS records or SANs would be required.
          ii. Support mobile client auto-configuration over HTTP only in which case CNAME records are required for each SIP domain (lyncdiscover.sipdomain1.com, etc. pointing to lyncdiscover.designateddomain.com) but no SANs are required.
          iii. Support mobile client auto-configuration over HTTPS in which case DNS records are required for each SIP domain and a SAN entry for each SIP domains is also required. This is because a DNS CNAME to another domain is not supported over HTTPS.
    3. If the answer to 1 and/or 2 is no, are there certificate providers that support over 100 SANs?
    4. How do certificate requirements differ when using the Lync 2013 hosting pack? I would think that this issue is something that a hosting provider would need to overcome.
    5. Would the Lync 2013 Hosting Pack work for this customer? The customer uses SPLA licensing so I think is eligible to use the hosting pack but not 100% sure it will work in their environment given that client connections are supposed to all come through the Edge where their tenants will be internal and also given the requirement for an ACP for PSTN conferencing.
    Many thanks,

    Many thanks for the response.
    I was already planning to use option 3 from the below page for simple URLs to cut down on SAN requirement.
    http://technet.microsoft.com/en-us/library/gg398287.aspx
    What are the security concerns for publishing autodiscover over port 80? I.e. Is this only used for the initial download of the discovery record and then HTTPS is used for authentication? This seems to be the case from the following note on the below page:
    http://technet.microsoft.com/en-gb/library/hh690030.aspx
    “Mobile device clients do not support multiple Secure Sockets Layer (SSL) certificates from different domains. Therefore, CNAME redirection to different domains is not supported over HTTPS. For example, a DNS CNAME record for lyncdiscover.contoso.com that redirects to an address of director.contoso.net is not supported over HTTPS.
    In such a topology, a mobile device client needs to use HTTP for the first request, so that the CNAME redirection is resolved over HTTP. Subsequent requests then use HTTPS. To support this scenario, you need to configure your reverse proxy with a web publishing rule for port 80 (HTTP).
    For details, see "To create a web publishing rule for port 80" in Configuring the Reverse Proxy for Mobility. CNAME redirection to the same domain is supported over HTTPS. In this case, the destination domain's certificate covers the originating domain.”
    I don’t think SRV records for additional SIP domain access edge is a workable solution as this is not supported by some devices.
    As per the below article:
    http://blog.schertz.name/2012/07/lync-edge-server-best-practices/
    “The recommended approach for external client Automatic Sign-In when supporting multiple SIP domains is to include a unique Access Edge FQDN for each domain name in the SAN field. This is no longer a requirement (it was in OCS) as it is possible to create a DNS Service Locator Record (SRV) for each additional SIP domain yet have them all point back to the same original FQDN for the Access Edge service (e.g. sip.mslync.net).
    This approach will trigger a security alert in Windows Lync clients which can be accepted by the user, but some other clients and devices are unable to connect when the Automatic Sign-In process returns a pair of SRV and Host (A) records which do not share the same domain namespace. Thus it is still best practice to define a unique FQDN for each additional SIP domain and include that hostname in the external Edge certificate’s SAN field”.
    ===================
    1. Basically the requirement is to initially provide Lync conferencing services (minus PSTN conferencing) to internal, external, federated and anonymous participants with a view to providing PSTN conferencing and therefore enterprise voice services later.
    2. The customer currently supports close to 100 SMTP domains and wants to align their SIP domains with these existing domains. The structure of their business is such that “XXX IT Services” provide the IT infrastructure for a collection of companies who
    fall under the XXX umbrella but are very much run as individual entities.
    Question:
    Would you agree that I’m going to need a SAN for every SIP domain’s access edge FQDN?
    Thanks.

  • Edge Certificate Not Appearing After Import

    Having trouble assigning a public certificate to the Edge External Interface.
    I imported the Root CA Cert. to Computer Store along with intermediate CA Cert. and imported the Certificate issued using the Lync Wizard. However when I go to assign, nothing shows as being available. Is it because this type of cert. was purchased? http://www.instantssl.com/ssl-certificate-products/ssl/ssl-certificate-essentialssl.html instead of a UCC or should this work as well?
    Had no problems with this assigning a public cert to my front end pool. But those were both UCC certs.

    I give my feedback about the Instant SSL trial certificate on Lync Edge.
    I had exactly the same problem as you: I couldn't assign the imported Instant SSL certificate to the Edge External Services through the Lync Deployment Wizard. It simply doesn't show. (However, another trial certificate from another public CA (Thawte) showed correctly and I could assign it from the Deployment Wizard.)
    So, I will give a workaround that worked for me.
    - In MMC > Certificates (Local computer) > Personal > Certificates, make sure your certificate is there and contains the private key.
    If it doesn't show, import it manually by double-clicking on it and importing it to the folder "Personal".
    Then, if the certificate doesn't contain the private key, run the repair utility through CMD with this command:
    certutil -repairstore my "THUMBPRINT"
    where the thumbprint can be collected by double-clicking the certificate in MMC, going to the Details tab, and copying the Thumbprint value (remove the spaces between each two bytes). Your certificate now has the private key associated.
    - Launch Lync Management, and run this command:
    Set-CsCertificate -Thumbprint <Your_thumbprint> -Type AccessEdgeExternal,DataEdgeExternal,AudioVideoAuthentication,XmppServer
    This will apply the certificate to the External Edge Services.
    - If you deployed "Single consolidated edge with private IP addresses using NAT" and all external services are under the same DNS (but with different ports), you will succeed*** the Microsoft Remote Connectivity Wizard and you should be able to federate with everybody including Skype and Lync Online.
    Now the drawbacks (of course!):
    - In the Lync Deployment Wizard, step 3 (about certificates) shows an exclamation mark in front of the External Web Services certificate. I don't know why, surely because we forced the certificate through the management shell.
    - The Instant SSL certificate doesn't provide ANY SANs in the trial certificate; ONLY one Subject Name is allowed (they automatically provide an additional SAN prepending "www." to the original Subject Name you requested). They provide a Web Server certificate par excellence, neither more nor less: just one Common Name, with an additional SAN entry with "www." prepended. But if you manage to combine Access Edge, A/V and WebConf in a single DNS entry this will work (for just 3 months since it's a trial after all).
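
A pre-assignment check for the situation in this thread and in the two "Certificate Assign" threads above (certificate imported but not offered by the wizard, or rejected by Set-CsCertificate), added here as an example and not part of the original posts. It reports whether the certificate in LocalMachine\My has a private key, which required FQDNs are missing from its SAN, and whether its chain builds with revocation checking. The function name and the FQDNs in the usage comment are assumptions, and the SAN parsing relies on the English "DNS Name=" label.

```powershell
# Added example, not code from the thread. Read-only: it changes nothing in the store.
function Test-EdgeCertificateCandidate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string]   $Thumbprint,
        # FQDNs the external Edge interface must answer for (from your topology)
        [Parameter(Mandatory = $true)] [string[]] $RequiredNames
    )

    # A thumbprint copied from the MMC Details tab carries spaces and sometimes an
    # invisible leading character; keep only the hex digits.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $clean } |
        Select-Object -First 1
    if (-not $cert) {
        throw "No certificate with thumbprint $clean in the LocalMachine\My store."
    }

    # Collect the DNS entries of the Subject Alternative Name extension (2.5.29.17).
    # Format($true) returns one entry per line.
    $sanNames = @()
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        $sanNames = @($sanExt.Format($true) -split "`r?`n" | ForEach-Object {
            if ($_ -match '^\s*DNS Name=(.+?)\s*$') { $Matches[1].ToLowerInvariant() }
        })
    }

    # Exact match only: a name that is present only in the CN counts as missing,
    # since some validation checks read the SAN and skip the subject.
    $missing = @($RequiredNames | Where-Object { $sanNames -notcontains $_.ToLowerInvariant() })

    # Build the chain in machine context with online revocation checking, so a
    # missing intermediate or an unreachable CRL shows up here.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainBuilds = $chain.Build($cert)
    $chainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $clean
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        SanDnsNames   = $sanNames
        MissingNames  = $missing
        ChainBuilds   = $chainBuilds
        ChainStatus   = $chainStatus
        PassesChecks  = ($cert.HasPrivateKey -and $missing.Count -eq 0 -and $chainBuilds)
    }
}

# Usage (placeholder thumbprint and sample FQDNs):
# Test-EdgeCertificateCandidate -Thumbprint '<thumbprint>' `
#     -RequiredNames 'sip.contoso.com', 'webconf.contoso.com'
```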

  • Lync 2013 Certificates for DR Pool

    Hello, I'm kind of new to Lync 2013 so I could use a little guidance.....  
    My question is regarding edge server certificates for my DR site. We have 2 geographic locations, one for Prod, and one for DR in an active/passive arrangement. The pools are paired for resiliency.
    The prod site is up and running, everything is functioning as it should. We recently decided to deploy Lync in DR. The prod site is using sip.x.com in DNS and SRV records for access edge. Knowing that we cannot use the same DNS name for the DR pool, I have used sip_DR.x.com. It is recommended to use the same cert for all edge servers. Does that mean I should use the same cert for both pools? If so, should I then add the SAN sip_dr.x.com to my existing UC cert from digicert, and import it to all my edge servers in both pools, or should I have a separate cert for DR? Or, would I request a duplicate cert from digicert and generate the request from one of my edge servers in the DR pool?
    Any help you can provide will be greatly appreciated.
    Thank you. 

    The same cert requirement is for all Edge servers in an Edge pool. You can use a new certificate for the DR Edge pool.
    Take a look at Jeff Schertz' blog: http://blog.schertz.name/2012/07/lync-edge-server-best-practices/
    "The exact same certificate must be used on all common interfaces across the pool, regardless of whether DNS load balancing or hardware load balancing is utilized. This means that the original certificate request must provide the ability to export the private key as the exact same certificate and private key pair must be able to be exported from one Edge server into all other Edge servers. This is required so that in the event of a failover any existing sessions can be moved to another server in the pool and the data can still be decrypted by the same certificate that was used to encrypt the session just prior to the failover."

  • Lync Edge 2013 NOT Replicating config data with CMS / NOT up to date

    I have recently installed my Lync 2013 Edge pool (1 edge server).
    all services are UP and public & internal certificates deployed successfully.
    BUT i keep seeing an X sign in the Replication Status field in the "Lync Control Panel->Topology" page.
    even running the "Get-CsManagementStoreReplicationStatus" gives:
        UpToDate           : False
        ReplicaFqdn        : internalEDGEFQDN.domain.com
        LastStatusReport   :
        LastUpdateCreation : 06/08/2013 10:09:41 AM
        ProductVersion     :
    telnet from my front-end to edge over port 4443 works
    all edge services are UP
    browsing [https://internalEDGEFQDN.domain.com:4443/ReplicationWebService] returns a special page
    there is a file called "data.zip" placed on the FileStore destined to my edge replica   \\filestorefqdn\lync2010files\1-CentralMgmt-1\CMSFileStore\xds-master\replicas\internalEDGEFQDN.domain.com\to-replica
    I don't know what might be causing the replication to NOT get initiated. The Edge server needs to be replicated in order to be functional.
    thanks in advance,

    Hi,
    Please also run the Invoke-CsManagementStoreReplication cmdlet and allow time for the replication to complete before running the Get-CsManagementStoreReplicationStatus again.
    Would you tell us more details about certificate you used for Lync edge internal and external interface, and front end server? If you assigned a wildcard certificate to front end server, this may cause the replication issue between front end and edge.
    Please check event viewer if there is any relevant error message. In addition, you can refer to the blog you pasted how to check the CMS replication traffic.
    http://ocsguy.com/2011/09/07/troubleshooting-cms-replication/
    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make
    sure that you completely understand the risk before retrieving any suggestions from the above link.
    Kent Huang
    TechNet Community Support

  • Lync Edge Server (step 3)

    Hi All,
    Need help on Lync Edge Configuration.
    I have 1 Lync FE & 1 Lync Edge. I have successfully installed the Lync FE.
    The problem comes in the Lync Edge setup.
    Step 1 : Install local Configuration Store (Complete)
    Step 2 : Setup or remove lync server component (Complete)
    Step 3 : Request, install or assign certificates. (I've assigned certificates for both Internal & External but the status for step 3 is not showing "Complete")
    I cannot proceed to step 4 (start Service) until step 3 is complete.
    Kindly help me with this issue.
    Thank you. 

    Hi,
    I'd restart your Edge server if you haven't already done so, and check that you have not accidentally assigned the certificate to only specific Edge services, as Sneff_Gabor suggested.
    Could you confirm that you used the Lync Certificate Wizard to generate the CSRs for these certs rather than generating them through some other means?
    If you haven't already done so, import and assign the certificates for a second time post Edge restart to see if this makes a difference.
    If you're using a third party public certificate for your external Edge services, make sure that you have any required root and intermediate certificates in place for a valid chain. You can check this by viewing the certificate details and looking at the 'certification path' tab to ensure your public certificate is trusted.
    If you don't have any luck, create a new CSR for your External Edge services and generate a certificate from your internal CA rather than through a public CA and assign that. This will tell you if it's the external certificate that's causing an upset.
    Can you confirm the 'public key' and 'signature algorithm' on the details tab of both certificates?
    Kind regards
    Ben
    Note: If you find a post informative, please mark it so using the arrow to the left. If it answers a question you've asked, please mark the thread as answered to aid others when they're looking for solutions to similar problems or queries.

  • Lync Edge - Ports for internal NIC

    Hello,
    I know that Microsoft says that Edge should have 2 NICs where one is connected to DMZ, another one is connected to LAN. At the same time, all Microsoft diagrams show that Lync Edge is between two firewalls.
    We have a client who insists that Lync Edge should not be connected directly to the LAN, so we are trying to set it up using two different DMZs. The problem that I have is firewall ports. Different diagrams show me different ports, but none of them show me everything.
    For example, what ports should be opened to request certificate for Internal CA? My firewall guy tells me that he opened ports 80 and 443 but Lync Wizard cannot connect to Internal CA.
    Does anyone have a list of ports/protocols/directions that should be opened for Internal DMZ firewall?
    Thank you. Eric.

    To request a certificate for the Lync Edge server, you use the Lync Wizard to create the certificate request file and request the certificate via the web from a Windows Server CA.
    You need to open the port 80 and port 443 between Edge Server and Windows Server CA.
    Microsoft diagrams only describe the traffic between Lync Edge Server and Front End Server.
    Lisa Zheng
    TechNet Community Support
