Lync edge internal Certificate

Hi guys, I have an interesting problem. I'm switching my TMG server for a Palo Alto server, and when I do an external test, it fails and it's showing my internal cert, not the SAN certificate bound to the external DMZ NIC, and yes, I've reassigned the certs multiple times to make sure.
Anyone ever see anything like this? Works perfectly on TMG :|

I have 1 Lync Standard Frontend and 1 Edge, the edge server has 2 NICs, 1 internal and 1 in the DMZ with three IPs and 1 to 1 NAT. It has static routes for the internal network.
I'm aware there is no SAN requirement for internal. What I can't figure out is why external tests are seeing the internal certificate.
Testing remote connectivity for user test@i*.com to the Microsoft Lync server.
Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
Additional Details
Elapsed Time: 16269 ms.
Test Steps
Attempting to resolve the host name sip.i*.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 190.********
Elapsed Time: 186 ms.
Testing TCP port 443 on host sip.i*.com to ensure it's listening and open.
The port was opened successfully.
Additional Details
Elapsed Time: 193 ms.
Testing the SSL certificate to make sure it's valid.
The SSL certificate failed one or more certificate validation checks.
Additional Details
Elapsed Time: 15560 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server sip.i*.com on port 443.
The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
Additional Details
Remote Certificate Subject: CN=cerberus.*.com, Issuer: CN=ICONS-CA, DC=i*, DC=com.
Elapsed Time: 15501 ms.
Validating the certificate name.
Certificate name validation failed.
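
The analyzer's "obtain the SSL certificate" and "validate the certificate name" steps can be repeated by hand from a machine outside the perimeter. The following is an added example, not part of the original post; `sip.example.com` is a placeholder host name and both function names are made up for this illustration.

```powershell
# Added example, PowerShell 3.0 or later. sip.example.com is a placeholder,
# not a host from the post.

function Test-CertName {
    # True when $HostName matches one of $Names; "*.zone" covers exactly one left-most label.
    param([string]$HostName, [string[]]$Names)
    foreach ($name in $Names) {
        if ($name -ieq $HostName) { return $true }
        if ($name.StartsWith('*.')) {
            $label, $zone = $HostName -split '\.', 2
            if ($zone -and ($zone -ieq $name.Substring(2))) { return $true }
        }
    }
    return $false
}

function Get-PresentedCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Accept whatever is served: the goal is to read the certificate, not to trust it.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        try {
            $ssl.AuthenticateAsClient($HostName)    # the name is also sent as SNI
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        }
        finally { $ssl.Dispose() }
    }
    finally { $tcp.Close() }

    # Subject Alternative Name extension (OID 2.5.29.17).
    # Assumes the English "DNS Name=" label Windows uses when formatting it.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sans = @()
    if ($sanExt) {
        $sans = @([regex]::Matches($sanExt.Format($false), '(?:DNS Name=|DNS:)([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value })
    }

    # Fall back to the subject CN only when the certificate carries no SAN at all.
    $cn = $cert.GetNameInfo('SimpleName', $false)
    $names = if ($sans.Count -gt 0) { $sans } else { @($cn) }

    [pscustomobject]@{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        Thumbprint  = $cert.Thumbprint
        DnsNames    = $sans
        NameMatches = Test-CertName -HostName $HostName -Names $names
    }
}

# Run from outside, then compare Thumbprint with what Get-CsCertificate
# reports on the Edge server for the external interface:
# Get-PresentedCertificate -HostName sip.example.com | Format-List
```

If the thumbprint returned here is that of the internal certificate, the connection on 443 is being answered by a listener that holds the internal certificate rather than by the external Access Edge interface.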

Similar Messages

  • Lync Edge 2013 Certificate Assign (again!)

    Hi,
    I recently posted a similar topic on the forum (Lync Edge 2013 Certificate Assign). The issue was related to certificate assignment. I solved it, but I later needed to change my certification authority, and so change the certificate assigned to the public Edge interface. Trying this, I encountered a new (different) problem with my new certificate, so I am back here to try to find a solution.
    As said, I am trying to assign a certificate to my Lync 2013 Edge Server on the Internet edge. This certificate is signed by a recognized authority (Comodo).
    Whenever I import the certificate into the store via the Lync wizard and proceed to the Assign Certificate step, the certificate that I have imported does not appear in the list of certificates in the Lync deployment tool interface, so I cannot assign it to the External Edge interface.
    I tried to import it with Digicert (which allowed me to solve my previous import problem, but not this time...) with no better result. I tried to import it from cer format, or crt format; the results are the same.
    I launched the MMC on the computer and added the Computer Certificate Snap-In. If I look at the certificate icon, I see the little key in the icon, so it sounds like I have the private key available.
    Any help would be greatly appreciated!
    Thank you very much for your help.
    EDIT: when running the Digicert tool "Test Key", the result is the following: "the private key was successfully tested" and "revocation check for certificate chain failed". Does it give any clue?

    I had the feeling I did everything fine too...! This is maybe a silly question, but I'll try anyway: do you think it is possible that I cannot choose the imported certificate in the Lync Deployment assistant because the assistant does not recognize the public name of the computer? I mean, I could add the internal interface certificate because the computer recognized its local name (edge.local.domain). But it seems it doesn't know its Internet FQDN (lync.mydomain.com), which is mentioned in the topology.
    It does not explain why I could previously add the wildcard certificate, so I think my remark is silly, but I am kind of lost....
    Thank you anyway for your messages.
    EDIT: when I try to use PowerShell to assign my certificate manually, I get an error message telling me that the command execution failed because [my certificate thumbprint] is not in the store or not approved. It is true that I had some intermediate certificates provided by Comodo, but I installed all of them in the store via mmc>Certificate, both in trusted root CA and intermediate CA. Maybe I missed a location?

  • Lync Edge External Certificate request.

    Hi,
    We have a Lync 2010 Server deployed in our organization. We have a requirement to add 2 additional SIP domains to our organization.
    We have successfully configured the 2 additional SIP domains with the necessary requirements and it's working internally.
    However, users of the 2 new additional SIP domains are not able to communicate externally.
    We found that in the Edge external certificate we are required to add 2 SAN names, for the 2 additional SIP domains.
    My query is: what is the procedure to generate a certificate with additional SAN names?
    I have tried in the Edge console; it automatically includes 3 sip.domain.com, which results in more SAN entries in the certificate.
    My company is worried about the cost of a public certificate which has more SAN names included.
    How can we overcome this?
    Note: My existing Lync external certificate has 2 SAN names.

    After doing Lync for several years, my evolution included embracing the fact that Lync is going to need a lot of SANs and the cost of certs is going to be something that is part of doing Lync. If you're going to have multiple SIP domains, it's the cost of doing business that you'll have corresponding cert additions.
    I beseech you to NOT heed the recommendation above that included cross-domain SRV records. Your Windows users will get prompted and it makes for a bad impression for Lync. Keep your SRV records pointed to a matching DNS zone. You WILL get support calls on it and security will only be getting tighter against practices such as this in the future.
    And yes, do the meet/dialin URLs that have the long URL format.
    We use the HTTP lyncdiscover.domain1.com and lyncdiscover.domain2.com over port 80 - it works great. I don't see any issue with it, as it only directs your client to the desired external web services (SSL connection). It works great.
    If my post is helpful - please click on the green arrow. (Please excuse, in advance, any perceived sarcasm/humor - as I often forget it does not translate through text) :)

  • Lync Edge Server Certificate Issue

    I've implemented a single internal Standard Edition Front End server with a single consolidated Edge server and Reverse Proxy server/appliance located in a perimeter network.
    On the internal IP of the Edge server I use a certificate from an internal CA (which is trusted by the edge server); the "internal" certificate issued by the internal CA is used only between the edge server and the frontend server. An external certificate with cn sip.ipabo.nl and alt.subj sip.ipabo.nl and webconf.ipabo.nl from Globalsign is used on the external IPs. Services have their own IP addresses and are natted by a router. I've tested that all ports can be reached from the internet. But still no connection is possible from external clients. The MS connectivity analyser says: "The certificate couldn't be validated because SSL negotiation wasn't successful". Connections from mobile clients through the reverse proxy are no problem; also internal clients have no issue (they both don't use the edge but the proxy). So I assume there's something wrong with the certificate implementation on the Edge server; however, I've tested it with the RUCT from Curtis Johnstone, and the certificate seems to be OK. Also in the Lync Server Deployment Wizard the certificates seem to be OK. In the computer's personal certificate store there are only the two necessary certificates (internal and external); also intermediate certificates are installed. Routing (default gateway on external interface) is working fine. So I think I'm out of options, any ideas?
    Tnx, 
    Guido

    Ok I found It:
    It was a simple setting in the Control panel, or in the management shell:
    In Set-Accessedgeconfiguration
    AllowOutsideUsers was set to False. This should be true.
    I found it by Using OCSlogging on the Edgeserver, looking at SIP.
    So I don't understand how all the certificate and server unavailable warnings make any sense. 
    The next issue will be exchange integration :)
    Thanks for your help everybody

  • Lync Edge Internal Interface + all subnets ?

    Hi All,
    I have a problem with audio/video connections between internal and internal-wifi/external Lync clients.
    Audio/video between Lync clients on the same subnet is no problem (external-external / internal-internal / wifi-wifi).
    I have 3 questions:
    1. Does the Lync 2013 Edge Server internal interface need to know the route to every subnet? (client subnet)
    2. If routing to each subnet with Lync clients is needed, which ports need to be opened and in which directions (from Edge to subnet)?
    3. I know that when an audio/video call is placed, the 2 Lync clients try to connect peer-to-peer first. Does that mean that when you have an internal client subnet and an internal wifi subnet, Lync clients in the different subnets need ports opened to each other? Only port tcp/443 and udp/3478?
    Thank you very much !

    1) Yes.  Check out this poster, it might be a little more clear than some of the TechNet posts:
    http://www.microsoft.com/en-us/download/details.aspx?id=39968
    2) TCP/443 and UDP/3478 are a must from client to edge.
    3) Correct, and you'll want ports opened but they will want a bigger range.  Check out client ports at the bottom of this article:
    http://technet.microsoft.com/en-us/library/gg398833.aspx
    You can tighten those client port ranges up using Set-CsConferencingConfiguration if it helps:
    http://technet.microsoft.com/en-us/library/jj204760.aspx
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
    SWC Unified Communications

  • Lync Edge 2013 Certificate Assign

    Hi,
    I am trying to assign a certificate to my Lync 2013 Edge Server on the Internet edge. This certificate is signed by a recognized authority, so it should not be a problem.
    Whenever I have imported the certificate via the Lync wizard and proceed to the Assign Certificate step, the certificate that I have imported does not appear in the list of certificates for me to assign it as the External Edge Certificate.
    I launched the MMC on the computer and added the Computer Certificate Snap-In. Unfortunately, if I look at the certificate icon, I do not see the little key in the icon. This sounds like I don't have the private key.
    In addition, I should say that I received my certificate as a PEM file. I tried to convert it to PFX and DER, but always with the same result. So maybe I made a mistake while converting....
    Any help would be greatly appreciated!
    Thank you very much

    He's probably requested it on a different platform (like Linux w/Apache and then exported it)
    Try this: https://www.sslshopper.com/ssl-converter.html
    I wouldn't upload your private key and cert to the site, because it's not something you want to be sharing, but if you scroll to the bottom there are some options (mainly the second last option to grab certificate and key pem and output to PFX file)
    If I'm assuming correctly and your admin is using Linux/Unix then you can run the OpenSSL commands there or you could do it yourself on Windows http://www.openssl.org/related/binaries.html (but I'd say the first option is much easier)
    If this helped you please click "Vote As Helpful" if it answered your question please click "Mark As Answer" | Blog www.lynced.com.au | Twitter @imlynced

  • Lync Connectivity Analyzer Certificate Error

    The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server lyncedgesvr.redfoxtechnologies.net on port 443.
    The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.
    Elapsed Time: 456 ms.
    I got the above certificate error when trying to test remote connection from the Lync connectivity analyzer. But we have purchased a Comodo PositiveSSL Multi-domain certificate. What do I need to do? Please help. I have contacted the SSL provider but they don't even know the problem.
    The public certificate is bound only on the Lync Edge Server and there is no public certificate on the Lync Federation Server.
    The Lync Edge server is not using a NAT it is directly connected to the internet or the public ip address mounted on LAN.
    I have used only one Public IP address.

    Hi Everyone,
    I am not using reversed proxy I only just used the following below:
    Pfsense: Public IP
    Lync Fe : Single internal IP
    Lync Edge : External Public IP no NAT
    Lync Edge : Internal IP
    Based on the Lync Validator below it says that I should create a NAT of the Lync FE server to the external IP 103.17.21.198, then issue a public certificate to the internal Lync FE. Just because I don't have an external for Lync FE. And I only have one LAN. Correct me if this validator is wrong.
    For the Certificate CAN I USE THE "Comodo PositiveSSL Multi-Domain"?
    Internal DNS:

    Internal DNS Records

    | Type | FQDN | IP | Service | Protocol | Domain | Host | PRI | Weight | Port | Description |
    |---|---|---|---|---|---|---|---|---|---|---|
    | SRV | | | _sipinternaltls | _tcp | redfoxtechnologies.net | sip.redfoxtechnologies.net | 0 | 0 | 5061 | Automatic Login |
    | A | dialin.redfoxtechnologies.net | 10.10.10.11 | | | | | | | | Simple URL Dialin |
    | A | lyncadmin.redfoxtechnologies.net | 10.10.10.11 | | | | | | | | Simple URL Admin |
    | A | lyncdiscoverinternal.redfoxtechnologies.net | 10.10.10.11 | | | | | | | | Internal Lync client discovery. |
    | A | lyncedgesvr.redfoxtechnologies.net | 172.0.0.113 | | | | | | | | Edge Pool Name |
    | A | lyncedgesvr.redfoxtechnologies.net | 172.0.0.113 | | | | | | | | Edge Server #1 |
    | A | lyncfesvr.redfoxtechnologies.net | 103.17.21.198 | | | | | | | | External Web Services |
    | A | lyncfesvr.redfoxtechnologies.net | 10.10.1.1 | | | | | | | | Front-End Server #1 |
    | A | lyncfesvr.redfoxtechnologies.net | 10.10.10.11 | | | | | | | | Internal Web Services |
    | A | lyncpool.redfoxtechnologies.net | 10.10.1.1 | | | | | | | | Front-End Server #1 |
    | A | meet.redfoxtechnologies.net | 10.10.10.11 | | | | | | | | Simple URL Meet |
    | A | sip.redfoxtechnologies.net | 10.10.1.1 | | | | | | | | Front-End Server #1 |

    External DNS:

    External DNS Records

    | Type | FQDN | IP | Service | Protocol | Domain | Host | PRI | Weight | Port | Description |
    |---|---|---|---|---|---|---|---|---|---|---|
    | SRV | | | _sip | _tls | redfoxtechnologies.net | lyncedgesvr.redfoxtechnologies.net | 0 | 0 | 443 | Automatic Login |
    | SRV | | | _sipfederationtls | _tcp | redfoxtechnologies.net | lyncedgesvr.redfoxtechnologies.net | 0 | 0 | 5061 | Lync Federation Discovery |
    | A | dialin.redfoxtechnologies.net | 103.17.21.198 | | | | | | | | Simple URL Dialin |
    | A | lyncdiscover.redfoxtechnologies.net | 103.17.21.198 | | | | | | | | Lync client discovery. |
    | A | lyncedgesvr.redfoxtechnologies.net | 103.17.21.196 | | | | | | | | Access Edge #1 |
    | A | lyncedgesvr.redfoxtechnologies.net | 0.0.0.0 | | | | | | | | Web Conferencing #1 |
    | A | lyncedgesvr.redfoxtechnologies.net | 0.0.0.0 | | | | | | | | AV #1 |
    | A | lyncfesvr.redfoxtechnologies.net | 103.17.21.198 | | | | | | | | External Web Services |
    | A | meet.redfoxtechnologies.net | 103.17.21.198 | | | | | | | | Simple URL Meet |

    Internal Certificates

    | Type | Server | SN | SAN | EKU | Description |
    |---|---|---|---|---|---|
    | Internal | Front-End | lyncpool.redfoxtechnologies.net | lyncpool.redfoxtechnologies.net, lyncfesvr.redfoxtechnologies.net, meet.redfoxtechnologies.net, dialin.redfoxtechnologies.net, lyncadmin.redfoxtechnologies.net, lyncdiscoverinternal.redfoxtechnologies.net, lyncdiscover.redfoxtechnologies.net, sip.redfoxtechnologies.net, lyncfesvr.redfoxtechnologies.net, lyncfesvr.redfoxtechnologies.net | Server | SAN/UCC Certificate for Front-End Pool |
    | Internal | OAuth | redfoxtechnologies.net | | Server | OAuth |
    | Internal | Edge Server | lyncedgesvr.redfoxtechnologies.net | | Server | Certificate for Internal Edge |

    External Certificates

    | Type | Server | SN | SAN | EKU | Description |
    |---|---|---|---|---|---|
    | Public | Lync Edge | lyncedgesvr.redfoxtechnologies.net | lyncedgesvr.redfoxtechnologies.net, lyncedgesvr.redfoxtechnologies.net | Server Client | SAN/UCC Certificate for Edge Server |
    | Public | Reverse Proxy | lyncfesvr.redfoxtechnologies.net | meet.redfoxtechnologies.net, dialin.redfoxtechnologies.net, lyncdiscover.redfoxtechnologies.net, lyncfesvr.redfoxtechnologies.net | Server | SAN/UCC Certificate for Reverse Proxy |

  • Lync Edge 2013 NOT Replicating config data with CMS / NOT up to date

    I have recently installed my Lync 2013 Edge pool (1 edge server).
    All services are up and the public & internal certificates deployed successfully.
    But I keep seeing an X sign in the Replication Status field in the "Lync Control Panel->Topology" page.
    Even running "Get-CsManagementStoreReplicationStatus" gives:
        UpToDate           : False
        ReplicaFqdn        : internalEDGEFQDN.domain.com
        LastStatusReport   :
        LastUpdateCreation : 06/08/2013 10:09:41 AM
        ProductVersion     :
    Telnet from my front-end to edge over port 4443 works.
    All edge services are up.
    Browsing [https://internalEDGEFQDN.domain.com:4443/ReplicationWebService] returns a special page.
    There is a file called "data.zip" placed on the FileStore destined to my edge replica: \\filestorefqdn\lync2010files\1-CentralMgmt-1\CMSFileStore\xds-master\replicas\internalEDGEFQDN.domain.com\to-replica
    I don't know what might be causing the replication to not get initiated. The edge server needs to be replicated to be functional.
    Thanks in advance,

    Hi,
    Please also run the Invoke-CsManagementStoreReplication cmdlet and allow time for the replication to complete before running the Get-CsManagementStoreReplicationStatus again.
    Would you tell us more details about the certificates you used for the Lync edge internal and external interfaces, and the front end server? If you assigned a wildcard certificate to the front end server, this may cause the replication issue between front end and edge.
    Please check the event viewer for any relevant error message. In addition, you can refer to the blog you pasted on how to check the CMS replication traffic.
    http://ocsguy.com/2011/09/07/troubleshooting-cms-replication/
    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make
    sure that you completely understand the risk before retrieving any suggestions from the above link.
    Kent Huang
    TechNet Community Support

  • Unable to Import Internal Certificate to Lync Deployment wizard Local Store

    Hi,
    While installing the Edge server, I imported the internal certificate to the local certificate store. But when I tried to assign the certificate I did not see any imported certificate. I have installed Lync and Edge servers several times but this is the first time I'm facing this issue.
    FYI,
    It's a Lync 2010 standalone server. Also, I have installed the domain's root certificate on the Edge server under "trusted root authority".
    Kindly suggest.
    Thanks and Regards,
    Ankit

    Hi Ankkit18,
    You can download the Certificate Chain from the CA and import it to the Edge Server using MMC (Computer Account -> Trusted Root Certification Authorities).
    And in the certificate request step, make sure that you have selected the "Mark certificate private key as exportable" check box.
    For more details, please refer to the following article.
    Set up certificates for the internal edge interface in Lync Server 2013
    Best regards,
    Eric

  • Lync Edge Server 2013 Certificate Issue seems unresolvable

    I've implemented a single internal Standard Edition Front End server with a single consolidated Edge server and Reverse Proxy server/appliance located in a perimeter network.
    On the internal IP of the Edge server I use a certificate from an internal CA (which is trusted by the edge server); the "internal" certificate issued by the internal CA is used only between the edge server and the frontend server. An external certificate with cn sip.ipabo.nl and alt.subj sip.ipabo.nl and webconf.ipabo.nl from Globalsign is used on the external IPs. Services have their own IP addresses and are natted by a router. I've tested that all ports can be reached from the internet. But still no connection is possible from external clients. The MS connectivity analyser says: "The certificate couldn't be validated because SSL negotiation wasn't successful". Connections from mobile clients through the reverse proxy are no problem; also internal clients have no issue (they both don't use the edge but the proxy). So I assume there's something wrong with the certificate implementation on the Edge server; however, I've tested it with the RUCT from Curtis Johnstone, and the certificate seems to be OK. Also in the Lync Server Deployment Wizard the certificates seem to be OK. In the computer's personal certificate store there are only the two necessary certificates (internal and external); also intermediate certificates are installed. Routing (default gateway on external interface) is working fine. So I think I'm out of options, any ideas?
    Tnx, 
    Guido

    Please check the DNS records for sip.ipabo.nl and webconf.ipabo.nl are created on external DNS server.
    Please check you can telnet Lync Edge Access service FQDN on 443 port.
    Check the automatic configuration for remote access is configured correctly or you can try to sign in manually.
    Follow the steps in the blog below to test your Edge Server:
    http://blogs.technet.com/b/nexthop/archive/2011/12/07/useful-tips-for-testing-your-lync-edge-server.aspx
    Lisa Zheng
    TechNet Community Support

  • Lync Edge - Ports for internal NIC

    Hello,
    I know that Microsoft says that Edge should have 2 NICs where one is connected to DMZ, another one is connected to LAN. At the same time, all Microsoft diagrams show that Lync Edge is between two firewalls.
    We have a client who insists that Lync Edge should not be connected directly to the LAN, so we are trying to set it up using two different DMZs. The problem that I have is firewall ports. Different diagrams show me different ports, but none of them show me everything.
    For example, what ports should be opened to request a certificate from the Internal CA? My firewall guy tells me that he opened ports 80 and 443 but the Lync Wizard cannot connect to the Internal CA.
    Does anyone have a list of ports/protocols/directions that should be opened for Internal DMZ firewall?
    Thank you. Eric.

    To request a certificate for the Lync Edge server, you use the Lync Wizard to create the certificate request file and request the certificate via the web from a Windows Server CA.
    You need to open the port 80 and port 443 between Edge Server and Windows Server CA.
    Microsoft diagrams only describe the traffic between Lync Edge Server and Front End Server.
    Lisa Zheng
    TechNet Community Support

  • Lync Edge Certificate

    Hi All
    I am doing a POC of Microsoft Lync 2010 for one of my clients. I have deployed a Lync Front End server (STD Edition) and configured it. I have also installed Lync on some clients, and testing all the features internally was successful. Now I want to deploy the Lync Edge server. I have done all the necessary configuration for the Lync Edge server, but now I am stuck on the external certificate. As this is just a POC, I don't want to import any public certificate for it, so is there any way to import a private certificate on the Lync Edge server which can be used externally, so that I can bring internet users into my Lync environment?
    Please provide me some steps on how to create a private certificate for the Lync Edge server and also how to import it.
    Thanks in advance
    Vinayak

    Hi,
    Basically the steps are the same as how you created the internal certificates, using an internal Microsoft CA Server:
    Using the Installation Wizard, generate an offline certificate request for your external domain: sip.domain.com, webconf.domain.com, av.domain.com, meet.domain.com & dialin.domain.com.
    With that, log in to your internal CA server (e.g. https://servername/certserv)
    Paste the offline certificate request onto the web page; make sure you've selected Web Server as the certificate type
    Download the generated certificate
    Assign the downloaded certificate using the Lync installation wizard to the Access Edge external interface
    If you're publishing via a Reverse Proxy, just export the certificate from the Access Edge and install it into your TMG certificate store
    Alternatively, VeriSign also offers a free 30 days trial -
    http://www.verisign.com/ssl/free-30day-trial/index.html
    Hope this helps.
    James Ooi MCITP Lync Server 2010 | Blog: http://jamesosw.wordpress.com Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial
    to other community members reading the thread

  • Can't assign certificate in Lync Edge Server

    Hello, everyone
    I've installed Lync Server; internally it works fine, but while I'm deploying the edge server, I have a certificate problem. On the request/assign certificate step, I've had the certificate issued by the online certificate authority; after the request I see the following error:
    The certificate has been issued by the online certification authority and is installed to the local certificate store, however it is not valid. Make sure that the Root certificate, and necessary certificate chain is installed on this server.
    I've downloaded the root certificate from the CA and imported it to the trusted root certificates of the edge server. I think the root certificate is valid, because non-domain members which imported the root certificate sign in to Lync successfully.
    I also sent an offline certificate request (http://technet.microsoft.com/en-us/library/gg412750.aspx); importing the certificate was successful. But there are no certificates in the assign certificate wizard. I checked the personal certificates using MMC; the certificates I requested were there.
    How can I solve this problem? Please help me!
    Regards and thanks for any help :)
    Enkhee

    Hi,
    You need to access http://CAserver/certsrv to download the certificate chain on the edge server. Open MMC and install the certificate chain with the following steps (To import the CA certification chain for the internal interface):
    http://technet.microsoft.com/en-us/library/gg412750.aspx
    Check whether the certificate chain is installed successfully in the Trusted Root Certification Authorities.
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
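
Several threads above describe a certificate that sits in the Personal store but is not offered by the assign step, with replies pointing at a missing private key or an incomplete chain. The following added example (not from any of the posts; the function name is made up here) reports both conditions for one certificate in `Cert:\LocalMachine\My`.

```powershell
# Added example, PowerShell 3.0 or later, run elevated on the Edge server.
function Test-StoreCertificate {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)

    # Keep hex digits only: drops spaces and invisible characters that come along
    # when a thumbprint is copied out of the certificate dialog.
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $tp }
    if (-not $cert) { throw "Thumbprint $tp not found in Cert:\LocalMachine\My" }

    # Server Authentication EKU (1.3.6.1.5.5.7.3.1). A certificate without an EKU
    # extension is not restricted to particular usages, so that case counts as allowed.
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $serverAuth = (-not $eku) -or
        [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })

    # Build the chain twice in machine context: once ignoring revocation and once
    # checking it online, so a missing intermediate or root can be told apart from
    # a CRL/OCSP endpoint the server cannot reach.
    $chainReport = @{}
    $path = @()
    foreach ($mode in 'NoCheck', 'Online') {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
        $chain.ChainPolicy.RevocationMode = $mode
        $built = $chain.Build($cert)
        $flags = @($chain.ChainStatus | ForEach-Object { $_.Status })
        $chainReport[$mode] = if ($built) { 'OK' } else { $flags -join ', ' }
        if ($mode -eq 'NoCheck') {
            $path = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        }
        $chain.Reset()
    }

    [pscustomobject]@{
        Subject             = $cert.Subject
        NotAfter            = $cert.NotAfter
        HasPrivateKey       = $cert.HasPrivateKey
        ServerAuthEku       = $serverAuth
        ChainNoRevocation   = $chainReport['NoCheck']
        ChainWithRevocation = $chainReport['Online']
        ChainPath           = $path -join ' <- '
    }
}

# Test-StoreCertificate -Thumbprint '<thumbprint shown in the MMC>' | Format-List
```

`HasPrivateKey = False` corresponds to the missing key icon in the MMC; `PartialChain` or `UntrustedRoot` means an intermediate or root is not installed in the computer stores; `RevocationStatusUnknown` or `OfflineRevocation` appearing only in `ChainWithRevocation` means the chain itself is complete but the revocation endpoints could not be reached.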

  • Combining Lync Edge certificate of Reverse Proxy

    I wonder if creating a single certificate that combines the Lync Edge server names and the Reverse Proxy names will work?
    I want to create a certificate for Lync Edge with CN = sip.domain.com and add the names required for the Edge and Reverse Proxy as additional DNS names:
    sip.domain.com 
    webconf.domain.com
    webext.domain.com
    meet.domain.com
    dialin.domain.com
    lyncdiscover.domain.com

    Hi,
    Yes, you can use the same certificate for both the Edge Server (external interface) and the Reverse Proxy, with a SAN that includes all the names the Edge Server and Reverse Proxy need (such as: webcon.contoso.com, sip.contoso.com, webext.contoso.com, meet.contoso.com, dialin.contoso.com, lyncdiscover.contoso.com, and so on).
    More details:
    https://technet.microsoft.com/en-us/library/gg398519.aspx?f=255&MSPPError=-2147217396
    https://technet.microsoft.com/en-us/library/gg429704.aspx
    There is no special SAN for federate with Skype. However, the certificate must be the public SAN certificate.
    Best Regards,
    Eason Huang
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
    Eason Huang
    TechNet Community Support

  • DNS records to be created for Lync deployment (Internal and External)

    Hi There,
    If I want the Lync server environment to work Internal as well from External in all the aspects. (auto-discover, meetings, AV conferencing,web conferencing, voice integration, mobility etc), please answer to the below questions and also their purpose please.
    I'm not sure whether the answer varies for 2010 and 2013 version.
    1. What are the Internal and External(public) DNS records to be created for the reverse proxy(assume i'm using TMG servers), and their purpose?
    2. What are the Internal and External(public) DNS records to be created for Lync Edge server, and their purpose?

    I'll try to answer as well.
    1) For the reverse proxy, you'll need to publish the following:
    External:
    lyncdiscover.sipdomain.com (You'll need this record for every sip domain you have).  This is for client autodiscover.
    external web services FQDN (You'll need one of these per pool, you get to choose the name).  This is for address book downloads, web conferencing, etc.
    Meet.sipdomain.com (You can choose the name here, and have one per sip domain or one for the whole org).  This is for web conferencing.
    Dialin.sipdomain.com (You'll just need one here, it doesn't have to be dialin).  This is for changing your conferencing/phone pin, resetting conference info, and general conferencing info.
    For Lync 2013 only, you may want the Office Web Application server pool name as well for PowerPoint sharing.  Lync 2010 doesn't use this.  
    Internal:
    The external web services FQDN.  You'll need this available internally through the reverse proxy so you can redirect requests on port 443 to port 4443.  This will be used for mobile devices on WiFi.
    2) For the Edge server:
    Externally:
    sip.sipdomain.com (you'll need one per sip domain) this is an autodiscover/multi use FQDN and should point to your access edge IP.
    webedge.sipdomain.com (edge web conferencing, you can pick any name you like).
    avedge.sipdomain.com (av edge, you can pick any name you like).
    accessedge.sipdomain.com (you'll need a name for the access edge role, however you can just use sip.sipdomain.com and save a name in your certificate request).
    Internally:
    edgepool.sipdomain.com (you can pick any name you want, it's just the name assigned to the internal edge interface).
    If you choose to have a single ip for the external edge, you can get away with just an access edge name and/or sip.sipdomain.com
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
    SWC Unified Communications
    This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.
