Securing RDS with SSL certificate

Similar Messages

• REDUNDANT ACE 20 WITH SSL CERTIFICATE

  Hi
  I have an ACE 20 redundant infrastructure (Active-Standby),and  it´s needed to implement a secure aplication with SSL certificate.
  The question I have is, for this solution is neccesary to generate a digital certificate and key  for each ACE module? and, It´s is possible to use the same certificate and key in both ACE modules?
  Thanks for your help.
  Regards

  Ricardo,
  You can just the same certificates for both devices.
  Jorge

• Importing external web service with SSL certificate security

  Hello,
  I'm trying to import an external web service (that resides in another server, independent of ours). However, right after I enter the WSDL in the import window I get the following error in the NWDS:
  sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target      [Error: com.sap.ide.es.core.ui.internal.wizards.fragments  Thread[ModalContext,6,main]]
  javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
            at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1649)
            at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
            at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
            at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
            at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
            at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
            at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:893)
            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1165)
            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1149)
            at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
            at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
            at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1172)
            at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
            at com.sap.ide.es.core.ui.internal.wizards.fragments.UrlValidationRunnable.getURLAsStream(UrlValidationRunnable.java:137)
            at com.sap.ide.es.core.ui.internal.wizards.fragments.UrlValidationRunnable.validate(UrlValidationRunnable.java:75)
            at com.sap.ide.es.core.ui.internal.wizards.fragments.UrlValidationRunnable.run(UrlValidationRunnable.java:55)
            at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:121)
  Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
            at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:323)
            at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:217)
            at sun.security.validator.Validator.validate(Validator.java:218)
            at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
            at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
            at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
            at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
            ... 15 more
  Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
            at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
            at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
            at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:318)
            ... 21 more
  Has anyone ever consumed an external web service with SSL certificate security? How do you import this in your Web Dynpro project?
  Cheers!

  Hi Alain,
  I just checked on a newer NW environment (NW 7.2) and was presented an empty list as well... It seems the mapping procedure I described is deprecated since NW 7.11, and the modeled CAF application service is already exposed as a web service.
  You may want to have a look at http://help.sap.com/saphelp_nwce711/helpdata/en/43/f173947bbb025be10000000a1553f7/content.htm or http://scn.sap.com/message/7852996 for more info

• Getting error "Problem with SSL Certificate" but I'm connecting to my private server without SSL

  I wanted to create a PDF from a subtree at a website. The first problem was that Acrobat Pro (11.0.7) wouldn't spider it (probably because there was a robot.txt file there) so I had to use SiteSucker to pull the pages down to my Mac.
  Then I discovered that Acrobat Pro can't handle file:/// URLs so that was no good either
  So then I copied all the pages to a folder on my Linux server where I use a non-standard port (86) for http connection as a minor security precaution.
  When I tried to access that from Acrobat Pro, it bitched about a problem with SSL Certificate but gave me no option to do anything about it. More relevantly, all the files were accessible using http protocol, not https so there shouldn't have been any need to deal with SSL certificates at all
  I had to temporarily enable port 80 on my apache server at which point it's now pulling all the files in and hopefully converting them.
  A) We're at version 11 ---- these kinds of issues should have been fixed years ago
  B) While you're at it, fix the stupid UI issue where the download dialog disappears completely if Acrobat Pro doesn't have the focus. On a long download, I'd like to be able to see progress while working on other stuff. Acrobat Pro is not the center of the universe!

  Interesting point 2, I am working on a Mac plugin at the moment. It does not hide its dialogs when switching to a different app. I consider this a bug and will fix it so the dialog disappears. I hadn't considered the question of progress but there is a very strong reason to do this on the Mac.
  My tests seem to show that
  (a) to get a dialog to sit above PDF documents all the time, it must be on a higher "level".
  (b) if a dialog is at a higher level, this is a global setting.
  So, if the dialog is not hidden when switching all, it will typically sit on top of the other app's document windows. This would not be popular, as the end user, unless they have mountains of screen space and choose to use it that way, must either close or move the dialog when switching app, then bring the dialog back.  So, because Acrobat Pro is not the centre of the universe, it will hide dialogs (or rather, the Mac will, as it's a standard option when creating a window).

• Securing webaccess with ssl

  OK, I will admit right now I don't fully understand how
  webaccess and ssl works. In my current setup I used a
  self-signed key generated and stored in eDir. This key is
  used in httpd.conf like:
  SecureListen xxx.yyy.zzz.1:443 "SSL Certificate"
  I know have my freshly minted ssl cert (filename.crt) from
  my CA. GHow the heck do I use it. I have search the TIDs
  and Documentation with no luck, although I may not know
  exactly what to look for.
  Can someone either point me towards the correct docs or
  otherwise instruct on how to set this up???
  Much thanks, Chris.

  OK, figured this one out. What is confusing is that in the
  webaccess gateway there is an option to secure the gateway.
  To the unfamiliar this would be the spot to add the
  certificate. However, after doing more investigation I
  realized that the ssl connection to the user is handled by
  apache.
  Now the apache setup is fairly straight forward provided
  your CA issue you a certificate in pfx or p12 format. If
  they issue a PEM certificate, then you have some dancing to
  do. Luckily openssl helped here and I was able to convert
  the certificate to pfx.
  Chris
  >>> On 7/16/2009 at 11:55 AM, in message
  <4A5F15AB.CE15.0032.0@N0_$pam.vrapc.com>,
  Chris<cmosentine@N0_$pam.vrapc.com> wrote:
  > OK, I will admit right now I don't fully understand how
  > webaccess and ssl works. In my current setup I used a
  > self-signed key generated and stored in eDir. This key
  > is
  > used in httpd.conf like:
  >
  > SecureListen xxx.yyy.zzz.1:443 "SSL Certificate"
  >
  > I know have my freshly minted ssl cert (filename.crt)
  > from
  > my CA. GHow the heck do I use it. I have search the
  > TIDs
  > and Documentation with no luck, although I may not know
  > exactly what to look for.
  >
  > Can someone either point me towards the correct docs or
  > otherwise instruct on how to set this up???
  >
  > Much thanks, Chris.

• Problem with ssl certificate

  Hello everyone!
  I have a scenario wherein I am trying to connect SRM to a marketsite through XI.
  SRM (Purchase Order) --->  XI (marketplace adapter) ---> Marketsite
  The URL of the marketsite is of the type HTTPS so I am using certificate logon as the method for authentication.
  Please tell me whether this is the right thing to do:
  1. Create a self-signed certificate in the "Key Storage" of the visual administrator.
  2. Export the certificate and have it installed in the marketsite.
  3. Configure the marketplace com. channel in the integration directory to use the private key I used to generate the certificate I sent to the marketsite.
  Having done that, I am get a "server rejected by chain verifier" error in the message monitoring tool.
  Here are some other questions:
  1. Should I create a new View for the certificate and private key, or should I create the certificate in the existing "service_ssl" and rename the new certificate "ssl-credentials-cert" and the private key "ssl_credentials"
  2. Will a self-signed certificate work or do I need to get it signed by a CA before importing the response.
  3. If a self-signed certificate will work, do I need to add another certificate in the "TrustedCAs" view?
  4. If I should import a certificate response from a CA, where can I get the certificate of the CA?
  I know these are a lot of questions, but I'd really appreciate all the help I can get from you guys. Please avoid posting links to other threads as I have pretty much read all of them..
  Warm regards,
  Glenn

  Hi Glenn,
  Let me explain the scenario without client certificate Logon (User and password) first .
  When you want to communicate with marketsite in secure manner, get the certificate of the CA (Certifying Authority) who has signed market site Cert. and add it to Trusted CAs view in Visual Admin of XI. Sometimes it may be a CA certificate chain.
  If that certificate is self-signed, add the market site certificate itself in to Trusted CAS of Vis.Admin of XI.
  Certificate Logon:
  This is for ur (XI servers) Identity to Marketsite.
  In Visual Admin KeyStorage create a view or in any of existing views create a Private Key and Public key (Certificate) pair representing XI Server (CN should be hostname of XI server). Get the public Key signed by CA and import the Certificate in Visual Admin.
  Now in Configuration select view and the Private Key just created for XI's Identity.
  PS: There may be some steps in Marketsite too in case of Certificate logon like Adding XI certificate to something like Trusted CAS of Marketsite.You can get better picture from guys administrating the Marketsite..
  Try these options and post the results in forum.
  Good Luck.
  Regards,
  Sudharshan N A

• ICal server won't work with SSL certificate

  I'm running Leopard Server 10.5.7, and have a GoDaddy SSL certificate installed on the server, which is working fine in Apache, but not for iCal server.
  In the Security Certificates section of Server Admin, the certificate shows up properly with the correct hostname, with the correct authority (i.e. not self-signed). I can use the certificate for one of my SSL websites, and it works fine, no browser errors, all works great.
  However, if I use Server Admin to enable SSL for iCal server and then select my GoDaddy certificate from the "Certificate" dropdown, the dropdown immediately changes to "Custom Configuration." So I save changes and stop/start the iCal service.
  Then I took my iCal clients (which were all working fine without SSL), and in 'Server Settings,' I changed the server address to https (instead of http), and port 8443 (instead of port 8008). But then when I refresh the calendars, iCal throws an error saying:
  "Unexpected secure name resolution error (code -9844). The server name may be incorrect."
  When I set everything back to the way it was before I started, all works fine.
  Anyone have any suggestions?

  Your problem seems similar to this thread:
  http://discussions.apple.com/thread.jspa?threadID=1992033&tstart=0
  There is some contradictory anecdotal information there, however. Tis reply in another thread:
  http://discussions.apple.com/message.jspa?messageID=6288712#6288712
  may hold some answers to your problem. There are two very enlightening articles on AFP548.com regarding certificate issues:
  http://www.afp548.com/article.php?story=20080624005724638
  http://www.afp548.com/article.php?story=20071203011158936
  That might also be of assistance. Then there's this little tidbit:
  http://www.networkjack.info/blog/2007/11/30/ssl-cert-with-subject-alternate-name /
  These may-or-may-not solve theproblem but may provide insight as to why it's happening.

• BingMaps not showing with SSL certificate

  I have recently added SSL certificate to the server for the website I am developing.
  I changed my applications to use  https from http.
  <script type="text/javascript" src="https://ecn.dev.virtualearth.net/mapcontrol/mapcontrol.ashx?v=7.0">
  After changing it from http to https, it is showing a blank page in place of map. The error it says is 
  This page is trying to load scripts from unauthenticated sources
  I had to click on the right top corner shield and allow the browser to run unsafe scripts to get the bingmaps to show up.
  Any ideas on how I can resolve it. I am using ASP.NEt, C#, Javascript and jQuery.
  Thanks in advance.
  Nate

  I had to add &s=1 to run the BingMaps in secure mode
  so, we should use following link to run the bing maps with SSL.
  https://ecn.dev.virtualearth.net/mapcontrol/mapcontrol.ashx?v=7.0&s=1
  Thanks
  Nate

• Webservice with SSL Certificate givivg error

  Hi all,
  I am configuring an abap webservice with client certificate
  I had
  1) installed the sap cryptographic library.
  2) created SSL Server PSE in transaction STRUST
  3)imported the certificate response by CA.
  4)Exported the certificate to local computer.
  5)Added the certificate in mmc under trusted certificate authority.
  but when i am running the endpoint url, i am getting folllowing error
  Error Code: ICF-LE-https-c:800-l:E-T:-C:5-U:4-P:4-L:7
  HTTP 401 - Unauthorized
  Your SAP Internet Communication Framework Team
  Please help me on what step i am missing.
  Thanks,
  Anshul

  You can add FOR TEST your pi userid & passw into enpoint url, like follow:
  &sap-user=<userid>&sap-password=<passw>
  Example:
  http://sapi.sap.com:50xxx/sap/xi/.....&sap-user=donald&sap-password=duck
  ps. Create a Service User into PI System for this. Regarding Role, i'm not a security guru, but i think that SAP_BC_WEBSERVICE_PI_CFG_SRV or SAP_BC_WEBSERVICE_ADMIN roles can be enough for this purpose.

• Securing Portal with SSL/https

  Has anyone successfully setup oracle portal 9.0.2 on solaris running all over secure sockets for both login/server and portal ?
  I've followed the otn documentation but i'm still having problems with gettin portal to work with https.
  It's driving me insane!! please help with any suggestions.
  Kind Regards
  Neil

  Hi,
  We did the following steps and it working :)
  Assuming that HTTPS is correctly working and without security aspects.
  Assuming that the HTTPS is 443
  1) configure Webcache to work on port 443 and link it to the 4444 port of Apache
  1) configure SSO
  I directly change in WWSEC_ENABLER_CONFIG_INFO$ LS_LOGIN_URL to the https URL
  the LSNR_TOKEN has to be like 'myhost' and not 'myhost:port'
  2) Login to SSO and update the HOME, SUCCESS and CANCEL URL of SSO
  to https
  3) register mod_osso against the new SSO Server
  4) register the portal using ptlasst
  (if possible remove the already installed portal)
  beware You might have big trouble with groups you have created.
  5) Add in ORACLE_HOME\j2ee\OC4J_Portal\applications\portal\WEB-INF\web.xml
  <init-param>
  <param-name>httpsports<param-name>
  <param-value>443:4444</param-value>
  </init-param>
  That is it !!!!
  You have also to protect some URL with SSL and
  to redefine some virtual path
  The best test is to stop WebCache to liste http port
  Have fun
  Philippe Camelio
  SysAdmin

• What's the difference with SSL Certificates?

  Hi,
  I need to get an SSL Certificate for my client's online
  store. There are so
  many choices out there ranging from stupidly expensive, down
  to suspiciously
  cheap.
  Can anyone help me sort through the mob and recommend
  something that is
  trustworthy, secure and cheap.
  I'm happy to buy globally, but I'd prefer either a true
  multi-national, or
  an Australian company.
  Thanks,
  B

  Which certificate you choose depends on your intended use for
  the cert. The cheap ones (US $20/year and up) simply assure that
  you control the domain in question. The certificate agency sends an
  email to the administrative contact specified in the domain's Whois
  listing. If they get the appropriate response, the certificate is
  issued. If all you are out to do is establish SSL connections to a
  web site to prevent eavesdropping, this type of certificate is
  fine. There is no difference in the level of security between these
  certificates and fancier offerings as long as both the cert and
  your web server support 256 bit encryption. You can also get a
  certificate that is valid for up to 10 years, so you won't have to
  worry about SSL for a long time. The cheap certificates are not
  recommended for online commerce, as there is no assurance you are
  an actual company. If you go this route, getting a certificate from
  an outfit that supports single root verification greatly eases
  installation on your server. (Translation from geek: A single root
  certificate is inherently trusted by all major browsers. Companies
  such as RapidSSL (cheap), Geotrust and Thawte (not so cheap), and
  Verisign (expensive) all own their root certificates. Many other
  certificate agencies require installing a chain of certificates on
  your server that point back to the trusted root certificate. Use
  Firefox to test your SSL site, as it has the most comprehensive
  certificate validation routines.)
  The next step up are the high assurance certificates. These
  require you to prove that you own or represent the company whose
  domain you are getting a certificate for. The price for these
  certificates ranges from US$100/year to ~$400. The certificate
  company will perform a search on your business or organization, and
  you may be required to submit supporting documentation to prove you
  are who you claim to be. The more expensive flavors of these certs
  usually offer larger guarantees against credit card fraud resulting
  from certificate misuse. These certificates are valid for up to 3
  years.
  Finally, there are the new extended validation certificates.
  These require an in-depth evaluation of your business, including an
  investigation into the overall legitimacy of your corporation.
  Government agencies also qualify. Sole proprietorships and and
  general partnerships are not eligible, although the CA/B says they
  may be in the future. Get one of these and IE users can see the
  navigation bar turn a trustworthy green color. There is also a
  large amount of green involved in purchasing one of these
  certificates, ranging from US$500/year from the cheapie outfits to
  $900/year from Thawte to $1500 per year from Verisign.
  No matter which option you pursue, there are a couple of
  points to be aware of. First, choose a vendor that offers free
  certificate replacement. This protects you in case a change in
  hosting provider or web server invalidates your existing
  certificate. Also, a normal certificate is very specific in terms
  of which domain it supports. For example, a certificate for
  www.domain.com does not work for mail.domain.com, ftp.domain.com,
  or even domain.com. If this is important to you, you can either
  purchase multiple certificates or a wildcard certificate that
  supports any number of subdomains. Wildcard cert prices are
  typically 4-5x higher than for a single cert. Finally, many cert
  companies offer verification seals that you can add to your SSL web
  pages. These allow your clients to click or hover over the seal to
  get a quick verification that your site certificate comes from a
  recognizable brand. Useful, perhaps, if you want to brag that "I
  care enough to purchase certs from Thawte, Network Solutions,
  Geotrust, et. al." or "I'm a penny-pincher and use GoDaddy!"

• Can't get mail to work with SSL certificates

  I'm setting up a 10.5.3 mail server and wanted to enable SSL for SMTP and IMAP.
  It all works fine if I use the Default certificate that the server generates automatically. But if I want to generate a new certificate with a pass phrase it stops working.
  You start seeing errors like the in the system log:
  May 30 18:29:19 megalon postfix/smtpd[1143]: warning: cannot get private key from file /etc/certificates/myserver.mydomain.com.key
  May 30 18:29:19 megalon postfix/smtpd[1143]: warning: TLS library problem: 1143:error:0906406D:PEM routines:DEF_CALLBACK:problems getting password:pem_lib.c:105:
  May 30 18:29:19 megalon postfix/smtpd[1143]: warning: TLS library problem: 1143:error:0906A068:PEM routines:PEMdoheader:bad password read:pem_lib.c:401:
  May 30 18:29:19 megalon postfix/smtpd[1143]: warning: TLS library problem: 1143:error:140B0009:SSL routines:SSLCTX_use_PrivateKeyfile:PEM lib:ssl_rsa.c:709:
  May 30 18:29:19 megalon postfix/smtpd[1147]: warning: cannot get private key from file /etc/certificates/myserver.mydomain.com.key
  May 30 18:29:19 megalon postfix/smtpd[1147]: warning: TLS library problem: 1147:error:0906406D:PEM routines:DEF_CALLBACK:problems getting password:pem_lib.c:105:
  May 30 18:29:19 megalon postfix/smtpd[1147]: warning: TLS library problem: 1147:error:0906A068:PEM routines:PEMdoheader:bad password read:pem_lib.c:401:
  May 30 18:29:19 megalon postfix/smtpd[1147]: warning: TLS library problem: 1147:error:140B0009:SSL routines:SSLCTX_use_PrivateKeyfile:PEM lib:ssl_rsa.c:709:
  Anyone know how to fix this?

  I still think there's something wrong with Server Admin in 10.5 that's stopping this from working.
  I've checked the certificate I'm using on my 10.4.11 mail server and it's key file is encrypted but SMTP mail works fine over SSL. I imported the certificate using Server Admin, I didn't edit the config file manually.
  How would the system be decrypting the key before postfix uses it in 10.4? Any why doesn't this work in 10.5?

• Keep getting security warnings about ssl certificate, forum solutions are not helping so far

  I cannot log onto common websites like mozilla.org , google.com , facebook.com etc. I get an error message saying the "certifcate is not trusted because the user is unknown" i corrected the date and time on my pc and tried the "delete cert8.db file." method can someone suggest anything else to solve the problem. I have ran full pc virus checks and network checks with avast, the only way i can access these sites is with the use of a linux usb boot drive, but with windows it wont let me.

  Also check the date and time and time zone in the clock on your computer: (double) click the clock icon on the Windows Taskbar.
  *https://support.mozilla.org/kb/Secure+Connection+Failed
  ''(I've updated the tags because you posted with Iceweasel on Linux)''

• RDS - External connections only for those with SSL Certifcate - how to accomplish that?

  Hi,
  we have a lot of partners for sales purposes and they need connect to our servers due to ERP access and then input 'sales order' and etc; there is a way to only accept connections from Computers/Tablets with enabled/installed an specific SSL?
  If so, should we buy SSL from a valid external C.A for the server and clients? or just for Clients? or just for the server?
  * I found similiar question but too old: https://social.technet.microsoft.com/Forums/windowsserver/en-US/a254f1d0-43dd-4be3-8fe5-90f9fc97904a/securing-rds-with-ssl-certificate?forum=winserverTS#0f663d6e-aa58-4ad0-a315-b88bb3ec8c27
  tks,
  Renato P

  Hi,
  If you are looking to connect to a particular PC on your home network from outside then follow the steps
  There are six steps you'll need to follow to set this up. Each one is explained in detail below.
  Allow remote connections to the computer you want to access.
  Make sure Remote Desktop is able to communicate through your firewall.
  Find the IP address of the computer on your home network that you want to connect to.
  Open your router's configuration screen and forward TCP port 3389 to the destination computer's IP address.
  Find your router's public IP address so that Remote Desktop can find it on the Internet.
  Open Remote Desktop Connection and connect.(Type in your public IP + the forwarded port to acces the desired PC- public IP : port  )
  If you have already done this and all you want is to decide who access it then give user permission in
  Remote Desktop Users Group.
  Apart using SSL cert you can limit the user access using your firewall/router.
  SSL certificate is required for your server alone.

• Office Web Apps Server SSL Certificate

  Hi
  I am deploying Office Web App Server for Integration with Lync 2013. I opted for secure communication with SSL Certificate. I want this server available to internal and external users.
  I am little confused over CA for Issuance of SSL Certificate. On most of the forums, I found SSL Certificate to be issued by Internal CA. If so, will this also work for external users?
  If not, then plz guide me for Generating Certificate Request on Office Web App Server to be submitted to External CA for Issuance of Certificate.
  Regards.

  Hi,
  Thanks for your posting in this forum.
  I have moved this thread in Lync Server 2013-Management, Planning, and Deployment forum for more dedicated support.
  Thanks for your understanding.
  Best Regards,
  Wendy
  Wendy Li
  TechNet Community Support