Admins often get confused about the certificate requirements for the Lync 2010 Edge server, because there are two certificates involved. Let me try to clarify what is needed.
As you should know by now, the Lync 2010 Edge server needs two NICs: one external (with a DMZ IP) and one internal (with an IP from the internal AD range). It also needs two certificates, one per interface. The following are the points to note before you start playing around with Edge.
- The good news is that the Lync Edge Deployment Wizard includes a certificate request wizard that puts all the necessary names (URLs) into the request for you.
- The certificate that goes on the external interface has to be from a trusted public CA.
- The certificate should be created with an exportable private key.
- If you have more than one Edge server, all of them should have the same certificate, from the same CA, with the same private key (the A/V Authentication service requires this).
- The common name (subject name) of the cert should be the Access Edge external FQDN or hardware load balancer VIP (say access.exchangemaster.me). The common name should also be present in the subject alternative name (SAN) list.
- The certificate also needs the Web Conferencing Edge external FQDN or hardware load balancer VIP (say webconf.exchangemaster.me) in the SAN list.
- If you need client automatic configuration or federation, you also need all the SIP domains you will use (say sip.exchangemaster.me) in the SAN list.
- You don’t need the A/V Authentication service URL in the cert. The A/V Authentication service only needs a valid public certificate with a private key; it does not use the common name or subject alternative name in the certificate.
- The certificate on the internal interface can be from a public CA or, more likely, from an internal CA.
- Its common name should be the Edge internal FQDN or hardware load balancer VIP.
- You can use a wildcard certificate for the internal interface.
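Because the names are the part people most often get wrong, here is an added example (not code from the original post) that checks a certificate's common name and SAN list against the names listed above for the external interface, and against the Edge internal FQDN for the internal interface, where a wildcard is accepted. It works on the dictionary layout Python's ssl module produces for a certificate (what ssl.SSLSocket.getpeercert() returns); the certificates and the exchangemaster.me host names below are constructed inline for illustration and are assumptions, not real deployments.

```python
"""Check the names on a Lync 2010 Edge certificate against what Edge needs.

Added example, not from the original post.  The certificate dictionaries use
the layout Python's ssl module produces (ssl.SSLSocket.getpeercert()); the
sample certificates and host names are constructed for illustration.
"""


def _common_name(cert):
    """Return the commonName from an ssl-style 'subject' tuple, or None."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value.lower()
    return None


def _san_dns_names(cert):
    """Return the DNS entries of the subjectAltName extension, lower-cased."""
    return [value.lower() for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]


def name_matches(san_entry, host):
    """Match one SAN entry against a host name.

    A wildcard entry such as '*.example.com' covers exactly one extra label
    (host.example.com), never the bare 'example.com' nor a deeper name.
    """
    san_entry, host = san_entry.lower(), host.lower()
    if san_entry == host:
        return True
    if san_entry.startswith("*."):
        suffix = san_entry[1:]                      # ".example.com"
        return host.endswith(suffix) and "." not in host[:-len(suffix)]
    return False


def check_edge_cert(cert, required_names, allow_wildcard=False):
    """Compare a certificate against the names one Edge interface needs.

    Returns a dict: cn, cn_in_san (CN repeated in the SAN list), missing
    (required names no SAN entry covers), wildcard (a wildcard entry was
    usable) and ok (nothing missing and CN present in the SAN list).
    Wildcards are only honoured when allow_wildcard is True, since the
    post permits them on the internal interface only.
    """
    cn = _common_name(cert)
    sans = _san_dns_names(cert)
    if not allow_wildcard:
        sans = [s for s in sans if not s.startswith("*.")]
    missing = [name for name in required_names
               if not any(name_matches(s, name) for s in sans)]
    cn_in_san = cn is not None and any(name_matches(s, cn) for s in sans)
    return {
        "cn": cn,
        "cn_in_san": cn_in_san,
        "missing": missing,
        "wildcard": any(s.startswith("*.") for s in sans),
        "ok": not missing and cn_in_san,
    }


# Names the external Edge certificate must carry (assumed example domain).
EXTERNAL_REQUIRED = [
    "access.exchangemaster.me",   # Access Edge FQDN / LB VIP, also the CN
    "webconf.exchangemaster.me",  # Web Conferencing Edge FQDN / LB VIP
    "sip.exchangemaster.me",      # one entry per SIP domain
]
# Name the internal Edge certificate must carry (assumed internal FQDN).
INTERNAL_REQUIRED = ["edge.internal.exchangemaster.me"]

# Constructed certificates in the ssl.getpeercert() layout.
EXTERNAL_CERT_GOOD = {
    "subject": ((("commonName", "access.exchangemaster.me"),),),
    "subjectAltName": (
        ("DNS", "access.exchangemaster.me"),
        ("DNS", "webconf.exchangemaster.me"),
        ("DNS", "sip.exchangemaster.me"),
    ),
}
# Typical mistake: CN correct but not repeated in the SAN list, and the
# web conferencing name left out.
EXTERNAL_CERT_BAD = {
    "subject": ((("commonName", "access.exchangemaster.me"),),),
    "subjectAltName": (("DNS", "sip.exchangemaster.me"),),
}
# Internal interface: a wildcard from the internal CA is acceptable.
INTERNAL_CERT_WILDCARD = {
    "subject": ((("commonName", "edge.internal.exchangemaster.me"),),),
    "subjectAltName": (("DNS", "*.internal.exchangemaster.me"),),
}

if __name__ == "__main__":
    for label, cert, names, wild in [
        ("external (good)", EXTERNAL_CERT_GOOD, EXTERNAL_REQUIRED, False),
        ("external (bad)", EXTERNAL_CERT_BAD, EXTERNAL_REQUIRED, False),
        ("internal (wildcard)", INTERNAL_CERT_WILDCARD, INTERNAL_REQUIRED, True),
    ]:
        print(label, check_edge_cert(cert, names, allow_wildcard=wild))
```

Running it reports the good external certificate as ok, flags the bad one with access.exchangemaster.me and webconf.exchangemaster.me missing and the CN absent from the SAN list, and accepts the internal wildcard certificate only when wildcards are allowed. To check a certificate you already hold, feed the result of ssl.SSLSocket.getpeercert() (or any dictionary in that layout) to check_edge_cert in place of the constructed samples.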
Yes, you can use the same certificate on your reverse proxy, say a TMG server, but make sure you also add all the simple URLs and Lync web services URLs to the certificate. Another option is to have one cert for TMG and another for Edge. Hope this helps.