Certificate Requirements For Lync 2010 Edge Server


Admins get confused about the certificate requirements for Lync 2010 Edge server, as there are two certs involved. Let me try to clarify what is needed.

As you should know by now, Lync 2010 Edge server needs two NICs – one external (with a DMZ IP) and one internal (with an IP from the internal AD range). It also needs two certificates, one per interface. Following are the points to note before you start playing around with Edge.

External Interface:

  • Good thing is that the Lync Edge Deployment Wizard has a certificate request wizard which will put all the necessary names into the request for you.
  • The certificate that goes on the external interface has to be from a trusted public CA.
  • The certificate should be created as exportable.
  • If you have more than one Edge, all of them should have the same certificate, from the same CA, with the same private key (the A/V authentication service requires it).
  • The common name (subject name) of the cert should be the Access Edge external FQDN or hardware LB VIP (say access.exchangemaster.me). The common name should be present in the subject alternative name list as well.
  • The certificate also needs the Web Conferencing Edge external FQDN or hardware LB VIP (say webconf.exchangemaster.me) in the subject alternative name list.
  • If you need client auto-configuration or federation, you need all the SIP domains you will use (say sip.exchangemaster.me) in the subject alternative name list.
  • You don’t need the A/V authentication service name in the cert. The A/V authentication service only needs a valid public certificate with a private key; it does not use the common name or subject alternative name in the certificate.

Internal Interface:

  • The certificate can be from a public CA or from an internal CA (most likely the latter).
  • The common name should be the Edge internal FQDN or hardware LB VIP.
  • You can use a wildcard certificate for the internal interface.
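To save a round trip with the public CA, it is worth checking a certificate against the rules above before you bind it to an interface. The script below is an added example, not part of the original post or of the Lync deployment tooling; it uses the .NET X509Certificate2 class to read the subject CN and the SAN DNS entries, then checks the external cert (CN is the Access Edge name, CN repeated in the SAN, Web Conferencing name and SIP domains present, chain builds, private key exportable) and the internal cert (CN matches the Edge internal FQDN, with a wildcard accepted). The thumbprints and host names are placeholders for your own environment.

```powershell
# Added example (not from the original post): validate Lync 2010 Edge certificates
# against the external/internal interface rules. Thumbprints and names are placeholders.
Set-StrictMode -Version 2

function Get-SanDnsNames {
    # Returns the DNS entries of the Subject Alternative Name extension (OID 2.5.29.17)
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    # Format() renders the extension as "DNS Name=a.example.com, DNS Name=b.example.com"
    return @($ext.Format($false) -split ',\s*' | ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() })
}

function Test-NameMatch {
    # True when $Name is covered by $Candidate; a leading "*." label is honoured only when allowed
    param([string]$Candidate, [string]$Name, [bool]$AllowWildcard)
    if ($Candidate -ieq $Name) { return $true }
    if (-not ($AllowWildcard -and $Candidate.StartsWith('*.'))) { return $false }
    $suffix = $Candidate.Substring(1)                                   # ".corp.example.com"
    if (-not $Name.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) { return $false }
    $label = $Name.Substring(0, $Name.Length - $suffix.Length)
    return ($label.Length -gt 0 -and -not $label.Contains('.'))        # wildcard covers exactly one label
}

function Test-EdgeCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$ExpectedCn,              # external: Access Edge FQDN/VIP; internal: Edge internal FQDN/VIP
        [string[]]$RequiredSans = @(),    # external: Web Conferencing FQDN/VIP plus every SIP domain
        [switch]$AllowWildcard,           # only acceptable on the internal interface
        [switch]$RequireExportableKey     # external cert must be exportable so every Edge can share it
    )
    $cn   = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $sans = Get-SanDnsNames $Cert
    $r = New-Object System.Collections.Specialized.OrderedDictionary
    $r["CN is $ExpectedCn"]  = Test-NameMatch $cn $ExpectedCn $AllowWildcard
    $r['CN repeated in SAN'] = [bool]($sans | Where-Object { Test-NameMatch $_ $cn $false })
    foreach ($n in $RequiredSans) {
        $r["SAN covers $n"] = [bool]($sans | Where-Object { Test-NameMatch $_ $n $AllowWildcard })
    }
    # A chain that builds on this machine is the minimum for "trusted CA"; public trust is still your call
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $r['Chain builds to a trusted root'] = $chain.Build($Cert)
    if ($RequireExportableKey) {
        $exportable = $false
        if ($Cert.HasPrivateKey -and $Cert.PrivateKey) {
            # CSP-backed RSA keys expose the exportable flag through CspKeyContainerInfo
            $exportable = $Cert.PrivateKey.CspKeyContainerInfo.Exportable
        }
        $r['Private key present and exportable'] = $exportable
    }
    return $r
}

# External certificate, loaded from the computer store by thumbprint (placeholder value)
$external = Get-Item 'Cert:\LocalMachine\My\<thumbprint-of-external-cert>'
Test-EdgeCertificate -Cert $external -ExpectedCn 'access.exchangemaster.me' `
    -RequiredSans @('webconf.exchangemaster.me', 'sip.exchangemaster.me') -RequireExportableKey

# Internal certificate: CN must match the Edge internal FQDN, a wildcard cert is fine here
$internal = Get-Item 'Cert:\LocalMachine\My\<thumbprint-of-internal-cert>'
Test-EdgeCertificate -Cert $internal -ExpectedCn 'edge01.corp.exchangemaster.me' -AllowWildcard
```

Each call returns a name/result table, so a `False` row points straight at the missing SAN entry or the non-exportable key. With several Edge servers, comparing the external certificate's thumbprint on every node is a quick way to confirm they really share the same certificate and private key.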

Yes, you can use the same certificate on your reverse proxy, say a TMG server. But make sure you also add all the Simple URLs and Lync web services URLs to the certificate. Another option is to have one cert for TMG and another for Edge. Hope this helps.

2 Comments

  1. Have you ever thought about writing an e-book or guest authoring on other sites? I have a blog based upon the same ideas you discuss and would love to have you share some stories/information. I know my visitors would enjoy your work. If you’re even remotely interested, feel free to shoot me an e-mail.

  2. Hi Rajith, thank you for your excellent blog post on the Lync Edge configuration. I have followed your article and have successfully implemented the Lync Edge server internally in our environment. I have a question regarding the external certificate: we currently have a public certificate with the subject name (CN) mail.mydomain.com; it has SAN entries for our Exchange environment and our Enterprise Vault public DNS SAN entry. Rather than buy another public cert for the external access (federation etc.), can I just add a sip.mydomain.com SAN entry to the existing public cert? Will my external users be able to access the Edge server with just this entry, or would I need a new public cert with the subject name (CN) sip.mydomain.com? I am currently using one external IP NATed to a public IP which serves as web, A/V and SIP access. Thank you in advance, Derek
