
PKI and Certificates in Lync Server 2010

Handling of certificates has greatly improved in Lync Server when compared to OCS.

Firstly, let us look at what certificates are used for in Lync Server.

  • TLS connections between client and server
  • MTLS connections between servers
  • Federation using automatic DNS discovery of partners
  • Remote user access for instant messaging (IM)
  • External user access to audio/video (A/V) sessions, application sharing, and conferencing

Roles with an externally facing interface (the Edge Server external interface and the reverse proxy) need certificates issued by a public Certificate Provider, because remote clients and federated partners must already trust the issuer. Internal roles, and the Edge Server internal interface, can use certificates issued from an internal CA as long as every Lync server and internal client trusts that CA.

Microsoft has verified a number of Certificate Providers who issue (sell) public certificates that are UC compatible; the current list is available here

Certificates for Internal Servers


Certificates for Standard Edition Server

Default
  Subject name / Common name: FQDN of the pool
  Subject alternative name:   FQDN of the pool and the FQDN of the server
  Example:                    SN=se01.contoso.com; SAN=se01.contoso.com
  Comments:                   On a Standard Edition server the server FQDN is the same as the pool FQDN. The wizard detects any SIP domains you specified during setup and automatically adds them to the SAN.

Web internal
  Subject name / Common name: FQDN of the server
  Subject alternative name:   each of the internal web FQDN and the simple URLs
  Example:                    SN=se01.contoso.com; SAN=se01.contoso.com; SAN=meet.contoso.com; SAN=meet.fabrikam.com; SAN=dialin.contoso.com; SAN=admin.contoso.com
  Comments:                   The internal web FQDN cannot be overridden in Topology Builder.

Web external
  Subject name / Common name: FQDN of the server
  Subject alternative name:   each of the external web FQDN and the simple URLs
  Example:                    SN=se01.contoso.com; SAN=webcon01.contoso.com; SAN=meet.contoso.com; SAN=meet.fabrikam.com; SAN=dialin.contoso.com
  Comments:                   If you have multiple Meet simple URLs, you must include all of them as SAN entries. The Admin simple URL is not on this certificate because it is never published externally.

Certificates for Front End Server in a Front End Pool

Default
  Subject name / Common name: FQDN of the pool
  Subject alternative name:   FQDN of the pool and the FQDN of the server
  Example:                    SN=eepool.contoso.com; SAN=eepool.contoso.com; SAN=ee01.contoso.com
  Comments:                   The wizard detects any SIP domains you specified during setup and automatically adds them to the SAN. Each Front End Server in the pool gets its own certificate carrying its own server FQDN.

Web internal
  Subject name / Common name: FQDN of the server
  Subject alternative name:   each of the internal web FQDN and the simple URLs
  Example:                    SN=ee01.contoso.com; SAN=ee01.contoso.com; SAN=meet.contoso.com; SAN=meet.fabrikam.com; SAN=dialin.contoso.com; SAN=admin.contoso.com
  Comments:                   The internal web FQDN cannot be overridden in Topology Builder.

Web external
  Subject name / Common name: FQDN of the server
  Subject alternative name:   each of the external web FQDN and the simple URLs
  Example:                    SN=ee01.contoso.com; SAN=webcon01.contoso.com; SAN=meet.contoso.com; SAN=meet.fabrikam.com; SAN=dialin.contoso.com
  Comments:                   If you have multiple Meet simple URLs, you must include all of them as SAN entries.

Certificates for Director

Default
  Subject name / Common name: FQDN of the Director pool
  Subject alternative name:   FQDN of the Director pool and the FQDN of the Director
  Example:                    SN=dir-pool.contoso.com; SAN=dir-pool.contoso.com; SAN=dir01.contoso.com

Web internal
  Subject name / Common name: FQDN of the server
  Subject alternative name:   each of the internal web FQDN and the simple URLs
  Example:                    SN=dir01.contoso.com; SAN=dir01.contoso.com; SAN=meet.contoso.com; SAN=meet.fabrikam.com; SAN=dialin.contoso.com; SAN=admin.contoso.com

Web external
  Subject name / Common name: FQDN of the server
  Subject alternative name:   each of the external web FQDN and the simple URLs
  Example:                    SN=dir01.contoso.com; SAN=directorwebcon01.contoso.com; SAN=meet.contoso.com; SAN=meet.fabrikam.com; SAN=dialin.contoso.com
  Comments:                   The Director external web FQDN must be different from that of the Front End pool or Front End Server.

Certificates for External Servers


Certificates for Edge

Default (external interface)
  Subject name / Common name: FQDN of the Access Edge
  Subject alternative name:   FQDN of the Access Edge, FQDN of the Web Conferencing Edge, and sip.<SIP domain> for each SIP domain
  Example:                    SN=access.contoso.com; SAN=access.contoso.com; SAN=webcon.contoso.com; SAN=sip.contoso.com; SAN=sip.fabrikam.com
  Comments:                   Issued by a public Certificate Provider, since external clients and federated partners must trust it. In an Edge pool the same certificate (and therefore an exportable private key) is used on every Edge Server.

Internal interface
  Subject name / Common name: FQDN of the Edge internal interface
  Subject alternative name:   none
  Example:                    SN=lsedge.contoso.com
  Comments:                   Normally issued by the internal CA. This is the certificate the Front End Servers and Directors validate for the MTLS connection to the Edge, so its issuer must be trusted by those servers.


 

Certificates for Reverse Proxy

Default
  Subject name / Common name: external web services FQDN of the pool
  Subject alternative name:   external web services FQDN of the pool and the simple URLs
  Example:                    SN=webext.contoso.com; SAN=webext.contoso.com; SAN=meet.contoso.com; SAN=dialin.contoso.com
  Comments:                   Issued by a public Certificate Provider. Include every Meet simple URL if you have more than one SIP domain. The Admin simple URL is deliberately absent: the Lync Control Panel is not published through the reverse proxy.


 

Wildcard certificates are supported, but with a number of caveats and limitations. These limitations are not explicitly documented, but Jeff Schertz has pulled together the available information and shows that in practice wildcard certificates are of little benefit in Lync. A wildcard also widens the blast radius: one private key then protects every host name in the domain, including names that have nothing to do with Lync. The same article has a very good explanation of how certificate requests are handled in Lync 2010, and describes the Request-CsCertificate PowerShell cmdlet in detail.

Viewing the certificates assigned in Lync 2010 takes a little work, which is documented on Inside OCS: you either re-run the Certificate Wizard from the Deployment Wizard, or use PowerShell: Get-CsCertificate | Format-List -Property *

The Powershell cmdlets available to manage certificates in Lync are:

Cmdlet

Description

Get-CsCertificate

Returns information about certificates on the local computer that have been configured for use with Microsoft Lync Server 2010.

Import-CsCertificate

Imports a certificate for use with Microsoft Lync Server 2010. If a certificate is not acquired by using the Request-CsCertificate cmdlet, then that certificate must be imported before it can be assigned to a Lync Server 2010 server role.

Remove-CsCertificate

Removes a certificate previously marked as being available for use by Microsoft Lync Server 2010.

Request-CsCertificate

Provides a way to request certificates for use with servers running Microsoft Lync Server 2010 and server roles. Also provides a way to check the status of existing certificate requests and, if needed, to cancel any (or all) of those requests.

Set-CsCertificate

Enables you to assign a certificate to a Microsoft Lync Server 2010 server or server role.

Test-CsCertificateConfiguration

Returns information about the Microsoft Lync Server 2010 certificates being used on the local computer.
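Putting the cmdlets together, here is an added example (it is not code from the original page or from Microsoft) that requests one certificate for the Default, internal and external web services uses on a Front End Server, checks its SAN coverage and key against the tables above before assigning it, and then shows what Lync has recorded. The CA name, SIP domains, pool and external web FQDNs and simple URL hosts are assumptions taken from the examples in the tables; adjust them to your topology.

```powershell
# Added example, not code from the original page or from Microsoft: request, validate,
# assign and report a Front End certificate from the Lync Server Management Shell.
# Every name below is an assumption matching the examples in the tables above.
Import-Module Lync

$ca              = "ca01.contoso.com\ContosoCA"                  # assumed internal CA (host\CA name)
$sipDomains      = @("contoso.com", "fabrikam.com")             # assumed SIP domains
$poolFqdn        = "eepool.contoso.com"                         # assumed pool FQDN
$externalWebFqdn = "webcon01.contoso.com"                       # assumed external web services FQDN
$simpleUrlHosts  = @("meet.contoso.com", "meet.fabrikam.com",
                     "dialin.contoso.com", "admin.contoso.com") # assumed simple URL hosts
$serverFqdn      = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName.ToLower()
$friendly        = "Lync FE " + (Get-Date -Format "yyyyMMdd")

function Get-SanDnsNames([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # 2.5.29.17 is the Subject Alternative Name extension; Format($true) gives one "DNS Name=x" per line
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if (-not $ext) { return @() }
    ($ext.Format($true) -split "`r?`n") | ForEach-Object {
        if ($_ -match '^\s*DNS Name=(.+)$') { $Matches[1].Trim().ToLower() }
    }
}

function Test-LyncCertificate($Cert, [string[]]$ExpectedNames) {
    # Returns a list of findings; an empty list means the certificate is fit to assign
    $findings = @()
    $san = @(Get-SanDnsNames $Cert)
    foreach ($name in $ExpectedNames) {
        if ($san -notcontains $name.ToLower()) { $findings += "missing SAN entry: $name" }
    }
    # Wildcards are of little use in Lync and make one key cover every host in the domain
    foreach ($w in ($san | Where-Object { $_ -match '^\*\.' })) { $findings += "wildcard SAN entry: $w" }
    if (-not $Cert.HasPrivateKey)                  { $findings += "no private key in the local machine store" }
    if ($Cert.PublicKey.Key.KeySize -lt 2048)      { $findings += "key size $($Cert.PublicKey.Key.KeySize) is below 2048" }
    if ($Cert.NotAfter -lt (Get-Date).AddDays(30)) { $findings += "certificate expires $($Cert.NotAfter)" }
    return $findings
}

# 1. One online request for all three internal uses, which is what the certificate
#    wizard does by default. -AllSipDomain adds sip.<domain> for every SIP domain in
#    the topology; pool, server and simple URL names are taken from the topology.
Request-CsCertificate -New -Type Default,WebServicesInternal,WebServicesExternal `
    -CA $ca -FriendlyName $friendly -AllSipDomain -PrivateKeyExportable $true -KeySize 2048 | Out-Null

# 2. Pick the issued certificate out of the machine store by its friendly name
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq $friendly } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with friendly name '$friendly' was issued; check the CA and template" }

# 3. Validate before assigning: a missing SAN shows up later as TLS failures, not now
$expected = @($poolFqdn, $serverFqdn, $externalWebFqdn) +
            ($sipDomains | ForEach-Object { "sip.$_" }) + $simpleUrlHosts
$problems = @(Test-LyncCertificate -Cert $cert -ExpectedNames $expected)
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Certificate $($cert.Thumbprint) not assigned"
}

# 4. Assign it to the three uses, then confirm from Lync's point of view
Set-CsCertificate -Type Default,WebServicesInternal,WebServicesExternal -Thumbprint $cert.Thumbprint
Get-CsCertificate | Format-List Use, Subject, Thumbprint, NotAfter
Test-CsCertificateConfiguration
```

For the Edge external and reverse proxy certificates, which come from a public Certificate Provider, the same Request-CsCertificate cmdlet writes an offline request file with -Output, and the issued certificate is brought back in with Import-CsCertificate -Path before Set-CsCertificate assigns it; the SAN check above applies unchanged, with the expected list built from the Edge or reverse proxy table instead.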


 

DNS in Lync Server 2010


Correct configuration of DNS is key to a usable and stable Lync deployment. Lync Server relies on DNS:

  • To discover internal servers or pools for server-to-server communications.
  • To allow clients to discover the Front End pool or Standard Edition server used for various SIP transactions.
  • To allow unified communications (UC) devices that are not logged on to discover the Front End pool or Standard Edition server running Device Update Web Service, obtain updates, and send logs.
  • To allow external servers and clients to connect to Edge Servers or the HTTP reverse proxy for instant messaging (IM) or conferencing.
  • To allow external UC devices to connect to Device Update Web Service through Edge Servers or the HTTP reverse proxy and obtain updates.

 

Standard Edition Server

  • An internal A record that resolves the fully qualified domain name (FQDN) of the server to its IP address.

Enterprise Edition Pool (with DNS Load Balancing)

  • A set of internal A records that resolve the FQDN of the pool to the IP address of each Front End Server in the pool. There must be one A record, all with the same pool name, for each server in the pool.
  • An internal A record for the FQDN of each deployed Front End Server.
  • A separate A record (not the pool record) for the internal web services FQDN that points to the VIP of the hardware load balancer. DNS load balancing only covers SIP traffic; HTTP/HTTPS traffic to the pool's Web Services still needs a hardware load balancer.

Enterprise Edition Pool (with Hardware Load Balancing)

  • An internal A record that resolves the FQDN of the Front End pool to the virtual IP (VIP) address of the load balancer.

DNS records for automatic client sign-in

  • An SRV record _sipinternaltls._tcp.<SIP domain> over port 5061 whose target is the pool FQDN, e.g. _sipinternaltls._tcp.contoso.com pointing to pool01.contoso.com. The target must share the DNS suffix of the SIP domain: a target in an unrelated domain makes the Lync client raise a certificate trust warning at sign-in unless that domain is added to the client's TrustModelData policy.

Device Update Web Service discovery by UC devices

  • An internal A record with the name ucupdates-r2.<SIP domain> that resolves to the IP address of the Front End pool (or Standard Edition server) that hosts the Device Update Web Service.

DNS records for Simple URLs

  • Refer to the blog post on SimpleURLs here

 


 

Standard Edition Server

Function                                        Record    Entry                               Value               Int/Ext
Automatic client sign-in                        SRV 5061  _sipinternaltls._tcp.contoso.com    pool01.contoso.com  Int
Server/pool discovery                           A         pool01.contoso.com                  192.168.6.1         Int
Device Update Web Service                       A         ucupdates-r2.contoso.com            192.168.6.1         Int
Time server                                     SRV 123   _ntp._udp.contoso.com               dc.contoso.com      Int
Simple URL (Meet)                               A         meet.contoso.com                    192.168.6.1         Int
Simple URL (Dial-in)                            A         dialin.contoso.com                  192.168.6.1         Int
Simple URL (Admin)                              A         admin.contoso.com                   192.168.6.1         Int
Edge internal interface                         A         lsedge.contoso.com                  10.2.2.1            Int
External client sign-in over TLS                SRV 443   _sip._tls.contoso.com               access.contoso.com  Ext
SIP Access Edge external interface              A         access.contoso.com                  10.1.2.1            Ext
Web Conferencing Edge external interface        A         webcon.contoso.com                  10.1.2.2            Ext
A/V Edge external interface                     A         av.contoso.com                      10.1.2.3            Ext
Federation                                      SRV 5061  _sipfederationtls._tcp.contoso.com  access.contoso.com  Ext
Simple URL (Meet)                               A         meet.contoso.com                    10.1.2.4            Ext
Simple URL (Dial-in)                            A         dialin.contoso.com                  10.1.2.4            Ext
Address Book etc. via reverse proxy             A         lsrp.contoso.com                    10.1.2.4            Ext
Lync Web Services published via reverse proxy   A         lsweb-ext.contoso.com               10.1.2.4            Ext

Note: In these examples the Standard Edition Lync Server address is 192.168.6.1, the Edge Server has external addresses 10.1.2.1 to 10.1.2.3 and internal address 10.2.2.1, and the reverse proxy is 10.1.2.4. The Admin simple URL is deliberately absent from the external view.

Internal DNS entries for Standard Edition Server; external DNS entries for consolidated Edge



 

Enterprise Pool (DNS Load Balancing)

Function                                        Record    Entry                               Value               Int/Ext
Automatic client sign-in                        SRV 5061  _sipinternaltls._tcp.contoso.com    pool01.contoso.com  Int
Server/pool discovery (one A record per FE)     A         pool01.contoso.com                  192.168.6.1         Int
Server/pool discovery (one A record per FE)     A         pool01.contoso.com                  192.168.6.2         Int
Server/pool discovery (one A record per FE)     A         pool01.contoso.com                  192.168.6.3         Int
Server access                                   A         ls01.contoso.com                    192.168.6.1         Int
Server access                                   A         ls02.contoso.com                    192.168.6.2         Int
Server access                                   A         ls03.contoso.com                    192.168.6.3         Int
Web Services (internal web FQDN, HLB VIP)       A         webcon.contoso.com                  192.168.6.10        Int
Device Update Web Service                       A         ucupdates-r2.contoso.com            192.168.6.10        Int
Time server                                     SRV 123   _ntp._udp.contoso.com               dc.contoso.com      Int
Simple URL (Meet)                               A         meet.contoso.com                    192.168.6.10        Int
Simple URL (Dial-in)                            A         dialin.contoso.com                  192.168.6.10        Int
Simple URL (Admin)                              A         admin.contoso.com                   192.168.6.10        Int
Edge internal interface                         A         lsedge.contoso.com                  10.2.2.1            Int
External client sign-in over TLS                SRV 443   _sip._tls.contoso.com               access.contoso.com  Ext
SIP Access Edge external interface              A         access.contoso.com                  10.1.2.1            Ext
Web Conferencing Edge external interface        A         webcon.contoso.com                  10.1.2.2            Ext
A/V Edge external interface                     A         av.contoso.com                      10.1.2.3            Ext
Federation                                      SRV 5061  _sipfederationtls._tcp.contoso.com  access.contoso.com  Ext
Simple URL (Meet)                               A         meet.contoso.com                    10.1.2.4            Ext
Simple URL (Dial-in)                            A         dialin.contoso.com                  10.1.2.4            Ext
Address Book etc. via reverse proxy             A         lsrp.contoso.com                    10.1.2.4            Ext
Lync Web Services published via reverse proxy   A         lsweb-ext.contoso.com               10.1.2.4            Ext

Note: In these examples the Enterprise Edition Front End Servers are 192.168.6.1 to 192.168.6.3, the hardware load balancer (HLB) has a VIP of 192.168.6.10, the Edge Server has external addresses 10.1.2.1 to 10.1.2.3 and internal address 10.2.2.1, and the reverse proxy is 10.1.2.4. With DNS load balancing the pool name has one A record per Front End Server, but all HTTP/HTTPS records (Web Services, Device Update and the simple URLs) still point at the HLB VIP. The internal web services name webcon.contoso.com is the same as the Web Conferencing Edge external name in this example; if you run split-brain DNS pick a distinct internal name (the certificate tables above use webcon01.contoso.com for the external web FQDN) so the two never collide.

Internal DNS entries for Enterprise Edition pool with DNS Load Balancing



Enterprise Pool (HLB Load Balancing)

Function                                        Record    Entry                               Value               Int/Ext
Automatic client sign-in                        SRV 5061  _sipinternaltls._tcp.contoso.com    pool01.contoso.com  Int
Server/pool discovery (HLB VIP)                 A         pool01.contoso.com                  192.168.6.10        Int
Server access                                   A         ls01.contoso.com                    192.168.6.1         Int
Server access                                   A         ls02.contoso.com                    192.168.6.2         Int
Server access                                   A         ls03.contoso.com                    192.168.6.3         Int
Web Services (HLB VIP)                          A         webcon.contoso.com                  192.168.6.10        Int
Device Update Web Service                       A         ucupdates-r2.contoso.com            192.168.6.10        Int
Time server                                     SRV 123   _ntp._udp.contoso.com               dc.contoso.com      Int
Simple URL (Meet)                               A         meet.contoso.com                    192.168.6.10        Int
Simple URL (Dial-in)                            A         dialin.contoso.com                  192.168.6.10        Int
Simple URL (Admin)                              A         admin.contoso.com                   192.168.6.10        Int
Edge internal interface                         A         lsedge.contoso.com                  10.2.2.1            Int
External client sign-in over TLS                SRV 443   _sip._tls.contoso.com               access.contoso.com  Ext
SIP Access Edge external interface              A         access.contoso.com                  10.1.2.1            Ext
Web Conferencing Edge external interface        A         webcon.contoso.com                  10.1.2.2            Ext
A/V Edge external interface                     A         av.contoso.com                      10.1.2.3            Ext
Federation                                      SRV 5061  _sipfederationtls._tcp.contoso.com  access.contoso.com  Ext
Simple URL (Meet)                               A         meet.contoso.com                    10.1.2.4            Ext
Simple URL (Dial-in)                            A         dialin.contoso.com                  10.1.2.4            Ext
Address Book etc. via reverse proxy             A         lsrp.contoso.com                    10.1.2.4            Ext
Lync Web Services published via reverse proxy   A         lsweb-ext.contoso.com               10.1.2.4            Ext

Note: In these examples the Enterprise Edition Front End Servers are 192.168.6.1 to 192.168.6.3, the hardware load balancer (HLB) has a VIP of 192.168.6.10, the Edge Server has external addresses 10.1.2.1 to 10.1.2.3 and internal address 10.2.2.1, and the reverse proxy is 10.1.2.4. The only difference from the DNS load balancing table is the pool record: with an HLB it resolves to the VIP rather than to each Front End Server.

Internal DNS entries for Enterprise Pool using Hardware Load Balancing
Official documentation on Technet
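Because most sign-in and federation failures trace back to one of these records, it is worth checking them from both DNS views rather than trusting the zone file. The following is an added example (not from the original page) that verifies the records in the tables above resolve to the expected values, and flags two mistakes a practitioner should look for: an SRV target outside the SIP domain, and the Admin simple URL leaking into external DNS. It needs Resolve-DnsName from the DnsClient module (Windows 8 / Server 2012 or later); on a Server 2008 R2 Lync box use nslookup by hand. The SIP domain, expected values and the two resolver addresses are assumptions taken from the Standard Edition example.

```powershell
# Added example, not from the original page: compare live DNS answers with the
# expected records from the Standard Edition table. Resolver addresses and the
# expected values are assumptions matching the examples above.
$sipDomain   = "contoso.com"
$internalDns = "192.168.6.250"   # assumed internal DNS server
$externalDns = "203.0.113.53"    # assumed resolver that sees the public zone

# Expected records, constructed from the Standard Edition table (internal view first)
$expected = @(
    @{ View="Int"; Type="SRV"; Name="_sipinternaltls._tcp.$sipDomain";   Target="pool01.contoso.com"; Port=5061 },
    @{ View="Int"; Type="A";   Name="pool01.contoso.com";                Target="192.168.6.1" },
    @{ View="Int"; Type="A";   Name="ucupdates-r2.$sipDomain";           Target="192.168.6.1" },
    @{ View="Int"; Type="A";   Name="meet.contoso.com";                  Target="192.168.6.1" },
    @{ View="Int"; Type="A";   Name="dialin.contoso.com";                Target="192.168.6.1" },
    @{ View="Int"; Type="A";   Name="admin.contoso.com";                 Target="192.168.6.1" },
    @{ View="Int"; Type="A";   Name="lsedge.contoso.com";                Target="10.2.2.1" },
    @{ View="Ext"; Type="SRV"; Name="_sip._tls.$sipDomain";              Target="access.contoso.com"; Port=443 },
    @{ View="Ext"; Type="SRV"; Name="_sipfederationtls._tcp.$sipDomain"; Target="access.contoso.com"; Port=5061 },
    @{ View="Ext"; Type="A";   Name="access.contoso.com";                Target="10.1.2.1" },
    @{ View="Ext"; Type="A";   Name="webcon.contoso.com";                Target="10.1.2.2" },
    @{ View="Ext"; Type="A";   Name="av.contoso.com";                    Target="10.1.2.3" },
    @{ View="Ext"; Type="A";   Name="meet.contoso.com";                  Target="10.1.2.4" },
    @{ View="Ext"; Type="A";   Name="dialin.contoso.com";                Target="10.1.2.4" }
)

function Test-LyncDnsRecord($Record, [string]$Server) {
    # Returns a finding string, or $null when the record is as expected
    $label   = "$($Record.View) $($Record.Type) $($Record.Name)"
    $answers = Resolve-DnsName -Name $Record.Name -Type $Record.Type -Server $Server -DnsOnly -ErrorAction SilentlyContinue
    if (-not $answers) { return "${label}: no answer from $Server" }

    if ($Record.Type -eq "SRV") {
        $srv = @($answers | Where-Object { $_.Type -eq "SRV" })
        $hit = $srv | Where-Object { $_.NameTarget -eq $Record.Target -and $_.Port -eq $Record.Port }
        if (-not $hit) {
            $got = ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ", "
            return "${label}: expected $($Record.Target):$($Record.Port), got $got"
        }
        # Lync clients only trust an SRV target whose DNS suffix matches the SIP domain;
        # anything else produces a certificate trust warning unless TrustModelData allows it
        if ($Record.Target -notlike "*.$sipDomain") {
            return "${label}: target $($Record.Target) is outside $sipDomain; clients will warn at sign-in"
        }
        return $null
    }

    $ips = @($answers | Where-Object { $_.Type -eq "A" } | ForEach-Object { $_.IPAddress })
    if ($ips -notcontains $Record.Target) { return "${label}: expected $($Record.Target), got $($ips -join ', ')" }
    return $null
}

$findings = @()
foreach ($rec in $expected) {
    $server = if ($rec.View -eq "Int") { $internalDns } else { $externalDns }
    $f = Test-LyncDnsRecord -Record $rec -Server $server
    if ($f) { $findings += $f }
}

# The Admin simple URL must exist only in internal DNS; it is never published externally
if (Resolve-DnsName -Name "admin.contoso.com" -Type A -Server $externalDns -DnsOnly -ErrorAction SilentlyContinue) {
    $findings += "Ext A admin.contoso.com: resolvable from the public zone; the Admin URL must stay internal"
}

if ($findings.Count -eq 0) { Write-Host "All expected DNS records are present and correct" }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

For an Enterprise Edition pool, swap in the pool table: with DNS load balancing the pool01.contoso.com entry expects all three Front End addresses, with an HLB it expects the VIP, and the web services and simple URL records expect the VIP in both cases.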

Lync 2010 SimpleURLs

One of the changes that Microsoft made when they were developing Lync Server 2010 was to implement a method of providing URLs to access the system that was much simpler than in OCS 2007. The new method is called SimpleURLs.

There are three URLs that need to be published, namely Meet, Dial-in and Admin.

The Meet URL is used for all conferences and is in the format of https://meet.contoso.com/username/meetingID.

The Dial-in URL allows access to the Dial-in conference webpage which displays dial-in conference numbers, DTMF controls and allows management of PINs and is in the format of https://dialin.contoso.com.

The Admin URL allows access to the Lync Server Control Panel and is in the format https://admin.contoso.com. It is only for access from within the organisation: publish it in internal DNS only and do not expose it through the reverse proxy, which is why it appears in the internal web services certificates above but not in the external web services or reverse proxy certificates.

SimpleURLs can exist at both the Global and the site level. They are configured in Topology Builder or with the PowerShell Set-CsSimpleUrlConfiguration cmdlet (a site-level collection is created first with New-CsSimpleUrlConfiguration). Overall, the method to use these cmdlets is:

# Create the URL entry, wrap it in a simple URL object for the Meet component of contoso.com, then add it to the Global collection
$newUrlEntry = New-CsSimpleUrlEntry -Url "https://meet.contoso.com"

# -SimpleUrl is the list of entries; -ActiveUrl is the one the clients are given, and must be one of them
$newUrl = New-CsSimpleUrl -Component "meet" -Domain "contoso.com" -SimpleUrl $newUrlEntry -ActiveUrl "https://meet.contoso.com"

Set-CsSimpleUrlConfiguration -Identity Global -SimpleUrl @{Add=$newUrl}


 

A Meet URL is configured for each SIP domain in the organisation, but only a single Dial-in URL and a single Admin URL are required.

There are three options on how to configure the SimpleURLs and the choice has implications for DNS records and Certificates.

Simple URL Naming Option 1

Meet
  Example:      https://meet.contoso.com, https://meet.fabrikam.com, and so on (one for each SIP domain in your organization)
  DNS:          one A record per SIP domain
  Certificates: each Meet URL must be a SAN entry

Dial-in
  Example:      https://dialin.contoso.com
  DNS:          one A record
  Certificates: SAN entry required

Admin
  Example:      https://admin.contoso.com
  DNS:          one A record (internal DNS only)
  Certificates: SAN entry required (internal web services certificate only)


 

Simple URL Naming Option 2

Meet
  Example:      https://lync.contoso.com/Meet, https://lync.fabrikam.com/Meet, and so on (one for each SIP domain in your organization)
  DNS:          one A record per SIP domain (lync.contoso.com, lync.fabrikam.com, and so on)
  Certificates: the host of each Meet URL must be a SAN entry

Dial-in
  Example:      https://lync.contoso.com/Dialin
  DNS:          none beyond the lync.contoso.com record already required for Meet
  Certificates: none beyond the lync.contoso.com SAN entry already required for Meet

Admin
  Example:      https://lync.contoso.com/Admin
  DNS:          none beyond the lync.contoso.com record already required for Meet
  Certificates: none beyond the lync.contoso.com SAN entry already required for Meet


 

Simple URL Naming Option 3

Meet
  Example:      https://lync.contoso.com/contosoSIPdomain/Meet, https://lync.contoso.com/fabrikamSIPdomain/Meet
  DNS:          one A record (lync.contoso.com)
  Certificates: a single SAN entry (lync.contoso.com)

Dial-in
  Example:      https://lync.contoso.com/Dialin
  DNS:          none beyond the lync.contoso.com record
  Certificates: none beyond the lync.contoso.com SAN entry

Admin
  Example:      https://lync.contoso.com/Admin
  DNS:          none beyond the lync.contoso.com record
  Certificates: none beyond the lync.contoso.com SAN entry


 

Changing SimpleURLs may require DNS and certificate changes. Whenever you change a simple URL name you must also run Enable-CsComputer on each Director and Front End Server to register the change.

SimpleURLs are limited to a-z, A-Z, 0-9, and the dot (.)
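The snippet earlier in this section covers a single Option 1 Meet URL at the Global scope. As an added example (not code from the original page or from Microsoft), here is the Option 2 layout configured at a site for two SIP domains, including the Dial-in and Admin URLs, which use the wildcard domain "*" because they are organisation-wide; it validates the host names against the character restriction above before writing anything, lists the distinct hosts that need an A record and a SAN entry, and finishes with Enable-CsComputer. The site identity, SIP domains and shared host name are assumptions.

```powershell
# Added example, not from the original page: Option 2 simple URLs for one site.
# Site identity, SIP domains and the shared host are assumptions.
Import-Module Lync

$site       = "site:London"                      # assumed site; use "Global" for the global scope
$sipDomains = @("contoso.com", "fabrikam.com")   # assumed SIP domains
$shared     = "lync.contoso.com"                 # host used by the single Dial-in and Admin URLs

function New-LyncSimpleUrl([string]$Component, [string]$Domain, [string]$Url) {
    # A simple URL holds a list of entries plus the one entry that is currently active
    $entry = New-CsSimpleUrlEntry -Url $Url
    New-CsSimpleUrl -Component $Component -Domain $Domain -SimpleUrl $entry -ActiveUrl $Url
}

$urls = @()
foreach ($d in $sipDomains) {                    # one Meet URL per SIP domain
    $urls += New-LyncSimpleUrl -Component "Meet" -Domain $d -Url "https://lync.$d/Meet"
}
# Dial-in and Admin (component "Cscp") are organisation-wide, so their Domain is "*"
$urls += New-LyncSimpleUrl -Component "Dialin" -Domain "*" -Url "https://$shared/Dialin"
$urls += New-LyncSimpleUrl -Component "Cscp"   -Domain "*" -Url "https://$shared/Admin"

# Host names may only contain letters, digits and dots; fail before touching the CMS
foreach ($u in $urls) {
    $hostName = ([System.Uri]$u.ActiveUrl).Host
    if ($hostName -notmatch '^[A-Za-z0-9.]+$') { throw "Illegal simple URL host '$hostName'" }
}

# A site-level collection must exist before it can be set; Replace overwrites the whole list at that scope
if (-not (Get-CsSimpleUrlConfiguration -Identity $site -ErrorAction SilentlyContinue)) {
    New-CsSimpleUrlConfiguration -Identity $site | Out-Null
}
Set-CsSimpleUrlConfiguration -Identity $site -SimpleUrl @{Replace=$urls}

# Review what was stored, then list the distinct hosts: each needs one A record and one SAN entry
$stored = Get-CsSimpleUrlConfiguration -Identity $site | Select-Object -ExpandProperty SimpleUrl
$stored | Format-Table Component, Domain, ActiveUrl -AutoSize
$hosts = $stored | ForEach-Object { ([System.Uri]$_.ActiveUrl).Host.ToLower() } | Sort-Object -Unique
Write-Host "Hosts needing an A record and a SAN entry: $($hosts -join ', ')"

# The change is only registered once this has run on every Front End Server and Director
Enable-CsComputer -Verbose
```

With Option 2 the distinct hosts come out as lync.contoso.com and lync.fabrikam.com, which is exactly the DNS and certificate footprint the Option 2 table describes; the Admin URL shares lync.contoso.com here, so keep in mind that the host is then also reachable externally and the Control Panel path must still not be published through the reverse proxy.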

Some of the information in this post and a lot more besides is from Joe Calev's blog entry on the Complexities of SimpleURLs and the official Technet documentation.