Topic Last Modified: 2011-05-11

Before proceeding, take a minute to map the entries in the table with the FQDNs/IP addresses shown in the Scaled consolidated edge topology (hardware load balanced) figure in Reference Architecture 3: Scaled Consolidated Edge (Hardware Load Balanced) so that the relationships are clear. For example, looking at the Certificates Required for Scaled Consolidated Edge Topology (Hardware Load Balanced) table, notice there is no certificate assigned to the A/V Edge external interface (av.contoso.com) but there is an A/V related certificate (avauth.contoso.net) assigned to the Media Authentication Service.

The certificates listed in the Certificates Required for Scaled Consolidated Edge Topology (Hardware Load Balanced) table are required to support the edge topology shown in the Scaled Consolidated Edge Topology (Hardware Load Balanced) figure. There are three certificates shown for the reverse proxy server to highlight the certificate requirements for dedicated simple URLs (for example https://dial-in.contoso.com). For deployments that have a single pool or where multiple pools share the same dial-in conferencing and meeting simple URLs, you could create a single publishing rule and corresponding certificate. For example, URLs defined in Topology Builder as cs.contoso.com/dialin and cs.contoso.com/meet could share a single publishing rule and certificate with a subject name of cs.contoso.com. For details, see Simple URL Options.

Note:
The Certificates Required for Scaled Consolidated Edge Topology (Hardware Load Balanced) table shows a second SIP entry in the subject alternative name list for reference. For each SIP domain in your organization, you need a corresponding FQDN listed in the certificate subject alternative name list.
Important:
The public certificate used on the Edge interfaces must be created as “exportable” and the same certificate must be assigned to each Edge Server in the pool.

Certificates Required for Scaled Consolidated Edge Topology (Hardware Load Balanced)

Component Subject name Subject alternative name entries/Order Certification authority (CA) Enhanced key usage (EKU) Comments

Scaled consolidated Edge

access.contoso.com

webcon.contoso.com

sip.contoso.com

sip.fabrikam.com

Public

Server*

Assign to the following Edge Server roles on each server in the Edge pool:

External Interface:

SIP Access Edge

Web Conferencing Edge

A/V Edge

Scaled consolidated Edge

lsedge.contoso.net

Not applicable

Private

Server

Assign to the following Edge Server role:

Internal Interface:

Edge

Reverse proxy

lsrp.contoso.com

lsweb-ext.contoso.com

dialin.contoso.com

meet.contoso.com

(Optional): *.contoso.com

Public

Server

Address Book Service, distribution group expansion, and Lync IP device publishing rules. Subject alternative name includes:

External Web Services FQDN

Dial-in conferencing

Online meeting publishing rule

The wildcard replaces both meet and dialin SAN

Next hop pool (on Front End 01)

pool01.contoso.net (on Front End 01)

sip.contoso.com

sip.fabrikam.com

lsweb.contoso.net

lsweb-ext.contoso.com

admin.contoso.com

dialin.contoso.com

meet.contoso.com

fe01.contoso.net

pool01.contoso.net

(Optional): *.contoso.com

Private

Server

Assign to the following servers and roles in the next hop pool:

Front End 01 in Pool01

The wildcard replaces admin, meet and dialin SAN

Next hop pool (on Front End 02)

pool01.contoso.net (on Front End 02)

sip.contoso.com

sip.fabrikam.com

lsweb.contoso.net

lsweb-ext.contoso.com

admin.contoso.com

dialin.contoso.com

fe02.contoso.net

pool01.contoso.net

(Optional): *.contoso.com

Private

Server

Assign to the following servers and roles in the next hop pool:

Front End 02 in Pool01

The wildcard replaces admin, meet and dialin SAN

* Client EKU is required if public internet connectivity with AOL is enabled.