Topic Last Modified: 2011-05-11
Before proceeding, take a minute to map the entries in the table to the FQDNs and IP addresses shown in the Scaled consolidated edge topology (hardware load balanced) figure in Reference Architecture 3: Scaled Consolidated Edge (Hardware Load Balanced) so that the relationships are clear. For example, looking at the Certificates Required for Scaled Consolidated Edge Topology (Hardware Load Balanced) table, notice that no certificate is assigned to the A/V Edge external interface (av.contoso.com) itself, but that an A/V-related certificate (avauth.contoso.net) is assigned to the Media Authentication Service.
The certificates listed in the Certificates Required for Scaled Consolidated Edge Topology (Hardware Load Balanced) table are required to support the edge topology shown in the Scaled Consolidated Edge Topology (Hardware Load Balanced) figure. Three certificates are shown for the reverse proxy server to highlight the certificate requirements for dedicated simple URLs (for example, https://dialin.contoso.com). For deployments with a single pool, or where multiple pools share the same dial-in conferencing and meeting simple URLs, you can create a single publishing rule and a corresponding certificate. For example, URLs defined in Topology Builder as cs.contoso.com/dialin and cs.contoso.com/meet could share a single publishing rule and a certificate with the subject name cs.contoso.com. For details, see Simple URL Options.
Note: The Certificates Required for Scaled Consolidated Edge Topology (Hardware Load Balanced) table shows a second SIP entry (sip.fabrikam.com) in the subject alternative name list for reference. For each SIP domain in your organization, the subject alternative name list of the external Edge certificate must contain a corresponding FQDN (sip.fabrikam.com for the fabrikam.com SIP domain); a SIP domain with no matching entry fails automatic client sign-in and federation for that domain.
Important: The public certificate assigned to the external Edge interfaces must be requested with its private key marked exportable, and the same certificate, together with its private key, must be imported and assigned on every Edge Server in the pool. The hardware load balancer distributes connections across all pool members, so a client or federated partner may reach any of them and must see the same certificate.
Certificates Required for Scaled Consolidated Edge Topology (Hardware Load Balanced)
| Component | Subject name | Subject alternative name entries/Order | Certification authority (CA) | Enhanced key usage (EKU) | Comments |
|---|---|---|---|---|---|
| Scaled consolidated Edge | access.contoso.com | webcon.contoso.com, sip.contoso.com, sip.fabrikam.com | Public | Server* | Assign to the external interface roles on each server in the Edge pool: SIP Access Edge, Web Conferencing Edge, A/V Edge |
| Scaled consolidated Edge | lsedge.contoso.net | Not applicable | Private | Server | Assign to the following Edge Server role: Internal Interface: Edge |
| Reverse proxy | lsrp.contoso.com | lsweb-ext.contoso.com, dialin.contoso.com, meet.contoso.com; optional: *.contoso.com | Public | Server | Publishing rules for the Address Book Service, distribution group expansion, and Lync IP devices. The SAN entries cover the external Web Services FQDN, the dial-in conferencing URL and the online meeting URL; the optional wildcard entry replaces both the meet and dialin entries |
| Next hop pool (on Front End 01) | pool01.contoso.net | sip.contoso.com, sip.fabrikam.com, lsweb.contoso.net, lsweb-ext.contoso.com, admin.contoso.com, dialin.contoso.com, meet.contoso.com, fe01.contoso.net, pool01.contoso.net; optional: *.contoso.com | Private | Server | Assign to Front End 01 in Pool01. The optional wildcard entry replaces the admin, meet and dialin entries |
| Next hop pool (on Front End 02) | pool01.contoso.net | sip.contoso.com, sip.fabrikam.com, lsweb.contoso.net, lsweb-ext.contoso.com, admin.contoso.com, dialin.contoso.com, meet.contoso.com, fe02.contoso.net, pool01.contoso.net; optional: *.contoso.com | Private | Server | Assign to Front End 02 in Pool01. The optional wildcard entry replaces the admin, meet and dialin entries |
* Client EKU is also required if public Internet connectivity with AOL is enabled.
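The following Lync Server Management Shell script is an added example, not code from the original page or from Microsoft's documentation. It requests the external Edge certificate with the SAN list from the table and an exportable private key, assigns it, exports it for the other Edge Servers in the pool, and then checks the assigned certificate for the SAN entries and EKUs the table requires (Server Authentication always, Client Authentication only when AOL connectivity is enabled). The file paths, the organization fields, the placeholder thumbprint and the `Test-EdgeCertificate` helper are assumptions for illustration; the `Request-CsCertificate`, `Import-CsCertificate`, `Set-CsCertificate` and `Get-CsCertificate` cmdlets are Lync Server's own.

```powershell
# Added example (not from the original page). Run in the Lync Server
# Management Shell on the first Edge Server of the hardware load balanced pool.
# Assumed: paths under C:\Certs, the organization fields, the placeholder
# thumbprint and the Test-EdgeCertificate helper defined below.

$sipDomains  = @('sip.contoso.com', 'sip.fabrikam.com')   # one entry per SIP domain
$requiredSan = @('webcon.contoso.com') + $sipDomains       # SAN list from the table
$aolEnabled  = $false                                      # set $true if AOL PIC is on

# 1. Offline request for the public CA. PrivateKeyExportable is mandatory
#    because every pool member must carry this same certificate and key.
#    -ClientEKU $true adds the Client Authentication EKU the footnote requires for AOL.
Request-CsCertificate -New `
    -Type AccessEdgeExternal,DataEdgeExternal,AudioVideoAuthentication `
    -FriendlyName 'Edge pool external' -KeySize 2048 -PrivateKeyExportable $true `
    -DomainName ($requiredSan -join ',') -ClientEKU $aolEnabled `
    -Country US -State WA -City Redmond -Organization Contoso -OU IT `
    -Output 'C:\Certs\edge-external.req'                   # assumed path

# 2. After the CA returns the signed certificate: import it, still exportable,
#    and assign it to the three external Edge roles.
Import-CsCertificate -Path 'C:\Certs\edge-external.cer' -PrivateKeyExportable $true
$thumb = '0123456789ABCDEF0123456789ABCDEF01234567'       # placeholder thumbprint
Set-CsCertificate -Type AccessEdgeExternal,DataEdgeExternal,AudioVideoAuthentication `
    -Thumbprint $thumb

# 3. Export certificate + private key as PFX for the remaining pool members.
#    On each of them: Import-CsCertificate -Path <pfx> -Password <pw> -PrivateKeyExportable $true
#    followed by the same Set-CsCertificate command as above.
$pfxPassword = Read-Host -AsSecureString 'PFX password'
$cert = Get-Item "Cert:\LocalMachine\My\$thumb"
[IO.File]::WriteAllBytes('C:\Certs\edge-external.pfx',
    $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $pfxPassword))

# 4. Check the assigned certificate against the table before exposing the pool.
function Test-EdgeCertificate {
    param(
        [string]   $Thumbprint,
        [string[]] $RequiredSan,
        [bool]     $RequireClientEku = $false
    )
    $c = Get-Item "Cert:\LocalMachine\My\$Thumbprint"

    # Subject Alternative Name (OID 2.5.29.17): Format($false) yields
    # "DNS Name=a, DNS Name=b, ..." on Windows; pull out the DNS entries.
    $sanExt = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san = @()
    if ($sanExt) {
        $san = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
               ForEach-Object { $_.Groups[1].Value.ToLower() }
    }
    $missing = @($RequiredSan | Where-Object { $san -notcontains $_.ToLower() })

    # Enhanced Key Usage (OID 2.5.29.37): Server Auth 1.3.6.1.5.5.7.3.1,
    # Client Auth 1.3.6.1.5.5.7.3.2.
    $ekuExt  = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $serverAuth = $ekuOids -contains '1.3.6.1.5.5.7.3.1'
    $clientAuth = $ekuOids -contains '1.3.6.1.5.5.7.3.2'

    [pscustomobject]@{
        Thumbprint    = $Thumbprint
        MissingSan    = $missing
        ServerAuth    = $serverAuth
        ClientAuth    = $clientAuth
        HasPrivateKey = $c.HasPrivateKey
        Ok            = ($missing.Count -eq 0) -and $serverAuth -and $c.HasPrivateKey -and
                        (-not $RequireClientEku -or $clientAuth)
    }
}

# Use the thumbprint Lync actually assigned, not the one you think you assigned.
$assigned = (Get-CsCertificate -Type AccessEdgeExternal).Thumbprint
Test-EdgeCertificate -Thumbprint $assigned -RequiredSan $requiredSan -RequireClientEku $aolEnabled
```

Run the final check on every Edge Server in the pool and compare the `Thumbprint` values: if they differ, one pool member is presenting a different certificate behind the load balancer, which is exactly the situation the Important note above rules out.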