Topic Last Modified: 2012-10-22

If your watcher node computer lies inside the perimeter network, using Trusted Server authentication can greatly reduce administrative overhead: you maintain a single certificate rather than numerous user account passwords.

The first step in configuring Trusted Server authentication is to create a trusted application pool to host the watcher node computer. After the trusted application pool has been created, you must then configure synthetic transactions on that watcher node to run as a trusted application.

A trusted application is an application that is given trusted status to run as part of Lync Server 2013, but that is not a built-in part of the product. Trusted status means that the application will not be challenged for authentication each time it runs.

To create a trusted application pool, open the Lync Server 2013 Management Shell and run a command similar to this:

New-CsTrustedApplicationPool -Identity -Registrar -ThrottleAsServer $True -TreatAsAuthenticated $True -OutboundOnly $False -RequiresReplication $True -ComputerFqdn -Site Redmond
For details about the parameters used in the preceding command, type the following at the Lync Server Management Shell prompt:

Get-Help New-CsTrustedApplicationPool -Full | more

After creating the trusted application pool, configure the watcher node computer to run synthetic transactions as a trusted application. This is done by using the New-CsTrustedApplication cmdlet and a command similar to this:

New-CsTrustedApplication -ApplicationId STWatcherNode -TrustedApplicationPoolFqdn -Port 5061

When the preceding command completes and the trusted application has been created, run Enable-CsTopology to make sure that the changes take effect:

Enable-CsTopology
After running Enable-CsTopology, we recommend that you restart the computer.

To verify that the new trusted application has been created, type the following at the Lync Server Management Shell prompt:

Get-CsTrustedApplication -Identity ""
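The four steps above (create the pool, register the application, publish the topology, verify) as one script for the Lync Server 2013 Management Shell. This is an added example, not code from the original article; the FQDNs, site name and port assignments are placeholders you replace with your own values, and the checks against the pool FQDN and port are added because a pool created with TreatAsAuthenticated is never challenged, so the identity you trust should be confirmed before the topology is published.

```powershell
# Added example, not from the original article. All values are placeholders.
$PoolFqdn      = 'watcher01.contoso.example'   # placeholder: FQDN of the watcher node computer
$RegistrarFqdn = 'pool01.contoso.example'      # placeholder: Registrar pool the watcher signs in to
$SiteId        = 'Redmond'                     # placeholder: site identity (see Get-CsSite)
$ApplicationId = 'STWatcherNode'
$Port          = 5061

# Stop on the first error so a failed pool creation is not followed by an
# application registration or topology publish against the wrong state.
$ErrorActionPreference = 'Stop'

# Create the pool unless it already exists. A trusted application pool is treated
# as authenticated (never challenged), so the FQDN here is the identity being trusted.
if (-not (Get-CsTrustedApplicationPool -Identity $PoolFqdn -ErrorAction SilentlyContinue)) {
    New-CsTrustedApplicationPool -Identity $PoolFqdn -Registrar $RegistrarFqdn -Site $SiteId `
        -ComputerFqdn $PoolFqdn -ThrottleAsServer $True -TreatAsAuthenticated $True `
        -OutboundOnly $False -RequiresReplication $True
}

# Register the synthetic-transaction watcher as a trusted application on that pool.
# Trusted application identities have the form <pool FQDN>/urn:application:<id>.
$AppIdentity = "$PoolFqdn/urn:application:$($ApplicationId.ToLower())"
if (-not (Get-CsTrustedApplication -Identity $AppIdentity -ErrorAction SilentlyContinue)) {
    New-CsTrustedApplication -ApplicationId $ApplicationId `
        -TrustedApplicationPoolFqdn $PoolFqdn -Port $Port
}

# Publish the change.
Enable-CsTopology

# Verify: the application must exist, sit on the intended pool and use the expected port.
$app = Get-CsTrustedApplication -Identity $AppIdentity
if ($app.TrustedApplicationPoolFqdn -ne $PoolFqdn -or $app.Port -ne $Port) {
    throw "Trusted application $AppIdentity does not match the expected pool or port"
}
$app | Format-List Identity, ApplicationId, TrustedApplicationPoolFqdn, Port
```

Run the script once per watcher node; the existence checks make it safe to rerun after a partial failure, and the final comparison fails loudly if a typo in the FQDN created a pool for a different host than the one you intended to trust.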

Configuring a Default Certificate on the Watcher Node

Each watcher node must have a Default certificate assigned by using the Lync Server Deployment Wizard.

To assign a Default certificate
  1. Click Start, click All Programs, click Lync Server, and then click Lync Server Deployment Wizard.

  2. In the Lync Server Deployment Wizard, click Install or Update Lync Server System and then click Run under the heading Request, Install, or Assign Certificate.

    If the Run button is disabled, you may need to first click Run under Install Local Configuration Store.
  3. Do one of the following:

    • If you already have a certificate that can be used as the Default certificate, click Default in the Certificate wizard and then click Assign. Follow the steps in the Certificate Assignment wizard to assign that certificate.

    • If you need to request a certificate for use as the Default certificate, click Request and then follow the steps in the Certificate Request wizard to request that certificate. If you use the default values for the Web Server certificate, you get a certificate that you can assign as the Default certificate.

Installing and Configuring a Watcher Node

After you have restarted the watcher node computer and configured a certificate, you need to run the file Watchernode.msi. (You must run Watchernode.msi on a computer where both the Operations Manager agent files and the Lync Server 2013 core components are installed.)

To install and configure a watcher node
  1. Open the Lync Server Management Shell by clicking Start, clicking All Programs, clicking Lync Server, and then clicking Lync Server Management Shell.

  2. In the Lync Server Management Shell, type the following command and then press ENTER (specify the actual path to your copy of Watchernode.msi):

    C:\Tools\Watchernode.msi Authentication=TrustedServer
    You can also run Watchernode.msi from a command window. To open a command window, click Start, right-click Command Prompt, and then click Run as administrator. When the command window opens, type the same preceding command.

Note that the name/value pair Authentication=TrustedServer in the preceding command is case-sensitive. You must type it exactly as shown. The following command fails because it does not use the correct letter casing:

C:\Tools\Watchernode.msi authentication=trustedserver
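The installation step with the case-sensitivity pitfall and the certificate prerequisite checked up front, as an added example that is not part of the original article. The MSI and log paths are placeholders; the certificate check uses Get-CsCertificate with the Default type from the section above, and the installer is launched through msiexec.exe with a verbose log so that a failed run leaves something to examine.

```powershell
# Added example, not from the original article. Paths are placeholders.
$MsiPath = 'C:\Tools\Watchernode.msi'            # placeholder: path to your copy of Watchernode.msi
$LogPath = 'C:\Tools\Watchernode-install.log'    # placeholder: verbose MSI log location
$Mode    = 'TrustedServer'

# The MSI property must read exactly Authentication=TrustedServer. PowerShell's -eq
# compares case-insensitively, so use -ceq: 'trustedserver' would pass -eq but the
# installer would reject it, as the article's failing command shows.
if ($Mode -cne 'TrustedServer') {
    throw "Authentication value '$Mode' is not spelled exactly 'TrustedServer'"
}

# Prerequisite from the certificate section: a Default certificate must be assigned.
$cert = Get-CsCertificate -Type Default
if (-not $cert) {
    throw 'No Default certificate is assigned; assign one with the Deployment Wizard first.'
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Default certificate $($cert.Thumbprint) expires on $($cert.NotAfter)"
}

# Run the installer through msiexec with the property passed on the command line.
$installerArgs = @('/i', "`"$MsiPath`"", "Authentication=$Mode", '/l*v', "`"$LogPath`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $installerArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "Watchernode.msi failed with exit code $($proc.ExitCode); see $LogPath"
}
Write-Output "Watcher node installed in $Mode mode; log written to $LogPath"
```

Run it from an elevated Lync Server Management Shell on the watcher node. The 30-day expiry warning is a reminder that in TrustedServer mode the certificate is the credential: when it lapses, the synthetic transactions stop authenticating just as an expired test-user password would.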

You can use TrustedServer mode only with computers that are located within the perimeter network. When a watcher node is running in TrustedServer mode, administrators do not have to maintain test user passwords on the computer.