Topic Last Modified: 2014-02-14

You need to install the root certification authority (CA) certificate on the server running Microsoft Forefront Threat Management Gateway 2010 or IIS ARR for the CA infrastructure that issued the server certificates to the internal servers running Microsoft Lync Server 2013.

You also must install a public web server certificate on your reverse proxy server. This certificate’s subject alternative names should contain the published external fully qualified domain names (FQDNs) of each pool that is home to users enabled for remote access, and the external FQDNs of all Directors or Director pools that will be used within that Edge infrastructure. The subject alternative name must also contain the meeting simple URL, the dial-in simple URL, and, if you are deploying mobile applications and plan to use automatic discovery, the external Autodiscover Service URL as shown in the following table.

Value Example

Subject name

Pool FQDN

webext.contoso.com

Subject alternative name

Pool FQDN

webext.contoso.com

Important:
The subject name must also be present in the subject alternative name.

Subject alternative name

Optional Director Web Services (if Director is deployed)

webdirext.contoso.com

Subject alternative name

Meeting simple URL

Note:
All meeting simple URLs must be in the subject alternative name. Each SIP domain must have at least one active meeting simple URL.

meet.contoso.com

Subject alternative name

Dial-in simple URL

dialin.contoso.com

Subject alternative name

Office Web Apps Server

officewebapps01.contoso.com

Subject alternative name

External Autodiscover Service URL

lyncdiscover.contoso.com

Note:
If you are also using Microsoft Exchange Server you will also need to configure reverse proxy rules for the Exchange autodiscover and web services URLs.
Note:
If your internal deployment consists of more than one Standard Edition server or Front End pool, you must configure web publishing rules for each external web farm FQDN and you will either need a certificate and web listener for each, or you must obtain a certificate whose subject alternative name contains the names used by all of the pools, assign it to a web listener, and share it among multiple web publishing rules.

Create a Certificate Request

You create a certificate request on the reverse proxy. You create a request on another computer, but you must export the signed certificate with the private key and import it onto the reverse proxy once you have received it from the public certification authority.

Note:
A certificate request or a certificate signing request (CSR) is a request to a trusted public certification authority (CA) to validate and sign the requesting computer’s public key. When a certificate is generated, a public key and a private key are created. Only the public key is shared and signed. As the name implies, the public key is made available to any public request. The public key is for use by clients, servers and other requesters that need to exchange information securely and validate a computer’s identity. The private key is kept secured and is used only by the computer that created the key pair to decrypt messages encrypted with its public key. The private key can be used for other purposes. For reverse proxy purposes, data encipherment is the primary use. Secondarily, the certificate authentication at the certificate key level is another use, and is limited only to validation that a requester has the computer’s public key, or that the computer that you have a public key for is actually the computer that it claims to be.
Tip:
If you plan your Edge Server certificates and your reverse proxy certificates at the same time, you should notice that there is a great deal of similarity between the two certificate requirements. When you configure and request your Edge Server certificate, combine the Edge Server and the reverse proxy subject alternative names. You can use the same certificate for your reverse proxy if you export the certificate and the private key and copy the exported file to the reverse proxy and then import the certificate/key pair and assign it as needed in the upcoming procedures. Refer to the certificate requirements for the Edge Server Plan for Edge Server Certificates and the reverse proxy Certificate Summary - Reverse Proxy. Make sure that you create the certificate with an exportable private key. Creating the certificate and certificate request with an exportable private key is required for pooled Edge Servers, so this is a normal practice and the Certificate Wizard in the Lync Server Deployment Wizard for the Edge Server will allow you to set the Make private key exportable flag. Once you receive the certificate request back from the public certification authority, you will export the certificate and the private key. See the section “To export the certificate with the private key for Edge Servers in a pool” in the topic Set Up Certificates for the External Edge Interface for details on how to create and export your certificate with a private key. The extension of the certificate should be of type .pfx.

To generate a certificate signing request on the computer where the certificate and private key will be assigned, you do the following:

Creating a certificate signing request
  1. Open the Microsoft Management Console (MMC) and add the Certificates snap-in and select Computers, then expand Personal. For details on how to create a certificates console in the Microsoft Management Console (MMC), see http://go.microsoft.com/fwlink/?LinkId=282616.

  2. Right-click Certificates, click All Tasks, click Advanced Operations, click Create Custom Request.

  3. On the Certificate Enrollment page, click Next.

  4. On the Select Certificate Enrollment Policy page under Custom Request, select Proceed without enrollment policy. Click Next.

  5. On the Custom Request page, for Template select (No template) Legacy key. Unless otherwise directed by your certificate provider, leave Suppress default extensions unchecked and the Request format selection on PKCS #10. Click Next.

  6. On the Certificate Information page, click Details, then click Properties.

  7. On the Certificate Properties page on the General tab in the Friendly Name field, type a name for this certificate. Optionally, type a description in the Description field. The Friendly Name and description are typically used by the Administrator to identify what the certificate purpose is, such as Reverse Proxy Listener for Lync Server.

  8. Select the Subject tab. Under Subject name for the Type, select Common name for the Subject name type. For the Value, type the subject name that you will use for the reverse proxy, and then click Add. In the example provided in the table in this topic, the subject name is webext.contoso.com and would be typed into the Value field for the Subject name.

  9. On the Subject tab under Alternative name, select DNS from the drop down for Type. For each defined subject alternative name that you require on the certificate, type the fully qualified domain name, then click Add. For example, in the table there are three subject alternative names, meet.contoso.com, dialin.contoso.com, and lyncdiscover.contoso.com. In the Value field, type meet.contoso.com, then click Add. Repeat for each subject alternative names that you need to define.

  10. On the Certificate Properties page, click the Extensions tab. On this page, you will define the cryptographic key purposes in Key usage and the extended key usage in Extended Key Usage (application policies).

  11. Click the Key usage arrow to show the Available options. Under Available options, click Digital signature, then click Add. Click Key encipherment, then click Add. If the checkbox for Make these key usages critical is unchecked, select the checkbox.

  12. Click the Extended Key Usage (application policies) arrow to show the Available options. Under Available options, click Server Authentication, then click Add. Click Client Authentication, then click Add. If the check box for Make the Extended Key Usages critical is checked, unselect the checkbox. Contrary to the Key usage checkbox (which must be checked) you must be sure that the Extended Key Usage checkbox is not checked.

  13. On the Certificate Properties page, click the Private Key tab. Click the Key options arrow. For Key size, select 2048 from the drop down. If you are generating this key pair and CSR on a computer other than the reverse proxy that this certificate is intended for, select Make private key exportable.

    Security Note:
    Selecting Make a private key exportable is generally advised when you have more than one reverse proxy in a farm because you will copy the certificate and the private key to each machine in the farm. If you do allow for an exportable private key, you must take extra care with the certificate and the computer that it is generated on. The private key, if compromised, will render the certificate useless as well as potentially expose the computer or computers to external access and other security vulnerabilities.
  14. On the Private Key tab, click the Key type arrow. Select the Exchange option.

  15. Click OK to save the Certificate Properties that you have set.

  16. On the Certificate Enrollment page, click Next.

  17. On the Where do you want to save the offline request? page, you are prompted for a File Name and a File Format for saving the certificate signing request.

  18. In the File Name entry field, type a path and filename for the request, or click Browse to select a location for the file and type the filename for the request.

  19. For File format, click either Base 64 or Binary. Select Base 64 unless you are instructed otherwise by the vendor for your certificates.

  20. Locate the request file that you saved in the previous step. Submit to your public certification authority.

    Important:
    Microsoft has identified Public CAs that meets the requirements for Unified Communications purposes. A list is maintained in the following knowledge base article. http://go.microsoft.com/fwlink/?LinkId=282625