Topic Last Modified: 2012-10-22

Microsoft Lync Server 2013 uses certificates to mutually authenticate other servers and to encrypt data from server to server and server to client. Certificates require name matching of the domain name system (DNS) records associated with the servers and the subject name (SN) and subject alternative name (SAN) on the certificate. To successfully map servers, DNS records and certificate entries, you must carefully plan your intended server fully qualified domain names as registered in DNS and the SN and SAN entries on the certificate.

The certificate assigned to the external interfaces of the Edge Server is requested from a public certification authority (CA). Public CAs that have demonstrated success in supplying certificates for the purposes of Unified Communications are listed in the following article: http://go.microsoft.com/fwlink/p/?linkid=3052&kbid=929395. When requesting the certificate, you can use the certificate request generated by the Lync Server Deployment Wizard or create the request manually using Lync Server Management Shell cmdlets or by a process provided by a public CA. For details on Lync Server Management Shell cmdlets for certificate management, see Certificate and Authentication Cmdlets When assigning the certificate, the certificate is assigned to the Access Edge service interface, the Web Conferencing Edge service interface, and the Audio/Video Authentication service. The Audio/Video Authentication service should not be confused with the A/V Edge service which does not use a certificate to encrypt the audio and video streams. The internal Edge Server interface can use a certificate from an internal (to your organization) CA or a certificate from a public CA. The internal interface certificate uses only the SN and does not need or use SAN entries.

Note:
The following table shows a second SIP entry (sip.fabrikam.com) in the subject alternative name list for reference. For each SIP domain in your organization, you need to add a corresponding FQDN listed in the certificate subject alternative name list.

Certificates Required for Single Consolidated Edge with Private IP Addresses using NAT

Component Subject name (SN) Subject alternative names (SAN)/Order Comments

Single consolidated Edge (External Edge)

sip.contoso.com

webcon.contoso.com

sip.contoso.com

sip.fabrikam.com

Certificate must be from a Public CA, and must have the server EKU and client EKU if public IM connectivity with AOL is to be deployed. The certificate is assigned to the external Edge interfaces for:

  • Access Edge

  • Conferencing Edge

  • A/V Edge

Note that SANs are automatically added to the certificate based on your definitions in Topology Builder. You add SAN entries as needed for additional SIP domains and other entries that you need to support. The subject name is replicated in the SAN and must be present for correct operation.

Single consolidated Edge (Internal Edge)

lsedge.contoso.net

No SAN required

Certificate can be issued by a public or private CA, and must contain the server EKU. The certificate is assigned to the internal Edge interface.

Certificate Summary – Public Instant Messaging Connectivity

Component Subject name Subject alternative names (SAN)/Order Comments

External/Access Edge

sip.contoso.com

sip.contoso.com

webcon.contoso.com

sip.fabrikam.com

Certificate must be from a Public CA, and must have the server EKU and client EKU if public IM connectivity with AOL is to be deployed. The certificate is assigned to the external Edge interfaces for:

  • Access Edge

  • Conferencing Edge

  • A/V Edge

Note that SANs are automatically added to the certificate based on your definitions in Topology Builder. You add SAN entries as needed for additional SIP domains and other entries that you need to support. The subject name is replicated in the SAN and must be present for correct operation.

Certificate Summary for Extensible Messaging and Presence Protocol

Component Subject name Subject alternative names (SAN)/Order Comments

Assign to Access Edge service of Edge Server or Edge pool

sip.contoso.com

webcon.contoso.com

sip.contoso.com

sip.fabrikam.com

xmpp.contoso.com

*.contoso.com

The first three SAN entries are the normal SAN entries for a full Edge Server. The contoso.com is the entry required for federation with the XMPP partner at the root domain level. This entry will allow XMPP for all domains with the suffix *.contoso.com.