A certificate is required for mutual TLS (MTLS) communication between the Edge Servers and internal servers, including the A/V Conferencing Server and Mediation Server.

For details about the certificate requirements, see Certificate Requirements for External User Access.

Configuring the Certificates on Your Internal Interface

To set up a certificate on the internal interface of Edge Servers at one site, follow these steps:

  • Step 1: Download the certification authority (CA) certification path for the internal interface to each Edge Server. For details, see Prepare for Edge Server Internal Certificates.

  • Step 2: Import the CA certification path for the internal interface, on each Edge Server.

  • Step 3: Verify that the CA is in the list of trusted root CAs, on each Edge Server.

  • Step 4: Create the certificate request for the internal interface, on one Edge Server, called the first Edge Server.

  • Step 5: Import the certificate for the internal interface on the first Edge Server.

  • Step 6: Export the certificate, using the first Edge Server.

  • Step 7: Import the certificate on the other Edge Servers at this site (or deployed behind this load balancer).

  • Step 8: Assign the certificate for the internal interface of every Edge Server.

Instructions for steps 2 through 8 are later in this topic.

If you have more than one site with Edge Servers (that is, a multiple-site consolidated edge topology), or separate sets of Edge Servers deployed behind different load balancers, you need to follow steps 1 through 8 separately for each site that has Edge Servers, and for each set of Edge Servers deployed behind a different load balancer.

Note:
The steps of the procedures in this section are based on using a Windows Server 2003 Enterprise CA or a Windows Server 2003 R2 CA. For step-by-step guidance for any other CA, consult the documentation for that CA. By default, all authenticated users have rights to request certificates.

To import the CA certification path for the internal interface

  1. On each Edge Server in your deployment, in the Deployment Wizard, on the Deploy Edge Serverpage, next to Step 4: Configure Certificates for the Edge Server, click Run.

  2. On the Welcomepage of the Communications Certificate Wizard, click Next.

  3. On the Available Certificate Taskspage, select Import a certificate chain from a .p7b file, and then click Next.

  4. On the Import Certificate Chainpage, type the full path and name of the .p7b file, and then click Next.

  5. Click Finish.

  6. Repeat this procedure on each Edge Server.

To verify that your CA is in the list of trusted root CAs

  1. On each Edge Server, open the Microsoft Management Console (MMC) by clicking Start, clicking Run, typing mmcin the Openbox, and then clicking OK.

  2. On the Filemenu, click Add/Remove Snap-in, and then click Add.

  3. In the Add Standalone Snap-insbox, click Certificates, and then click Add.

  4. In the Certificate snap-indialog box, click Computer account, and then click Next.

  5. In the Select Computerdialog box, ensure that the Local computer: (the computer this console is running on)check box is selected, and then click Finish.

  6. Click Close, and then click OK.

  7. In the console tree, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.

  8. In the details pane, verify that your CA is on the list of trusted CAs.

  9. Repeat this procedure on each Edge Server.

To create the certificate request for the internal interface

  1. On one Edge Server, in the Deployment Wizard, on the Deploy Edge Serverpage, next to Step 4: Configure Certificates for the Edge Server, click Run.

  2. On the Welcomepage of the Communications Certificate Wizard, click Next.

  3. On the Available Certificate Taskspage, click Create a new certificate, and then click Next.

  4. On the Select the Component for Which the Certificate Is Requestedpage, select Edge Server Private Interface, and then click Next.

  5. On the Delayed or Immediate Requestpage, select the Prepare the request now, but send it latercheck box, and then click Next.

    Note:
    If the Enterprise CA is reachable from the Edge Server, you can use the Send the request immediately to an online certification authorityoption. Since this is typically not the case, this procedure and other certificate request procedures in this guide do not cover the use of that option.

    Additionally, be aware that once you create a request, it is pending and the Certificate Wizard will not let you create another request until you have processed the pending one.

  6. On the Name and Security Settingspage, type a friendly name for the certificate, and specify the bit length (typically, the default of 1024), verify that the Mark certificate as exportablecheck box is selected, and then click Next.

  7. On the Organization Informationpage, type the name for the organization and the organizational unit (such as a division or department, if appropriate), and then click Next.

  8. On the Your Server's Subject Namepage, type or select the subject name and subject alternate name of the Edge Server.

    The subject name should match the fully qualified domain name (FQDN) of the Edge Server published by the internal firewall for the internal interface on which you are configuring the certificate:

    • For the internal interface of the Edge Server, this subject name should match the name that your internal servers use to connect to the Edge Server (typically, the FQDN of the internal interface for the Edge Server).

    • If you are using a load balancer, the Edge Server traffic still uses the FQDN of the internal edge of the server (server name), but if you are using a virtual IP address for the Edge Server, the certificate should match the server FQDN of the virtual IP address used by this server role on the internal load balancer. For the internal interface, this is typically the published Domain Name System (DNS) name for the perimeter network that maps to the Edge Server.

  9. Select Automatically add local machine name to subject alternate nameif you would like to add the computer name of the Edge Server to the certificate’s list of alternate names.

  10. Click Next.

  11. On the Geographical Informationpage, type the location information, and then click Next.

  12. On the Certificate Request File Namepage, type the full path and file name to which the request is to be saved in the File namebox (for example, C:\certrequest_AccessEdge.txt), and then click Next.

  13. On the Request Summarypage, click Next.

  14. On the wizard completion page, verify successful completion, and then click Finish.

  15. Submit this file to your CA (by e-mail or other method supported by your organization for your Enterprise CA) and, when you receive the response file, copy the new certificate to this computer so that it is available for import.

  16. Repeat this procedure for each Edge Server.

To import the certificate for the internal interface

  1. On the Edge Server on which you created the certificate request, in Deployment Wizard, on the Deploy Edge Serverpage, next to Step 4: Configure Certificates for the Edge Server, click Run.

  2. On the Welcomepage of the Communications Certificate Wizard, click Next.

  3. On the Pending Certificate Requestpage, click Process an offline certificate request and import the certificate, and then click Next.

  4. On the Process a Pending Requestpage, in Path and file name, type the full path and file name of the certificate that you requested and received for the internal interface of this Edge Server, and then click Next.

  5. On the wizard completion page, verify successful completion, and then click Finish.

To export the certificate (for use by other Edge Servers)

  1. On the Edge Server on which you requested and imported the certificate, in Deployment Wizard, on the Deploy Edge Serverpage, next to Step 4: Configure Certificates for the Edge Server, click Run.

  2. On the Welcomepage of the Communications Certificate Wizard, click Next.

  3. On the Available Certificate Taskspage, click Export a certificate to a .pfx file, and then click Next.

  4. On the Available Certificates page, in Select a certificate, click the certificate that you imported to this Edge Server, and then click Next.

  5. On the Export Certificatepage, in Path and file name, type the full path and file name to which you want to export the certificate, and then click Next.

    Include all certificates in the certificate path, if possible.

  6. In the Export Certificate Passwordpage, in Password, type the password that will be used to import the certificate on the other Edge Servers, and then click Next.

  7. On the wizard completion page, verify successful completion, and then click Finish.

  8. Copy the exported file to a location or media to which the other Edge Servers have access.

To import the certificate for the internal interface on the other Edge Servers

  1. On each of the other Edge Servers at this site, in the Deployment Wizard, on the Deploy Edge Serverpage, next to Step 4: Configure Certificates for the Edge Server, click Run.

  2. On the Welcomepage of the Communications Certificate Wizard, click Next.

  3. On the Available Certificate Taskspage, click Import a certificate from a .pfx file, and then click Next.

  4. On the Import Certificatepage, in Path and file name, type the full path and file name of the certificate that you exported from the first Edge Server, clear the Mark certificate as exportablecheck box, and then click Next.

  5. In the Import Certificate Password, in Password, type the password that you typed when you exported the certificate from the first server, and then click Next.

  6. On the wizard completion page, verify successful completion, and then click Finish.

  7. Repeat this procedure for each Edge Server that you want to use the same certificate.

To assign the certificate to the internal interface of the Edge Servers

  1. On each Edge Server, in the Deployment Wizard, on the Deploy Edge Serverpage, next to Step 4: Configure Certificates for the Edge Server, click Run.

  2. On the Welcomepage of the Communications Certificate Wizard, click Next.

  3. On the Available Certificate Taskspage, click Assign an existing certificate, and then click Next.

  4. On the Available Certificatespage, select the certificate that you requested for the internal interface of this Edge Server, and then click Next.

  5. On the Available Certificate Assignmentspage, select the Edge Server private interfacecheck box (that is, the server interface on which you want to install the certificate), and then click Next.

  6. On the Configure the Certificate Settings of Your Serverpage, review your settings, and then click Nextto assign the certificates.

  7. On the wizard completion page, click Finish.

  8. Repeat this procedure for each Edge Server to which you assigned this certificate.