Topic Last Modified: 2012-09-08

Microsoft Lync Server 2013 communications software supports the use of a single public certificate for access and web conferencing Edge external interfaces, plus the A/V Authentication service. The Edge internal interface typically uses a private certificate issued by an internal certification authority (CA), but can also use a public certificate, provided that it is from a trusted public CA. The reverse proxy in your deployment uses a public certificate and encrypts the communication from the reverse proxy to clients and the reverse proxy to internal servers by using HTTP (that is, Transport Layer Security over HTTP).

Following are the requirements for the public certificate used for access and web conferencing Edge external interfaces, and the A/V authentication service:

If you are deploying multiple, load-balanced Edge Servers at a site, the A/V authentication service certificate that is installed on each Edge Server must be from the same CA and must use the same private key. Note that the certificate's private key must be exportable, regardless of whether it is used on one Edge Server or many Edge Servers. It must also be exportable if you request the certificate from any computer other than the Edge Server. Because the A/V authentication service does not use the subject name or subject alternative name, you can reuse the access Edge certificate as long as the subject name and subject alternative name requirements are met for the access Edge and the web conferencing Edge and the certificate’s private key is exportable.

Requirements for the private (or public) certificate used for the Edge internal interface are as follows:

The reverse proxy in your deployment services requests for:

The reverse proxy publishes the internal server Web Components URLs. The Web Components URLs are defined on the Director, Front End Server or Front End pool as the External web services in Topology Builder.

Wildcard entries are supported in the subject alternative name field of the certificate assigned to the reverse proxy. For details about how to configure the certificate request for the reverse proxy, see Request and Configure a Certificate for Your Reverse HTTP Proxy.

See Also