In recent years, Microsoft has
adopted a “secure out of the box” approach for both operating system
and application releases. Lync Server 2013 continues with that same
approach, requiring SSL certificates to protect communications between
Lync servers, as well as between client and server. In addition, a
second type of certificate is being introduced with Lync Server 2013,
the Open Authentication (OAuth) certificate. While the SSL certificates
will continue to be used to encrypt communications, the OAuth
certificates will be used to establish trust across the Office 2013
family of servers. The OAuth certificates allow the exchange of
security tokens that grant access to resources for a period of time.
Server-to-server authentication and authorization using OAuth is
supported between Lync 2013 servers, as well as among Lync 2013,
Exchange 2013, and SharePoint 2013 servers for integration scenarios.
The certificates applied to Lync Server
systems can be either public certificates issued by a third party
certificate authority (CA), or internal certificates issued using a
self-managed public key infrastructure (PKI). The most ideal scenario
for most organizations is to use a mix of both public and internal
certificates for the Lync deployment, with third-party certificates
being used for services that are public-facing (such as Edge services),
and internal certificates being used for services that are strictly
internal (such as communication between Lync Front End Servers).
Although this hybrid approach serves to meet the certificate
requirements of Lync and reduce the cost of the certificates, it does
require that an internal PKI be deployed before the installation of the
Lync environment. Since an internal PKI deployment is a project unto
itself, organizations that do not already manage an internal PKI
deployment will likely need to procure server certificates from a
third-party CA for Lync services. The one exception to this is the
OAuth certificate, since this can be a self-signed certificate
generated internally.
Lync Server Certificate Requirements
Following are the primary uses for certificates within Lync:
• Communication between Lync clients and Lync servers is encrypted using TLS.
• Authentication between Lync 2013
servers, as well as authentication among Lync 2013 servers, Exchange
2013 servers, and SharePoint 2013 servers, uses server-to-server OAuth
certificates.
• Communications between Lync servers is encrypted using MTLS.
• Automatic DNS discovery of partners for federation uses certificates for authentication.
• Remote or external user access for
any Lync functionality is encrypted, including IM, audio/video (A/V)
sessions, application sharing, and conferencing.
• A mobile request using automatic discovery of Web Services is encrypted.
Following are the common requirements that apply to the SSL certificates issued for use with Lync Server:
• All server certificates must support server authorization (Server EKU).
• All server certificates must contain a CRL Distribution Point (CDP).
• Auto-enrollment is supported for internal Lync servers, but is not supported for Lync Edge Servers.
• Key lengths of 1024, 2048, and 4096 are supported.
• Supported hash algorithms include RSA (the default), ECDH_P256, ECDH_P384, and ECDH_P521.
• All certificates are standard web server certificates, and must include the private key.
Following are the requirements that apply to the OAuth certificates issued for use with Lync Server:
• The certificate issued for OAuth must
be the same across all Lync servers in the environment, and therefore
the private key must be exportable for the certificate.
• A Web Server certificate that has the name of the SIP domain as subject can be used as an OAuth certificate.
• Generally, any Lync Server SSL
certificate can also be used as an OAuth certificate, provided that all
other requirements are met. However, if the default Lync Server
certificate is used for both SSL and OAuth, it must be assigned twice,
once for each certificate usage.
Note
Distribution of the OAuth
certificate between Lync Server 2013 Front End Servers is handled
automatically via Central Management Store replication.
Installing Lync Certificates
The number of certificates required for a
Lync deployment and the configuration of those certificates vary
greatly depending on the topology chosen and the Lync features that are
installed. The internal Lync server roles that require certificates
include Front End Server, Mediation Server, Director, and Persistent
Chat Server. For external user access, a combination of public and
internal certificates is used on the Edge Server, and a public
certificate is also required for the reverse HTTP proxy system.
Lync Server 2013 provides a wizard for
requesting, installing, and assigning certificates. For example, the
following procedure is used to create an offline SSL certificate
request to be sent to a third-party CA for a Front End Server:
1. Log on to the Front End Server, and launch the Lync Server Deployment Wizard.
2. At the opening screen, click Install or Update Lync Server System.
3. The Deployment
Wizard determines the current state of the environment and provides
links to various installation options as needed. Assuming that the
Local Configuration Store is installed and at least one Lync Server
component has been installed, the link to run Step 3: Request, Install
or Assign Certificates will be available. Click Run on Step 3 to begin
the certificate request.
4. When the
Certificate Wizard screen appears, expand the arrow to the left of
Default Certificate to display the certificate usage options. As shown
in Figure 1,
by default the certificate requested will be used as the default Lync
server certificate, and will also be used for both the internal and the
external web services. If a separate certificate is planned for any of
these, that usage can be deselected here. When finished, click Request.
Figure 1. Lync certificate usages.
5. The Certificate Request Wizard now launches. Click Next.
6. For a certificate
request that will be sent to a third-party CA, choose Prepare the
Request Now, but Send It Later (offline certificate request). If the
request will be sent to an internal CA, it is possible to instead
select Send the Request Immediately to an Online Certificate Authority.
7. If offline
certificate request was chosen in the previous step, the Certificate
Request File screen appears. Browse to a location where the certificate
request file will be stored, such as a local subdirectory on the
server, and enter a name for the certificate request file. After the
location is selected, click Next.
8. By default, the
wizard creates the certificate request using the WebServer (SSL)
template. If a different certificate template is planned, select the
option Use Alternate Certificate Template for the
Selected Certification Authority, and then enter the name of the
template into the Certificate Template Name field. When finished, click
Next.
9. At the Name and
Security Settings screen, enter a friendly name for the certificate,
which makes it easier to identify later. Also, choose a bit length for
the certificate. If the private key will need to be exported later,
which is typically the case when a SAN cert is imported onto multiple
computers, select the option for Mark the Certificate’s Private Key as
Exportable. Click Next.
10. At the
Organization Information screen, enter the name of the organization and
organizational unit into the corresponding fields, and then click Next.
11. At the
Geographical Information screen, select the country from the drop-down
menu, and then enter the information into the State/Province and
City/Locality fields. Click Next.
Tip
With an external CA, typically the values for
the organizational and geographical information have already been
defined as naming constraints, in which case the information entered on
these screens must match the values already defined with the
certificate provider.
12. Review the names that are populated into the certificate as shown in Figure 2, and then click Next.
Figure 2. Certificate names.
Tip
Figure 2
shows that the wizard has automatically populated several subject
alternative names that are required for specific Lync functions.
13. For each SIP
domain, if automatic sign-in will be used without DNS SRV entries, if
strict domain matching will be used, or if Lync Phone edition devices
will be used, the check box shown in Figure 3 should be selected for that domain to provide an additional required SAN. When finished, click Next.
Figure 3. Configuring SANs per SIP domain.
Tip
For each SIP domain selected on the previous screen, the wizard will add a subject alternative name of sip.<domain>, which is required for the scenarios that are mentioned. Using the example in Figure 3 a SAN of sip.companyabc.com will be added.
14. The opportunity
to enter additional subject alternate names outside those automatically
determined by the wizard is presented. Enter each additional SAN that
will be used, and then click Next.
Tip
The screen described in step 14 provides an
opportunity for the Lync administrator to “future proof” a public
certificate that will be purchased for use with Lync. For example,
there may be Lync services that are planned for a future phase of the
Lync deployment. Adding the names that will be used for those services
now will both save time and prevent any additional certificate costs.
15. At the Certificate Request Summary screen, review the values for accuracy, and then click Next.
16. The commands
required to generate the certificate request file are now executed.
Click View Log to determine whether any errors occurred during the
certificate request process. When finished, click Next.
17. At the
Certificate Request File screen, the opportunity is presented to view
the resulting certificate request text file. With most third-party
certificate providers, it is typically necessary to copy and paste this
text into the provider’s web portal when requesting the certificate. If
so, click View and use the resulting Notepad file to copy the text to
the Windows clipboard. When finished, close the Notepad file and click
Finish.
After the certificate has been issued by the
vendor, the Lync Server Deployment Wizard is used to import the
certificate and assign it, as described here:
1. Log on to the Front End Server, and launch the Lync Server Deployment Wizard.
2. At the opening screen, click Install or Update Lync Server System.
3.
The Deployment Wizard determines the current state of the environment
and provides links to various installation options as needed. Click Run
on Step 3 to install and assign the certificate.
4. At the Certificate Wizard screen, click the Import Certificate button at the bottom of the screen.
5. At the Import
Certificate screen, click Browse and navigate to the location of the
certificate issued by the third-party CA. If there is a private key
contained in the file (for example, if it was exported from another
Lync server), select the Certificate File Contains Certificate’s
Private Key check box and enter the password that was applied to the
export in the field provided. When finished, click Next.
6. At the Import Certificate Summary screen, review the summary information and click Next.
7. The commands
required to import the certificate are now executed. Click View Log to
determine whether any errors occurred during the certificate import
process. When finished, click Finish to return to the Certificate
Wizard.
8. At the Certificate Wizard screen, click Assign.
9. At the Certificate Assignment screen, click Next.
10. The certificates that are available in the local certificate store of the server are now displayed, as shown in Figure 4. Select the certificate that will be assigned to Lync, and then click Next.
Figure 4. Assigning a certificate to Lync.
Tip
If there are several certificates in the
local certificate store of the server, at first glance it might be
difficult to differentiate between these in order to make the right
selection. If so, click the View Certificate Details button at the
bottom of the screen. Typically, the Friendly Name or the Subject
Alternative Name fields will make it evident as to which certificate is
intended for Lync.
11. At the Certificate Assignment Summary screen, review the summary information, and then click Next.
12. The commands
required to assign the certificate are now executed. Click View Log to
determine whether any errors occurred during the certificate assignment
process. When finished, click Finish to return to the Certificate
Wizard.
13. The default certificate is now assigned to the server, as shown in Figure 5. Click Close to exit the Certificate Wizard.
Figure 5. Viewing the assigned certificate.
