Creating Certificates
Like all other roles in Lync Server, the Edge Server communicates to other servers in the organization using Mutual Transport Layer Security (MTLS). The Edge Server requires two certificates. At a minimum, the Edge Server always requires a certificate with its internal fully qualified domain name (FQDN) for communication to other servers, and a certificate for external services with all public FQDNs that are used. For internal certificates, the subject name should contain the Edge pool's internal FQDN.
The certificate used for Access Edge services should adhere to the following guidelines:
• The subject name should be the published name for Access Edge services.
• All supported SIP domains must be entered as a subject alternative name in the format sip.<SIP domain>.
The certificate used for Web Conferencing Edge services should adhere to the following guideline:
• The subject name should be the published name for Web Conferencing Edge services.
The certificate used for the A/V Authentication service has no specific guidelines. The certificate is used only to generate encryption keys, but the name used by the wizard matches the internal Edge pool FQDN.
Note
The Certificate Wizard in Lync Server automatically populates the subject name and required subject alternative names based on the published topology. This greatly simplifies the certificate confusion created by prior versions. As long as the published topology is accurate, changing the certificate names or adding subject alternative names is unnecessary.
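The guidelines above are easy to state and easy to get wrong when a SIP domain is added to the topology after the certificate was issued. The following PowerShell function is an added example, not code from the book or from Microsoft: it reads the certificate currently assigned to the Access Edge service, parses its Subject Alternative Name extension, and reports any SIP domain that lacks a sip.<SIP domain> entry, along with the private-key, chain and expiry conditions the wizard itself checks. It assumes it is run from the Lync Server Management Shell on the Edge Server, where Get-CsCertificate and Get-CsSipDomain are available; the 30-day expiry threshold and the function name are choices made for this example.

```powershell
# Added example (not from the book): validate an assigned Edge certificate against the
# guidelines in this section. Run from the Lync Server Management Shell on the Edge Server.
function Test-EdgeAccessCertificate {
    param(
        # SIP domains to check; defaults to the domains published in the topology.
        [string[]]$SipDomain = (Get-CsSipDomain | ForEach-Object { $_.Name }),
        # Which assigned certificate use to inspect (a standard Lync CertType value).
        [string]$Type = 'AccessEdgeExternal',
        # Warning threshold for expiry; 30 days is this example's own choice.
        [int]$ExpiryWarningDays = 30
    )

    $assigned = Get-CsCertificate -Type $Type | Select-Object -First 1
    if (-not $assigned) { throw "No certificate is assigned for type '$Type'." }

    # Load the X.509 object from the machine store by thumbprint.
    $cert = Get-Item ("Cert:\LocalMachine\My\" + $assigned.Thumbprint)

    # Collect DNS names from the Subject Alternative Name extension (OID 2.5.29.17).
    # Format($true) renders lines such as "DNS Name=sip.contoso.com".
    $sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $dnsNames = @()
    if ($sanExt) {
        $dnsNames = [regex]::Matches($sanExt.Format($true), 'DNS Name=([^\s,]+)') |
            ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() }
    }

    $findings = New-Object System.Collections.Generic.List[string]

    # Guideline: every supported SIP domain needs sip.<SIP domain> as a SAN entry.
    foreach ($d in $SipDomain) {
        $expected = ("sip." + $d).ToLowerInvariant()
        if ($dnsNames -notcontains $expected) {
            $findings.Add("Missing SAN entry: $expected")
        }
    }

    # The wizard only offers certificates that have a private key and chain to a
    # trusted root; re-check both, because a later trust-store change can break
    # an assignment that worked at deployment time.
    if (-not $cert.HasPrivateKey) { $findings.Add('Certificate has no private key in the store') }
    if (-not $cert.Verify())      { $findings.Add('Certificate chain does not validate to a trusted root') }

    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    if ($daysLeft -lt $ExpiryWarningDays) {
        $findings.Add("Certificate expires in $daysLeft days (NotAfter $($cert.NotAfter))")
    }

    [pscustomobject]@{
        Type        = $Type
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        SanDnsNames = $dnsNames
        Findings    = $findings.ToArray()
        Passed      = ($findings.Count -eq 0)
    }
}

# Usage: Test-EdgeAccessCertificate | Format-List
# Pass an explicit list when the topology replica is not reachable:
#   Test-EdgeAccessCertificate -SipDomain 'contoso.com','fabrikam.com'
```

Run it after every topology change that adds a SIP domain, and again before the certificate's renewal window; an empty Findings list with Passed set to True means the assigned certificate still satisfies the guidelines above.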
Use the following steps to request the necessary Edge Server certificates:
1. Under Step 3: Request, Install, or Assign Certificate, click the Run button.
2. Highlight the Edge Internal option and click the Request button.
3. Click Next to begin the wizard.
4. Select either Send the Request Immediately to an Online Certification Authority or Prepare the Request Now, but Send It Later (Offline Certificate Request), and click Next.
Tip
The option to send a certificate request immediately is usually reserved for internal servers. This requires communication between the Edge Server and an internal Domain Certificate Authority server. If your server has access, you can choose this option and enter the URL and credentials required. However, it is more common for offline requests to be generated, even for internal certificates.
5. Click the Browse button and select a file location for the certificate signing request (CSR) file to be saved, and click Next.
6. To use the standard WebServer template, click Next on the Specify Alternate Certificate Template page.
Tip
Many organizations with managed internal Certificate Authority deployments are not using the built-in WebServer templates. You should check with your CA administrator to verify the certificate template that should be used for your Edge Server requests.
7. Enter a friendly name for the certificate such as Lync Server Internal. This is only a display name for the certificate.
8. Select a key bit length for your certificate: 2048 or 4096.
9. If the certificate should be exportable, select the Mark Certificate Private Key as Exportable check box, and click Next.
Tip
If this is the first server in a Lync Edge Server Pool, this certificate must be exportable. All Edge Servers in the Edge Server pool must share the same internal certificate. If this is not the first server in the pool, you should cancel the wizard and instead import the certificate from the first server, and follow the steps to Assign Certificates.
10. Through the next few steps, enter all organization information that applies to your organization. Click Next to continue.
11. Click Next after reviewing the automatically populated subject and subject alternative names.
12. For the internal certificate, you should not configure additional subject alternative names, because they are not needed. For the external certificate, it is possible to enter additional SAN entries if they are required. Click Next.
13. Click Next to complete the request, and then click Finish to complete the wizard.
After completing the wizard, it must be run one more time to generate a CSR for the External Edge Server certificate. Repeat all preceding steps, but choose the External Certificate as part of step 1.
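The same two offline requests can be produced from the Lync Server Management Shell with Request-CsCertificate, which populates the subject and subject alternative names from the published topology just as the wizard does. The script below is an added example rather than the book's or Microsoft's own code. The output directory, friendly names and organization details are placeholders; the -Type values used for the External certificate (AccessEdgeExternal, DataEdgeExternal, AudioVideoAuthentication) are assumed from the cmdlet's CertType set and should be confirmed with Get-Help Request-CsCertificate -Parameter Type before use.

```powershell
# Added example (not from the book): scripted equivalent of the wizard steps above,
# producing offline CSR files for the Edge Internal and External certificates.
# Run from the Lync Server Management Shell on the Edge Server.

$outDir = 'C:\CSR'   # placeholder location for the request files (wizard step 5)
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Organization information entered in wizard step 10 (placeholder values).
$orgInfo = @{
    Organization = 'Contoso'
    OU           = 'IT'
    City         = 'Redmond'
    State        = 'WA'
    Country      = 'US'
}

# Edge Internal certificate. The subject name is taken from the topology (the pool's
# internal FQDN). The private key must be exportable on the first server in the pool,
# because every member of the pool shares this certificate (see the Tip at step 9).
# Add -Template '<name>' if your CA administrator prescribes a non-default template (step 6).
Request-CsCertificate -New -Type Internal `
    -Output (Join-Path $outDir 'EdgeInternal.req') `
    -FriendlyName 'Lync Server Internal' `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    @orgInfo

# Edge External certificate. -AllSipDomain adds sip.<SIP domain> for every SIP domain
# in the topology; -DomainName adds any extra SAN entries required (step 12).
# The -Type list below is an assumption; confirm it against the cmdlet's help.
Request-CsCertificate -New -Type AccessEdgeExternal,DataEdgeExternal,AudioVideoAuthentication `
    -Output (Join-Path $outDir 'EdgeExternal.req') `
    -FriendlyName 'Lync Server External' `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    -AllSipDomain `
    -DomainName 'webconf.contoso.com' `   # placeholder extra SAN entry
    @orgInfo

# The two .req files are what you submit to the certificate authority.
Get-ChildItem $outDir -Filter '*.req'
```

Submit the resulting .req files to your CA exactly as you would the CSR files saved by the wizard; the issued certificates then go through the import and assignment procedures that follow.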
Importing Offline Certificate Requests
After you have processed an offline certificate request from the certificate authority, you will be presented with a certificate file. The certificate file must be imported to your Edge Server, and the easiest way to do this is through the Lync Server Deployment Wizard.
1. Under Step 3: Request, Install, or Assign Certificate, click the Run button.
2. In the Certificate Wizard window, choose Import Certificate.
3. Choose the certificate file from your certificate authority and finish the import wizard.
4. This certificate should now be available to assign to Lync Services. See the next section for more information.
Assigning Certificates
After the necessary certificates have been created, the Edge Server services must have certificates assigned to them. This process binds each certificate to a specific Edge service.
To assign a certificate, perform the following steps:
1. Under Step 3: Request, Install, or Assign Certificate, click the Run button.
2. Highlight Edge Internal and click the Assign button.
3. Click the Next button to begin the wizard.
4. Select Assign an Existing Certificate, and then click Next.
5. Select the correct certificate for this usage. Certificates will not appear here unless they can be verified to a Trusted Root Certification Authority and have a private key associated. Click Next.
6. Verify that the certificate is selected, and then click Next.
7. Click Finish when the process is complete.
Repeat the previous steps to assign the External Edge certificate.
Start Services
After the necessary certificates are requested and assigned, the Lync Server Edge Server services can be started.
1. Under Step 4: Start Services, click the Run button.
2. Click Next to start the Lync Server services.
3. Click Finish to complete the wizard.
At this point, the Edge Server installation is complete and functional.
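The three procedures just described (import, assign, start services) can also be scripted, which is useful when building additional pool members or rebuilding an Edge Server from a runbook. The script below is an added example, not code from the book or from Microsoft. File paths are placeholders; the thumbprints are read directly from the issued certificate files with the .NET X509Certificate2 class so that assignment does not depend on what Import-CsCertificate returns; and the External -Type list is the same assumption noted for the request example, to be confirmed with Get-Help Set-CsCertificate -Parameter Type.

```powershell
# Added example (not from the book): import, assign and start, matching the wizard
# procedures above. Run from the Lync Server Management Shell on the Edge Server.

$internalFile = 'C:\CSR\EdgeInternal.cer'   # placeholder: file issued by the CA
$externalFile = 'C:\CSR\EdgeExternal.cer'   # placeholder: file issued by the CA

# Read the thumbprint from each issued certificate file before importing it.
function Get-CertificateFileThumbprint {
    param([Parameter(Mandatory)][string]$Path)
    $x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    return $x509.Thumbprint
}

$internalThumb = Get-CertificateFileThumbprint -Path $internalFile
$externalThumb = Get-CertificateFileThumbprint -Path $externalFile

# 1. Importing Offline Certificate Requests: pair each issued certificate with the
#    private key generated by the request. Exportable is required on the first pool member.
Import-CsCertificate -Path $internalFile -PrivateKeyExportable $true
Import-CsCertificate -Path $externalFile -PrivateKeyExportable $true

# 2. Assigning Certificates: bind each certificate to its Edge service uses.
#    The wizard's own check (trusted chain plus private key) is repeated here so that
#    a certificate the wizard would refuse is not assigned blindly.
foreach ($thumb in @($internalThumb, $externalThumb)) {
    $cert = Get-Item ("Cert:\LocalMachine\My\" + $thumb)
    if (-not $cert.HasPrivateKey) { throw "Certificate $thumb has no private key; check the import." }
    if (-not $cert.Verify())      { throw "Certificate $thumb does not chain to a trusted root." }
}
Set-CsCertificate -Type Internal -Thumbprint $internalThumb
# The -Type list below is an assumption; confirm it against the cmdlet's help.
Set-CsCertificate -Type AccessEdgeExternal,DataEdgeExternal,AudioVideoAuthentication -Thumbprint $externalThumb

# Review what is now bound to each use before touching services.
Get-CsCertificate | Select-Object Use, Subject, Thumbprint, NotAfter

# 3. Start Services, then list anything that did not reach the Running state.
Start-CsWindowsService
Get-CsWindowsService | Where-Object { $_.Status -ne 'Running' }
```

If the final Get-CsWindowsService line prints any service, the Edge Server is not yet functional; the usual cause at this stage is a certificate assigned to a use that does not match the published topology, which the review step above makes visible.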