Monitoring the Edge Server role requires certificate-based mutual authentication between the Operations Manager agent and the management servers, because the Edge server is not a domain member. This process has several steps, but it is straightforward. To install and configure the certificates that enable the Edge Transport servers to use mutual authentication, complete the following five major tasks:
1. Create a certificate template that issues X.509 certificates in the format Operations Manager requires for mutual authentication.
2. Request the Root CA certificate so the server trusts the CA and the certificates it issues. This is done for each Edge Transport server, and also for the management servers if the CA is not an enterprise CA.
3. Request a certificate from the Root CA to use for mutual authentication. This is done for each Edge Transport server and for each management server.
4. Install the Operations Manager agent manually. This is done for each Edge Transport server.
5. Configure the agent to use the certificate. This is done for each Edge Transport server and for each management server.
These various X.509 certificates are issued from a certificate authority.
Create Certificate Template
This task creates a certificate template named Operations Manager that can be issued from the Windows Server 2008 certification authority web enrollment page. The certificate template supports Server Authentication (OID 1.3.6.1.5.5.7.3.1) and Client Authentication (OID 1.3.6.1.5.5.7.3.2), and it allows the subject name to be entered manually rather than built automatically from Active Directory, because the Edge Transport server will not be an Active Directory domain member.
The steps to create the certificate template follow:
1. Log on to the CA, which is DC1.companyxyz.com in this example.
2. Launch Server Manager.
3. Expand Roles, Active Directory Certificate Services, and select Certificate Templates (fqdn).
4. Right-click the Computer template and select Duplicate Template.
5. Leave the version at Windows 2003 Server, Enterprise Edition and click OK.
6. In the General tab, in the Template display name field, enter Operations Manager.
7. Select the Request Handling tab and mark the Allow Private Key to Be Exported option.
8. Select the Subject Name tab and select Supply in the request. Click OK at the warning.
9. Select the Security tab, select Authenticated Users, and select the Enroll check box.
10. Click OK to save the template.
11. Select Enterprise PKI to expose the CA.
12. Right-click the CA and select Manage CA.
13. In the certsrv console, expand the CA, right-click Certificate Templates, and select New, Certificate Template to Issue.
14. Select the Operations Manager certificate template and click OK.
The new Operations Manager template is now available in the Windows Server 2008 web enrollment page.
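A quick way to confirm that a certificate issued from this template actually carries what Operations Manager needs is to inspect it in the Local Computer Personal store. The following PowerShell script is an added example, not code from the book: it checks for both EKUs named above (1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2), for a private key that is exportable as the template allows, and that the hand-entered subject CN matches the server's FQDN. The FQDN comparison is an assumption about the name you type at enrollment (Operations Manager requires the subject name to match the computer's FQDN); the script uses the .NET X509 classes rather than the newer PKI module so it runs on the PowerShell 2.0 that ships with Windows Server 2008 R2.

```powershell
# Added example (not from the book): verify a certificate issued from the
# "Operations Manager" template has what OpsMgr mutual authentication needs.
# Assumption: the certificate is in Cert:\LocalMachine\My and its subject CN
# must equal this server's FQDN (for example LS2.companyxyz.com).

param(
    [string]$ExpectedFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Test-OpsMgrCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Enhanced Key Usage extension (OID 2.5.29.37); both EKUs must be present.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Subject CN must match the FQDN because the template lets it be typed by hand.
    $cn = $Cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    # The agent needs the private key; the template marks it exportable so the
    # same .pfx can be moved to another server if required.
    $exportable = $false
    if ($Cert.HasPrivateKey) {
        try {
            $key = $Cert.PrivateKey
            if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $exportable = $key.CspKeyContainerInfo.Exportable
            }
        } catch {
            # Key is present but not readable by this account (or is a CNG key);
            # leave Exportable as $false and let the operator investigate.
        }
    }

    New-Object PSObject -Property @{
        Thumbprint     = $Cert.Thumbprint
        Subject        = $Cert.Subject
        SubjectMatches = ($cn -ieq $ExpectedFqdn)
        ServerAuth     = ($ekuOids -contains $ServerAuthOid)
        ClientAuth     = ($ekuOids -contains $ClientAuthOid)
        HasPrivateKey  = $Cert.HasPrivateKey
        Exportable     = $exportable
        NotAfter       = $Cert.NotAfter
    }
}

# Report on every certificate in the Local Computer Personal store; the one
# issued from the Operations Manager template should show $true in every column.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-OpsMgrCertificate $_ } |
    Format-Table Thumbprint, SubjectMatches, ServerAuth, ClientAuth, HasPrivateKey, Exportable, NotAfter -AutoSize
```

Run it as a local administrator on the Edge server after the certificate from task 3 has been installed; a row with any $false value points at the template setting (EKU, exportable key, or Subject Name) that was missed.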
Request the Root CA Server Certificate
This enables the Edge Transport Server to trust the
Windows Server 2008 CA. This does not need to be done on the OpsMgr
management servers because the Windows Server 2008 CA is an Enterprise
CA, and all domain members automatically trust it. If the CA is not an
enterprise CA, complete the steps for the management servers as well.
To request and install the Root CA certificate on the Lync Server 2010 Edge Role server, execute the following steps:
1. Log on to the Edge Transport Server (LS2.companyxyz.com, in this example) with local administrator rights.
2. Open a web browser and point it to the certificate server, in this case https://dc1.companyxyz.com/certsrv. Enter credentials if prompted.
3. Click the Download a CA certificate, certificate chain, or CRL link (see Figure 1).
4. Click the Download CA certificate link.
   Note: If the certificate does not download, add the site to the Local Intranet list of sites in IE.
5. Click Open to open the CA certificate.
6. Click Install Certificate to install the CA certificate.
7. In the Certificate Import Wizard screen, click Next.
8. Select the Place all certificates in the following store radio button.
9. Click Browse.
10. Click the Show physical stores check box.
11. Expand the Trusted Root Certification Authorities folder and select the Local Computer store.
12. Click OK.
13. Click Next, Finish, and OK to install the CA certificate.
14. Close any open windows.
Repeat for all Edge Transport servers. Now the Edge
Transport servers trust certificates issued by the certification
authority. The next step is to request the certificates to use for the
mutual authentication for all servers.
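Where the same Root CA certificate must be placed on several Edge servers, doing it from a script is less error-prone than repeating the wizard, and it lets you verify the thumbprint before trusting the file. The following PowerShell script is an added example and not the book's procedure: it imports a saved copy of the CA certificate into the Local Computer Trusted Root Certification Authorities store (the same store the wizard steps above target), refuses a file whose thumbprint does not match one obtained out of band, and, once a server certificate has been issued, confirms that the certificate chains to that root. The file path and both thumbprints are placeholders you must supply.

```powershell
# Added example (not from the book): import the downloaded Root CA certificate
# into Cert:\LocalMachine\Root and confirm a server certificate chains to it.
# Placeholders: $RootCerPath is where you saved the web enrollment download,
# $ExpectedRootThumbprint is the CA thumbprint obtained out of band, and
# $ServerCertThumbprint (optional) is the mutual-authentication certificate.

param(
    [string]$RootCerPath = 'C:\Temp\certnew.cer',
    [string]$ExpectedRootThumbprint = 'PASTE-ROOT-THUMBPRINT-HERE',
    [string]$ServerCertThumbprint = ''
)

function Install-RootCaCertificate {
    param([string]$Path, [string]$ExpectedThumbprint)

    $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

    # Anything placed in the Trusted Root store can issue certificates this
    # server will accept, so compare the thumbprint before adding it.
    $expected = $ExpectedThumbprint.Replace(' ', '').ToUpper()
    if ($root.Thumbprint -ne $expected) {
        throw "Thumbprint $($root.Thumbprint) does not match the expected Root CA thumbprint."
    }
    if ($root.Subject -ne $root.Issuer) {
        throw "$Path is not a self-signed root; download the CA certificate, not the chain."
    }

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
    $store.Open('ReadWrite')
    try {
        if (-not $store.Certificates.Contains($root)) { $store.Add($root) }
    } finally {
        $store.Close()
    }
    return $root
}

function Test-ChainsToRoot {
    param([string]$LeafThumbprint, [string]$RootThumbprint)

    $leaf = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $LeafThumbprint }
    if (-not $leaf) { throw "No certificate with thumbprint $LeafThumbprint in LocalMachine\My." }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # The Edge server sits outside the domain and may not reach the CRL
    # distribution point; this check is about trust in the root, not revocation.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built = $chain.Build($leaf)

    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    New-Object PSObject -Property @{
        Leaf         = $leaf.Subject
        ChainBuilt   = $built
        TerminatesAt = $top.Subject
        RootTrusted  = ($built -and ($top.Thumbprint -eq $RootThumbprint))
        Status       = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

$root = Install-RootCaCertificate -Path $RootCerPath -ExpectedThumbprint $ExpectedRootThumbprint
Write-Host "Trusted root installed: $($root.Subject) [$($root.Thumbprint)]"

# The chain check only makes sense once the server certificate from the next
# step has been issued; rerun the script with -ServerCertThumbprint then.
if ($ServerCertThumbprint) {
    Test-ChainsToRoot -LeafThumbprint $ServerCertThumbprint -RootThumbprint $root.Thumbprint
}
```

Run it once per Edge server with local administrator rights. RootTrusted reporting $false with a Status of UntrustedRoot means the root landed in the wrong store (typically the current user's store instead of Local Computer), which is the same mistake step 11 of the wizard guards against.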