Export (0) Print
Expand All

Request and Configure a Certificate for Your Reverse HTTP Proxy

 

Topic Last Modified: 2012-07-15

The typical reverse proxy server has certificates from both a public certification authority (CA) and the internal CA infrastructure that is used for your Enterprise requirements when certificates are needed. Microsoft Lync Server 2010 can use an internal Enterprise Public Key Infrastructure (PKI) for all internal purposes, if you have one deployed. Or, you can use public CA certificates for all uses, both internal and external. If you intend to use the internal CA and public CA certificates, the reverse proxy needs both the root certificate (and any intermediate certificates) from the public CA and the root certificate (and any intermediate certificates) from the internal CA. You must install the root certificates and any intermediate CA certificates on the reverse proxy server. Refer to the documentation for your reverse proxy to determine how the root and intermediate certificates should be loaded onto the reverse proxy.

You must install a public certificate of type Web Server on your reverse proxy server. A certificate of type Web Server will ensure that the certificate can properly communicate with the client requests. The public certificate subject name (SN) will be the external name of the external Web services of Front End Server or Front End pool. In the examples used for the Reference Architecture in Planning for External User Access, the Front End Server or Front End pools external FQDN is webext.contoso.com. The certificate’s subject alternative name (SAN) definition should contain the published external web services fully qualified domain names (FQDNs) of each pool that is home to users enabled for remote access. A separate listener and certificate must be configured for external web services FQDNs of all Director or Director pool that will be used within that Edge infrastructure. An example Director or Director pool subject and subject alternative name for the certicate would be webdirext.contosom. The subject alternative name must also contain the meeting simple URL, the dial-in simple URL, and, if you are deploying mobile applications and plan to use automatic discovery, the external Autodiscover Service URL as shown in the following table. Simple URL and Lync Discover SANs would remain the same as the Front End Server, as shown in the table.

 

Value Example

Subject name

Pool FQDN

webext.contoso.com

Subject alternative name

Pool FQDN

webext.contoso.com

Subject alternative name

Meeting simple URL

noteNote:
All meeting simple URLs must be in the subject alternative name. Each SIP domain must have at least one active meeting simple URL.

meet.contoso.com

Subject alternative name

Dial-in simple URL

dialin.contoso.com

Subject alternative name

External Autodiscover Service URL

lyncdiscover.contoso.com

noteNote:
If your internal deployment consists of more than one Standard Edition server or Front End pool, you must configure web publishing rules for each external web farm FQDN and you will either need a certificate and web listener for each, or you must obtain a certificate whose subject alternative name contains the names used by all of the pools, assign it to a web listener, and share it among multiple web publishing rules.
 
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft