Request and Configure a Certificate for Your Reverse HTTP Proxy

Topic Last Modified: 2012-07-15

The typical reverse proxy server has certificates from both a public certification authority (CA) and the internal CA infrastructure that is used for your Enterprise requirements when certificates are needed. Microsoft Lync Server 2010 can use an internal Enterprise Public Key Infrastructure (PKI) for all internal purposes, if you have one deployed. Or, you can use public CA certificates for all uses, both internal and external. If you intend to use the internal CA and public CA certificates, the reverse proxy needs both the root certificate (and any intermediate certificates) from the public CA and the root certificate (and any intermediate certificates) from the internal CA. You must install the root certificates and any intermediate CA certificates on the reverse proxy server. Refer to the documentation for your reverse proxy to determine how the root and intermediate certificates should be loaded onto the reverse proxy.

You must install a public certificate of type Web Server on your reverse proxy server. A certificate of type Web Server will ensure that the certificate can properly communicate with the client requests. The public certificate subject name (SN) will be the external name of the external Web services of Front End Server or Front End pool. In the examples used for the Reference Architecture in Planning for External User Access, the Front End Server or Front End pools external FQDN is webext.contoso.com. The certificate’s subject alternative name (SAN) definition should contain the published external web services fully qualified domain names (FQDNs) of each pool that is home to users enabled for remote access. A separate listener and certificate must be configured for external web services FQDNs of all Director or Director pool that will be used within that Edge infrastructure. An example Director or Director pool subject and subject alternative name for the certicate would be webdirext.contosom. The subject alternative name must also contain the meeting simple URL, the dial-in simple URL, and, if you are deploying mobile applications and plan to use automatic discovery, the external Autodiscover Service URL as shown in the following table. Simple URL and Lync Discover SANs would remain the same as the Front End Server, as shown in the table.