IT tutorials
 
Applications Server
 

Microsoft Lync Server 2013 : Dependent Services and SQL - Server Certificates - Installing Lync Certificates

12/14/2014 8:29:28 PM
- How To Install Windows Server 2012 On VirtualBox
- How To Bypass Torrent Connection Blocking By Your ISP
- How To Install Actual Facebook App On Kindle Fire

In recent years, Microsoft has adopted a “secure out of the box” approach for both operating system and application releases. Lync Server 2013 continues with that same approach, requiring SSL certificates to protect communications between Lync servers, as well as between client and server. In addition, a second type of certificate is being introduced with Lync Server 2013, the Open Authentication (OAuth) certificate. While the SSL certificates will continue to be used to encrypt communications, the OAuth certificates will be used to establish trust across the Office 2013 family of servers. The OAuth certificates allow the exchange of security tokens that grant access to resources for a period of time. Server-to-server authentication and authorization using OAuth is supported between Lync 2013 servers, as well as among Lync 2013, Exchange 2013, and SharePoint 2013 servers for integration scenarios.

The certificates applied to Lync Server systems can be either public certificates issued by a third party certificate authority (CA), or internal certificates issued using a self-managed public key infrastructure (PKI). The most ideal scenario for most organizations is to use a mix of both public and internal certificates for the Lync deployment, with third-party certificates being used for services that are public-facing (such as Edge services), and internal certificates being used for services that are strictly internal (such as communication between Lync Front End Servers). Although this hybrid approach serves to meet the certificate requirements of Lync and reduce the cost of the certificates, it does require that an internal PKI be deployed before the installation of the Lync environment. Since an internal PKI deployment is a project unto itself, organizations that do not already manage an internal PKI deployment will likely need to procure server certificates from a third-party CA for Lync services. The one exception to this is the OAuth certificate, since this can be a self-signed certificate generated internally.

Lync Server Certificate Requirements

Following are the primary uses for certificates within Lync:

• Communication between Lync clients and Lync servers is encrypted using TLS.

• Authentication between Lync 2013 servers, as well as authentication among Lync 2013 servers, Exchange 2013 servers, and SharePoint 2013 servers, uses server-to-server OAuth certificates.

• Communications between Lync servers is encrypted using MTLS.

• Automatic DNS discovery of partners for federation uses certificates for authentication.

• Remote or external user access for any Lync functionality is encrypted, including IM, audio/video (A/V) sessions, application sharing, and conferencing.

• A mobile request using automatic discovery of Web Services is encrypted.

Following are the common requirements that apply to the SSL certificates issued for use with Lync Server:

• All server certificates must support server authorization (Server EKU).

• All server certificates must contain a CRL Distribution Point (CDP).

• Auto-enrollment is supported for internal Lync servers, but is not supported for Lync Edge Servers.

• Key lengths of 1024, 2048, and 4096 are supported.

• Supported hash algorithms include RSA (the default), ECDH_P256, ECDH_P384, and ECDH_P521.

• All certificates are standard web server certificates, and must include the private key.

Following are the requirements that apply to the OAuth certificates issued for use with Lync Server:

• The certificate issued for OAuth must be the same across all Lync servers in the environment, and therefore the private key must be exportable for the certificate.

• A Web Server certificate that has the name of the SIP domain as subject can be used as an OAuth certificate.

• Generally, any Lync Server SSL certificate can also be used as an OAuth certificate, provided that all other requirements are met. However, if the default Lync Server certificate is used for both SSL and OAuth, it must be assigned twice, once for each certificate usage.


Note

Distribution of the OAuth certificate between Lync Server 2013 Front End Servers is handled automatically via Central Management Store replication.

Installing Lync Certificates

The number of certificates required for a Lync deployment and the configuration of those certificates vary greatly depending on the topology chosen and the Lync features that are installed. The internal Lync server roles that require certificates include Front End Server, Mediation Server, Director, and Persistent Chat Server. For external user access, a combination of public and internal certificates is used on the Edge Server, and a public certificate is also required for the reverse HTTP proxy system.

Lync Server 2013 provides a wizard for requesting, installing, and assigning certificates. For example, the following procedure is used to create an offline SSL certificate request to be sent to a third-party CA for a Front End Server:

1. Log on to the Front End Server, and launch the Lync Server Deployment Wizard.

2. At the opening screen, click Install or Update Lync Server System.

3. The Deployment Wizard determines the current state of the environment and provides links to various installation options as needed. Assuming that the Local Configuration Store is installed and at least one Lync Server component has been installed, the link to run Step 3: Request, Install or Assign Certificates will be available. Click Run on Step 3 to begin the certificate request.

4. When the Certificate Wizard screen appears, expand the arrow to the left of Default Certificate to display the certificate usage options. As shown in Figure 1, by default the certificate requested will be used as the default Lync server certificate, and will also be used for both the internal and the external web services. If a separate certificate is planned for any of these, that usage can be deselected here. When finished, click Request.

Image

Figure 1. Lync certificate usages.

5. The Certificate Request Wizard now launches. Click Next.

6. For a certificate request that will be sent to a third-party CA, choose Prepare the Request Now, but Send It Later (offline certificate request). If the request will be sent to an internal CA, it is possible to instead select Send the Request Immediately to an Online Certificate Authority.

7. If offline certificate request was chosen in the previous step, the Certificate Request File screen appears. Browse to a location where the certificate request file will be stored, such as a local subdirectory on the server, and enter a name for the certificate request file. After the location is selected, click Next.

8. By default, the wizard creates the certificate request using the WebServer (SSL) template. If a different certificate template is planned, select the option Use Alternate Certificate Template for the Selected Certification Authority, and then enter the name of the template into the Certificate Template Name field. When finished, click Next.

9. At the Name and Security Settings screen, enter a friendly name for the certificate, which makes it easier to identify later. Also, choose a bit length for the certificate. If the private key will need to be exported later, which is typically the case when a SAN cert is imported onto multiple computers, select the option for Mark the Certificate’s Private Key as Exportable. Click Next.

10. At the Organization Information screen, enter the name of the organization and organizational unit into the corresponding fields, and then click Next.

11. At the Geographical Information screen, select the country from the drop-down menu, and then enter the information into the State/Province and City/Locality fields. Click Next.


Tip

With an external CA, typically the values for the organizational and geographical information have already been defined as naming constraints, in which case the information entered on these screens must match the values already defined with the certificate provider.


12. Review the names that are populated into the certificate as shown in Figure 2, and then click Next.

Image

Figure 2. Certificate names.


Tip

Figure 2 shows that the wizard has automatically populated several subject alternative names that are required for specific Lync functions.


13. For each SIP domain, if automatic sign-in will be used without DNS SRV entries, if strict domain matching will be used, or if Lync Phone edition devices will be used, the check box shown in Figure 3 should be selected for that domain to provide an additional required SAN. When finished, click Next.

Image

Figure 3. Configuring SANs per SIP domain.


Tip

For each SIP domain selected on the previous screen, the wizard will add a subject alternative name of sip.<domain>, which is required for the scenarios that are mentioned. Using the example in Figure 3 a SAN of sip.companyabc.com will be added.


14. The opportunity to enter additional subject alternate names outside those automatically determined by the wizard is presented. Enter each additional SAN that will be used, and then click Next.


Tip

The screen described in step 14 provides an opportunity for the Lync administrator to “future proof” a public certificate that will be purchased for use with Lync. For example, there may be Lync services that are planned for a future phase of the Lync deployment. Adding the names that will be used for those services now will both save time and prevent any additional certificate costs.


15. At the Certificate Request Summary screen, review the values for accuracy, and then click Next.

16. The commands required to generate the certificate request file are now executed. Click View Log to determine whether any errors occurred during the certificate request process. When finished, click Next.

17. At the Certificate Request File screen, the opportunity is presented to view the resulting certificate request text file. With most third-party certificate providers, it is typically necessary to copy and paste this text into the provider’s web portal when requesting the certificate. If so, click View and use the resulting Notepad file to copy the text to the Windows clipboard. When finished, close the Notepad file and click Finish.

After the certificate has been issued by the vendor, the Lync Server Deployment Wizard is used to import the certificate and assign it, as described here:

1. Log on to the Front End Server, and launch the Lync Server Deployment Wizard.

2. At the opening screen, click Install or Update Lync Server System.

3. The Deployment Wizard determines the current state of the environment and provides links to various installation options as needed. Click Run on Step 3 to install and assign the certificate.

4. At the Certificate Wizard screen, click the Import Certificate button at the bottom of the screen.

5. At the Import Certificate screen, click Browse and navigate to the location of the certificate issued by the third-party CA. If there is a private key contained in the file (for example, if it was exported from another Lync server), select the Certificate File Contains Certificate’s Private Key check box and enter the password that was applied to the export in the field provided. When finished, click Next.

6. At the Import Certificate Summary screen, review the summary information and click Next.

7. The commands required to import the certificate are now executed. Click View Log to determine whether any errors occurred during the certificate import process. When finished, click Finish to return to the Certificate Wizard.

8. At the Certificate Wizard screen, click Assign.

9. At the Certificate Assignment screen, click Next.

10. The certificates that are available in the local certificate store of the server are now displayed, as shown in Figure 4. Select the certificate that will be assigned to Lync, and then click Next.

Image

Figure 4. Assigning a certificate to Lync.


Tip

If there are several certificates in the local certificate store of the server, at first glance it might be difficult to differentiate between these in order to make the right selection. If so, click the View Certificate Details button at the bottom of the screen. Typically, the Friendly Name or the Subject Alternative Name fields will make it evident as to which certificate is intended for Lync.


11. At the Certificate Assignment Summary screen, review the summary information, and then click Next.

12. The commands required to assign the certificate are now executed. Click View Log to determine whether any errors occurred during the certificate assignment process. When finished, click Finish to return to the Certificate Wizard.

13. The default certificate is now assigned to the server, as shown in Figure 5. Click Close to exit the Certificate Wizard.

Image

Figure 5. Viewing the assigned certificate.

 
Others
 
- Microsoft Lync Server 2013 : Dependent Services and SQL - Domain Name System - DNS Load Balancing , Automatic Client Sign-in
- Microsoft Lync Server 2013 : Dependent Services and SQL - Active Directory (part 2) - Forest Prep, Domain Prep, Lync Server 2013 Security Groups
- Microsoft Lync Server 2013 : Dependent Services and SQL - Active Directory (part 1) - Schema Extensions
- Administering Active Directory 2008 : Creating and Managing Active Directory Objects (part 4) - Moving, Renaming, and Deleting Active Directory Objects , Resetting an Existing Computer Account
- Administering Active Directory 2008 : Creating and Managing Active Directory Objects (part 3) - Understanding Groups, Filtering and Advanced Active Directory Features
- Administering Active Directory 2008 : Creating and Managing Active Directory Objects (part 2) - Managing Object Properties
- Administering Active Directory 2008 : Creating and Managing Active Directory Objects (part 1) - Overview of Active Directory Objects
- Sharepoint 2010 : Windows PowerShell Remoting (part 2) - Entering a Remote Session, Running SharePoint 2010 Cmdlets Remotely
- Sharepoint 2010 : Windows PowerShell Remoting (part 1)
- Sharepoint 2010 : Windows PowerShell Scripts (part 3) - Writing Comment-Based Help Topics in Scripts,Using Functions in Scripts , Customizing Windows PowerShell with Profile Scripts
 
 
Top 10
 
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
programming4us programming4us
 
Popular tags
 
Video Tutorail Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 Adobe Indesign Adobe Flash Professional Dreamweaver Adobe Illustrator Adobe After Effects Adobe Photoshop Adobe Fireworks Adobe Flash Catalyst Corel Painter X CorelDRAW X5 CorelDraw 10 QuarkXPress 8 windows Phone 7 windows Phone 8 BlackBerry Android Ipad Iphone iOS