Certificates for Lync Server 2010
Topic Last Modified: 2011-05-02
Edge servers have certificates and communicate with internal servers over MTLS. Certificates are required on both the internal and external interfaces of each Edge Server.
Each Edge Server requires a public certificate on the interfaces between the perimeter network and the Internet. The certificate must be issued by a public certification authority (CA), and the certificate's subject alternative name (SAN) must contain the external fully qualified domain names (FQDNs) of the Access Edge service and the Web Conferencing Edge service. The Deployment Wizard simplifies configuration of the SAN by automating much of the process. Microsoft Lync Server 2010 supports the use of a single public certificate for all external interfaces. The certificate's private key must be exportable if the certificate is used with multiple Edge Servers, and we recommend that you use an exportable key even with a single Edge Server. The key must also be exportable if you request the certificate from any computer other than the Edge Server.
A certificate is also required on the external Edge interface for A/V authentication. The private key of the A/V authentication certificate is used to generate authentication credentials. The certificate that you use must be issued from a public CA. By default, the same certificate is used for the external edge and A/V authentication. If you are deploying multiple, load-balanced Edge Servers at a site, the same certificate must be installed on each Edge Server. The certificate must be exportable if you use it on more than one Edge Server, or if you request the certificate from any computer other than the Edge Server.
Each reverse proxy server requires a web server certificate. The SAN of the web server certificate must specify all external Web FQDNs (from all Front End pools and Directors) and all simple URLs, except the Admin URL. This certificate must be issued by a public CA.
For details about edge server certificate requirements and deployment, see the Certificate Requirements for External User Access in the Planning documentation, Request Edge Certificates in the Deployment documentation, and Set Up Edge Certificates in the Deployment documentation.
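The following PowerShell script is an added example and is not part of the Lync Server documentation or the Deployment Wizard. It reads a certificate from the local computer store and checks that its subject and SAN cover every FQDN the external Edge or reverse proxy interface needs, that it carries a private key, and that it has not expired. The thumbprint and the contoso.com FQDNs are constructed placeholders, and the SAN parsing assumes the English "DNS Name=" formatting produced by the .NET Format method.

```powershell
# Added example (not from the Lync Server documentation): verify that a certificate in the
# local computer store covers every FQDN required on an Edge or reverse proxy interface.
# Thumbprint and FQDNs below are constructed placeholders; replace them with your own values.

function Get-CertificateDnsNames {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $names = @()
    # Subject common name
    if ($Certificate.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    # Subject Alternative Name extension (OID 2.5.29.17). Format($true) yields one entry per
    # line, e.g. "DNS Name=sip.contoso.com" (assumption: English-locale formatting).
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match 'DNS Name=(\S+)') { $names += $Matches[1] }
        }
    }
    return @($names | Select-Object -Unique)
}

function Test-CertificateCoversFqdns {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string[]]$RequiredFqdns
    )
    $present = Get-CertificateDnsNames -Certificate $Certificate
    # -notcontains compares case-insensitively, which is what DNS names need
    $missing = @($RequiredFqdns | Where-Object { $present -notcontains $_ })
    $notExpired = $Certificate.NotAfter -gt (Get-Date)
    [pscustomobject]@{
        Thumbprint    = $Certificate.Thumbprint
        Present       = $present
        Missing       = $missing
        HasPrivateKey = $Certificate.HasPrivateKey
        Expires       = $Certificate.NotAfter
        Ok            = ($missing.Count -eq 0) -and $Certificate.HasPrivateKey -and $notExpired
    }
}

# Usage on an Edge Server or reverse proxy (placeholder values):
$cert = Get-Item 'Cert:\LocalMachine\My\PLACEHOLDER_THUMBPRINT'

# External Edge certificate: Access Edge and Web Conferencing Edge external FQDNs
Test-CertificateCoversFqdns -Certificate $cert -RequiredFqdns @('sip.contoso.com', 'webconf.contoso.com')

# Reverse proxy certificate: external Web FQDN of each Front End pool and Director,
# plus the simple URLs other than the Admin URL
Test-CertificateCoversFqdns -Certificate $cert -RequiredFqdns @('lyncweb.contoso.com', 'meet.contoso.com', 'dialin.contoso.com')
```

A non-empty Missing list means a client connecting to that FQDN will fail certificate validation; check the result before assigning the certificate to a service.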
Best Practice for Certificates
To help ensure security when using the same certificate on multiple Edge Servers, request a single certificate to be used for all Edge Servers and mark the private key as exportable, and then do the following:
1. On an Edge Server, request a certificate with an exportable private key.
2. Import the certificate to the first Edge Server. Include the root certificate chain, if necessary.
3. Export the certificate with its private key. The certificate must be marked to allow this.
4. Import the certificate you exported into the computer store on each additional Edge Server, but do not mark the private key of this certificate as exportable.
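The PowerShell script below is an added example, not part of the Lync Server documentation or its cmdlets. It carries out the export and the non-exportable import from the steps above with the .NET X509Certificate2 API, which is available on the Windows Server versions Lync Server 2010 runs on: it first checks that the key on the first Edge Server is exportable, writes a password-protected PFX, and then imports that PFX on another Edge Server with the MachineKeySet and PersistKeySet flags only, so the private key cannot be exported again from that server. The thumbprint, file path and password prompt are placeholders.

```powershell
# Added example (not from the Lync Server documentation): export the Edge certificate with
# its private key from the first Edge Server, then import it non-exportable elsewhere.
# Thumbprint and PFX path are constructed placeholders.

function Test-PrivateKeyExportable {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    if (-not $Certificate.HasPrivateKey) { return $false }
    try {
        # A PFX export throws a CryptographicException when the key was stored without the exportable flag
        $null = $Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, 'probe')
        return $true
    } catch {
        return $false
    }
}

function Export-EdgeCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][securestring]$Password
    )
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    if (-not (Test-PrivateKeyExportable -Certificate $cert)) {
        throw "Private key of $Thumbprint is not exportable; request the certificate with an exportable key."
    }
    # Exports this certificate and its private key only; the CA chain is imported separately on each server
    $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
    [System.IO.File]::WriteAllBytes($Path, $bytes)
    return $cert.Thumbprint
}

function Import-EdgeCertificateNonExportable {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][securestring]$Password
    )
    # MachineKeySet + PersistKeySet, and deliberately NOT Exportable: the key is persisted in the
    # computer store on this server and cannot be exported from it again.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet -bor
             [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password, $flags)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $store.Add($cert)
    $store.Close()
    return $cert.Thumbprint
}

# On the first Edge Server, after the CA-issued certificate and its chain have been imported:
$pfxPassword = Read-Host -AsSecureString 'PFX password'
Export-EdgeCertificate -Thumbprint 'PLACEHOLDER_THUMBPRINT' -Path 'C:\Temp\edge.pfx' -Password $pfxPassword

# On each additional Edge Server, after copying edge.pfx there and supplying the same password:
$imported = Import-EdgeCertificateNonExportable -Path 'C:\Temp\edge.pfx' -Password $pfxPassword
Test-PrivateKeyExportable -Certificate (Get-Item "Cert:\LocalMachine\My\$imported")   # False on the importing server
```

Delete the PFX file from every server once the import is verified; the file holds the private key that authenticates all of your Edge Servers, and the non-exportable import only protects the copy in the certificate store.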