Certificate summary - Single consolidated edge with public IP addresses in Lync Server 2013


Topic Last Modified: 2012-09-08

Microsoft Lync Server 2013 uses certificates to mutually authenticate other servers and to encrypt data from server to server and from server to client. Certificates require that the domain name system (DNS) records associated with the servers match the subject name (SN) and subject alternative names (SAN) on the certificate. To map servers, DNS records and certificate entries successfully, you must carefully plan the fully qualified domain names of your servers as registered in DNS and the SN and SAN entries on the certificate.

The certificate assigned to the external interfaces of the Edge Server is requested from a public certification authority (CA). Public CAs that have demonstrated success in supplying certificates for Unified Communications are listed in the following article: https://go.microsoft.com/fwlink/p/?linkid=3052&kbid=929395. When requesting the certificate, you can use the certificate request generated by the Lync Server Deployment Wizard, create the request manually, or use a process provided by the public CA. The certificate is assigned to the Access Edge service interface, the Web Conferencing Edge service interface, and the Audio/Video Authentication service. The Audio/Video Authentication service should not be confused with the A/V Edge service, which does not use a certificate to encrypt the audio and video streams. The internal Edge Server interface can use a certificate from an internal (to your organization) CA or from a public CA. The internal interface certificate uses only the SN and does not need or use SAN entries.

Note

The following table shows a second SIP entry (sip.fabrikam.com) in the subject alternative name list for reference. For each SIP domain in your organization, you need to add a corresponding FQDN to the certificate subject alternative name list.

Certificates Required for Single Consolidated Edge with Public IP Addresses

Component: Single consolidated Edge (External Edge)
Subject name (SN): sip.contoso.com
Subject alternative names (SAN)/Order: webcon.contoso.com, sip.contoso.com, sip.fabrikam.com
Comments: Certificate must be from a public CA, and must have the server EKU and client EKU if public IM connectivity with AOL is to be deployed. The certificate is assigned to the external Edge interfaces for:

  • Access Edge

  • Conferencing Edge

  • A/V Edge

Note that SANs are automatically added to the certificate based on your definitions in Topology Builder. You add SAN entries as needed for additional SIP domains and other entries that you need to support. The subject name is replicated in the SAN and must be present for correct operation.

Component: Single consolidated Edge (Internal Edge)
Subject name (SN): lsedge.contoso.net
Subject alternative names (SAN)/Order: No SAN required
Comments: Certificate can be issued by a public or private CA, and must contain the server EKU. The certificate is assigned to the internal Edge interface.

Certificate Summary – Public Instant Messaging Connectivity

Component: External/Access Edge
Subject name (SN): sip.contoso.com
Subject alternative names (SAN)/Order: sip.contoso.com, webcon.contoso.com, sip.fabrikam.com
Comments: Certificate must be from a public CA, and must have the server EKU and client EKU if public IM connectivity with AOL is to be deployed. The certificate is assigned to the external Edge interfaces for:

  • Access Edge

  • Conferencing Edge

  • A/V Edge

Note that SANs are automatically added to the certificate based on your definitions in Topology Builder. You add SAN entries as needed for additional SIP domains and other entries that you need to support. The subject name is replicated in the SAN and must be present for correct operation.

Certificate Summary for Extensible Messaging and Presence Protocol

Component: Assign to Access Edge service of Edge Server or Edge pool
Subject name (SN): sip.contoso.com
Subject alternative names (SAN)/Order: webcon.contoso.com, sip.contoso.com, sip.fabrikam.com, xmpp.contoso.com, *.contoso.com
Comments: The first three SAN entries are the normal SAN entries for a full Edge Server. The contoso.com entry is required for federation with the XMPP partner at the root domain level. This entry allows XMPP for all domains with the suffix *.contoso.com.
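As an added example (not part of the original page or of Lync Server itself), the following Python script encodes the name and EKU rules from the three tables above as a pre-deployment check. It models a certificate's subject, SAN list and EKU OIDs as a plain dictionary so it runs offline; the sample values are constructed from the contoso.com and fabrikam.com names on this page, and the EKU OIDs are the standard id-kp-serverAuth and id-kp-clientAuth values.

```python
# Added example (not from the page): checks a cert's subject, SAN and EKUs against
# the tables above. Fields are modelled as a dict so the check runs offline.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth, the "server EKU"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth, the "client EKU"

def check_external_edge_cert(cert, sip_domains, webcon_fqdn,
                             aol_im=False, xmpp_root=None):
    """Return findings for an external Edge certificate; empty list = passes."""
    findings = []
    subject = cert["subject"].lower()
    sans = {name.lower() for name in cert["san"]}
    ekus = set(cert["eku"])
    if subject not in sans:  # subject name must be replicated in the SAN list
        findings.append(f"subject {subject} not replicated in SAN")
    if webcon_fqdn.lower() not in sans:  # Web Conferencing Edge FQDN
        findings.append(f"SAN lacks {webcon_fqdn}")
    for domain in sip_domains:  # one sip.<domain> entry per SIP domain
        if f"sip.{domain.lower()}" not in sans:
            findings.append(f"SAN lacks sip.{domain}")
    if SERVER_AUTH not in ekus:
        findings.append("server EKU missing")
    if aol_im and CLIENT_AUTH not in ekus:  # public IM with AOL needs client EKU
        findings.append("client EKU missing (required for public IM with AOL)")
    if xmpp_root:  # XMPP federation at the root domain: xmpp.<root> and *.<root>
        for needed in (f"xmpp.{xmpp_root}", f"*.{xmpp_root}"):
            if needed.lower() not in sans:
                findings.append(f"SAN lacks {needed} (XMPP federation)")
    return findings

def check_internal_edge_cert(cert):
    """Internal Edge interface: subject name only, server EKU required."""
    findings = []
    if not cert["subject"]:
        findings.append("subject name missing")
    if SERVER_AUTH not in cert["eku"]:
        findings.append("server EKU missing")
    return findings

# Constructed sample matching the XMPP table above (public CA, both EKUs).
XMPP_EDGE_CERT = {
    "subject": "sip.contoso.com",
    "san": ["webcon.contoso.com", "sip.contoso.com", "sip.fabrikam.com",
            "xmpp.contoso.com", "*.contoso.com"],
    "eku": [SERVER_AUTH, CLIENT_AUTH],
}
INTERNAL_EDGE_CERT = {"subject": "lsedge.contoso.net", "san": [], "eku": [SERVER_AUTH]}
```

To check a real certificate, populate the dictionary from the parsed certificate's subject CN, Subject Alternative Name and Extended Key Usage extensions.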