Deploy Edge Servers in Skype for Business Server

Summary: Learn how to deploy Edge Servers into your Skype for Business Server environment.

The following sections contain the steps to follow after you have reviewed the Plan for Edge Server deployments in Skype for Business Server documentation. The deployment steps are as follows:

  • Network interfaces

  • Installation

  • Certificates

  • Starting the Edge Servers

Network interfaces

As noted in Planning, you will configure your network interfaces either with DNS in the perimeter network hosting your Edge Servers, or without DNS in the perimeter network.

Interface configuration with DNS servers in the perimeter network

  1. Install two network adapters for each Edge Server, one for the internal-facing interface, and one for the external-facing interface.

    Note

    The internal and external subnets must not be routable to each other.

  2. On your external interface, you'll configure one of the following:

    a. Three static IP addresses on the external perimeter network subnet, and point the default gateway to the internal interface of the external firewall. Configure the adapter DNS settings to point to a pair of perimeter DNS servers.

    b. One static IP address on the external perimeter network subnet, and point the default gateway to the internal interface of the external firewall. Configure the adapter DNS settings to point to a pair of perimeter DNS servers. This configuration is ONLY acceptable if you have previously configured your topology to have non-standard values in the port assignments, which is covered in the Create your Edge topology for Skype for Business Server article.

  3. On your internal interface, configure one static IP on the internal perimeter network subnet, and don't set a default gateway. Configure the adapter DNS settings to point to at least one DNS server, but preferably a pair of perimeter DNS servers.

  4. Create persistent static routes on the internal interface to all internal networks where clients, Skype for Business Server, and Exchange Unified Messaging (UM) servers reside.

Interface configuration without DNS servers in the perimeter network

  1. Install two network adapters for each Edge Server, one for the internal-facing interface, and one for the external-facing interface.

    Note

    The internal and external subnets must not be routable to each other.

  2. On your external interface, you'll configure one of the following:

    a. Three static IP addresses on the external perimeter network subnet. You'll also need to configure the default gateway on the external interface, for example, defining the internet-facing router or the external firewall as the default gateway. Configure the adapter DNS settings to point to an external DNS server, ideally a pair of external DNS servers.

    b. One static IP address on the external perimeter network subnet. You'll also need to configure the default gateway on the external interface, for example, defining the internet-facing router or the external firewall as the default gateway. Configure the adapter DNS settings to point to an external DNS server, or ideally a pair of external DNS servers. This configuration is ONLY acceptable if you have previously configured your topology to have non-standard values in the port assignments, which is covered in the Create your Edge topology for Skype for Business Server article.

  3. On your internal interface, configure one static IP on the internal perimeter network subnet, and don't set a default gateway. Also leave the adapter DNS settings empty.

  4. Create persistent static routes on the internal interface to all internal networks where clients, Skype for Business Server, and Exchange Unified Messaging (UM) servers reside.

  5. Edit the HOSTS file on each Edge Server to contain a record for the next hop server or virtual IP (VIP). This record will be the Director, Standard Edition server or Front End pool you configured as the Edge Server next hop address in Topology Builder. If you're using DNS load balancing, include a line for each member of the next hop pool.
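The interface rules in both procedures above can be checked from PowerShell once the adapters are configured. This is an added example, not part of the original documentation; the adapter aliases, the internal prefix and the next-hop FQDN are assumptions to replace with your own values.

```powershell
# Added example (not from the original documentation): audits an Edge Server's
# two adapters against the interface rules above. Adapter aliases, the internal
# prefix list and the next-hop FQDN are assumptions; replace them with your own.
param(
    [string]   $InternalAlias    = 'Internal',
    [string]   $ExternalAlias    = 'External',
    [string[]] $InternalPrefixes = @('10.0.0.0/8'),         # constructed sample value
    [string]   $NextHopFqdn      = 'pool01.contoso.local',  # constructed sample value
    [switch]   $PerimeterDns     # set when the perimeter network has DNS servers
)

$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Static addressing on both adapters, and no forwarding between the subnets.
foreach ($alias in $InternalAlias, $ExternalAlias) {
    $ipIf = Get-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv4
    if ($ipIf.Dhcp -eq 'Enabled') {
        $findings.Add("[$alias] DHCP is enabled; static IP addresses are required.")
    }
    if ($ipIf.Forwarding -eq 'Enabled') {
        $findings.Add("[$alias] IP forwarding is enabled; the subnets must not route to each other.")
    }
}

# 2. One internal address; three external addresses, or one with non-standard ports.
$intAddr = @(Get-NetIPAddress -InterfaceAlias $InternalAlias -AddressFamily IPv4)
$extAddr = @(Get-NetIPAddress -InterfaceAlias $ExternalAlias -AddressFamily IPv4)
if ($intAddr.Count -ne 1) {
    $findings.Add("[$InternalAlias] expected 1 static IP, found $($intAddr.Count).")
}
if ($extAddr.Count -notin 1, 3) {
    $findings.Add("[$ExternalAlias] expected 3 static IPs (or 1), found $($extAddr.Count).")
}
elseif ($extAddr.Count -eq 1) {
    Write-Host "[$ExternalAlias] single IP: only valid with non-standard port assignments in the topology."
}

# 3. The default gateway belongs on the external adapter only.
$default = @(Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue)
if ($default | Where-Object { $_.InterfaceAlias -eq $InternalAlias }) {
    $findings.Add("[$InternalAlias] has a default gateway; the internal interface must have none.")
}
if (-not ($default | Where-Object { $_.InterfaceAlias -eq $ExternalAlias })) {
    $findings.Add("[$ExternalAlias] has no default gateway.")
}

# 4. Persistent static routes to the internal networks on the internal adapter.
#    Assumes the routes were created with New-NetRoute, which writes to the
#    persistent store by default.
$persistent = @(Get-NetRoute -PolicyStore PersistentStore -InterfaceAlias $InternalAlias `
                    -AddressFamily IPv4 -ErrorAction SilentlyContinue)
foreach ($prefix in $InternalPrefixes) {
    if ($persistent.DestinationPrefix -notcontains $prefix) {
        $findings.Add("[$InternalAlias] no persistent route to $prefix.")
    }
}

# 5. DNS settings differ between the two procedures.
$intDns = @((Get-DnsClientServerAddress -InterfaceAlias $InternalAlias -AddressFamily IPv4).ServerAddresses |
            Where-Object { $_ })
$extDns = @((Get-DnsClientServerAddress -InterfaceAlias $ExternalAlias -AddressFamily IPv4).ServerAddresses |
            Where-Object { $_ })
if ($extDns.Count -lt 1) {
    $findings.Add("[$ExternalAlias] no DNS server configured.")
}
if ($PerimeterDns) {
    if ($intDns.Count -lt 1) {
        $findings.Add("[$InternalAlias] no DNS server configured (at least one is required).")
    }
}
else {
    if ($intDns.Count -gt 0) {
        $findings.Add("[$InternalAlias] DNS servers are set; leave them empty without perimeter DNS.")
    }
    # Without perimeter DNS the next hop must resolve from the HOSTS file.
    $hostLines = Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
                 Where-Object { $_ -notmatch '^\s*(#|$)' }
    $entries = @($hostLines | Where-Object { ($_ -split '\s+') -contains $NextHopFqdn })
    if ($entries.Count -eq 0) {
        $findings.Add("HOSTS file has no record for next hop $NextHopFqdn.")
    }
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
}
else {
    Write-Host 'All interface checks passed.'
}
```

Run it in an elevated session on each Edge Server, adding `-PerimeterDns` when the first procedure applies.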

Installation

To complete these steps successfully, you will need to have followed the steps in the Create your Edge topology for Skype for Business Server article.

  1. Log on to the server you've been configuring for the Edge Server role with an account that's in the local Administrators group.

  2. You'll need the topology configuration file you copied out at the end of the Edge Server Topology documentation on this machine. Access the external media you placed that configuration file on (like a USB drive or share).

  3. Start the Deployment Wizard.

  4. Once the wizard opens, click Install or Update Skype for Business Server System.

  5. The wizard will run checks to see if anything's already installed. As this is the first time running the wizard, you'll want to start at Step 1. Install Local Configuration Store.

  6. The Configure Local Replica of Central Management store dialog will appear. You need to click Import from a file (Recommended for Edge Servers).

  7. From here, browse to the location of the topology you exported previously, select the .zip file, click Open, and then click Next.

  8. The Deployment Wizard will read the configuration file and write the XML configuration file to the local computer.

  9. After the Executing Commands process is finished, click Finish.

  10. In the Deployment Wizard, click Step 2. Setup or Remove Skype for Business Server Components. The wizard will then install the Skype for Business Server Edge components specified in the XML configuration file that's been stored on the local computer.

  11. Once the installation's complete, you can move on to the steps in the Certificates section below.

Certificates

The certificate requirements for the Edge Server can be found in the Edge Certificate Planning documentation. The steps for setting up certificates are below.

Note

When running the Certificate Wizard, you need to be logged in as an account with the correct permissions for the type of certificate template you're going to use. By default, a Skype for Business Server certificate request is going to use the Web Server certificate template. If you're logged in with an account that's a member of the RTCUniversalServerAdmins group to request a certificate via this template, double-check to make sure the group's been assigned the Enroll permissions to use that template.

Internal Edge interface certificates

1. Download or export the CA certification chain

   a. Download using certsrv web site

      i. Log into a Skype for Business Server in your internal network as a member of the local Administrators group.

      ii. Open up Start, and Run (or Search and Run), and then type the following:

https://<NAME OF YOUR ISSUING CA SERVER>/certsrv

      For example:

https://ca01.contoso.com/certsrv

      iii. On the issuing CA's certsrv web page, under Select a task, click Download a CA certificate, certificate chain, or CRL.

      iv. Under Download a CA certificate, certificate chain, or CRL, click Download CA certificate chain.

      v. In the File Download box, click Save.

      vi. Save the .p7b file to the hard disk drive on the server, and then copy it to a folder on each of your Edge Servers.

   b. Export using MMC

      i. You can export the CA root certificate from any domain joined machine using the MMC. Either go to Start and Run, or open Search, and type MMC to open.

      ii. In the MMC console, click File, and then click Add/Remove Snap-In.

      iii. From the Add or Remove Snap-ins dialog list, choose Certificates, and then click Add. When prompted, select Computer Account, and then Next. On the Select Computer dialog, select Local Computer. Click Finish, and then OK.

      iv. Expand Certificates (Local computer). Expand Trusted Root Certification Authorities. Select Certificates.

      v. Click the root certificate issued by your CA. Right-click the certificate, choose All Tasks on the menu, and then select Export.

      vi. The Certificate Export Wizard opens. Click Next.

      vii. On the Export File Format dialog, choose the format you want to export to. Our recommendation is Cryptographic Message Syntax Standard - PKCS #7 Certificates (P7b). If that's your choice as well, remember to also select the Include all certificates in the certification path if possible checkbox, as this will also export the certificate chain, including the root CA certificate and any intermediate certificates. Click Next.

      viii. On the File to Export dialog, in the file name entry, type a path and file name (the default extension would be .p7b) for the exported certificate. If it's easier for you, choose the Browse button to go to the location you want to save the exported certificate to, and name the exported certificate here. Click Save, and then Next when you're ready.

      ix. Review the summary of your actions, and click Finish to complete the export of the certificate. Click OK to confirm the successful export.

      x. Copy the .p7b file to each of your Edge Servers.

2. Import the CA certification chain

   a. On each Edge Server, open the MMC (choose Start and Run, or Search, and type MMC to open).

   b. On the File menu, click Add/Remove Snap-in, and then choose Add.

   c. In the Add or Remove Snap-ins box, click Certificates, and then click Add.

   d. In the Certificate snap-in dialog box, click Computer account, and then click Next.

   e. In the Select Computer dialog box, ensure that the Local Computer: (the computer this console is running on) check box is selected, and then click Finish.

   f. Click Close, and then OK.

   g. In the console tree, expand Certificates (Local Computer), right-click Trusted Root Certification Authorities, go to All Tasks, and then click Import.

   h. In the wizard that appears, in the File to Import textbox, specify the file name of the certificate (the name you gave the .p7b file in the previous section). Click Next.

   i. Leave the radio button on Place all certificates in the following store, as Trusted Root Certification Authorities should be selected. Click Next.

   j. Review the summary, and click Finish to complete the import.

   k. This will need to be done for every Edge Server you're deploying.

3. Create the certificate request

   a. Log on to one of your Edge Servers, start the Deployment Wizard, and on Step 3: Request, Install, or Assign Certificates, click Run (or Run Again, if you've already run this wizard).

   b. On the Certificate Request page, ensure Internal Edge Certificate is selected, and click Request.

   c. On the Delayed or Immediate Requests page, choose Send the request immediately to an online certification authority if you have access to one from your Edge environment, or Prepare the request now, but send it later otherwise.

   d. On the Certificate Request File page, enter the full path and file name for where the file will be saved (such as c:\SkypeInternalEdgeCert.cer). Click Next.

   e. On the Specify Alternate Certificate Template page, to use a template other than the default WebServer template, check the Use alternative certificate template for the selected Certificate Authority check box. Otherwise, do nothing.

   f. On the Name and Security Settings page, do the following:

       i. In Friendly name, enter a display name for the certificate (such as Internal Edge).

       ii. In Bit length, choose your bit length (the default is 2048; you can go higher and be more secure, but it will slow performance down).

       iii. If you need an exportable certificate, you must check the Mark certificate private key as exportable check box.

       iv. Click Next.

   g. On the Organization Information page, enter the name for your organization and organizational unit (OU). You might enter your division or department (IT, for example).

   h. On the Geographical Information page, enter your location information.

   i. On the Subject Name/Subject Alternate Names page, this should be auto-populated by the wizard.

   j. On the Configure Additional Subject Alternate Names page, you need to add any additional subject alternative names that you need.

   k. On the Request Summary page, look over the certificate information that's going to be used to generate your request. If you need to make changes, go back and do so now.

   l. Then click Next to generate the CSR file you'll need to provide to the CA (you can also click View Log to look at the log for the certificate request).

   m. Once the request has been generated, you can click View to look at the certificate, and Finish to close out the window. The contents of the CSR file need to be given to your CA, so they can generate a certificate for you to import to this computer in the next section.

4. Import the certificate

   a. Log on, as a member of the local Administrators group, to the Edge Server you made your certificate request from in the last procedure.

   b. In the Deployment Wizard, next to Step 3. Request, Install or Assign Certificates, click Run Again.

   c. On the Available Certificates Tasks page, click Import a certificate from a .P7b, .pfx or .cer file.

   d. On the Import Certificate page, type the full path and file name of the certificate you got in the previous section (or you can click Browse to find and choose the file that way).

   e. If you're importing certificates for other members of your Edge pool, and your certificate contains a private key, be sure to select the Certificate file that contains certificate's private key check box, and specify the password. Click Next to continue.

   f. On the Summary page, click Next once you've confirmed the information, and Finish once the certificate is successfully imported.

5. Export the certificate

   a. Make sure you've logged on to the Edge Server you imported the certificate to previously, as a member of the local Administrators group.

   b. Click Start, Run (or open Search), and type MMC.

   c. From the MMC console, click File, and click Add/Remove Snap-in.

   d. From the Add or Remove Snap-ins box, click Certificates, and click Add.

   e. In the Certificates snap-in dialog box, choose Computer account. Click Next.

   f. On the Select Computer dialog, select Local computer: (the computer this console is running on). Click Finish. Click OK, and the configuration of the MMC console is completed.

   g. Double-click Certificates (Local Computer) to expand the certificate stores. Double-click Personal, and then click Certificates.

Note

If you don't see any certificates in the Certificates Personal store for the local computer at this point, you don't need to hunt around: if the key's not there, the imported certificate didn't have a private key associated with it. Try the request and import steps above one more time, and if you're sure you got all that right, talk to your CA administrator or provider.

   h. In the Certificates Personal store for the local computer, right-click the certificate that you're exporting. Select All Tasks from the resulting menu, and then click Export.

   i. In the Certificate Export Wizard, click Next. Select Yes, export the private key. Click Next.

   j. On the Export File Formats dialog, select Personal Information Exchange - PKCS#12 (.PFX), and then select the following:

       i. Include all certificates in the certification path, if possible.

       ii. Export all extended properties.

Note

NEVER select Delete the private key if the export is successful. Doing so means you'll have to reimport the certificate and private key back to this Edge Server.

   k. If you want to assign a password to protect the private key, you can type a password for the private key. Reenter the password to confirm, and then click Next.

   l. Type a path and file name for the exported certificate, using a file extension of .pfx. The path either needs to be accessible by the other Edge Servers in the pool, or you'll need to move the file by means of external media (such as a USB drive). Click Next when you've made your choice.

   m. Review the summary on the Completing the Certificate Export Wizard dialog, and then click Finish.

   n. Click OK in the successful export dialog.

6. Assign the certificate

   a. On EACH Edge Server, in the Deployment Wizard, next to Step 3. Request, Install or Assign Certificates, click Run Again.

   b. On the Available Certificates Tasks page, click Assign an existing certificate.

   c. On the Certificate Assignment page, select Edge Internal in the list.

   d. On the Certificate Store page, select the certificate you've imported for the internal Edge (from the previous section).

   e. On the Certificate Assignment Summary page, look over the settings, and then click Next to assign the certificate.

   f. On the wizard completion page, click Finish.

   g. Once you've completed this procedure, it's a really good idea to open the Certificates MMC snap-in on each Edge Server, expand Certificates (Local computer), expand Personal, click Certificates, and confirm that the internal Edge certificate is listed in the details pane.

External Edge interface certificates

1. Create the certificate request

   a. Log on to one of your Edge Servers, start the Deployment Wizard, and on Step 3: Request, Install, or Assign Certificates, click Run (or Run Again, if you've already run this wizard).

   b. On the Available Certificate Tasks page, click Create a new certificate request.

   c. On the Certificate Request page, ensure External Edge Certificate is selected, and click Next.

   d. On the Delayed or Immediate Requests page, click Prepare the request now, but send it later.

   e. On the Certificate Request File page, enter the full path and file name for where the file will be saved (such as c:\SkypeInternalEdgeCert.cer). Click Next.

   f. On the Specify Alternate Certificate Template page, to use a template other than the default WebServer template, check the Use alternative certificate template for the selected Certificate Authority check box.

   g. On the Name and Security Settings page, do the following:

       i. In Friendly name, enter a display name for the certificate (such as External Edge).

       ii. In Bit length, choose your bit length (the default is 2048; you can go higher and be more secure, but it will slow performance down).

       iii. If you need an exportable certificate, you must check the Mark certificate private key as exportable check box.

       iv. Click Next.

   h. On the Organization Information page, enter the name for your organization and organizational unit (OU). You might enter your division or department (IT, for example).

   i. On the Geographical Information page, enter your location information.

   j. On the Subject Name/Subject Alternate Names page, the needed information should be auto-populated by the wizard.

   k. On the SIP Domain Setting on Subject Alternate Names (SANs) page, check the domain checkbox to add a sip. entry to the subject alternative names list.

   l. On the Configure Additional Subject Alternate Names page, you need to add any additional subject alternative names that you need.

   m. On the Request Summary page, look over the certificate information that's going to be used to generate your request. If you need to make changes, go back and do so now.

   n. When you're ready, click Next to generate the CSR file you'll need to provide to the CA (you can also click View Log to look at the log for the certificate request).

   o. Once the request has been generated, you can click View to look at the certificate, and Finish to close out the window. The contents of the CSR file need to be given to your CA, so they can generate a certificate for you to import to this computer in the next section.

   p. (OPTIONAL) You may, when submitting the contents of the CSR, be asked for certain information, as follows (CAs vary greatly, so this may not be required):

  • Microsoft as the server platform

  • IIS as the version

  • Web Server as the usage type

  • PKCS7 as the response format

2. Import the certificate

   a. Log on, as a member of the local Administrators group, to the Edge Server you made your certificate request from in the last procedure.

   b. In the Deployment Wizard, next to Step 3. Request, Install or Assign Certificates, click Run Again.

   c. On the Available Certificates Tasks page, click Import a certificate from a .P7b, .pfx or .cer file.

   d. On the Import Certificate page, type the full path and file name of the certificate you got in the previous section (or you can click Browse to find and choose the file that way). If your certificate contains a private key, make sure to select Certificate file contains certificate's private key, and enter the password for the private key. Click Next when ready.

   e. On the Import Certificate Summary page, review the summary information, and click Next.

   f. On the Executing Commands page, you can review the result of the import when it's complete by clicking View Log. Click Finish to complete the certificate import.

   g. If you have other Edge Servers in a pool, you'll need to follow the next two procedures as well. If this is a standalone Edge Server, you're done with external certificates.

3. Export the certificate

   a. Make sure you've logged on to the Edge Server you imported the certificate to as a local Administrator.

   b. Click Start, Run (or open Search), and type MMC.

   c. From the MMC console, click File, and then click Add/Remove Snap-in.

   d. From the Add or Remove Snap-ins box, click Certificates, and click Add.

   e. In the Certificates snap-in dialog box, choose Computer account. Click Next.

   f. On the Select Computer dialog, select Local computer: (the computer this console is running on). Click Finish. Click OK, and the configuration of the MMC console is completed.

   g. Double-click Certificates (Local Computer) to expand the certificate stores. Double-click Personal, and then click Certificates.

Note

If you don't see any certificates in the Certificates Personal store for the local computer at this point, you don't need to hunt around: if the key's not there, the imported certificate didn't have a private key associated with it. Try the request and import steps above one more time, and if you're sure you got all that right, talk to your CA administrator or provider.

   h. In the Certificates Personal store for the local computer, right-click the certificate that you're exporting. Select All Tasks from the resulting menu, and then click Export.

   i. In the Certificate Export Wizard, click Next. Select Yes, export the private key. Click Next.

Note

If Yes, export the private key isn't available, then the private key for this certificate wasn't marked for export before you got it. You need to request the certificate from the provider again, with the private key set to export, before doing this successfully.

   j. On the Export File Formats dialog, select Personal Information Exchange - PKCS#12 (.PFX) and then select the following:

       i. Include all certificates in the certification path, if possible.

       ii. Export all extended properties.

Note

NEVER select Delete the private key if the export is successful. Doing so means you'll have to reimport the certificate and private key back to this Edge Server.

   k. If you want to assign a password to protect the private key, you can type a password for the private key. Reenter the password to confirm, and then click Next.

   l. Type a path and file name for the exported certificate, using a file extension of .pfx. The path either needs to be accessible by the other Edge Servers in the pool, or you'll need to move the file by means of external media (such as a USB drive). Click Next when you've made your choice.

   m. Review the summary on the Completing the Certificate Export Wizard dialog, and then click Finish.

   n. Click OK in the successful export dialog.

   o. You'll now need to go back to the Import the certificate section prior to this and import the certificate to all your remaining Edge Servers, then proceed with assigning, below.

4. Assign the certificate

   a. On EACH Edge Server, in the Deployment Wizard, next to Step 3. Request, Install or Assign Certificates, click Run Again.

   b. On the Available Certificates Tasks page, click Assign an existing certificate.

   c. On the Certificate Assignment page, select Edge External in the list.

   d. On the Certificate Store page, select the certificate you've imported for the external Edge (from the previous section).

   e. On the Certificate Assignment Summary page, look over the settings, and then click Next to assign the certificate.

   f. On the wizard completion page, click Finish.

   g. Once you've completed this procedure, it's a really good idea to open the Certificates MMC snap-in on each server, expand Certificates (Local computer), expand Personal, click Certificates, and confirm that the internal Edge certificate is listed in the details pane.

Note

You will also need to have set up the certificates for your reverse proxy server.
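The final confirmation step of both the internal and external certificate procedures, together with the notes about a missing private key, can be scripted as below. This is an added example, not part of the original documentation; the friendly names are the examples from the wizard steps, and skipping revocation checks is an assumption for Edge Servers that cannot reach CRL endpoints.

```powershell
# Added example (not from the original documentation): inspects the Edge
# certificates in the local computer's Personal store. The friendly names are
# the examples used in the wizard steps above; yours may differ.
param(
    [string[]] $FriendlyName = @('Internal Edge', 'External Edge'),
    [int]      $MinKeyBits   = 2048    # the wizard's default bit length
)

foreach ($name in $FriendlyName) {
    $certs = @(Get-ChildItem -Path Cert:\LocalMachine\My |
               Where-Object { $_.FriendlyName -eq $name })
    if ($certs.Count -eq 0) {
        Write-Warning "No certificate with friendly name '$name' in LocalMachine\My."
        continue
    }

    foreach ($cert in $certs) {
        $problems = @()

        # A certificate imported without its key cannot be assigned or exported.
        if (-not $cert.HasPrivateKey) {
            $problems += 'no private key associated with the certificate'
        }

        # Key length; PublicKey.Key throws for non-RSA/DSA keys, so guard it.
        $bits = $null
        try { $bits = $cert.PublicKey.Key.KeySize } catch { $bits = $null }
        if ($bits -and $bits -lt $MinKeyBits) {
            $problems += "key length is $bits bits (minimum $MinKeyBits)"
        }

        # Validity window.
        $now = Get-Date
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
            $problems += "outside validity period ($($cert.NotBefore) to $($cert.NotAfter))"
        }

        # The chain must build to a root in Trusted Root Certification
        # Authorities, which is what importing the .p7b chain provides.
        # Assumption: revocation checking is skipped because the perimeter
        # network may not reach CRL endpoints; use 'Online' if it can.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        if (-not $chain.Build($cert)) {
            $problems += ($chain.ChainStatus | ForEach-Object { "chain: $($_.Status)" })
        }

        # Subject alternative names (OID 2.5.29.17), for comparison with the
        # names shown on the wizard's Subject Alternate Names pages.
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $san    = if ($sanExt) { $sanExt.Format($false) } else { '' }

        [pscustomobject]@{
            FriendlyName  = $cert.FriendlyName
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
            KeyBits       = $bits
            NotAfter      = $cert.NotAfter
            SubjectAltNames = $san
            Problems      = ($problems -join '; ')
        }
    }
}
```

Run it in an elevated session on every Edge Server in the pool; an empty Problems column means the certificate has its private key, is in date and chains to a trusted root.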

Starting the Edge Servers

Once the setup is complete, you'll need to start the services on each Edge Server in your deployment:

  1. On each Edge Server, in the Deployment Wizard, next to Step 4: Start Services, click Run.

  2. On the Start Skype for Business Server Services page, review the list of services, and then click Next to start the services.

  3. After the services are started, you can click Finish to close the wizard.

  4. (Optional) Still under Step 4: Start Services, click Services Status.

  5. In the Services MMC on each server, verify that all the Skype for Business Server services are running.