Certificate summary - Single consolidated edge with private IP addresses using NAT in Lync Server 2013


Topic Last Modified: 2012-10-22

Microsoft Lync Server 2013 uses certificates to mutually authenticate other servers and to encrypt data from server to server and from server to client. Certificates require name matching between the domain name system (DNS) records associated with the servers and the subject name (SN) and subject alternative names (SAN) on the certificate. To successfully map servers, DNS records and certificate entries, you must carefully plan your intended server fully qualified domain names (FQDNs) as registered in DNS and the SN and SAN entries on the certificate.

The certificate assigned to the external interfaces of the Edge Server is requested from a public certification authority (CA). Public CAs that have demonstrated success in supplying certificates for the purposes of Unified Communications are listed in the following article: https://go.microsoft.com/fwlink/p/?linkid=3052&kbid=929395. When requesting the certificate, you can use the certificate request generated by the Lync Server Deployment Wizard, or create the request manually using Lync Server Management Shell cmdlets or a process provided by a public CA. For details on Lync Server Management Shell cmdlets for certificate management, see Certificate and authentication cmdlets in Lync Server 2013. When assigning the certificate, the certificate is assigned to the Access Edge service interface, the Web Conferencing Edge service interface, and the Audio/Video Authentication service. The Audio/Video Authentication service should not be confused with the A/V Edge service, which does not use a certificate to encrypt the audio and video streams. The internal Edge Server interface can use a certificate from an internal (to your organization) CA or a certificate from a public CA. The internal interface certificate uses only the SN and does not need or use SAN entries.

Note

The following table shows a second SIP entry (sip.fabrikam.com) in the subject alternative name list for reference. For each SIP domain in your organization, you need to add a corresponding FQDN to the certificate subject alternative name list.

Certificates Required for Single Consolidated Edge with Private IP Addresses using NAT

Component: Single consolidated Edge (External Edge)
Subject name (SN): sip.contoso.com
Subject alternative names (SAN)/Order: webcon.contoso.com, sip.contoso.com, sip.fabrikam.com
Comments: Certificate must be from a public CA, and must have the server EKU and client EKU if public IM connectivity with AOL is to be deployed. The certificate is assigned to the external Edge interfaces for:

  • Access Edge

  • Conferencing Edge

  • A/V Edge

Note that SANs are automatically added to the certificate based on your definitions in Topology Builder. You add SAN entries as needed for additional SIP domains and other entries that you need to support. The subject name is replicated in the SAN and must be present for correct operation.

Component: Single consolidated Edge (Internal Edge)
Subject name (SN): lsedge.contoso.net
Subject alternative names (SAN)/Order: No SAN required
Comments: Certificate can be issued by a public or private CA, and must contain the server EKU. The certificate is assigned to the internal Edge interface.

Certificate Summary - Public Instant Messaging Connectivity

Component: External/Access Edge
Subject name (SN): sip.contoso.com
Subject alternative names (SAN)/Order: sip.contoso.com, webcon.contoso.com, sip.fabrikam.com
Comments: Certificate must be from a public CA, and must have the server EKU and client EKU if public IM connectivity with AOL is to be deployed. The certificate is assigned to the external Edge interfaces for:

  • Access Edge

  • Conferencing Edge

  • A/V Edge

Note that SANs are automatically added to the certificate based on your definitions in Topology Builder. You add SAN entries as needed for additional SIP domains and other entries that you need to support. The subject name is replicated in the SAN and must be present for correct operation.

Certificate Summary for Extensible Messaging and Presence Protocol

Component: Assign to Access Edge service of Edge Server or Edge pool
Subject name (SN): sip.contoso.com
Subject alternative names (SAN)/Order: webcon.contoso.com, sip.contoso.com, sip.fabrikam.com, xmpp.contoso.com, contoso.com, *.contoso.com
Comments: The first three SAN entries are the normal SAN entries for a full Edge Server. The contoso.com entry is required for federation with the XMPP partner at the root domain level. This entry will allow XMPP for all domains with the suffix *.contoso.com.
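The following is an added planning check, not part of the Lync documentation or any Microsoft tool, that encodes the name-matching rules from the three tables above (SN replicated in the SAN, one sip.<domain> entry per SIP domain, the Web Conferencing Edge FQDN, the XMPP root-domain and wildcard entries, and the EKU and public-CA requirements). The hostnames, the EdgeCertPlan type and the function names are constructed for illustration; only the EKU OIDs are standard values.

```python
# Added example: validate a planned external Edge certificate against the
# SN/SAN/EKU rules described on this page. Names below are constructed.
from dataclasses import dataclass

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth EKU OID
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth EKU OID

@dataclass
class EdgeCertPlan:
    """Hypothetical description of the certificate you intend to request."""
    subject_name: str
    sans: list
    ekus: set
    public_ca: bool

def required_external_sans(sip_domains, webcon_fqdn, xmpp_root=None):
    """SAN entries the external Edge certificate needs: the Web Conferencing
    Edge FQDN, sip.<domain> for every SIP domain, and for XMPP federation at
    the root domain also xmpp.<root>, <root> and *.<root>."""
    names = [webcon_fqdn] + [f"sip.{d}" for d in sip_domains]
    if xmpp_root:
        names += [f"xmpp.{xmpp_root}", xmpp_root, f"*.{xmpp_root}"]
    return names

def san_matches(san, name):
    """Exact match, or a single-label wildcard match such as *.contoso.com
    covering xmpp.contoso.com but not a.b.contoso.com or contoso.com itself."""
    if san.startswith("*."):
        suffix = san[1:]                       # ".contoso.com"
        return name.endswith(suffix) and "." not in name[:-len(suffix)]
    return san == name

def check_external_edge_cert(plan, sip_domains, webcon_fqdn,
                             xmpp_root=None, aol_im=False):
    """Return a list of rule violations; an empty list means the plan is OK."""
    problems = []
    if not plan.public_ca:
        problems.append("external Edge certificate must come from a public CA")
    if SERVER_AUTH not in plan.ekus:
        problems.append("missing server EKU")
    if aol_im and CLIENT_AUTH not in plan.ekus:
        problems.append("AOL public IM connectivity requires the client EKU")
    if plan.subject_name not in plan.sans:
        problems.append(f"subject name {plan.subject_name} not replicated in SAN")
    for needed in required_external_sans(sip_domains, webcon_fqdn, xmpp_root):
        if not any(san_matches(s, needed) for s in plan.sans):
            problems.append(f"SAN entry missing: {needed}")
    return problems
```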