Reference Architecture 1: Certificate Summary for Single Consolidated Edge
Topic Last Modified: 2012-08-08
Before proceeding, take a minute to map the entries in the following table with the fully qualified domain names (FQDNs)/IP addresses shown in the figure in Reference Architecture 1: Single Consolidated Edge so that the relationships are clear. For example, notice there is no certificate assigned to the A/V Edge external interface (av.contoso.com), but there is an A/V related certificate (avauth.contoso.net) assigned to the Media Authentication Service.
The certificates listed in the following table are required to support the edge topology shown in the Single Consolidated Edge Topology figure. There are three certificates shown for the reverse proxy server to highlight the certificate requirements for dedicated simple URLs (for example, https://dial-in.contoso.com). For deployments that have a single pool or where multiple pools share the same dial-in conferencing and meeting simple URLs, you could create a single publishing rule and corresponding certificate. For example, URLs defined in Topology Builder such as cs.contoso.com/dialin and cs.contoso.com/meet could share a single publishing rule and certificate with a subject name of cs.contoso.com. For details, see Simple URL Options.
Note
The following table shows a second SIP entry in the subject alternative name list for reference. For each SIP domain in your organization, you need a corresponding FQDN listed in the certificate subject alternative name list.
Certificates Required for Single Consolidated Edge Topology
Component | Subject name | Subject alternative Name entries/Order | Certification authority (CA) | Enhanced key usage (EKU) | Comments |
---|---|---|---|---|---|
Single consolidated Edge |
sip.contoso.com |
webcon.contoso.com sip.contoso.com sip.fabrikam.com |
Public |
Server* |
Assign to the following Edge Server roles: External interface: SIP Access Edge Web Conferencing Edge A/V Edge |
Single consolidated Edge |
lsedge.contoso.net |
N/A |
Private |
Server |
Assign to the following Edge Server roles: Internal interface: Edge |
Reverse proxy |
lsweb-ext.contoso.com |
lsweb-ext.contoso.com dialin.contoso.com meet.contoso.com lyncdiscover.contoso.com lyncdiscover.fabrikam.com (Optional approach using wildcard certificate): *.contoso.com *.fabrikam.com |
Public |
Server |
Address Book Service, distribution group expansion and Lync IP Device publishing rules. Subject alternative name includes: External Web Services FQDN Dial-in conferencing Online meeting publishing rule Mobility The wildcard replaces both meet and dialin SAN |
Next hop pool (on Front End 01) |
pool01.contoso.net (on Front End 01) |
sip.contoso.com sip.fabrikam.com lsweb.contoso.net admin.contoso.com dialin.contoso.com meet.contoso.com fe01.contoso.net pool01.contoso.net lyncdiscoverinternal.contoso.com lyncdiscoverinternal.fabrikam.com (Optional approach using wildcard certificate): *.contoso.com *.fabrikam.com |
Private |
Server |
Assign to the following servers and roles in the next hop pool: Front End 01 in Pool01 The wildcard replaces admin, meet and dialin SAN |
Next hop pool (on Front End 02) |
pool01.contoso.net (on Front End 02) |
sip.contoso.com sip.fabrikam.com lsweb.contoso.net admin.contoso.com dialin.contoso.com meet.contoso.com fe02.contoso.net pool01.contoso.net lyncdiscoverinternal.contoso.com lyncdiscoverinternal.fabrikam.com (Optional approach using wildcard certificate): *.contoso.com *.fabrikam.com |
Private |
Server |
Assign to the following servers and roles in the next hop pool: Front End 02 in Pool01 The wildcard replaces admin, meet and dialin SAN |
* Client EKU is required if public internet connectivity with AOL is enabled.