Reference Architecture 1: Certificate Summary for Single Consolidated Edge


Topic Last Modified: 2012-08-08

Before proceeding, take a minute to map the entries in the following table to the fully qualified domain names (FQDNs) and IP addresses shown in the figure in Reference Architecture 1: Single Consolidated Edge, so that the relationships are clear. For example, notice that no certificate is assigned to the A/V Edge external interface (av.contoso.com), but an A/V-related certificate (avauth.contoso.net) is assigned to the Media Authentication Service.

The certificates listed in the following table are required to support the edge topology shown in the Single Consolidated Edge Topology figure. There are three certificates shown for the reverse proxy server to highlight the certificate requirements for dedicated simple URLs (for example, https://dial-in.contoso.com). For deployments that have a single pool or where multiple pools share the same dial-in conferencing and meeting simple URLs, you could create a single publishing rule and corresponding certificate. For example, URLs defined in Topology Builder such as cs.contoso.com/dialin and cs.contoso.com/meet could share a single publishing rule and certificate with a subject name of cs.contoso.com. For details, see Simple URL Options.

Note

The following table shows a second SIP entry in the subject alternative name list for reference. For each SIP domain in your organization, you need a corresponding FQDN listed in the certificate subject alternative name list.

Certificates Required for Single Consolidated Edge Topology

Each entry below is one row of the table. The columns are: Component; Subject name; Subject alternative name entries (in order); Certification authority (CA); Enhanced key usage (EKU); Comments.

Component: Single consolidated Edge
Subject name: sip.contoso.com
Subject alternative name entries (in order): webcon.contoso.com, sip.contoso.com, sip.fabrikam.com
Certification authority (CA): Public
Enhanced key usage (EKU): Server*
Comments: Assign to the following Edge Server roles on the external interface: SIP Access Edge, Web Conferencing Edge, A/V Edge.

Component: Single consolidated Edge
Subject name: lsedge.contoso.net
Subject alternative name entries (in order): N/A
Certification authority (CA): Private
Enhanced key usage (EKU): Server
Comments: Assign to the following Edge Server role on the internal interface: Edge.

Component: Reverse proxy
Subject name: lsweb-ext.contoso.com
Subject alternative name entries (in order): lsweb-ext.contoso.com, dialin.contoso.com, meet.contoso.com, lyncdiscover.contoso.com, lyncdiscover.fabrikam.com
(Optional approach using wildcard certificate): *.contoso.com, *.fabrikam.com
Certification authority (CA): Public
Enhanced key usage (EKU): Server
Comments: Address Book Service, distribution group expansion and Lync IP Device publishing rules. The subject alternative name list includes the External Web Services FQDN, the dial-in conferencing publishing rule, the online meeting publishing rule and mobility. The wildcard replaces both the meet and dialin SAN entries.

Component: Next hop pool (on Front End 01)
Subject name: pool01.contoso.net (on Front End 01)
Subject alternative name entries (in order): sip.contoso.com, sip.fabrikam.com, lsweb.contoso.net, admin.contoso.com, dialin.contoso.com, meet.contoso.com, fe01.contoso.net, pool01.contoso.net, lyncdiscoverinternal.contoso.com, lyncdiscoverinternal.fabrikam.com
(Optional approach using wildcard certificate): *.contoso.com, *.fabrikam.com
Certification authority (CA): Private
Enhanced key usage (EKU): Server
Comments: Assign to the following server and roles in the next hop pool: Front End 01 in Pool01. The wildcard replaces the admin, meet and dialin SAN entries.

Component: Next hop pool (on Front End 02)
Subject name: pool01.contoso.net (on Front End 02)
Subject alternative name entries (in order): sip.contoso.com, sip.fabrikam.com, lsweb.contoso.net, admin.contoso.com, dialin.contoso.com, meet.contoso.com, fe02.contoso.net, pool01.contoso.net, lyncdiscoverinternal.contoso.com, lyncdiscoverinternal.fabrikam.com
(Optional approach using wildcard certificate): *.contoso.com, *.fabrikam.com
Certification authority (CA): Private
Enhanced key usage (EKU): Server
Comments: Assign to the following server and roles in the next hop pool: Front End 02 in Pool01. The wildcard replaces the admin, meet and dialin SAN entries.

* Client EKU is required if public internet connectivity with AOL is enabled.
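The rules the table encodes (one sip.<domain> and one lyncdiscover.<domain> entry per SIP domain, the subject name repeated in the SAN list, a Server EKU everywhere and a Client EKU only when AOL connectivity is enabled, and a wildcard that stands in for the meet/dialin hosts of one domain) can be turned into a pre-deployment check. The following is an added example, not Microsoft's code or tooling: it derives the required names for the external Edge and reverse proxy rows from a list of SIP domains and audits a certificate against them. The certificate dict layout follows Python's ssl.getpeercert() for subject and subjectAltName; the extra "eku" list of OIDs, the helper names and both sample certificates are constructed for the example.

```python
"""Audit certificate names/EKUs against the Single Consolidated Edge table.

Added example, not Microsoft code. The certificate dicts mimic the layout of
ssl.getpeercert() (subject, subjectAltName) with an assumed extra "eku" list.
"""

# Well-known extended key usage OIDs behind the table's "Server" and "Client".
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"


def name_matches(pattern: str, fqdn: str) -> bool:
    """Match one SAN entry against an FQDN, case-insensitively.

    A wildcard covers exactly one left-most label: *.contoso.com matches
    meet.contoso.com but neither contoso.com nor a.b.contoso.com.
    """
    pattern, fqdn = pattern.lower().rstrip("."), fqdn.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == fqdn
    suffix = pattern[1:]  # ".contoso.com"
    if not fqdn.endswith(suffix):
        return False
    head = fqdn[: -len(suffix)]
    return bool(head) and "." not in head


def edge_external_names(access_edge_fqdn, webconf_fqdn, sip_domains):
    """Names the external Edge certificate must carry: Access Edge (subject),
    Web Conferencing Edge, and sip.<domain> for every SIP domain. The A/V Edge
    FQDN is deliberately not required, as the table notes."""
    names = {access_edge_fqdn, webconf_fqdn}
    names.update(f"sip.{d}" for d in sip_domains)
    return names


def reverse_proxy_names(external_web_fqdn, simple_url_hosts, sip_domains):
    """Names the reverse proxy certificate must carry: external web services
    FQDN, the dedicated simple URL hosts, and lyncdiscover.<domain> per SIP
    domain for mobility autodiscover."""
    names = {external_web_fqdn, *simple_url_hosts}
    names.update(f"lyncdiscover.{d}" for d in sip_domains)
    return names


def check_certificate(cert, required, require_client_eku=False):
    """Return a list of findings; an empty list means the row is satisfied."""
    findings = []
    cn = next((v for rdn in cert["subject"] for k, v in rdn if k == "commonName"), None)
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    # The table repeats the subject name inside the SAN list; flag if absent.
    if cn and not any(name_matches(p, cn) for p in sans):
        findings.append(f"subject name {cn} is not repeated in the SAN list")
    for fqdn in sorted(required):
        if not any(name_matches(p, fqdn) for p in sans):
            findings.append(f"missing SAN entry for {fqdn}")
    eku = set(cert.get("eku", ()))
    if SERVER_AUTH_OID not in eku:
        findings.append("missing Server Authentication EKU")
    if require_client_eku and CLIENT_AUTH_OID not in eku:
        findings.append("missing Client Authentication EKU (required for AOL public IM connectivity)")
    return findings


SIP_DOMAINS = ["contoso.com", "fabrikam.com"]

# Constructed sample: the external Edge certificate exactly as the table lists it.
EDGE_EXTERNAL_CERT = {
    "subject": ((("commonName", "sip.contoso.com"),),),
    "subjectAltName": (("DNS", "webcon.contoso.com"), ("DNS", "sip.contoso.com"),
                       ("DNS", "sip.fabrikam.com")),
    "eku": [SERVER_AUTH_OID],
}

# Constructed sample: a reverse proxy certificate using the wildcard option but
# issued without *.fabrikam.com, so the second SIP domain's autodiscover fails.
REVERSE_PROXY_CERT = {
    "subject": ((("commonName", "lsweb-ext.contoso.com"),),),
    "subjectAltName": (("DNS", "lsweb-ext.contoso.com"), ("DNS", "*.contoso.com")),
    "eku": [SERVER_AUTH_OID],
}


def audit():
    """Run the checks for the sample certificates and return findings by role."""
    edge_required = edge_external_names("sip.contoso.com", "webcon.contoso.com", SIP_DOMAINS)
    proxy_required = reverse_proxy_names("lsweb-ext.contoso.com",
                                         ["dialin.contoso.com", "meet.contoso.com"], SIP_DOMAINS)
    return {
        "edge_external": check_certificate(EDGE_EXTERNAL_CERT, edge_required),
        "edge_external_aol": check_certificate(EDGE_EXTERNAL_CERT, edge_required, require_client_eku=True),
        "reverse_proxy": check_certificate(REVERSE_PROXY_CERT, proxy_required),
    }


if __name__ == "__main__":
    for role, findings in audit().items():
        print(role, "OK" if not findings else findings)
```

Run against a real certificate, the SAN tuples can be taken from ssl.getpeercert() on the published endpoint; the EKU list still has to come from a certificate parser, since getpeercert() does not expose it. The wildcard matcher deliberately matches a single label, which is why a *.contoso.com certificate covers meet and dialin but never a name in the second SIP domain.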