Certificate Requirements for Mobility
Topic Last Modified: 2011-11-14
If you deploy the mobility feature and support automatic discovery for mobile clients, you need to include certain subject alternative name entries on certificates to support secure connections from the mobile clients.
You need to include subject alternative name entries for automatic discovery on the following certificates:
Director pool
Front End pool
Reverse proxy
This section describes the subject alternative name entries that are required on your certificates for automatic discovery.
Note
Reissuing certificates by using an internal certificate authority is typically a simple process, but adding multiple subject alternative name entries to public certificates used by the reverse proxy can be expensive. If you have many SIP domains, which makes adding subject alternative names very expensive, you can configure the reverse proxy to use HTTP for the initial Autodiscover Service request instead of HTTPS (the default configuration). For details, see Technical Requirements for Mobility.
Director Pool Certificate Requirements
Description | Subject alternative name entry |
---|---|
Internal Autodiscover Service URL | SAN=lyncdiscoverinternal.<sipdomain> |
External Autodiscover Service URL | SAN=lyncdiscover.<sipdomain> |
Note
Alternatively, you can use SAN=*.<sipdomain>
Front End Pool Certificate Requirements
Description | Subject alternative name entry |
---|---|
Internal Autodiscover Service URL | SAN=lyncdiscoverinternal.<sipdomain> |
External Autodiscover Service URL | SAN=lyncdiscover.<sipdomain> |
Note
Alternatively, you can use SAN=*.<sipdomain>
Reverse Proxy (Public CA) Certificate Requirements
Description | Subject alternative name entry |
---|---|
External Autodiscover Service URL | SAN=lyncdiscover.<sipdomain> |
Note
You assign this certificate to the SSL Listener on the reverse proxy.
Note
The Autodiscover Service also requires subject alternative names on the reverse proxy certificates for your external Web Services URL (for example, SAN=lyncwebextpool01.contoso.com).
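The following is an added example, not part of the original topic or any Microsoft tooling: a small Python audit that reports which of the subject alternative name entries listed above are missing from a certificate's SAN list, per role and across several SIP domains. The role keys, the function name `missing_sans`, and the domain `fabrikam.com` are assumptions made for illustration; the wildcard alternative is accepted only for the roles where this topic notes it.

```python
# Added example: audit a SAN list against the entries this topic requires.
REQUIRED = {
    # role: (Autodiscover host labels per SIP domain, wildcard alternative noted)
    "director": (("lyncdiscoverinternal", "lyncdiscover"), True),
    "frontend": (("lyncdiscoverinternal", "lyncdiscover"), True),
    "reverseproxy": (("lyncdiscover",), False),
}


def _norm(name):
    """DNS names compare case-insensitively; drop whitespace and a trailing dot."""
    return name.strip().lower().rstrip(".")


def missing_sans(role, sip_domains, cert_sans, ext_web_fqdns=()):
    """Return the sorted required SAN entries that are absent from cert_sans."""
    labels, wildcard_ok = REQUIRED[role]
    have = {_norm(s) for s in cert_sans}
    missing = set()
    for domain in map(_norm, sip_domains):
        # SAN=*.<sipdomain> covers both single-label Autodiscover names.
        if wildcard_ok and "*." + domain in have:
            continue
        for label in labels:
            name = f"{label}.{domain}"
            if name not in have:
                missing.add(name)
    if role == "reverseproxy":
        # The reverse proxy certificate also needs the external Web Services FQDN.
        missing.update(f for f in map(_norm, ext_web_fqdns) if f not in have)
    return sorted(missing)


if __name__ == "__main__":
    # Constructed sample data: two SIP domains, one of them not yet covered.
    domains = ["contoso.com", "fabrikam.com"]
    proxy_sans = ["lyncdiscover.contoso.com", "lyncwebextpool01.contoso.com"]
    print("reverse proxy missing:",
          missing_sans("reverseproxy", domains, proxy_sans,
                       ext_web_fqdns=["lyncwebextpool01.contoso.com"]))
    director_sans = ["*.contoso.com", "lyncdiscoverinternal.fabrikam.com"]
    print("director missing:", missing_sans("director", domains, director_sans))
```

Feed `cert_sans` from whatever you use to read the deployed certificate; each SIP domain added later shows up here as a missing entry until the certificate is reissued.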