Understand which types of certificates are required for a Lync Server 2013 internal deployment. See how you can manage internal certificates. Learn how to plan and consult on Lync-related certificates. (17 April 2014: update to document version 1.5) (27 August 2014: update to document version 1.7; bug in the Lync Certificate Deployment Wizard, here I describe how to work around it.)
Demystify Lync 2013 Server internal certificate requirements
Components in a certificate
Cryptographic Algorithms and hash
Certificate for Internal Servers, planning and design
Open Authentication Protocol
Server and service certificate requirements
How to request certificates
Manually with the Request-CsCertificate PowerShell cmdlet
Using the Lync 2013 Server Wizard
Staging AV and OAuth certificate with automated activation
Requesting the special certificate for OAuth (Open Authentication)
Requesting the Server Default Certificate
Requesting the Web Services internal certificate
Requesting the Web Services external certificate
Consider Public Certificates for internal Deployment
The technical level of this document is 400. This article requires knowledge of certificate authorities, TLS encryption and identity authorization.
Lync relies on several external components, such as the network or the certificate authority; the CA in particular is an important component for TLS encryption. We need to understand how Lync makes use of certificates for authentication, identity authorization and encryption. Lync also distinguishes between the Lync service and its related web services, which are further split into an internal and an external side.
Note: This document is neither a sizing nor a configuration guide. Use it only for planning your environment and for security considerations. In larger environments you should spend some time evaluating the optimal path for your certificate deployment.
Introduction
In one of my last blog posts I wrote about the external, or Edge server, certificate requirements. That article also discussed the Reverse Proxy server certificate requirements.
For some, especially those who are new to Lync and have little experience with certificate deployments, it is hard to understand what Lync requires and, more importantly, why.
Back to IP communication within the Lync environment. Most communication, and this is one of the best practices, is internal Lync 2013 communication, and it needs to be secured as well. In the Lync case we talk about TLS encryption. TLS stands for Transport Layer Security, meaning we secure the entire IP traffic, both SIP (TLS) and web (SSL) based. That is why we call these transmissions SIP over TLS and HTTPS.
Certificates are also used by the AV authentication service in Lync: based on the assigned certificate and its attributes, tokens are generated and distributed to the communication partner (client or application).
We still have the option to change how this communication behaves. The entire SIP traffic can run over TCP port 5060 and the web traffic over port 80/8080. But this is only half of the story. There is also server-to-server communication, and this traffic cannot be changed. Therefore Lync needs certificates at least to authenticate and secure this traffic. And if we are aware of this, why not run the entire traffic secured? So much for this point of view.
But whatever decision we make, now that we understand the need for certificates, there is one part which is always unencrypted. Within each certificate a link is provided to the internal or external CRL (Certificate Revocation List), and that link is always retrieved in clear text. (Have a look into a certificate and you will find this link. If you connect to it with a browser, you will receive the CRL over port 80.)
(Picture: CRL Distribution Point)
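To see the clear-text CRL retrieval described above, the following PowerShell function (an added example, not part of the original document) reads the CRL Distribution Point extension from a certificate file and downloads the CRL the way a client does, over plain HTTP. The certificate path is assumed; export any server certificate as a .cer file to try it.

```powershell
# Added example, not part of the original document: reads the CDP extension from a
# certificate and downloads the CRL the same way a client does, over plain HTTP.
# The certificate file path is assumed; export any server certificate as .cer to try it.
function Get-CrlFromCertificate {
    param([Parameter(Mandatory)][string]$CertPath)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

    # OID 2.5.29.31 is the CRL Distribution Points extension
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) { throw "No CRL Distribution Point extension in $($cert.Subject)" }

    # Format($true) renders the extension as text with one 'URL=...' per distribution point;
    # ldap:/// entries are only reachable for domain members, so pick the http one
    $urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
    $httpUrl = $urls | Where-Object { $_ -like 'http://*' } | Select-Object -First 1
    if (-not $httpUrl) { throw "Only non-HTTP CDP entries found: $($urls -join ', ')" }

    # The download is clear text on port 80: revocation data is public by design,
    # which is why the CDP host must be reachable without TLS from every client
    $crlFile = Join-Path $env:TEMP 'issuing-ca.crl'
    Invoke-WebRequest -Uri $httpUrl -OutFile $crlFile -UseBasicParsing

    # certutil is the built-in decoder; show the validity window and revoked serial numbers
    certutil -dump $crlFile | Select-String 'ThisUpdate|NextUpdate|Serial Number'
}

Get-CrlFromCertificate -CertPath 'C:\temp\lyncserver.cer'   # assumed path
```

Run it once from a client network segment: if the download fails there, clients will also fail revocation checking against that CA, even though the server certificate itself is fine.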
Client requiring an internal certificate
Lync clients make use of certificates as well, as does Lync Phone Edition. While we are talking here about certificates issued by an internal or external certificate authority, those client certificates are issued by the Lync server.
There is one issue I want to quickly highlight here again.
English:
Lync cannot verify that the server is trusted for your sign-in address. Connect anyway?
German:
Lync kann nicht überprüfen, ob der Server für Ihre Anmeldeadresse vertrauenswürdig ist. Trotzdem verbinden?
What happens here is, as said, that Lync is designed to act securely. Therefore, if you use different DNS domains for Lync communication and Active Directory (as in the server certificate explanation later in this article), the Lync client will not automatically trust the internal Lync Server Default Certificate. This is because the Lync server's FQDN ends in AD.INT while the user's SIP address ends with @sipdom01.com. The two domains do not match, so Lync issues a warning, which can safely be ignored, or you make the domain trusted via GPO.
First some general words about the Lync-specific certificate requirements, and afterwards the planning process. Also be aware that if you are using load balancers, as I blogged about before (based on the KEMP best practice), you need to consider the logical infrastructure design as well (see 1-armed vs. 2-armed LB deployment).
Certificate requirements (infrastructure)
The certificate requirements are very clearly defined in Microsoft TechNet:
I reflect only certain important requirements here again to make the next section clearer, where we design the certificate and its request.
The easiest way, if you are using a Microsoft CA, is to use the WebServer template. It includes all necessary requirements for the Lync certificates, which are:
- Server EKU: Server Authentication
- CDP: HTTP access to the CRL distribution point (within the internal deployment the LDAP-based, AD-integrated solution is supported too, but I recommend the HTTP-based distribution so you can check the CRL more easily in support cases)
- Signing algorithm must be SHA-1, SHA-2 or SHA-256 with a digest size of 224, 256, 384 or 512 bits: http://go.microsoft.com/fwlink/?LinkId=287002
- Auto-enrolment is supported internally on all DOMAIN JOINED servers (not Edge), but it requires that you configure your CA accordingly.
- Encryption key of 1024, 2048 or 4096 bits. Do not use 4096 in a Lync environment if you size for a large number of concurrently active users; it has a massive impact on your CPU utilization (and if you do, use an ASIC offload card for the IIS service!)
- The default signing key algorithm is RSA, which is sufficient.
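The requirements above can be checked on an issued certificate before it is assigned. The following PowerShell function is an added example, not part of the original document: it tests a certificate for the Server Authentication EKU, an HTTP CRL distribution point, a SHA-1/SHA-2 signature and an RSA key of 1024, 2048 or 4096 bits, and flags 4096-bit keys because of the CPU cost the text mentions. The certificate file path is assumed.

```powershell
# Added example, not part of the original document: checks an issued certificate
# against the requirements listed above (Server Authentication EKU, HTTP CDP,
# SHA-1/SHA-2 signature, RSA key of 1024/2048/4096 bits). The file path is assumed.
function Test-LyncServerCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # Server EKU: extension OID 2.5.29.37 must list Server Authentication (1.3.6.1.5.5.7.3.1)
    $eku = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
    if (-not $hasServerAuth) { $findings.Add('EKU: Server Authentication is missing') }

    # CDP: at least one http:// distribution point so non-domain clients can fetch the CRL
    $cdp = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp -or $cdp.Format($true) -notmatch 'URL=http://') {
        $findings.Add('CDP: no http:// CRL distribution point (ldap-only works for domain members only)')
    }

    # Signature hash: SHA-1 or a SHA-2 member (224/256/384/512); anything else (e.g. MD5) fails
    $sig = $Certificate.SignatureAlgorithm.FriendlyName       # e.g. sha256RSA
    if ($sig -notmatch '^sha(1|224|256|384|512)(RSA|ECDSA)$') {
        $findings.Add("Signature: '$sig' is not a supported signing algorithm")
    }

    # Key algorithm and size: RSA with 1024/2048/4096 bits; 4096 is legal but costly
    $alg = $Certificate.PublicKey.Oid.FriendlyName             # 'RSA' for the WebServer template
    if ($alg -eq 'RSA') {
        $bits = $Certificate.PublicKey.Key.KeySize
        switch ($bits) {
            2048 { }
            1024 { $findings.Add('Key: 1024-bit RSA is accepted by Lync but weak; prefer 2048') }
            4096 { $findings.Add('Key: 4096-bit RSA raises CPU load on busy Front Ends; prefer 2048') }
            default { $findings.Add("Key: $bits-bit RSA is not a supported size") }
        }
    }

    [pscustomobject]@{
        Subject   = $Certificate.Subject
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

# Usage: inspect an exported certificate file (path assumed); a store entry from
# Cert:\LocalMachine\My can be passed to -Certificate just the same
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\lyncserver.cer'
Test-LyncServerCertificate -Certificate $cert | Format-List
```

A certificate that passes this check still needs the correct subject and SAN entries for its role; those are covered in the planning tables later in the document.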
Cryptographic Algorithms and hash
Depending on which OS the Lync clients are running on and, additionally, which systems Lync must communicate with (e.g. OCS 2007), we need to care, internally as well as externally, about the cryptographic hash, the algorithm and also the cryptographic hash the CA is using.
Older OS versions, before Server 2012 and Windows 8, can also be signed with a SHA-256 cryptographic hash, even if it is not required.
On the external Edge server the issuing CA must also support SHA-256.
Elliptic curve and others
The most secure algorithms available for CAs are supported with Lync 2013: the ECDH_P256, ECDH_P384 and ECDH_P521 algorithms. Here too, remember the load you generate on server and client.
SAN: Default SIP domain
SAN: Any additional SIP domain
Note: If only a single SIP domain is used, no SAN is needed.
If you already know that you will need additional SIP domains later, add them manually to the certificate now, so you do not need to reissue the certificate later.
The certificate Common Name is the SIP domain.
Server and service certificate requirements:
In the examples I am using the following definitions:
Active Directory domain: AD.INT
First SIP domain: SIPDOM01.COM
Second SIP domain: SIPDOM02.DE
I will not discuss the wildcard certificate option here again; if you are going to use wildcards, simply keep in mind that you should only use "*" for simple URLs.
Standard Server
A Standard Edition server can be handled in two different ways. One is a smaller deployment with a single server only. In that case you can simply use a fully consolidated certificate, but I urge you to do so only if this is really the case. The consolidated certificate is simply the combination of all the tables below, where the SN (subject name) must be the server FQDN.
If your Standard server is part of an enterprise deployment, e.g. as a backup registrar or a single-site server, please start separating the certificates as mentioned above.
Therefore the requirements are:
Default Certificate
If this server is your auto-logon server, i.e. the server that sip.<sipdomain> will point to, you must include the SANs too.
Common/Subject Name: Server FQDN
SAN: All SIP domains, Server FQDN
Comment: You can use this certificate for OAuth too, but add the <sip-domain> FQDN manually. If this server is your connection point for SIP auto-logon, add the sip.<sip-domain> FQDN.
Web Service Internal
Within a simple deployment you might include the external FQDNs within your internal web service certificate, meaning, set up a consolidated certificate for both internal and external web services.
Common/Subject Name: Server internal FQDN
SAN: Server FQDN, Web Service external FQDN, MEET URL, DIALIN URL, External MOBILE Client URL, all external simple URLs
Comment: The admin URL is optional and not required (I would not recommend administering your Lync environment from outside your organization). Make sure only a single DIALIN URL is in the certificate.
Option: use wildcard, e.g. *.SIPDOM01.COM, *.SIPDOM02.DE
Web Service External
Within a simple deployment you might include the external FQDNs within your internal web service certificate, meaning, set up a consolidated certificate for both internal and external web services.
Common/Subject Name: Internal Pool FQDN
SAN: Internal Pool FQDN, Web Service external FQDN, MEET URL, DIALIN URL, External MOBILE Client URL, all external simple URLs
Comment: The admin URL is optional and not required (I would not recommend administering your Lync environment from outside your organization). Make sure only a single DIALIN URL is in the certificate.
Option: use wildcard, e.g. *.SIPDOM01.COM, *.SIPDOM02.DE
If you are going to create this certificate, you must either generate it manually or request it as a "Lync Default" certificate, set the friendly name to e.g. WebServiceInternal and ensure the SIP domain is not included. The Web Service FQDN must be part of the SAN.
Therefore plan this certificate carefully and double-check that you used the "Lync Default" certificate request process correctly.
When you assign this certificate, a warning will be raised. This warning must be ignored.
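The tables above and the "Lync Default" request workaround can be put together in the Lync Server Management Shell as follows. This is an added example, not the document's own script: it requests the Default certificate with all SIP domains, the internal web service certificate as a Default-type request without SIP domains (the workaround just described), and the external web service certificate, then assigns them. The CA path, the server FQDN and the web service FQDNs are constructed for the article's AD.INT / SIPDOM01.COM / SIPDOM02.DE definitions and must be replaced with your topology values; the example also assumes the object returned by Request-CsCertificate exposes a Thumbprint property.

```powershell
# Added example, not part of the original document. Requests and assigns the three
# internal certificates for a Standard Edition server using the article's domains
# (AD.INT, SIPDOM01.COM, SIPDOM02.DE). CA path, host names and web service FQDNs
# are constructed placeholders; replace them with the values from your topology.
$ca     = 'ca01.ad.int\AD-INT-CA'     # constructed: <CA host FQDN>\<CA name>
$webInt = 'lyncweb-int.ad.int'         # constructed internal web services FQDN
$webExt = 'lyncweb.sipdom01.com'       # constructed external web services FQDN

# 1. Default certificate: subject = local server FQDN (set automatically),
#    SAN = every SIP domain (-AllSipDomain) plus sip.<domain> for auto-logon (-DomainName)
$default = Request-CsCertificate -New -Type Default -CA $ca -Template WebServer `
    -FriendlyName 'LyncDefault' -KeySize 2048 -PrivateKeyExportable $true `
    -AllSipDomain -DomainName 'sip.sipdom01.com,sip.sipdom02.de'

# 2. Internal web services, requested as "Default" type per the workaround above:
#    no -AllSipDomain, web service FQDN and simple URLs in the SAN, one DIALIN URL only
$webInternal = Request-CsCertificate -New -Type Default -CA $ca -Template WebServer `
    -FriendlyName 'WebServiceInternal' -KeySize 2048 -PrivateKeyExportable $true `
    -DomainName "$webInt,meet.sipdom01.com,dialin.sipdom01.com,meet.sipdom02.de"

# 3. External web services: external web FQDN, meet/dialin simple URLs and the
#    lyncdiscover names used by mobile clients; again a single DIALIN URL
$webExternal = Request-CsCertificate -New -Type WebServicesExternal -CA $ca -Template WebServer `
    -FriendlyName 'WebServiceExternal' -KeySize 2048 -PrivateKeyExportable $true `
    -DomainName "$webExt,meet.sipdom01.com,dialin.sipdom01.com,lyncdiscover.sipdom01.com,meet.sipdom02.de,lyncdiscover.sipdom02.de"

# Assign each certificate to its use. The WebServicesInternal assignment raises the
# SIP-domain warning the text mentions, because the certificate carries no SIP domain.
Set-CsCertificate -Type Default              -Thumbprint $default.Thumbprint
Set-CsCertificate -Type WebServicesInternal  -Thumbprint $webInternal.Thumbprint
Set-CsCertificate -Type WebServicesExternal  -Thumbprint $webExternal.Thumbprint

# Verify what is now bound to each use
Get-CsCertificate | Format-Table Use, Subject, Thumbprint -AutoSize
```

Run the requests as an account that is allowed to enrol against the WebServer template; if the CA is offline or enrolment is restricted, Request-CsCertificate with -Output writes a request file instead of contacting the CA, and the resulting certificate is imported and assigned with the same Set-CsCertificate calls.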