Understanding Lync Security – Part 2

Howdy,

This is Part 2 of Understanding Lync Security; you can find Part 1 here.

Certificates:

As you already know, SSL certificates are a method of establishing trust between the client and the server so both are sure they are talking to the correct end.

As mentioned in Part 1, servers and clients use certificates to encrypt their communications. For that you need to consider the following:

  1. You must have a CRL (certificate revocation list) configured.
  2. You must have an EKU (Enhanced Key Usage) configured for your certificate. All Lync certificates must support EKU, which is important for MTLS.

The Edge Server certificate:

On the Edge server a certificate is used on both network interfaces of the server, but on the external interface the certificate needs to be issued by a trusted public CA.

The good thing about Lync is that you can use one certificate for all Edge roles as long as it has the correct names in it.

Things to consider when ordering your public certificate:

  • The subject name of the certificate needs to be the name of the Access Edge service, e.g. access.lyncdude.net or sip.lyncdude.net
  • The first SAN should also be the name of the Access Edge service, then the other services follow.
  • Create the certificate with an exportable private key.
  • Make sure to include sip.domain.com in the certificate for each SIP domain you have in your deployment.
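As an added example (not from the original post), the naming, EKU and CRL rules above written as a small Python check that you can feed with the fields read out of an issued certificate (for instance from `openssl x509 -text`). The sample values are constructed from the lab names used in this post; the CA URL is a placeholder, and the Server Authentication EKU OID is the standard id-kp-serverAuth value.

```python
# id-kp-serverAuth OID; this is the EKU Lync needs for MTLS (standard RFC 5280 value)
SERVER_AUTH_EKU = "1.3.6.1.5.5.7.3.1"


def check_edge_cert(subject_cn, sans, ekus, crl_urls, access_edge_fqdn, sip_domains):
    """Compare an Edge certificate's fields with the rules above; return a list of problems."""
    problems = []
    access_edge = access_edge_fqdn.lower()
    sans = [s.lower() for s in sans]
    # Subject name must be the Access Edge service name.
    if subject_cn.lower() != access_edge:
        problems.append(f"subject name is {subject_cn}, expected {access_edge}")
    # First SAN must repeat the Access Edge name; the other services follow.
    if not sans:
        problems.append("certificate has no subject alternative names")
    elif sans[0] != access_edge:
        problems.append(f"first SAN is {sans[0]}, expected {access_edge}")
    # One sip.<domain> entry per SIP domain in the deployment.
    for domain in sip_domains:
        if f"sip.{domain.lower()}" not in sans:
            problems.append(f"missing SAN sip.{domain.lower()} for SIP domain {domain}")
    # EKU must include Server Authentication, and a CRL must be published.
    if SERVER_AUTH_EKU not in ekus:
        problems.append("Server Authentication EKU missing (required for MTLS)")
    if not crl_urls:
        problems.append("no CRL distribution point in the certificate")
    return problems


# Constructed sample values using the lab names from this post.
ACCESS_EDGE = "access.lyncdude.net"
SIP_DOMAINS = ["lyncdude.net"]
CRL_URL = "http://crl.example-ca.invalid/ca.crl"  # placeholder, not a real CA

GOOD_CERT = dict(subject_cn=ACCESS_EDGE,
                 sans=[ACCESS_EDGE, "sip.lyncdude.net", "webconf.lyncdude.net", "av.lyncdude.net"],
                 ekus=[SERVER_AUTH_EKU], crl_urls=[CRL_URL])

# Same names, but the Access Edge name is not the first SAN and sip.lyncdude.net is missing.
BAD_CERT = dict(subject_cn=ACCESS_EDGE,
                sans=["webconf.lyncdude.net", ACCESS_EDGE, "av.lyncdude.net"],
                ekus=[SERVER_AUTH_EKU], crl_urls=[CRL_URL])

if __name__ == "__main__":
    for name, cert in (("good", GOOD_CERT), ("bad", BAD_CERT)):
        print(name, check_edge_cert(**cert, access_edge_fqdn=ACCESS_EDGE, sip_domains=SIP_DOMAINS) or "OK")
```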

The following photo is taken from my lab: I have an Edge pool called Lync-pool02.lyncdude.net with two Edge servers deployed in it.

I have ordered one certificate with one SN (subject name) for the Access Edge server, and all the other required web services as SANs in the certificate.

Internal Certificate:

[screenshot: edge-int]

External Certificate:

[screenshot: edge-ext]

Your certificates should be something similar to those two :)

Firewall:

So what you need to tell your network team to open for remote users is always a pain in the ***.

The following diagram isolates the required ports for external access:

[diagram: BlOG_FW]

Note that it’s best practice to open TCP ports 50,000 to 59,999 for the A/V service, while UDP ports 50,000 to 59,999 are required to enable communication with OCS 2007 clients.

Using IPsec on the network affects the Lync media traffic by introducing delay, because the packets need to be inspected; so if you use IPsec you will need to turn it off for the media traffic.

About

Mostafa Tohamey is a Senior Unified Communications & Messaging Engineer specialized in working with Microsoft Exchange and Microsoft Lync Server. He lives and works in Germany at 1&1 Internet AG, taking care of the Microsoft Lync & Exchange infrastructures. He worked closely with Microsoft Dubai for 3 years designing, building and supporting Exchange and Lync infrastructures. He is a Microsoft Certified ITP in Lync and Exchange and also attended the Microsoft Partner Premier Field Support Engineer T1 Training for Microsoft Lync 2010.
