this is Part 2 of understanding Lync Security, you can find part 1 here
As you already know, SSL certificates are a method of establishing trust between the client and the server so both are sure they are talking to the correct end.
As mentioned in Part-1, servers and clients uses Certificate to encrypt the communications, for that you need to consider the following:
- You must have a CRL (certificate revocation list) configured.
- You must have EKU (Enhanced Key Usage) configured for your certificate, All Lync certificate must support EKU which is important for MTLS
The Edge Server certificate:
On the Edge server a certificate is used on both network interface of the server, but in the external Interface the certificate used need to be issued by a trusted public CA.
Good thing about Lync is that you can use one certificate with all Edge roles as long as it has the correct names in it.
Two things to consider when ordering your Public Certificate:
- Subject name of the certificate need to be the name of the Access edge service e.g. access.lyncdude.net or sip.lyncdude.net
- The first SAN should be also the name of the Access Edge service, then the other services follows.
- Create the certificate with Exportable private Key
- Make sure to include each sip.domain.com to the certificate for each SIP domain you have in your deployment
The following photo is taken from my Lab, I have an Edge Pool called Lync-pool02.lyncdude.net with two Edge servers deployed in it.
I have ordered one certificate with one SN of Access edge server, and all other web services required as a SAN in the certificate.
Your certificates should be something similar to those two
So what do you need to tell your network team to open for the remote users is always a pain in the ***.
So the following Diagram isolate the required ports for the external access:
Note that it’s best practice to open the TCP ports 50.000 to 59.999 for the AV service. While the UDP ports 50.000 to 59.999 are required to enable communication with OCS 2007 clients.
The use of the IPsec on Network effect the Lync Media traffic by creating a delay because packages need to be inspected, so to use IPsec you will need to turn it off for
The media traffic.