
I have been struggling for a few days with connectivity on my external SIP domains.

My setup is as follows: I have one standard FE server that is not publicly accessible.

I have an Edge Server that is publicly exposed, but its IP is translated by NAT.

My primary SIP domain is company1.co.za -> users of this SIP domain can connect internally and externally without any issues. All my other SIP domains are giving certificate issues; they are included in the self-signed certificate that company1.co.za connects to.

So: company2.co.za, company3.co.za, ... company15.co.za

None of them can connect.

If I export the certificate with the private key and import it on any of company 2 - 15, then they can connect.

Will buying a DigiCert certificate be worthwhile, or am I missing something?

This Lync development is rapidly expanding, so adding SANs to the primary cert is going to be an administrative nightmare.

Can someone please shed some light on this and give me some pointers?

Peanut
  • `exporting the certificate with the private key and importing on any of company 2 - 15 then they can connect` What do you mean? Importing where, concretely? – krisFR Jan 16 '14 at 02:57
  • Importing the certificate with its private key on a customer's PC enables Lync to sign in, and it does not complain about the certificate anymore. – Peanut Jan 17 '14 at 05:36

1 Answer


The client establishes a TLS connection with the external edge of the edge server, so there are two requirements:

  1. The client must be able to verify the authenticity of the certificate.
  2. The certificate must contain the FQDN that the client used to reach the edge server.

In general, you will always have to obtain a certificate from a public CA for your external edge. This is a requirement for federation as well - for example, to federate with Lync Online or Skype.

Supporting multiple domains requires the certificate to contain multiple domains. If there is a common root domain then you can use a wildcard in your certificate. For example, if you have two domains "hr.contoso.com" and "eng.contoso.com" then you can put "*.contoso.com" in your certificate.

Conal
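The second requirement in the answer (the certificate must contain the FQDN the client used) and the wildcard remark are easy to reason about incorrectly, so here is an added example, not code from the question or the answer, that applies the hostname-matching rules a TLS client uses (RFC 6125: case-insensitive comparison, wildcard only as the whole leftmost label, matching exactly one label) to a constructed SAN list. The SAN entries and client target names below are made up for illustration; they stand in for an edge certificate that carries only the primary domain plus a wildcard, and do not come from the page. Requirement 1 (chain validation against a trusted CA) is not modelled here.

```python
"""Hostname-vs-certificate matching as a TLS client applies it to an edge server.

Constructed example: the SAN list stands in for the edge certificate
described in the question (primary domain only) plus the wildcard the
answer mentions. None of these names refer to a real certificate.
"""

# Constructed: DNS names an edge certificate might carry in its
# subjectAltName extension. The company2..company15 SIP domains are absent,
# which is the situation described in the question.
EDGE_CERT_SANS = [
    "sip.company1.co.za",
    "webconf.company1.co.za",
    "av.company1.co.za",
    "*.contoso.com",
]

# Constructed: FQDNs that various clients would use to reach the edge.
CLIENT_TARGETS = [
    "sip.company1.co.za",
    "SIP.COMPANY1.CO.ZA",      # comparison is case-insensitive
    "sip.company2.co.za",      # secondary SIP domain, not in the certificate
    "hr.contoso.com",          # covered by the wildcard
    "sip.hr.contoso.com",      # wildcard covers exactly one label
    "contoso.com",             # wildcard does not cover the bare domain
]


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a single SAN dNSName entry covers hostname.

    Implements the RFC 6125 rules mainstream TLS clients apply: comparison is
    case-insensitive, a wildcard is only honoured as the whole leftmost label,
    it must be followed by at least two more labels, and it stands in for
    exactly one label (never zero, never a dotted run of labels).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject "*.com", "s*p.example.com", "*.*.example.com" and similar.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # Equal label count means the wildcard replaces exactly one label.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[0] != "" and h_labels[1:] == p_labels[1:]


def cert_covers(sans, hostname: str) -> bool:
    """Requirement 2 from the answer: the name the client used must be in the cert."""
    return any(hostname_matches(san, hostname) for san in sans)


def uncovered_hosts(sans, hostnames):
    """List the client targets that would fail the hostname check."""
    return [h for h in hostnames if not cert_covers(sans, h)]


if __name__ == "__main__":
    for target in CLIENT_TARGETS:
        verdict = "OK  " if cert_covers(EDGE_CERT_SANS, target) else "FAIL"
        print(f"{verdict} {target}")
    print("Names that need a SAN entry (or a wildcard under a shared root):")
    for name in uncovered_hosts(EDGE_CERT_SANS, CLIENT_TARGETS):
        print("  ", name)
```

Running it flags sip.company2.co.za, sip.hr.contoso.com and contoso.com as uncovered: a secondary SIP domain under a different root needs its own SAN entry, and a wildcard under a shared root only reaches one label down. Against a live edge, `ssl.create_default_context().wrap_socket(sock, server_hostname=fqdn)` performs both checks from the answer and raises `ssl.SSLCertVerificationError` if either the chain or the hostname fails. Whether a particular Lync client version honours a wildcard for a given service is a product question this matcher does not model.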