
Forefront TMG Certs for Lync

8/27/2012

To recap, in Lync Server Edge Server deployments, an HTTPS reverse proxy in the perimeter network is required for external clients to access the Lync Server Web Services on the Director and the user's home pool. Some of the features that require external access through a reverse proxy include the following:

Enabling external users to download meeting content for your meetings.
Enabling external users to expand distribution groups.
Enabling remote users to download files from the Address Book service.
Accessing the Microsoft Lync Web App client.
Accessing the Dial-in Conferencing Settings webpage.
Accessing the Location Information service.
Enabling external devices to connect to the Device Update web service and obtain updates.

There's not much documentation on how to create and install the proper certificates on the Reverse Proxy, so I'd like to share the steps that I took for setting up a Lync Reverse Proxy using Forefront Threat Management Gateway (TMG) 2010. The TechNet documentation at http://technet.microsoft.com/en-us/library/gg429704.aspx explains what the subject name and SANs need to be for the certificate, but does not actually tell you how to request and install the certificate in order to get it working. So here goes:

1. First and foremost, after installing TMG2010, if you are not using a public CA then you need to import the Root CA Certificate into the TMG Server's Trusted Root Certificate Authorities. This is because the TMG Server is not joined to the AD Domain since it sits in the perimeter network. To do this, navigate to http://<CAServerFQDN>/certsrv and click on "Download a CA Certificate, Certificate Chain or CRL" and then click on "Download CA Certificate". Save the file with a .cer extension on the Reverse Proxy server, then open it. Click on "Install Certificate" and follow the wizard, making sure you put the certificate into the "Trusted Root Certificate Authorities" certificate store.

2. Since there's no certificate wizard in TMG, you have to use Lync Server to create the certificate on behalf of the Reverse Proxy. In the Lync Server Management Shell (PowerShell), type the following:

> Request-CsCertificate -New -Type WebServicesExternal -PrivateKeyExportable $True -FriendlyName "RP Cert" -Organization "Polycom" -OU "APAC" -KeySize 2048 -City "SG" -State "SG" -Country "SG" -Output c:\rpcert.req

The parameters I used are for my environment, so you have to substitute them with your own. Note that we have to specify that the private key must be exportable. The advantage of using Lync is that it also generates the necessary SANs in the CSR for the certificate to work properly with all the Lync web services. You also need to make sure the External Web Services FQDN for the Lync Pool is defined, as this will be included in the SAN. If you have not yet defined this, open the Lync Topology Builder and define it, then publish the topology before running this command.

3. Next, copy rpcert.req to the CA and start the Certification Authority MMC from the Administrative Tools. Right-click on the CA server and choose "All Tasks" and then "Submit New Request". Choose the rpcert.req file and then select a location to save the cert, for example c:\rpcert.cer

4. With the rpcert.cer issued by the CA, you now need to copy this file back to the Lync server for import. Why not just import it into the Reverse Proxy server? Because the CSR was generated by the Lync server, which means the private key only resides there. By importing the certificate back into Lync, you can then export the entire certificate along with the public and private keys. In the Lync Server Management Shell, type the following:

> Import-CsCertificate -Path c:\rpcert.cer -PrivateKeyExportable $True

This will put the certificate into the Lync server's certificate store.

5. Now, start the Certificates MMC on the Lync server. To do this, run mmc from the Start menu, click on File->Add/Remove Snap-in, choose Certificates and select the Computer Account (Local Computer). Expand Certificates->Personal->Certificates in the left navigation pane and you should see the newly imported cert, with the subject name being the FQDN of the Reverse Proxy server. Right-click on the certificate, select All Tasks and then Export. In the Export wizard, select "Yes, export the private key" and you will be forced to export as a PKCS #12 .pfx file. Select "Include all certificates in the certification path if possible" and "Export all extended properties". Next you will be prompted to enter a password twice; then complete the wizard by saving the file to a location you specify.

6. Finally, copy the newly exported .pfx file back to the Reverse Proxy server. Then start the Certificates MMC and choose the Computer Account. Expand Personal->Certificates, then right-click and choose All Tasks->Import. In the wizard, select the .pfx file and then enter the password you set in step 5. The certificate is now stored in the Reverse Proxy server's certificate store and ready for use.

As you configure TMG2010 to create the web publishing rule for Lync web services, follow the instructions given in the documentation and when creating a web listener, you can now select the imported certificate.
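Before you bind the certificate to the web listener, it is worth confirming on the Reverse Proxy that the import actually produced what TMG needs: a private key (only present if you imported the .pfx, not the .cer), the external web services FQDNs in the SAN, and a chain that builds to the root CA imported in step 1. The script below is an added example written for this post, not part of the original walkthrough or of any Microsoft tooling; the friendly name comes from step 2, while the expected FQDNs are placeholders you must replace with your own.

```powershell
# Added example: sanity-check the Reverse Proxy certificate on the TMG server.
# Assumptions: run in an elevated PowerShell on the TMG server; the FQDNs below are
# placeholders for your own External Web Services / simple URL names.
param(
    [string]$FriendlyName  = "RP Cert",
    [string[]]$ExpectedNames = @("lyncweb.example.com", "meet.example.com", "dialin.example.com")
)

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $FriendlyName } |
    Select-Object -First 1
if (-not $cert) {
    Write-Error "No certificate with friendly name '$FriendlyName' in LocalMachine\My."
    exit 1
}
Write-Host "Subject: $($cert.Subject)  Thumbprint: $($cert.Thumbprint)"

# 1. The listener cannot terminate TLS without the private key. This is $false when
#    only the .cer was imported instead of the .pfx exported in step 5.
if (-not $cert.HasPrivateKey) {
    Write-Warning "Private key missing: import the .pfx exported from the Lync server (step 6)."
}

# 2. Every name clients will use must appear in the Subject Alternative Name
#    extension (OID 2.5.29.17). Format() output is locale dependent; this parses
#    the English "DNS Name=" form.
$sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
$sanNames = @()
if ($sanExt) {
    $sanNames = ($sanExt.Format($true) -split "[\r\n,]+") |
        Where-Object { $_ -match "DNS Name=" } |
        ForEach-Object { ($_ -split "=", 2)[1].Trim() }
}
foreach ($name in $ExpectedNames) {
    if ($sanNames -notcontains $name) { Write-Warning "SAN does not contain $name" }
}

# 3. The chain must build to a trusted root on this (non-domain-joined) server.
#    A failure here usually means step 1 was skipped or the CRL URL in the
#    certificate is not reachable from the perimeter network.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning ("Chain: " + $_.StatusInformation.Trim()) }
}

# 4. Flag certificates about to expire so the renewal is planned, not discovered.
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); repeat steps 2-6 to renew."
}
```

If all four checks pass silently, the certificate will appear in the TMG web listener's certificate picker and the chain presented to external clients will validate.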

That's all for this post and hope this has been useful for you.