lync 2013 wildcard certificate support - …dbmanagement.info/books/mix/lync_2013_wildcard... lync...
TRANSCRIPT
www.mvatcybernet.com
www.mvatcybernet.com
LYNC 2013 WILDCARD CERTIFICATE
SUPPORT Lync Server 2013
Lync Server 2013 uses certificates to provide communications encryption and server identity authentication. In some cases, such as web publishing through the reverse proxy, strong subject alternative name (SAN) entry matching to the fully qualified domain name (FQDN) of the server presenting the service is not required. In these cases, you can use certificates with wildcard SAN entries (commonly known as “wildcard certificates”) to reduce the cost of a certificate requested from a public certification authority and to reduce the complexity of the planning process for certificates.
WARNING:
To retain the functionality of Unified Communications (UC) devices (for example, desk phones), you should test the deployed certificate carefully to ensure that devices function properly after you implement a wildcard certificate.
There is no support for a wildcard entry as the subject name (also referred to as the common name or CN) for any role. The following server roles are supported when using wildcard entries in the SAN:
Reverse proxy: Wildcard SAN entry is supported for simple URL publishing certificate.
Director: Wildcard SAN entry is supported for simple URLs in Director web components.
Front End Server (Standard Edition) and Front End pool (Enterprise Edition): Wildcard SAN entry is supported for simple URLs in Front End web components.
Exchange Unified Messaging (UM): The server does not use SAN entries when deployed as a stand-alone server.
www.mvatcybernet.com
www.mvatcybernet.com
Microsoft Exchange Server Client Access server: Wildcard entries in the SAN are supported for internal and external clients.
Exchange Unified Messaging (UM) and Microsoft Exchange Server Client Access server on same server: Wildcard SAN entries are supported.
SERVER ROLES THAT ARE NOT ADDRESSED IN THIS TOPIC:
Internal server roles (including, but not limited to the Mediation Server, Archiving and Monitoring Server, Survivable Branch Appliance, or Survivable Branch Server)
External Edge Server interfaces
Internal Edge Server
NOTE:
For the internal Edge Server interface, a wildcard entry can be assigned to the SAN, and is supported. The SAN on the internal Edge Server is not queried, and a wildcard SAN entry is of limited value.
CERTIFICATE REQUIREMENTS FOR INTERNAL SERVERS
LYNC SERVER 2013
Internal servers that are running Lync Server and that require certificates include Standard Edition server, Enterprise Edition Front End Server, Mediation Server, and Director. The following table shows the certificate requirements for these servers. You can use the Lync Server certificate wizard to request these certificates.
TIP:
Wildcard certificates are supported for the subject alternative names associated with the simple URLs on the Front End pool, Front End Server, or Director. For details about wildcard certificate support, see Wildcard Certificate Support.
www.mvatcybernet.com
www.mvatcybernet.com
Although an internal enterprise certification authority (CA) is recommended for internal servers, you can also use a public CA. For a list of public CAs that provide certificates that comply with specific requirements for unified communications (UC) certificates and have partnered with Microsoft to ensure they work with the Lync Server Certificate Wizard, see article Microsoft Knowledge Base 929395, "Unified Communications Certificate Partners for Exchange Server and for Communications Server," at http://go.microsoft.com/fwlink/p/?linkId=202834.
Many public certification authorities have created Exchange-specific websites that provide relevant documentation about their service. The documentation that is provided includes steps to complete the following tasks:
To complete the certificate enrollment process
To deploy the Domain Security feature
To enable secure client access from the Internet The following table includes the name and the website for the certification authorities that issue Unified Communications certificates for Microsoft Exchange and for Communications Server. Collapse this table Expand this table
CERTIFICATION AUTHORITY
WEBSITE
Entrust http://www.entrust.net/microsoft/ (http://www.entrust.net/microsoft/)
Comodo http://www.comodo.com/msexchange (http://www.comodo.com/msexchange)
DigiCert http://www.digicert.com/unified-communications-ssl-tls.htm (http://www.digicert.com/unified-communications-ssl-tls.htm)
GlobalSign http://www.globalsign.com/ssl/buy-ssl-certificates/unified-communications-ssl/ (http://www.globalsign.com/ssl/buy-ssl-certificates/unified-communications-ssl/)
WISeKey http://www.wisekey.com/en/Products/digital-identities/Pages/ssl-solutions.aspx (http://www.wisekey.com/en/Products/digital-identities/Pages/ssl-solutions.aspx)
GeoTrust http://www.geotrust.com/ssl/ssl-certificates-san-uc/
www.mvatcybernet.com
www.mvatcybernet.com
(http://www.geotrust.com/ssl/ssl-certificates-san-uc/)
Thawte http://www.thawte.com/ssl/san-uc-ssl-certificates/index.html (http://www.thawte.com/ssl/san-uc-ssl-certificates/index.html)
Symantec (formerly VeriSign)
https://www.symantec.com/theme.jsp?themeid=san-ssl-certificates
Communication with other applications and servers, such as Exchange 2013, requires a certificate that is supported by the other applications and products. For the 2013 release, Lync Server 2013 and other Microsoft server products, including Exchange 2013 and SharePoint Server, support the Open Authorization (OAuth) protocol for server-to-server authentication and authorization. For details, see Managing Server-to-Server Authentication (Oauth) and Partner Applications in the Deployment documentation or the Operations documentation.
For connections from clients running Windows 7 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Vista operating system, and Microsoft Office Communicator 2007 Phone Edition, Lync Server 2013 includes support for (but does not require) certificates signed using the SHA-256 cryptographic hash function. To support external access using SHA-256, the external certificate is issued by a public CA using SHA-256.
The following tables show certificate requirements by server role for Front End pools and Standard Edition servers. All these are standard web server certificates, private key, non-exportable.
Note that server enhanced key usage (EKU) is automatically configured when you use the certificate wizard to request certificates.
www.mvatcybernet.com
www.mvatcybernet.com
CERTIFICATES FOR STANDARD EDITION SERVER
CERTIFICATE
SUBJECT NAME/
COMMON NAME
SUBJECT ALTERNATIVE
NAME EXAMPLE COMMENTS
Default
Fully Qualified Domain Name (FQDN) of the Pool
FQDN of the pool and the FQDN of the server
If you have multiple SIP domains and have enabled automatic client configuration, the certificate wizard detects and adds each supported SIP domain FQDNs.
If this pool is the auto-logon server for clients and strict Domain Name System (DNS) matching is required in group policy, you also need entries for sip.sipdomain (for each SIP domain you have).
SN=se01.contoso.com; SAN=se01.contoso.com
If this pool is the auto-logon server for clients and strict DNS matching is required in group policy, you also need SAN=sip.contoso.com; SAN=sip.fabrikam.com
On Standard Edition server, the server FQDN is the same as the pool FQDN.
The wizard detects any SIP domains you specified during setup and automatically adds them to the subject alternative name.
You can also use this certificate for Server-to-Server Authentication.
Web internal FQDN of the Server
Each of the following:
Internal web FQDN (which is the same
SN=se01.contoso.com; SAN=se01.contoso.com; SAN=meet.contoso.com; SAN=meet.fabrikam.com; SAN=dialin.contoso.com; SAN=admin.contoso.com
Internal web FQDN cannot be overwritten in Topology Builder.
If you have multiple Meet
www.mvatcybernet.com
www.mvatcybernet.com
as the FQDN of the server)
Meet simple URLs
Dial-in simple URL
Admin simple URL
Or, a wildcard entry for the simple URLs
Using a wildcard certificate:
SN=se01.contoso.com; SAN=se01.contoso.com; SAN=*.contoso.com
simple URLs, you must include all of them as subject alternative names.
Wildcard entries are supported for the simple URL entries.
Web external FQDN of the Server
Each of the following:
External web FQDN
Dial-in simple URL
Admin simple URL
Or, a wildcard entry for the simple URLs
SN=se01.contoso.com; SAN=webcon01.contoso.com; SAN=meet.contoso.com; SAN=meet.fabrikam.com; SAN=dialin.contoso.com
Using a wildcard certificate:
SN=se01.contoso.com; SAN=webcon01.contoso.com; SAN=*.contoso.com
If you have multiple Meet simple URLs, you must include all of them as subject alternative names.
Wildcard entries are supported for the simple URL entries.
www.mvatcybernet.com
www.mvatcybernet.com
CERTIFICATES FOR FRONT END SERVER IN A FRONT END POOL
CERTIFICATE
SUBJECT NAME/
COMMON NAME
SUBJECT ALTERNATIVE
NAME EXAMPLE COMMENTS
Default FQDN of the Pool
FQDN of the pool and FQDN of the server.
If you have multiple SIP domains and have enabled automatic client configuration, the certificate wizard detects and adds each supported SIP domain FQDNs.
If this pool is the auto-logon server for clients and strict DNS matching is required in group policy, you also need entries for sip.sipdomain (for each SIP domain you have).
SN=eepool.contoso.com; SAN=eepool.contoso.com; SAN=ee01.contoso.com
If this pool is the auto-logon server for clients and strict DNS matching is required in group policy, you also need SAN=sip.contoso.com; SAN=sip.fabrikam.com
The wizard detects any SIP domains you specified during setup and automatically adds them to the subject alternative name.
You can also use this certificate for Server-to-Server Authentication.
Web Internal FQDN of the Server
Each of the following:
Internal web FQDN (which is the same as the FQDN of the server)
SN=ee01.contoso.com; SAN=ee01.contoso.com; SAN=meet.contoso.com; SAN=meet.fabrikam.com; SAN=dialin.contoso.com; SAN=admin.contoso.com
Using a wildcard certificate:
SN=ee01.contoso.com; SAN=ee01.contoso.com; SAN=*.contoso.com
Internal web FQDN cannot be overwritten in Topology Builder.
If you have multiple Meet simple URLs, you must include all of them as
www.mvatcybernet.com
www.mvatcybernet.com
Meet simple URLs
Dial-in simple URL
Admin simple URL
Or, a wildcard entry for the simple URLs
subject alternative names.
Wildcard entries are supported for the simple URL entries.
Web external FQDN of the Server
Each of the following:
External web FQDN
Dial-in simple URL
Admin simple URL
Or, a wildcard entry for the simple URLs
SN=ee01.contoso.com; SAN=webcon01.contoso.com; SAN=meet.contoso.com; SAN=meet.fabrikam.com; SAN=dialin.contoso.com
Using a wildcard certificate:
SN=ee01.contoso.com; SAN=webcon01.contoso.com; SAN=*.contoso.com
If you have multiple Meet simple URLs, you must include all of them as subject alternative names.
Wildcard entries are supported for the simple URL entries.
www.mvatcybernet.com
www.mvatcybernet.com
CERTIFICATES FOR DIRECTOR
CERTIFICATE
SUBJECT NAME/
COMMON NAME
SUBJECT ALTERNATIVE NAME
EXAMPLE
Default FQDN of the Director Pool
FQDN of the Director, FQDN of the Director pool
If this pool is the auto-logon server for clients and strict DNS matching is required in group policy, you also need entries for sip.sipdomain (for each SIP domain you have).
SN=dir-pool.contoso.com; SAN=dir-pool.contoso.com; SAN=dir01.contoso.com
If this Director pool is the auto-logon server for clients and strict DNS matching is required in group policy, you also need SAN=sip.contoso.com; SAN=sip.fabrikam.com
Web Internal FQDN of the Server
Each of the following:
Internal web FQDN (which is the same as the FQDN of the server)
Meet simple URLs
Dial-in simple URL
Admin simple URL
Or, a wildcard entry for the simple URLs
SN=dir01.contoso.com; SAN=dir01.contoso.com; SAN=meet.contoso.com; SAN=meet.fabrikam.com; SAN=dialin.contoso.com; SAN=admin.contoso.com
SN=dir01.contoso.com; SAN=dir01.contoso.com SAN=*.contoso.com
Web external FQDN of the Server
Each of the following:
External web FQDN
Dial-in simple URL
The Director external web FQDN must be different from the Front End pool or Front End Server.
SN=dir01.contoso.com; SAN=directorwebcon01.contoso.com SAN=meet.contoso.com;
www.mvatcybernet.com
www.mvatcybernet.com
Admin simple URL
Or, a wildcard entry for the simple URLs
SAN=meet.fabrikam.com; SAN=dialin.contoso.com
SN=dir01.contoso.com; SAN=directorwebcon01.contoso.com SAN=*.contoso.com
If you have a stand-alone Mediation Server pool, the Mediation Servers in it each need the certificates listed in the following table. If you collocate Mediation Server with the Front End Servers, the certificates listed in the “Certificates for Front End Server in Front End Pool” table earlier in this topic are sufficient.
CERTIFICATES FOR STAND-ALONE MEDIATION SERVER
CERTIFICATE SUBJECT NAME/ COMMON NAME
SUBJECT ALTERNATIVE
NAME EXAMPLE
Default FQDN of the Pool
FQDN of the pool
FQDN of pool member server
SN=medsvr-pool.contoso.net; SAN=medsvr-pool.contoso.net; SAN=medsvr01.contoso.net
CERTIFICATES FOR SURVIVABLE BRANCH APPLIANCE
CERTIFICATE SUBJECT NAME/ COMMON NAME
SUBJECT ALTERNATIVE NAME
EXAMPLE
Default FQDN of the Appliance SIP.<sipdomain> (need one entry per SIP domain)
SN=sba01.contoso.net; SAN=sip.contoso.com; SAN=sip.fabrikam.com
CERTIFICATE REQUIREMENTS FOR EXTERNAL USER ACCESS
LYNC SERVER 2013
Microsoft Lync Server 2013 communications software supports the use of a single public certificate for access and web conferencing Edge external
www.mvatcybernet.com
www.mvatcybernet.com
interfaces, plus the A/V Authentication service. The Edge internal interface typically uses a private certificate issued by an internal certification authority (CA), but can also use a public certificate, provided that it is from a trusted public CA. The reverse proxy in your deployment uses a public certificate and encrypts the communication from the reverse proxy to clients and the reverse proxy to internal servers by using HTTP (that is, Transport Layer Security over HTTP).
Following are the requirements for the public certificate used for access and web conferencing Edge external interfaces, and the A/V authentication service:
The certificate must be issued by an approved public CA that supports subject alternative name. For details, see Microsoft Knowledge Base article 929395, "Unified Communications Certificate Partners for Exchange Server and for Communications Server," at http://go.microsoft.com/fwlink/p/?linkId=202834.
If the certificate will be used on an Edge pool, it must be created as exportable, with the same certificate used on each Edge Server in the Edge pool. The exportable private key requirement is for the purposes of the A/V Authentication service, which must use the same private key across all Edge Servers in the pool.
If you want to maximize the uptime for your Audio/Video services, review the certificate requirements for implementing a decoupled A/V Edge service certificate (that is, a separate A/V Edge service certificate from the other External Edge certificate purposes). For details, see Changes in Lync Server 2013 That Affect Edge Server Planning, Plan for Edge Server Certificates and Staging AV and OAuth Certificates Using -Roll in Set-CsCertificate.
The subject name of the certificate is the Access Edge service external interface fully qualified domain name (FQDN) or hardware load balancer VIP (for example, access.contoso.com).
NOTE:
For Lync Server 2013, this is no longer a requirement, but it is still recommended for compatibility with Office Communications Server.
www.mvatcybernet.com
www.mvatcybernet.com
The subject alternative name list contains the FQDNs of the following:
The Access Edge service external interface or hardware load balancer VIP (for example, sip.contoso.com).
NOTE:
Even though the certificate subject name is equal to the access Edge FQDN, the subject alternative name must also contain the access Edge FQDN because Transport Layer Security (TLS) ignores the subject name and uses the subject alternative name entries for validation.
The web conferencing Edge external interface or hardware load balancer VIP (for example, webcon.contoso.com).
If you are using client auto-configuration or federation, also include any SIP domain FQDNs used within your company (for example, sip.contoso.com, sip.fabrikam.com).
The A/V Edge service does not use the subject name or the subject alternative names entries.
NOTE:
The order of the FQDNs in the subject alternative names list does not matter.
If you are deploying multiple, load-balanced Edge Servers at a site, the A/V authentication service certificate that is installed on each Edge Server must be from the same CA and must use the same private key. Note that the certificate's private key must be exportable, regardless of whether it is used on one Edge Server or many Edge Servers. It must also be exportable if you request the certificate from any computer other than the Edge Server. Because the A/V authentication service does not use the subject name or subject alternative name, you can reuse the access Edge certificate as long as the subject name and subject alternative name
www.mvatcybernet.com
www.mvatcybernet.com
requirements are met for the access Edge and the web conferencing Edge and the certificate’s private key is exportable.
REQUIREMENTS FOR THE PRIVATE (OR PUBLIC) CERTIFICATE USED FOR THE EDGE INTERNAL INTERFACE ARE AS FOLLOWS:
The certificate can be issued by an internal CA or an approved public certificate CA.
The subject name of the certificate is typically the Edge internal interface FQDN or hardware load balancer VIP (for example, lsedge.contoso.com). However, you can use a wildcard certificate on the Edge internal.
No subject alternative name list is required.
THE REVERSE PROXY IN YOUR DEPLOYMENT SERVICES REQUESTS FOR:
External user access to meeting content for meetings
External user access to expand and display members of distribution groups
External user access to downloadable files from the Address Book Service
External user access to the Lync Web App client
External user access to the Dial-in Conferencing Settings web page
External user access to the Location Information Service
External device access to the Device Update Service and obtain updates
The reverse proxy publishes the internal server Web Components URLs. The Web Components URLs are defined on the Director, Front End Server or Front End pool as the External web services in Topology Builder.
Wildcard entries are supported in the subject alternative name field of the certificate assigned to the reverse proxy. For details about how to configure the certificate request for the reverse proxy, see Request and Configure a Certificate for Your Reverse HTTP Proxy.
www.mvatcybernet.com
www.mvatcybernet.com
CERTIFICATE SUMMARY - DNS AND HLB LOAD BALANCED
LYNC SERVER 2013
Certificate requirements for a Director with DNS load balancing and a hardware load balancer will use a default certificate that has a subject name and subject alternative names for services that the Director can receive. A certificate is requested for each Director in the pool. It is important to remember that the hardware load balancer is load balancing only the traffic from the reverse proxy. Additionally, there is an OAuth Token certificate for server to server authentication purposes that is installed on each server.
CERTIFICATES FOR DIRECTOR
COMPONENT SUBJECT NAME
(SN) SUBJECT ALTERNATIVE
NAMES (SAN) COMMENTS
Default dirpool01.contoso.net
dirpool01.contoso.net
dir01.contoso.net
dialin.contoso.com
meet.contoso.com
lyncdiscoverinternal.contoso.com
lyncdiscover.contoso.com
(Optionally) *.contoso.com
Director certificates can be requested from either an internally managed certification authority (CA) or from a public CA.
The Director responds to requests from the reverse proxy in the perimeter or from the Edge Server. Internal clients will not use the Director.
Or, a wildcard entry for the simple URLs
OAuthTokenIssuer dir01.contoso.net No Entry Important:
www.mvatcybernet.com
www.mvatcybernet.com
Note that the minimum key length is 1024, but you may receive a warning that the minimum recommended key length is 2048 bits.
The OAuthTokenIssuer certificate is a single-purpose certificate for the purpose of authenticating servers in a large-scale environment, and can be requested from an internal CA or from a public CA. The certificate is required.
CERTIFICATE SUMMARY - SINGLE DIRECTOR
LYNC SERVER 2013
Certificate requirements for a single Director consist of a default certificate that has a subject name and subject alternative names for services that the Director can receive. Additionally, there is an OAuth Token certificate for server to server authentication purposes.
CERTIFICATES FOR DIRECTOR
COMPONENT SUBJECT NAME
(SN) SUBJECT ALTERNATIVE
NAMES COMMENTS
Default dir01.contoso.net dir01.contoso.net Director certificates
can be requested
www.mvatcybernet.com
www.mvatcybernet.com
dialin.contoso.com
meet.contoso.com
lyncdiscoverinternal.contoso.com
lyncdiscover.contoso.com
(Optionally) *.contoso.com
from either an internally managed certification authority (CA) or from a public CA.
The Director responds to requests from the reverse proxy in the perimeter or from the Edge Server. Internal clients will not use the Director.
Or, a wildcard entry for the simple URLs
OAuthTokenIssuer dir01.contoso.net No Entry
Important:
Note that the minimum key length is 1024, but you may receive a warning that the minimum recommended key length is 2048 bits.
The OAuthTokenIssuer certificate is a single-purpose certificate for the purpose of authenticating servers in a large-scale environment, and can be requested from an internal CA or from a public CA. The certificate is required.
www.mvatcybernet.com
www.mvatcybernet.com
CERTIFICATE SUMMARY - SCALED DIRECTOR POOL, HARDWARE LOAD BALANCER
LYNC SERVER 2013
Certificate requirements for a Director with a hardware load balancer will use a default certificate that has a subject name and subject alternative names for services that the Director pool can receive. A certificate is requested for each Director in the pool. Additionally there is an OAuth Token certificate for server to server authentication purposes that is installed on each server.
CERTIFICATES FOR A SCALED DIRECTOR USING A HARDWARE LOAD BALANCER
COMPONENT SUBJECT NAME SUBJECT ALTERNATIVE
NAMES (SAN) COMMENTS
Default dirpool01.contoso.net
dirpool01.contoso.net
dir01.contoso.net
dialin.contoso.com
meet.contoso.com
lyncdiscoverinternal.contoso.com
lyncdiscover.contoso.com
(Optionally) *.contoso.com
Director certificates can be requested from either an internally managed certification authority (CA) or from a public CA.
The Director responds to requests from the reverse proxy in the perimeter or from the Edge Server.
Or, a wildcard entry for the simple URLs
OAuthTokenIssuer dir01.contoso.net No Entry
Important:
Note that the minimum key length is 1024,
www.mvatcybernet.com
www.mvatcybernet.com
but you may receive a warning that the minimum recommended key length is 2048 bits.
The OAuthTokenIssuer certificate is a single-purpose certificate for the purpose of authenticating servers in a large-scale environment, and can be requested from an internal CA or from a public CA. The certificate is required.
CERTIFICATE SUMMARY - REVERSE PROXY
LYNC SERVER 2013
Certificate requirements for the reverse proxy are much simpler than that for the Edge Servers. The provided flowchart presents the requirements necessary. The accompanying table presents typical certificate subject name and subject alternative names in relation to the scenarios that we have been reviewed in the Edge Server discussions. For more details on the Edge Server scenarios, see Scenarios for External User Access.
www.mvatcybernet.com
www.mvatcybernet.com
www.mvatcybernet.com
www.mvatcybernet.com
REVERSE PROXY: EXTERNAL INTERFACE
COMPONENT SUBJECT NAME SUBJECT ALTERNATIVE
NAME (SAN)/ORDER COMMENTS
Reverse Proxy webext.contoso.com
webext.contoso.com
webdirext.contoso.com
dialin.contoso.com
meet.contoso.com
lyncdiscover.contoso.com
(Optional):*.contoso.com
Certificate must be issued by a public CA and with the server EKU. Services include Address Book Service, distribution group expansion and Lync IP Device publishing rules. Subject alternative name includes:
External Web Services FQDN for Front End Server or Front End pool
External Web Services FQDN for Director or Director pool
Dial-in conferencing
Online meeting publishing rule
Lyncdiscover (Autodiscover)
The optional wildcard replaces both meet and dialin SAN
www.mvatcybernet.com
www.mvatcybernet.com
GUIDELINES FOR INTEGRATING ON-PREMISES UNIFIED MESSAGING AND LYNC SERVER 2013
LYNC SERVER 2013
The following are guidelines and best practices to consider when you deploy Enterprise Voice:
IMPORTANT:
Exchange Unified Messaging (UM) supports IPv6 only if you are also using UCMA 4.
Deploy a Lync Server 2013 Standard Edition server or a Front End pool. For details about installation, see Deploying Lync Server 2013 in the Deployment documentation.
Work with Exchange administrators to confirm which tasks each of you will perform to assure a smooth and successful integration.
Deploy the Exchange Mailbox server roles in each Exchange Unified Messaging (UM) forest where you want to enable users for Exchange UM. For details about installing Exchange server roles, see the Microsoft Exchange Server 2013 documentation.
IMPORTANT:
When Exchange Unified Messaging (UM) is installed, it is configured to use a self-signed certificate. The self-signed certificate, however, does not enable Lync Server 2013 and Exchange UM to trust each other, which is why it is necessary to request a separate certificate from a certification authority that both servers trust.
If Lync Server 2013 and Exchange UM are installed in different forests, configure each Exchange forest to trust the Lync Server 2013 forest and the Lync Server 2013 forest to trust each Exchange forest. Also, set the users’ Exchange UM settings on the user objects in the Lync Server 2013 forest, typically by using a script or a cross-forest tool, such as Identity Lifecycle Manager (ILM).
www.mvatcybernet.com
www.mvatcybernet.com
If necessary, install the Exchange Management Console to manage your Unified Messaging servers.
Obtain valid phone numbers for Outlook Voice Access and auto attendant.
If you are using a version of Exchange UM earlier than Microsoft Exchange Server 2010 Service Pack 1 (SP1), coordinate names for Exchange UM SIP URI dial plans and Enterprise Voice dial plans.
DEPLOYING REDUNDANT EXCHANGE UM SERVERS
IMPORTANT:
We recommend that you deploy a minimum of two servers on which Exchange UM services is running for each Exchange UM SIP URI dial plan that you configure for your organization. In addition to providing expanded capacity, deploying redundant servers provides high availability. In the event of a server failure, Lync Server 2013 can be configured to fail over to another server.
The following example configurations provide Exchange UM resiliency.
www.mvatcybernet.com
www.mvatcybernet.com
In Example 1, Exchange UM servers 1 and 2 are enabled in the Tukwila data center, and Exchange UM servers 3 and 4 are enabled in the Dublin data center. In the event of an Exchange UM outage in Tukwila, the Domain Name System (DNS) A records for servers 1 and 2 should be configured to point to servers 3 and 4, respectively. In the event of an Exchange UM outage in Dublin, the DNS A records for servers 3 and 4 should be configured to point to servers 1 and 2, respectively.
NOTE:
For Example 1, you should also assign one of following certificate on each Exchange UM server:
Use a certificate with a wildcard in the Subject Alternative Name (SAN).
www.mvatcybernet.com
www.mvatcybernet.com
Put the fully qualified domain name (FQDN) of each of the four Exchange UM servers in the SAN.
In Example 2, under ordinary operating conditions Exchange UM servers 1 and 2 are enabled in the Tukwila data center, and Exchange UM servers 3 and 4 are enabled in the Dublin data center. All four servers are included in the Tukwila users' SIP URI dial plan; however, servers 3 and 4 are disabled. In the event of an Exchange UM outage in Tukwila, for example, Exchange UM servers 1 and 2 should be disabled and Exchange UM servers 3 and 4 should be enabled so the Tukwila Exchange UM traffic will be routed to the servers in Dublin.
For details about how to enable or disable Unified Messaging on Exchange 2013, see “Integrate Exchange 2013 UM with Lync Server” at http://go.microsoft.com/fwlink/p/?LinkId=265372.
For details about how to enable or disable Unified Messaging on Microsoft Exchange Server 2010, see:
www.mvatcybernet.com
www.mvatcybernet.com
"Enable Unified Messaging on Exchange 2010" at http://go.microsoft.com/fwlink/p/?LinkId=204418.
"Disable Unified Messaging on Exchange 2010" at http://go.microsoft.com/fwlink/p/?LinkId=204416.