Tag Archive: certificate


I am going to gloss over the beginning processes, because I have already performed and documented them here.
This is a Lync Server 2010 install on a domain member server running Windows Server 2008 R2 Enterprise.

I will pick up: Prepare First Standard Edition Server.

This goes through the process, and completes this time, installing SQL 2008 Express and an instance named RTC, which is started and running.

Next, select Install Topology Builder, and let the tool complete.

Topology Builder

Now let’s do some prep. First, add the account you are using to the Domain Admins and RTCUniversalServerAdmins groups. You can do this via ADUC by double-clicking the group, selecting the Members tab, and adding the name of your account.

RTCUniversalServerAdmin

Next, create the share you will be using during your topology setup. The default share name is share, on the server you are installing Lync 2010 on. I will name it LyncShare, as this server has little else to do besides Lync, and no other shares. I create a new folder on any drive, right-click it and select Share with > Specific people. I then add Domain Users and Everyone with read/write permissions. We can tighten these to least privilege later on.
File Sharing

Make sure the account you are using is in there as well, and this should be a domain account.
DNS records for your server pool need to exist, as well as the simple URLs. We will add those after we build the topology, before we publish it.

Now, go to Start>All Programs>Lync Server 2010, and select Topology Builder.

Click on New Topology.

The Primary SIP Domain can be any domain name that you use, I leave mine set to my internal domain name. For this example, I will use company.local.

Primary SIP Domain

Click Next. I am not adding any added domains, so click Next again.

Under Site Name, name your site something nice, like CompanyLync.

First Site

Click Next. Enter your City, State, and Country.

Check the box: Open the New Front End Wizard… and click Finish.

New Front End Wizard

Click Next.

Select Standard Edition Server, and enter the domain member server’s FQDN.

Front End FQDN

Click Next. Check no boxes, click Next.

Select Features

Uncheck Mediation Server, and hit Next.

Collocated Server Roles

Enable anything you want, I leave all unchecked. Click Next.

Associated Server Roles

Click Next on the grayed-out SQL Store options screen, leaving the settings at the defaults for a new store.

Select the name of a file share, and leave File Server alone or set it to your company’s file server. In this case it is all on one server, so enter that server’s FQDN. Click Next.

File Share

Leave Web Services URL alone; remember this is going to be used for internal IM only. You can change this as you see fit if you will be hosting external access.

Web Services URL

I named my External URL ExternalPool.company.local. I will now create DNS records for both pools. Open up the DNS MMC, and add an Alias (CNAME) entry for both the internal and external base URLs, pointing to the correct FQDN of the server.

DNS Alias for Pool

You can now view the properties of everything you have configured.

Properties

Click Edit Properties from the menu on the right. Click Simple URLs on the left of the window that opens.

Add an Administrative access URL. I made mine match the other two, changing the first word to admin.
Click Central Management Server and select the only option.
Simple URLs

Now let’s add DNS entries for these three Simple URLs.
Back in the DNS MMC, add an Alias (CNAME) for dialin, meet, and admin.
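The CNAME records for the pool aliases and the three Simple URLs can be scripted instead of clicked through the DNS MMC, and checked before the topology is published. The following is an added example, not part of the original post; it uses dnscmd, which ships with the DNS Server role on Windows Server 2008 R2, and assumes the zone company.local, a DNS server named dc01.company.local, a front end named lync01.company.local, and the alias names listed (the internalpool name is an assumption; replace all of these with the names from your own topology).

```powershell
# Added example (not from the original post): create and verify the CNAME records
# the Lync topology expects. Assumed names: zone company.local, DNS server dc01,
# front end lync01, alias names as listed below.
$Zone    = 'company.local'
$DnsHost = 'dc01.company.local'
$Target  = 'lync01.company.local.'     # trailing dot marks an absolute name
$Aliases = 'internalpool', 'externalpool', 'dialin', 'meet', 'admin'

# dnscmd <server> /RecordAdd <zone> <node> CNAME <target>
foreach ($alias in $Aliases) {
    & dnscmd $DnsHost /RecordAdd $Zone $alias CNAME $Target
}

# Verify that every alias resolves to the front end before publishing the topology.
# CNAMEs are followed through to the A record, so the result is the server's IP.
foreach ($alias in $Aliases) {
    $fqdn = "$alias.$Zone"
    try {
        $ip = [System.Net.Dns]::GetHostAddresses($fqdn) | Select-Object -First 1
        Write-Host ("{0,-32} -> {1}" -f $fqdn, $ip.IPAddressToString)
    } catch {
        Write-Warning ("{0} does not resolve: {1}" -f $fqdn, $_.Exception.Message)
    }
}
```

Run it from an elevated prompt on a machine with the DNS Server administration tools installed; a name that does not resolve here will also fail the Topology Builder's checks and, later, the client's sign-in.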

In the menu on the right, click Publish Topology.

Read the requirements, and when ready, click Next.

Leave this to default and click Next.

Central Management Server

Now I decided to change my pool name, and I got all sorts of problems. If you get warning messages about your pool not existing in AD, then you can use Lync Management Shell to remove the pool, and redo the set up. The post on how to do this is here.

Now when I hit Publish, it completed successfully.

Publish Progress

Publish Success

Nice, but we still have more to do. Microsoft says that this is the point at which you rerun the setup on all servers that will be handling Lync. Since I am only using one, we do not need to do this. Go back to the Lync Server Deployment Wizard. This time click on the link to the left: Install or Update Lync Server System.

Install or Update Lync Server System

Click Run next to Install Local Configuration Store. Leave the default options on both screens, and click Next.
Let the wizard complete. Hopefully you will receive success on all the prerequisites.
NOTE: Always expand the Prerequisites tab before each item and make sure you are in compliance.
Installing Local

Once complete, click Run next to the next item, Lync Server Components.

Click Next.

IIS Roles

I get an error about IIS features. I remember that when I added the IIS role, I left most of the boxes cleared by default. Let’s enable all of that now.

Open Server Manager and select Roles. At this point you will have IIS installed, so click on its link. Scroll down a bit and click Add Role Services. I then added all of the role services that the error message mentioned. I suppose you could add all of them, but why add extra stuff that you do not need?

IIS Role Services

Click Next, click Install.

It will complete (no reboot needed). Go back to your Lync Deployment screen and re-run Setup Lync Server Components.

Click Finish once that completes without errors.

Run the next task: Request, Install, or Assign Certificates.

A box appears with a Default Certificate, which is unassigned. Click Request next to it. You could also click Request and produce a CSR for an offline CA. I will select Send the request immediately to an online CA, and click Next.

Certificate Wizard

It should automatically pull up your CA server, which in my case is my DC. I will click Next if this is correct. You can then specify alternate credentials, if you are not signed in as a domain admin account. I am, so I will leave this alone. Click Next.

Click Next past the Alternate Template page.
Specify a friendly name. I used lyncfriendly.
I’ll let you decide what to put here for OU and Organization. Consult the Lync documentation if you need help with this. Click Next and fill out your locale.
Click Next twice.
Check the box next to your SIP Domain, and click Next.
SIP Domain

Click Next.

Click Next again.

And again, and let the wizard do its thing.

Certificate Request Completed

You will get a message about thumbprints; make sure the box is checked, and click Finish.

Online Certificate Request Status

Now you will be ported to the Assignment screen. Click Next.

Click Next again; I won’t show you all of my company’s internal information. Once the wizard completes, click Finish.

Click Close, and select Run on the next object: Start Services.

On the wizard that opens, click Next.

Cross your fingers! Yay! It completed successfully. Click Finish.

Click on Service status to see if they are all running.

Lync Services

Close out everything, and open Lync Control Panel from the Start Menu. It should open and look like this.

Lync Control Panel

Now I am going to end this God awful long post, and go about adding my users. If there is an area I could be clearer, please comment. If I did something wrong, please let me know! I posted this mainly for my own documentation purposes, and to help out the next guy who is not comfortable with certificates, pools, SIP domains, etc. Thanks for reading!

Update: I stumbled across this post, by Jeff Guillet. He is the author of some of the books I have read, and this post and tool are amazing. Thanks for the GREAT contribution Jeff!

http://www.expta.com/2011/01/introducing-lyncaddcontacts.html

A tool to add contacts to a user’s Lync client over and over. Say you have a domain of 20 users who will use Lync (as I did). Adding 20 people, 20 times (as I did) takes forever. Use this tool to set up one client once, and then re-run it to perform the same actions on other clients. Ingenious.


UPDATE: When you first install the client, the initial sync can take a while. If you are like me, you need to get it up and running quickly so you do not further disturb the network or desktops. There is a registry entry you can add. What I do is install the Lync client. Then I import the company contacts from the GAL to the user’s contact list. Then I exit the client.

Now open an elevated command prompt. Type this command:

reg add hklm\software\policies\microsoft\communicator /v GalDownloadInitialDelay /t REG_DWORD /d 0 /f

(The value at the end is a zero.)

Now wait one minute, and restart the Lync client. It will now have all of the user’s contacts synced up and ready to add.

I used to use Register.com as my trusted certificate provider. They issue a certificate which you install on the server. This certificate assures users connecting to Remote Web Workplace that your server is legitimate, secure, and trustworthy. Without this certificate, users can get security warnings that vary by web browser. The IE error looks like this:

SSL Error (IE)

This is only a warning, and it can be disregarded in cases where we know the server is safe. The problem is that end users often do not understand the message, or do not read it at all. When they see this page they call support and complain about the internet being broken. Another bad thing about this error page is that to continue on to the site you need to hit the red button, and by design we associate red with stop, not continue.

It is easy to get a certificate. We turn in some paperwork to a trusted authority, and they send us a certificate, which we then install. When the request is created, your server generates a private key, and the certificate the authority issues is tied to that key.

My problem with Register.com is that I reinstalled my server. Even though I have the exact same configuration, my private key changed, which means my SSL certificate was invalid. Register.com was reluctant to issue me a new one. They had a special of $15 when I first bought it, though it is now $24. You get what you pay for, but in this case the simplest and cheapest is the best. So after shopping around I see Comodo’s Positive SSL, only $9.95. Go to the Comodo website, and click to purchase a 1-year Positive SSL.
You will notice the address bar displaying a green color, https, and a locked symbol. This is what we will achieve with the SSL certificate.
Alright, let’s generate our CSR for this website. On your server, open the Windows SBS Console. Navigate to Network > Connectivity, and click Add a Trusted Certificate on the left.
SSL Choice

There is a little disclaimer; click Next. Select that you wish to buy a certificate from a certificate provider. The other option is for when you already have your certificate and just need to install it. Click Next.

Fill in the correct info in all of the boxes. This is an important step, and wrong information here might very well ruin the validity of an SSL certificate. Enter all fields correctly, and write them down for later. Remember that the SSL certificate goes with your domain name, which is mycompany.mysuffix. Mine is blankhealthcare.org, and my server added the prefix remote for my RWW and remote services. So I will enter remote.blankhealthcare.org in the Issued To box, because this is the site I am securing. I blanked out the field to preserve confidentiality.
Verify SSL

On the next screen, your CSR is generated. You need to copy all of the text in the gray box, including the header line "-----BEGIN NEW CERTIFICATE REQUEST-----". Hit the Copy button. To be on the safe side, I also save it to a file, and put that file in a safe backup location.
CSR

In the next window, it asks if you have the cert or will add it later. I just leave this box open. Now go back to the Comodo site and paste your CSR into the box where they request it. Select your software from the drop-down box. In the case of SBS 2008 it will most likely be IIS 7.x and greater. Click one year.
I left the first three free upgrades in effect, and did not check the last one. No one will be purchasing on my site. Total cost is $9.95, excellent. Hit Next.
This next step can be tricky. If you use an external domain to host your website, which then forwards email to your box using MX, the associated email accounts can be tricky. I do a little tricking myself. There is no address admin@mydomain.org, but I’ll create a user really fast. Then I grant myself full access permissions, and have the email sent there. I access it, and then shut down the account. You can have it sent to any of the other addresses in the list, though I would not suggest messing around with any important email accounts such as postmaster, hostmaster, or webmaster.
Fill in your info. I am going to gloss over this part; if you don’t know how to fill in your own company information in a web form, press Ctrl-Alt-Del, select Lock Workstation, and go home for the afternoon.
Fill in credit info.
Click Make Payment.
They will confirm, and send out a few emails. One email is important: they mail a validation code to the mailbox you specified during setup. Go to Exchange Management Console. Expand Recipient Configuration > Mailbox. Right-click the account for Admin (or whichever you specified) and click Manage Full Access Permission. Add yourself. You must be an Exchange admin to do this. Now log into OWA and, in the top right corner, click your user name. In the box that appears, enter the name of the account you wish to open. Then read the email.
Copy down the validation code.
 
Click the link to enter the code, and paste it into the box. You will receive a confirmation.
Wait for the email to be sent. It can take a little while to arrive.
 
EDIT: At this point, after I validated I waited for one hour. I know the process takes a while, but I was eager to apply the certificate. So I entered a live chat on the Comodo website. After being transferred to a tech named “Jake”, he stopped responding. I gave him 8 minutes to reply to my question, before I hung up and emailed EVValidation. They received my ticket at 12PM….
 
Go back to the Add a Trusted Certificate wizard, and click Next. You will see boxes to enter your certificate information.
Import Certificate
 
I open the email from Comodo that states my cert is attached, and save the zip file to my desktop. I then extract the folder to my desktop. Again, I blanked out my external domain name. The files inside of the zip are here:
Certificate Files

I then follow a link in my email to make sure I am adding these correctly. I am not sure which cert is which, so I’ll read up. The how-to is here.
So I open IIS 7, click Server Certificates, and browse to my new files on the desktop. They are not in .cer format, so the wizard does not see them.
Wait a minute... forget Comodo’s how-to guide. Let’s go back to the Add a Trusted Certificate wizard in the SBS console. Select Locate file. Click on the correct cert; this cert will be your domain name .crt. Mine is remote_blankhealthcare_org.crt.
Click that file, click Next, and watch the wizard complete. Alternatively you can copy the certificate text from the end of the email and paste it into the box provided instead of choosing the file.
Add Completion

When you head back to the Connectivity tab of the SBS console, you will now see your certificate status as Trusted, which means it is working correctly. There are three other certificates included in the zip file; let’s add those now. To do this, click Start > Run, type mmc.exe. When the MMC opens up, click File > Add/Remove Snap-in.
Select Certificates, click Add.
Click Computer account and Finish.
Click OK.
Expand Certificates.
Right-click Intermediate Certification Authorities, and select All Tasks > Import.
You will now select and import two of the certificates from the zip file:
  • Intermediate CA Certificate – UTNAddTrustServerCA.crt
  • Intermediate CA Certificate – PositiveSSLCA.crt
Once selected, hit Next until the wizard finishes; you shouldn’t have to change anything.

You will also import your Root CA certificate, but instead of into Intermediate Certification Authorities, import this one into Trusted Root Certification Authorities.

Now reset IIS and let’s check it. Start > Run > type in iisreset. Now navigate to your site. Once on the site, click the lock next to the address bar. Click View certificate. The certificate should be listed as issued by Comodo and should be named PositiveSSL.

Browser Certificate

You’re done!

Now Comodo offers some other stuff with the certificate for free. Let’s set that up quickly, and also back up our certificates and private key so that if we crash we can restore this.

You can sign up for HackerProof on the site linked in your email. I will opt not to sign up, as it seems to be a PC scan. I do not want a web service scanning my server, which already has antivirus anyhow.

Let’s back up our private key, then our certificates. To back up your certificates, I suggest adding them to a zip file and encrypting that zip file. Then place the zip file on an encrypted and secure drive, preferably offsite.

To export your private key, go to the Certificates MMC. Drill down to the certificate you just installed. Right-click it and select Export. Include the private key and anything else you wish. Password-protect it, and save it in a secure location.
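Both the chain check (after importing the two intermediates and the root) and the private-key backup described above can be done from PowerShell on the SBS server, which also catches a missing intermediate that the browser test might hide if the client happens to have the intermediate cached. The following is an added example, not part of the original post; it uses only .NET classes available on Windows Server 2008, and the site name, backup path and password are placeholders you must replace.

```powershell
# Added example (not from the original post): validate the installed certificate's
# chain and export it with its private key as a password-protected PFX.
# Placeholders: $SiteName, $BackupPath and $Password are assumptions, not real values.
$SiteName   = 'remote.example.org'
$BackupPath = 'C:\CertBackup\remote_example_org.pfx'
$Password   = 'replace-with-a-strong-passphrase'

# Locate the certificate the SBS wizard installed in LocalMachine\Personal
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
$cert = $store.Certificates | Where-Object { $_.Subject -like "CN=$SiteName*" } | Select-Object -First 1
$store.Close()
if (-not $cert) { throw "No certificate for $SiteName found in LocalMachine\My" }

# Build the chain the way a client would: revocation checked online, and the chain
# must end at a certificate in Trusted Root Certification Authorities.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$valid = $chain.Build($cert)

# Leaf first, root last; there should be four elements for this PositiveSSL install
foreach ($element in $chain.ChainElements) {
    Write-Host ("{0,-60} expires {1:yyyy-MM-dd}" -f $element.Certificate.Subject, $element.Certificate.NotAfter)
}
if (-not $valid) {
    # A missing intermediate shows up as PartialChain; a missing root as UntrustedRoot
    foreach ($status in $chain.ChainStatus) {
        Write-Warning ("{0}: {1}" -f $status.Status, $status.StatusInformation.Trim())
    }
    throw 'Chain does not validate; re-check the intermediate and root imports.'
}

# Export leaf plus private key for the encrypted, offsite backup.
# Export() throws if the key was generated as non-exportable.
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key on this machine.' }
$pfx   = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
$bytes = $cert.Export($pfx, $Password)
New-Item -ItemType Directory -Path (Split-Path $BackupPath) -Force | Out-Null
[System.IO.File]::WriteAllBytes($BackupPath, $bytes)
Write-Host ("Wrote {0} bytes to {1}" -f $bytes.Length, $BackupPath)
```

Run it from an elevated PowerShell prompt. The PFX it writes contains the private key, so treat it exactly as the text above says: encrypt it, store it offsite, and keep the passphrase separate from the file.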

You can insert the SSL Site Seal into your web site if you wish. I added mine to my background image, and disabled the link.

EDIT: The SSL package that we just installed is the PositiveSSL, which is the basic package for an SSL certificate. Included in the $9.95 purchase is the EV SSL (Extended Validation). This must be completed by printing the two forms in the email. You must sign them and enter your incorporation data, then fax them to Comodo. They will then validate your company and issue you another, more secure SSL certificate, which can be installed the same way. This will give you the green security bar and lock icon.
