It is important to remember that Microsoft do not support certificates with a wildcard Subject Name for any Skype for Business work load. The other stream handles SIP and real time communication traffic including all audio and video payloads.įor Web Services work stream you can either use a SAN certificate with all FQDNs defined or a SAN certificate with a wildcard as a SAN. This handles Skype for Business Autodiscovery, Web, Meeting and Dial-in web services that are required for connectivity to your Skype for Business modalities from external sources. You have web services that are handled by your reverse proxy solution. So what types of certificates can be used for external services? In Skype for Business you have 2 main communication streams. For these reasons using internal certificates for external services are not supported. Connecting to Office 365 for hybrid or Skype consumer for Public IM services will certainly never work. However, in reality this is not scalable, manageable and you will find that your partners will refuse to do this.
#REQUIREMENTS FOR SKYPE NAME INSTALL#
You could in theory publish your root certificate and ask them to install it to each device or system and then technically internal certificates could be used. You cannot use internally signed certificates for external services because the users or systems that are trying to connect to your service will not support your internal root certificate. Using Trusted SSL Certificates for External ServicesĪbsolutely this is required for publishing Skype for Business services to the internet for external access, communication and federation. Therefore, you will need to create a new certificate request and purchase a new certificate to match the required FQDNs etc. Once you add this, your current certificates on many of your servers are no longer valid. You add an additional SIP address to your topology. Consider acquiring another company, you need to provide the new company users with Skype for Business accounts for communication. For some Skype for Business Servers like the Front Ends, they require numerous Subject Alternative Names (SANs) which can add hundreds of pounds per server to your certificate.Īnother reason not to use external certificates for internal servers, is that your deployment is scalable and as such you may need to change your certificate when you add additional services to your Skype for Business deployment. For instance, if your Active Directory domain is not a publically routable domain such as domain.local, then you are not going to be able to use public certificates for internal servers anyway due to the fact public providers can no longer sign internal domains in their certificates by law.
In some cases you will not be able to use these anyway. There are several reasons why using these certificates can be preventative to your deployment and you should use your internal certificate authority for internal servers as best practice. Using public SSL certificates from GoDaddy and the likes for internal Skype for Business servers is supported, but isn’t cost effective for large scale deployments. Using Trusted SSL Certificates for Internal Servers The justification for doing it the right way and not trying to cut costs on certificates is simple you’ve spent £30K on servers, £100K on licencing Skype for Business, £50k on peripherals, £30K on SBCs for your Skype for Business deployment without worry, so why try so hard to save £50 on a certificate? So there is no argument or justification for not doing it right in my opinion. In so doing wasted about £200 in the process. If you ignore the requirements and purchase a wildcard certificate, you will end up having to purchase a SAN certificate in the end to get your services working. The justification for using a wildcard is to save money. These are not supported for non web traffic whether you use Skype for Business or not, these are not intended for Unified Communications across all vendors. The temptation is to try and save money on certificates, the most common error I see is people trying to use wildcard certificates. Before we start delving into the details, it is important to understand from the outset that Skype for Business has very strict certificate requirements and should you attempt to deviate from the supported model, then you will find that certain modalities will not work at all. In this post we will discover what is and is not supported, what certificates we need for each server and their requirements. I wanted to address this topic because it appears to be cropping up on TechNet regularly.
0 kommentar(er)
