My simple URLs and Web services are specified in the topology as shown:
Because this task is about external access, I need to make sure internet users resolve those names to my TMG’s public IP address, the one assigned to the external interface. I have already created A records for “meet”, “dialin” and “webext”…
Next, I need to request and receive an SSL certificate for my TMG server. I personally use http://www.startssl.com. As with everything else, this has its ups and downs. The good part: for $50 per year I get unlimited certificates, unlimited domains, unlimited SAN certificates, the whole nine yards. StartSSL is trusted by almost every web browser (I have yet to find one that does not work)… The bad: while it is included in the Trusted Root store of Windows Vista and Windows 7, it is not there by default on Windows Server.
If you install any Update for Root Certificates dated 2010 or later (for example, http://www.microsoft.com/downloads/en/details.aspx?familyid=19C4AE49-1127-4537-9E91-35F81D20BCE6&displaylang=en), StartCom will be included.
Another downside: the root CA is not included in the trusted roots of mobile devices, so unless you manually import it onto your smartphone, Exchange Sync will fail.
When we create a certificate request via IIS or Lync, the mechanism is as follows: the utility generates a private key (kept on the local computer) and a CSR (Certificate Signing Request), which we then ask a Certificate Authority to sign with their key. Once that is done, we “Process Pending Request”, which actually joins the private key and the signed certificate into a single entity. Because of this, if you use the Lync server to generate the CSR, you MUST later process the request on that same server and import the result into its Personal certificate store. Then export it together with the private key (a .pfx file) and import it into the TMG server’s certificate store.
One thing I like about StartCom is that their wizard can either process a CSR or generate the private key there, issue the certificate and finally create the .pfx file, all in one place. I will not explain the actual steps here because you might decide to approach the certificate step a different way…
Finally, my certificate is imported and good to go.
I used a SAN certificate, with my URLs in the SAN list. Just curious whether it will work…
My TMG is already installed and ready to go. First, I will create a listener to be used by my publishing rules.
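The key/CSR/sign/process sequence described above, as an added Go example that is not from the original post and is not the code of Lync, IIS or StartCom: a throwaway self-signed root stands in for the public CA, and the hostnames are constructed samples. The private key is generated locally and only the CSR leaves the machine; the stand-in CA checks the CSR's own signature before issuing a certificate with the simple URLs as SANs; and the "Process Pending Request" step is modelled as the check that makes the post's rule necessary: the public key in the returned certificate must match the private key of the server that generated the request. It finishes by checking that a SAN-only certificate covers the published names, which is the question raised above.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed sample hostnames standing in for the post's simple URLs.
var simpleURLHosts = []string{"meet.example.com", "dialin.example.com", "webext.example.com"}

// NewCSR plays the role of the IIS/Lync certificate wizard: the private key is created here and
// never leaves this machine; only the CSR, carrying the simple URLs as SANs, is sent to the CA.
func NewCSR(hosts []string) (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, err }
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: hosts[0]}, DNSNames: hosts}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, csrDER, err
}

// NewTestCA builds a throwaway self-signed root standing in for the public CA (StartCom in the post).
func NewTestCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Lab Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// SignCSR plays the role of the CA: it checks the CSR's proof of possession (its self-signature)
// and signs the requested names with the CA key. The CA never sees the requester's private key.
func SignCSR(csrDER []byte, caCert *x509.Certificate, caKey *rsa.PrivateKey) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return nil, err }
	if err := csr.CheckSignature(); err != nil { return nil, fmt.Errorf("CSR signature invalid: %w", err) }
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
}

// ProcessPendingRequest plays the role of "Process Pending Request": the signed certificate is only
// usable on the machine that holds the matching private key, so the public keys must agree.
func ProcessPendingRequest(certDER []byte, key *rsa.PrivateKey) (*x509.Certificate, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil { return nil, err }
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); !ok || !pub.Equal(&key.PublicKey) {
		return nil, fmt.Errorf("certificate does not match the private key on this server")
	}
	return cert, nil
}

// CoversHost reports whether the issued certificate's SAN list covers a published simple URL.
func CoversHost(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

func main() {
	caCert, caKey, err := NewTestCA()
	check(err)
	key, csrDER, err := NewCSR(simpleURLHosts)
	check(err)
	certDER, err := SignCSR(csrDER, caCert, caKey)
	check(err)
	cert, err := ProcessPendingRequest(certDER, key)
	check(err)
	fmt.Println("issued for:", cert.DNSNames, "covers dialin:", CoversHost(cert, "dialin.example.com"))
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}
```

Running ProcessPendingRequest with a key from a different machine fails, which is exactly what happens when a pending request is processed on a server other than the one that generated it; the private key is what has to travel afterwards, inside the .pfx, not the request.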
Next, the publishing rules.
Even though the rule has been created, I will go over the settings one more time to make sure they are exactly as required for Lync 2010.
***Note here that we bridge the request, which originally arrives on port 443, to port 4443. This is because we want requests from the public internet to be served by the webext web site.
What is left now is to test the functionality from a computer on the public internet.
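An added model of that bridging rule, written in Go for this page; it is not TMG code and not from the original post. A small reverse proxy accepts requests on the public listener, forwards only the published simple URL hosts to the external web site on port 4443, keeps the original Host header so the webext site's bindings still match, and refuses any other host at the edge. The host names are constructed samples, and the internal name lync-fe.corp.example and the tmg.crt/tmg.key file names are placeholders.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Constructed sample names standing in for the post's simple URLs; only these hosts are published.
var publishedHosts = map[string]bool{
	"meet.example.com":   true,
	"dialin.example.com": true,
	"webext.example.com": true,
}

// IsPublished reports whether a public Host header (case-insensitive, optional :port) is one we publish.
func IsPublished(host string) bool {
	h := strings.ToLower(host)
	if i := strings.IndexByte(h, ':'); i >= 0 {
		h = h[:i]
	}
	return publishedHosts[h]
}

// NewBridge models the web publishing rule: a request that arrived on the public 443 listener
// for a published host is bridged to the external web site (the internal URL on 4443), with the
// original Host header left untouched so the external site's bindings still see the simple URL.
// Unpublished hosts are refused here and never reach the Front End.
func NewBridge(internal *url.URL) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(internal)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !IsPublished(r.Host) {
			http.Error(w, "host not published", http.StatusForbidden)
			return
		}
		proxy.ServeHTTP(w, r)
	})
}

func main() {
	// Placeholder internal name; 4443 is the port the post bridges to. tmg.crt/tmg.key are placeholders too.
	internal, err := url.Parse("https://lync-fe.corp.example:4443")
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServeTLS(":443", "tmg.crt", "tmg.key", NewBridge(internal)))
}
```

The allow-list is the part worth keeping in mind when reviewing the real rule: the listener answers for the TMG public IP, so anything that is not one of the published names should be rejected by the rule rather than forwarded to the Front End.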
Dialin worked. No number is shown yet because I have not provisioned one as of this time.
For the next test, I started a meeting from home...
...and fired up the meeting URL from a "public" computer, i.e. my school PC, and joined just fine.
What is left now is to check tomorrow morning in my office whether the Aastra phone updated its firmware and the Lync client can download the Address Book.
So far, another good day for my lab Lync deployment.