Wildcard Certificate Support
Topic Last Modified: 2012-10-18
Microsoft Lync Server 2010 uses certificates to provide communications encryption and server identity authentication. In some cases, such as web publishing through the reverse proxy, strong subject alternative name (SAN) entry matching to the fully qualified domain name (FQDN) of the server presenting the service is not required. In these cases, you can use certificates with wildcard SAN entries (commonly known as “wildcard certificates”) to reduce the cost of a certificate requested from a public certification authority and to reduce the complexity of the planning process for certificates.
Warning
To retain the functionality of unified communications (UC) devices (for example, desk phones), you should test the deployed certificate carefully to ensure that devices function properly after you implement a wildcard certificate.
There is no support for a wildcard entry as the subject name (also referred to as the common name or CN) for any role. The following server roles are supported when using wildcard entries in the SAN:
Reverse proxy. Wildcard SAN entry is supported for simple URL publishing certificate.
Director. Wildcard SAN entry is supported for simple URLs in Director web components.
Front End Server (Standard Edition) and Front End pool (Enterprise Edition). Wildcard SAN entry is supported for simple URLs in Front End web components.
Exchange Unified Messaging (UM). The server does not use SAN entries when deployed as a stand-alone server.
Microsoft Exchange Server Client Access server. Wildcard entries in the SAN are supported for internal and external clients.
Exchange Unified Messaging (UM) and Microsoft Exchange Server Client Access server on same server. Wildcard SAN entries are supported.
Server roles that are not addressed in this topic:
Internal server roles (including, but not limited to the Mediation Server, Archiving and Monitoring Server, Survivable Branch Appliance, or Survivable Branch Server)
External Edge Server interfaces
Internal Edge Server
Note
For the internal Edge Server interface, a wildcard entry can be assigned to the SAN, and is supported. The SAN on the internal Edge Server is not queried, and a wildcard SAN entry is of limited value.
To describe the possible wildcard certificate usages, the certificate guidance used for the Reference Architectures in the Planning documentation is replicated here to retain consistency. For details, see Reference Architecture. As mentioned previously, UC devices rely on strong name matching and will fail to authenticate if a wildcard SAN entry is presented before the FQDN entry. By following the order presented in the following tables, you limit the potential problems with a UC device and wildcard entries in the SAN.
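The following is an added example, not part of the Lync Server documentation, that models the rules stated above in code: a wildcard is never valid as the subject name, explicit FQDN entries must precede a wildcard SAN entry so that a UC device meets the exact name first, and a wildcard such as *.contoso.com covers exactly one DNS label. That single-label rule is the usual TLS client behaviour and is an assumption of this example rather than a statement of the topic; the function names (wildcard_matches, covering_entry, coverage, check_certificate) and the sample SAN lists are this example's own, built from the reverse proxy row below.

```python
"""Wildcard SAN matching and SAN ordering checks for planned certificates.

Added example; not part of the Lync Server documentation. Assumption: a
wildcard covers one whole leftmost label only (meet.contoso.com, not
contoso.com and not a.meet.contoso.com), which is the common TLS client
behaviour.
"""
from typing import Dict, List


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if SAN entry `pattern` (optionally '*.label...') covers hostname.

    Only a leftmost '*' standing for exactly one whole label is honoured.
    Partial wildcards ('meet*.contoso.com'), multiple wildcards and
    public-suffix style patterns ('*.com') never match.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def covering_entry(san: List[str], hostname: str) -> str:
    """First SAN entry, in certificate order, that covers hostname ('' if none)."""
    for entry in san:
        if wildcard_matches(entry, hostname):
            return entry
    return ""


def coverage(san: List[str], hostnames: List[str]) -> Dict[str, str]:
    """Map each name a published service needs to the SAN entry that satisfies it."""
    return {h: covering_entry(san, h) for h in hostnames}


def check_certificate(subject_cn: str, san: List[str]) -> List[str]:
    """Lint a planned subject name and ordered SAN list; return readable findings."""
    findings: List[str] = []
    if "*" in subject_cn:
        findings.append(f"subject name {subject_cn} must not be a wildcard")
    for entry in san:
        if entry.startswith("*."):
            continue
        # A strict client walking the SAN in order would stop at the first
        # covering entry; if that is a wildcard, the exact name is never seen.
        first_hit = covering_entry(san, entry)
        if first_hit.lower() != entry.lower():
            findings.append(
                f"FQDN entry {entry} is reached only after wildcard {first_hit}; "
                "list it ahead of the wildcard so UC devices match the exact name"
            )
    return findings


# Constructed from the reverse proxy row of this topic: subject lsrp.contoso.com,
# SAN lsweb-ext.contoso.com followed by *.contoso.com, publishing the
# meet.<FQDN> and dialin.<FQDN> simple URL format.
REVERSE_PROXY_SAN = ["lsweb-ext.contoso.com", "*.contoso.com"]
SIMPLE_URL_HOSTS = ["lsweb-ext.contoso.com", "meet.contoso.com", "dialin.contoso.com"]

if __name__ == "__main__":
    print(coverage(REVERSE_PROXY_SAN, SIMPLE_URL_HOSTS))
    print(check_certificate("lsrp.contoso.com", REVERSE_PROXY_SAN))
    # Same entries in the wrong order: the wildcard now shadows the FQDN.
    print(check_certificate("lsrp.contoso.com", list(reversed(REVERSE_PROXY_SAN))))
```

Running the block shows that the two simple URL hosts are satisfied by the wildcard while the External Web Services FQDN is satisfied by its own entry, and that reversing the SAN order produces a finding even though the set of names is unchanged, which is exactly the condition the topic warns about for UC devices.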
Wildcard Certificate Configurations for Lync Server 2010
Component | Subject name | SAN entries/Order | Certification authority (CA) | Enhanced key usage (EKU) | Comments |
---|---|---|---|---|---|
Reverse proxy | lsrp.contoso.com | lsweb-ext.contoso.com, *.contoso.com | Public | Server | Address Book Service, distribution group expansion, and Lync IP device publishing rules. The subject alternative name includes the External Web Services FQDN. The wildcard replaces both the meet and dialin SAN entries where the meet and dialin simple URLs use the formats <FQDN>/meet and <FQDN>/dialin, or meet.<FQDN> and dialin.<FQDN>. |
Director | dirpool01.contoso.net | sip.contoso.com, sip.fabrikam.com, dirweb.contoso.net, dirweb-ext.contoso.com, <hostname>.contoso.net (for example, <hostname> is director01 for a Director in a pool), dirpool.contoso.net, *.contoso.com | Private | Server | Assign to each Director in the Director pool, or to the stand-alone Director when a Director pool is not deployed. The wildcard replaces both the meet and dialin SAN entries where the simple URLs use the formats <FQDN>/admin, <FQDN>/meet, and <FQDN>/dialin, or admin.<FQDN>, meet.<FQDN>, and dialin.<FQDN>. |
Enterprise Edition Front End | pool01.contoso.net (for a load-balanced pool) | sip.contoso.com, sip.fabrikam.com, lsweb.contoso.net, lsweb-ext.contoso.com, <hostname>.contoso.net (for example, <hostname> is fe01 for a Front End Server in a pool), pool01.contoso.net, *.contoso.com | Private | Server | Assign to the following servers and roles in the next hop pool: Front End in Pool01. The wildcard replaces both the meet and dialin SAN entries where the simple URLs use the formats <FQDN>/admin, <FQDN>/meet, and <FQDN>/dialin, or admin.<FQDN>, meet.<FQDN>, and dialin.<FQDN>. |
Standard Edition Front End | se01.contoso.net | sip.contoso.com, sip.fabrikam.com, lsweb.contoso.net, lsweb-ext.contoso.com, se01.contoso.net, *.contoso.com | Private | Server | Assign to the servers and roles in the next hop pool. The wildcard replaces both the meet and dialin SAN entries where the simple URLs use the formats <FQDN>/admin, <FQDN>/meet, and <FQDN>/dialin, or admin.<FQDN>, meet.<FQDN>, and dialin.<FQDN>. |
Microsoft Exchange Server 2007 and Exchange Server 2010
When you install and configure Microsoft Exchange Server, self-signed certificates are created and implemented. When you add a CA provided certificate to the server, we recommend that you do not delete the self-signed certificate until you have reconfigured all services and web services to successfully use the new certificate. In the event that something does not work correctly, the self-signed certificate will still be available so that you can reconfigure the original settings and restore the original functions, although the self-signed certificate will not allow all of the features that you need. This provides you with additional time to resolve the configurations without affecting all production functions.
For details about certificate use in Exchange, see the following:
Understanding Digital Certificates and SSL: https://go.microsoft.com/fwlink/p/?LinkId=218233
Understanding Client Access server Namespaces: https://go.microsoft.com/fwlink/p/?LinkId=218234
Understanding the Autodiscover Service: https://go.microsoft.com/fwlink/p/?LinkId=217012
For Microsoft Exchange Server deployed with the Exchange Unified Messaging (UM) and Exchange Client Access server, there are four possible deployment scenarios:
Scenario 1: Exchange Unified Messaging (UM) and Exchange Client Access server are deployed on different servers and Client Access server is Internet facing.
Scenario 2: Exchange Unified Messaging (UM) and Exchange Client Access server are collocated on the same server and are Internet facing.
Scenario 3: Exchange Unified Messaging (UM) and Exchange Client Access server are deployed on different servers with a reverse proxy for publishing.
Scenario 4: Exchange Unified Messaging (UM) and Exchange Client Access server are collocated on the same server with a reverse proxy for publishing.
Scenario 1: Exchange Unified Messaging (UM) & Exchange Client Access Server Deployed on Different Servers (Client Access Server is Internet Facing)
Microsoft Exchange component | Subject name | SAN entries/Order | Certification authority (CA) | Enhanced key usage (EKU) | Comments |
---|---|---|---|---|---|
Exchange Unified Messaging (UM), server name exchum01.contoso.com | exchum01.contoso.com | The Exchange UM role should not contain a SAN entry | Private | Server | The Exchange UM server communicates only with internal clients and servers. Import the private CA root certificate onto each Exchange UM server. Create and assign a unique certificate for each Exchange UM server; the subject name must match the server name. You must enable Transport Layer Security (TLS) on the Exchange UM server before you can assign a certificate to the Exchange UM role. Assign this certificate for use on the Exchange Client Access server for integration with Outlook Web Access and instant messaging (IM). |
Exchange Client Access server (Internet-facing Active Directory site Client Access server), server name exchcas01.contoso.com | mail.contoso.com | mail.contoso.com, autodiscover.contoso.com, *.contoso.com | Public | Server | The subject name and a SAN entry must match to support external UC devices. The subject name and SAN entry mail.contoso.com is an example name used to refer to Outlook Web Access, Outlook Anywhere, EWS, and the Offline Address Book; the only requirements are that the entry matches a DNS record and that the ExternalURL and other service entries can be referenced by the given name. The autodiscover SAN entry is required to support external UC devices. |
Exchange Client Access server (non-Internet-facing Active Directory site Client Access server), server name internalcas01.contoso.net | internalcas01.contoso.com | internalcas01.contoso.com, *.contoso.com | Private | Server | The non-Internet-facing Active Directory site Client Access server communicates only with internal clients and servers. The Internet-facing Active Directory site Client Access server proxies communications to this Client Access server when the request comes from a user or service that is querying for services (for example, a mailbox) hosted in this Active Directory site. EWS and Offline Address Book services on the non-Internet-facing Active Directory site are configured to use the deployed certificate, which can be from the internal private CA. The root certificate for the private CA must be imported into the Trusted Third Party Root Certificates store on the Internet-facing Active Directory site Client Access server. |
Scenario 2: Exchange Unified Messaging (UM) & Exchange Client Access Server Collocated on Same Server (Internet Facing)
Microsoft Exchange component | Subject name | SAN entries/Order | Certification authority (CA) | Enhanced key usage (EKU) | Comments |
---|---|---|---|---|---|
Exchange Unified Messaging (UM), server name exchcas01.contoso.com | exchcas01.contoso.com | The Exchange UM role should not contain a SAN entry | Private | Server | The Exchange UM server communicates only with internal clients and servers. Import the private CA root certificate onto each Exchange UM server. You must enable TLS on the Exchange UM server before you can assign a certificate to the Exchange UM role. Assign this certificate for use on the Client Access server for integration with Outlook Web Access and IM. |
Exchange Client Access server and Internet-facing Active Directory site Client Access server, server name exchcas01.contoso.com | mail.contoso.com | mail.contoso.com, autodiscover.contoso.com, *.contoso.com | Public | Server | The subject name and a SAN entry must match to support external UC devices. The subject name and SAN entry mail.contoso.com is an example name used to refer to Outlook Web Access, Outlook Anywhere, EWS, and the Offline Address Book; the only requirements are that the entry matches a DNS record and that the ExternalURL and other service entries can be referenced by the given name. The autodiscover.<domain namespace> SAN entry is required to support external UC devices. |
Exchange Client Access server (non-Internet-facing Active Directory site Client Access server), server name internalcas01.contoso.net | internalcas01.contoso.com | internalcas01.contoso.com, *.contoso.com | Private | Server | The non-Internet-facing Active Directory site Client Access server communicates only with internal clients and servers. The Internet-facing Active Directory site Client Access server proxies communications to this Client Access server when the request comes from a user or service that is querying for services (for example, a mailbox) hosted in this Active Directory site. Exchange Web Services and Offline Address Book services on the non-Internet-facing Active Directory site are configured to use the deployed certificate, which can be from the internal private CA. The root certificate for the private CA must be imported into the Trusted Third Party Root Certificates store on the Internet-facing Active Directory site Client Access server. |
Scenario 3: Exchange Unified Messaging (UM)/Exchange Client Access Server Deployed on Different Servers with Reverse Proxy for Publishing
Microsoft Exchange component | Subject name | SAN entries/Order | Certification authority (CA) | Enhanced key usage (EKU) | Comments |
---|---|---|---|---|---|
Exchange Unified Messaging (UM), server name exchum01.contoso.com | exchum01.contoso.com | The Exchange UM role should not contain a SAN entry | Private | Server | The Exchange UM server communicates only with internal clients and servers. Import the private CA root certificate onto each Exchange UM server. Create and assign a unique certificate for each Exchange UM server; the subject name must match the server name. You must enable TLS on the Exchange UM server before you can assign a certificate to the Exchange UM role. Assign this certificate for use on the Client Access server for integration with Outlook Web Access and IM. |
Exchange Client Access server, server name exchcas01.contoso.com | exchcas01.contoso.com | exchcas01.contoso.com, mail.contoso.com, autodiscover.contoso.com, *.contoso.com | Private | Server | The subject name and a SAN entry must match to support external UC devices. Import the private CA root certificate onto each Exchange Client Access server. The subject name and SAN entry mail.contoso.com is an example name used to refer to Outlook Web Access, Outlook Anywhere, EWS, and the Offline Address Book; the only requirements are that the entry matches a DNS record and that the ExternalURL and other service entries can be referenced by the given name. The autodiscover SAN entry is required to support external UC devices. The entry for the machine name (in this example, exchcas01.contoso.com) must exist for integration with Outlook Web Access and IM. |
Reverse proxy, server name rp.contoso.com | mail.contoso.com | mail.contoso.com, autodiscover.contoso.com, *.contoso.com | Public | Server | A matching entry for the subject name must also be in the SAN of the certificate. Terminating TLS or SSL at the reverse proxy and then re-establishing TLS or SSL to the Client Access server will cause UC devices to fail. TLS or SSL termination, a feature of some products such as Microsoft Internet Security and Acceleration (ISA) Server, Microsoft Forefront Threat Management Gateway, and other third-party implementations, cannot be used if you will be supporting UC devices. The SAN entry for autodiscover must exist for UC devices to work correctly. |
Exchange Client Access server (non-Internet-facing Active Directory site Client Access server), server name internalcas01.contoso.com | internalcas01.contoso.com | internalcas01.contoso.com, *.contoso.com | Private | Server | The non-Internet-facing Active Directory site Client Access server communicates only with internal clients and servers. The Internet-facing Active Directory site Client Access server proxies communications to this Client Access server when the request comes from a user or service that is querying for services (for example, a mailbox) hosted in this Active Directory site. Exchange Web Services and Offline Address Book services on the non-Internet-facing Active Directory site are configured to use the deployed certificate, which can be from the internal private CA. The root certificate for the private CA must be imported into the Trusted Third Party Root Certificates store on the Internet-facing Active Directory site Client Access server. |
Scenario 4: Exchange Unified Messaging (UM)/Exchange Client Access Server Collocated on Same Server with Reverse Proxy for Publishing
Microsoft Exchange component | Subject name | SAN entries/Order | Certification authority (CA) | Enhanced key usage (EKU) | Comments |
---|---|---|---|---|---|
Exchange Unified Messaging (UM), server name exchum01.contoso.com | exchum01.contoso.com | The Exchange UM role should not contain a SAN entry | Private | Server | The Exchange UM server communicates only with internal clients and servers. Import the private CA root certificate onto each Exchange UM server. Create and assign a unique certificate for each Exchange UM server; the subject name must match the server name, and a SAN is not required. You must enable TLS on the Exchange UM server before you can assign a certificate to the Exchange UM role. |
Exchange Client Access server and Exchange Unified Messaging (UM), server name exchcas01.contoso.com | mail.contoso.com | exchcas01.contoso.com, mail.contoso.com, autodiscover.contoso.com, *.contoso.com | Private | Server | The subject name and a SAN entry must match to support external UC devices. Import the private CA root certificate onto each Exchange Client Access server. The subject name and SAN entry mail.contoso.com is an example name used to refer to Outlook Web Access, Outlook Anywhere, EWS, and the Offline Address Book; the only requirements are that the entry matches a DNS record and that the ExternalURL and other service entries can be referenced by the given name. The autodiscover SAN entry is required to support external UC devices. The entry for the machine name (in this example, exchcas01.contoso.com) must exist for integration with Outlook Web Access and IM. |
Reverse proxy, server name rp.contoso.com | mail.contoso.com | mail.contoso.com, autodiscover.contoso.com, *.contoso.com | Public | Server | A matching entry for the subject name must also be in the SAN of the certificate. Terminating TLS or SSL at the reverse proxy and then re-establishing TLS or SSL to the Client Access server will cause UC devices to fail. TLS or SSL termination, a feature of some products such as ISA Server, Forefront Threat Management Gateway (TMG), and other third-party implementations, cannot be used if you will be supporting UC devices. The SAN entry for autodiscover must exist for UC devices to work correctly. |
Exchange Client Access server (non-Internet-facing Active Directory site Client Access server), server name internalcas01.contoso.com | internalcas01.contoso.com | internalcas01.contoso.com, *.contoso.com | Private | Server | The non-Internet-facing Active Directory site Client Access server communicates only with internal clients and servers. The Internet-facing Active Directory site Client Access server proxies communications to this Client Access server when the request comes from a user or service that is querying for services (for example, a mailbox) hosted in this Active Directory site. Exchange Web Services and Offline Address Book services on the non-Internet-facing Active Directory site are configured to use the deployed certificate, which can be from the internal private CA. The root certificate for the private CA must be imported into the Trusted Third Party Root Certificates store on the Internet-facing Active Directory site Client Access server. |
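The following is an added example, not Microsoft's tooling and not part of this topic, that turns the Comments columns of the four Exchange scenario tables into a checklist a planner can run over a proposed set of certificates before requesting them. It encodes these rules: the Exchange UM certificate carries no SAN and its subject equals the server name; Client Access and reverse proxy certificates list the subject in the SAN and keep any wildcard after the explicit FQDNs; Internet-facing publishing needs the autodiscover entry for UC devices; a Client Access server published through a reverse proxy also needs its machine name in the SAN for Outlook Web Access and IM integration; and the reverse proxy and Internet-facing Client Access server use a public CA while internal roles use the private CA. The CertPlan record, the role labels, and the function names are this example's own; the sample plans are constructed from the Scenario 3 table.

```python
"""Lint planned Exchange certificates against the rules in the scenario tables.

Added example; not part of the original topic. The CertPlan fields and the
role labels below are assumptions of this example, not Exchange terminology.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class CertPlan:
    role: str              # um | cas_internet_facing | cas_behind_proxy | cas_internal | reverse_proxy
    server_name: str       # the machine's FQDN
    subject: str           # certificate subject name (CN)
    san: List[str] = field(default_factory=list)   # SAN entries, in certificate order
    ca: str = "private"    # "private" or "public"


# Roles that publish Exchange services to the Internet and therefore serve UC devices.
PUBLISHING_ROLES = {"cas_internet_facing", "cas_behind_proxy", "reverse_proxy"}
PUBLIC_CA_ROLES = {"cas_internet_facing", "reverse_proxy"}


def domain_of(fqdn: str) -> str:
    """'mail.contoso.com' -> 'contoso.com' (assumes a single host label)."""
    return fqdn.split(".", 1)[1]


def lint_certificate(plan: CertPlan) -> List[str]:
    """Return the rule violations for one planned certificate (empty list = compliant)."""
    server = plan.server_name.lower()
    subject = plan.subject.lower()
    san = [e.lower() for e in plan.san]
    findings: List[str] = []

    if "*" in subject:
        findings.append("subject name must not be a wildcard")

    if plan.role == "um":
        if san:
            findings.append("Exchange UM role certificate should not contain SAN entries")
        if subject != server:
            findings.append("UM subject name must match the server name")
        if plan.ca != "private":
            findings.append("UM certificate should come from the private CA")
        return findings

    if subject not in san:
        findings.append(f"subject {subject} needs a matching SAN entry")
    if plan.role in PUBLISHING_ROLES and f"autodiscover.{domain_of(subject)}" not in san:
        findings.append("autodiscover SAN entry is required for UC devices")
    wildcards = [i for i, e in enumerate(san) if e.startswith("*.")]
    if wildcards and any(not e.startswith("*.") for e in san[wildcards[0] + 1:]):
        findings.append("explicit FQDN entries must precede the wildcard entry")
    if plan.role == "cas_behind_proxy" and server not in san:
        findings.append("Client Access server machine name must be in the SAN for OWA/IM integration")
    expected_ca = "public" if plan.role in PUBLIC_CA_ROLES else "private"
    if plan.ca != expected_ca:
        findings.append(f"{plan.role} certificate should come from the {expected_ca} CA")
    return findings


def lint_scenario(plans: List[CertPlan]) -> Dict[str, List[str]]:
    """Lint every certificate in a deployment; keys are role@server so collocated roles stay distinct."""
    return {f"{p.role}@{p.server_name}": lint_certificate(p) for p in plans}


# Constructed from the Scenario 3 table: UM and Client Access on different
# servers, published through a reverse proxy, plus the non-Internet-facing site.
SCENARIO_3 = [
    CertPlan("um", "exchum01.contoso.com", "exchum01.contoso.com", [], "private"),
    CertPlan("cas_behind_proxy", "exchcas01.contoso.com", "exchcas01.contoso.com",
             ["exchcas01.contoso.com", "mail.contoso.com", "autodiscover.contoso.com", "*.contoso.com"],
             "private"),
    CertPlan("reverse_proxy", "rp.contoso.com", "mail.contoso.com",
             ["mail.contoso.com", "autodiscover.contoso.com", "*.contoso.com"], "public"),
    CertPlan("cas_internal", "internalcas01.contoso.com", "internalcas01.contoso.com",
             ["internalcas01.contoso.com", "*.contoso.com"], "private"),
]

if __name__ == "__main__":
    for name, findings in lint_scenario(SCENARIO_3).items():
        print(name, "OK" if not findings else findings)
```

Every Scenario 3 certificate passes as tabulated; swapping the reverse proxy's SAN order, dropping its autodiscover entry, or issuing it from the private CA each produces a separate finding, so the output doubles as a review record when the plan is handed to whoever files the certificate request.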