Enterprise Software Thread, Microsoft Lync 2010 (Office Communications Server) web service certificate in Technical
  1. #1
    ronanian's Avatar

    Microsoft Lync 2010 (Office Communications Server) web service certificate

    I have a Lync 2010 system with topology as follows:
    Microsoft Forefront TMG -> Kemp load balancer -> (2) Lync Front End servers, (2) Lync Edge servers, (2) certificate servers, a monitoring server, and of course a few appliances to handle SIP and what not.

    I've been working on this problem for a while, trying to learn my way through it, but it has become more urgent so now it's time to ask for help.

    Users attempting to connect to Lync (using the soft client) from outside of our main employee network encounter SSL certificate errors ever since our old certificate expired. Using a web browser to connect to some of our Lync service host names, it is possible to see the old certificate still in place and expired. I cannot find the offending certificate; I believe I've replaced it everywhere with a new one.

    The Lync Web Service certificate is definitely where the problem is, although I can't say for sure if the problem is anywhere else also. When I run Get-CsCertificate | fl I see only up-to-date certificates. They are listed for Default, WebServicesInternal, and WebServicesExternal. Looking in the Certification Authority MMC and IIS Manager on all my servers and checking in the load balancer I cannot find the expired certificate.

    Where else should I look for it?
    Last edited by ronanian; 18th February 2013 at 03:49 PM.

  2. #2
    ronanian's Avatar
    I fear that everybody here is in the same boat as me, woefully undereducated in the inner workings of Lync.

  3. #3

    SYNACK's Avatar
    Look on the TMG if it is set up as an SSL listener.

  4. #4


    @EduTech will likely know.

  5. Thanks to kmount from:

    ronanian (19th February 2013)

  6. #5

    EduTech's Avatar
    Hi,

    Can you run a Lync/OCS Remote Connectivity Test https://www.testexchangeconnectivity.com/ and just ensure what certificate it is showing here please.

    - Run Deployment Wizard on Edge Server, Check what Public Certificate is assigned.
    - Ensure that the certificate is not installed on the client's computer (doubtful..)

    The TMG should only be publishing web services and so if the correct certificate is shown on your meet. and dial. services then TMG Listeners are configured correctly.

    The only way the revoked cert would be provided by the client is if the edge certificates have not been configured correctly. That is the only scenario where I have seen this; it's not generally due to it being on the client computer, as you should be using a Public CA.

    If you could send me some further detail, I'll see what I can do to help.

    Regards,
    James.

  7. Thanks to EduTech from:

    ronanian (19th February 2013)

  8. #6
    ronanian's Avatar

    Deployment wizard shows only correct certificates, not the expired one.

    testexchangeconnectivity's Lync test passes with this one warning:
    Analyzing the certificate chains for compatibility problems with versions of Windows.
    Potential compatibility problems were identified with some versions of Windows.
    Additional Details
    ExRCA can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
    I'm completely out of my element working with the TMG, so if you could point me at some basic instructions...no wait, I think I got it:
    Forefront TMG Management ->
    Firewall Policy ->
    Lync Web Services properties ->
    Listener tab ->
    Properties button ->
    Certificates tab ->
    Select Certificate... button ->
    Choose certificate (which of course must first have been imported using Certs mmc) ->
    Ok, Ok, until out of all dialog boxen
    Click "Apply" at top of Firewall Policy pane

    Man, that was pretty deep in the bowels of nested dialog boxes. If you had not said "TMG Listeners" I would never have found it.

    I think that was it. It seems to be working properly now! THANK YOU!!!!! I've been struggling with this for way too long, though at least I learned a lot in the process.
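
The fault in this thread sat on the one hop that `Get-CsCertificate` does not cover, so a check that connects to each hop and reports the certificate it actually presents localizes it directly. The following is an added example, not code from any poster in the thread; every host name, port and thumbprint in it is a placeholder or assumption to be replaced with your own values.

```powershell
# Added example: every address, host name, port and thumbprint below is a placeholder.
function Get-PresentedCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$Address,  # hop to connect to
        [Parameter(Mandatory = $true)][string]$SniName,  # host name the client asks for
        [int]$Port = 443,
        [string]$ExpectedThumbprint                      # thumbprint of the renewed certificate
    )
    $result = New-Object PSObject -Property @{
        Hop = "${Address}:$Port"; Expired = $null; Matches = $null
        NotAfter = $null; Thumbprint = $null; Subject = $null
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Address, $Port)
        # Accept any certificate: the goal is to inspect it, expired or not.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($SniName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.Subject    = $cert.Subject
        $result.Thumbprint = $cert.Thumbprint
        $result.NotAfter   = $cert.NotAfter
        $result.Expired    = ($cert.NotAfter -lt (Get-Date))
        $result.Matches    = ($cert.Thumbprint -eq $ExpectedThumbprint)
    }
    catch { $result.Subject = "ERROR: $($_.Exception.Message)" }
    finally { $tcp.Close() }
    $result
}

$sni      = 'lyncweb.example.test'              # placeholder external web services name
$expected = 'REPLACE-WITH-NEW-CERT-THUMBPRINT'  # e.g. as listed by Get-CsCertificate

# Hops in client-to-server order, following the topology in the first post.
$hops = @(
    @{ Address = 'tmg.example.test';  Port = 443 },   # TMG web listener
    @{ Address = 'kemp.example.test'; Port = 4443 },  # load balancer virtual service
    @{ Address = 'fe01.example.test'; Port = 4443 },  # Front End servers
    @{ Address = 'fe02.example.test'; Port = 4443 }
)
$report = foreach ($h in $hops) {
    Get-PresentedCertificate @h -SniName $sni -ExpectedThumbprint $expected
}
$report | Select-Object Hop, Expired, Matches, NotAfter, Thumbprint, Subject |
    Format-Table -AutoSize
```

A hop that reports `Expired = True` or `Matches = False` is where the old certificate is still bound; hops behind it that report the new thumbprint are already correct.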

  9. #7

    Quote Originally Posted by ronanian View Post
    I have a Lync 2010 system with topology as follows:
    Microsoft Forefront TMG -> Kemp load balancer -> (2) Lync Front End servers, (2) Lync Edge servers, (2) certificate servers, a monitoring server, and of course a few appliances to handle SIP and what not.

    I've been working on this problem for a while, trying to learn my way through it, but it has become more urgent so now it's time to ask for help.

    Users attempting to connect to Lync (using the soft client) from outside of our main employee network encounter SSL certificate errors ever since our old certificate expired. Using a web browser to connect to some of our Microsoft Lync service host names, it is possible to see the old certificate still in place and expired. I cannot find the offending certificate; I believe I've replaced it everywhere with a new one.

    The Lync Web Service certificate is definitely where the problem is, although I can't say for sure if the problem is anywhere else also. When I run Get-CsCertificate | fl I see only up-to-date certificates. They are listed for Default, WebServicesInternal, and WebServicesExternal. Looking in the Certification Authority MMC and IIS Manager on all my servers and checking in the load balancer I cannot find the expired certificate.

    Where else should I look for it?
    Hm, do you still have those problems? Did you fix them?
