Each reverse proxy server requires a web server
Each reverse proxy server requires a web server certificate. The SAN of the web server certificate must specify all Web external FQDNs (from all Front End pools and Directors) and all simple URLs, except the one for the Admin URL. This certificate must be issued by a public CA.
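The SAN rule above is easy to get wrong when a second Front End pool or Director is added later, so here is an added check (not part of the guide) that compares a certificate's SAN, in the dictionary shape Python's ssl.getpeercert() returns, against the set of external web FQDNs and simple-URL hosts the reverse proxy must serve; the names and URLs are constructed samples, and the Admin URL is deliberately excluded as the guide requires.

```python
from urllib.parse import urlsplit

# Constructed sample in the shape returned by ssl.getpeercert(): a certificate
# whose SAN lists two external web FQDNs and two simple-URL hosts (hypothetical names).
SAMPLE_CERT = {
    "subject": ((("commonName", "lyncweb.contoso.example"),),),
    "subjectAltName": (
        ("DNS", "lyncweb.contoso.example"),
        ("DNS", "DIRWEB.contoso.example"),
        ("DNS", "meet.contoso.example"),
        ("DNS", "dialin.contoso.example"),
    ),
}

# Constructed topology inputs (hypothetical): the external web FQDN of every
# Front End pool and Director, and the simple URLs, including the Admin URL,
# which the guide says is NOT required on the reverse-proxy certificate.
EXTERNAL_WEB_FQDNS = ["lyncweb.contoso.example", "dirweb.contoso.example"]
SIMPLE_URLS = {
    "meet": "https://meet.contoso.example",
    "dialin": "https://dialin.contoso.example",
    "admin": "https://admin.contoso.example",
}


def san_dns_names(cert):
    """Lower-cased DNS entries of the SAN; only DNS entries count for HTTPS name matching."""
    return {value.lower() for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"}


def san_matches(name, san_names):
    """Exact match, or a single-label wildcard in the leftmost position (RFC 6125 style)."""
    if name in san_names:
        return True
    labels = name.split(".")
    return len(labels) > 2 and ("*." + ".".join(labels[1:])) in san_names


def required_names(web_fqdns, simple_urls):
    """All external web FQDNs plus the host of every simple URL except the Admin URL."""
    required = {fqdn.lower() for fqdn in web_fqdns}
    for key, url in simple_urls.items():
        if key.lower() == "admin":
            continue  # Admin URL is internal-only and must not drive the public certificate
        required.add(urlsplit(url).hostname.lower())
    return required


def missing_san_names(cert, web_fqdns, simple_urls):
    """Names the reverse-proxy certificate must cover but does not; an empty list means compliant."""
    san = san_dns_names(cert)
    return sorted(n for n in required_names(web_fqdns, simple_urls) if not san_matches(n, san))
```

Run it against the live certificate by passing the dictionary from ssl.getpeercert() after connecting to the reverse proxy, and treat any non-empty result as a deployment blocker.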
Microsoft Lync Server 2010 Security Guide

For details about edge server certificate requirements and deployment, see Certificate Requirements for External User Access in the Planning documentation, Request Edge Certificates in the Deployment documentation, and Set Up Edge Certificates in the Deployment documentation.

Best Practice for Certificates

To help ensure security when using the same certificate on multiple Edge Servers, request a single certificate to be used for all Edge Servers and mark the private key as exportable, and then do the following:

1. On an Edge Server, request a certificate with an exportable private key.
2. Import the certificate to the first Edge Server. Include the root certificate chain, if necessary.
3. Export the certificate with its private key. The certificate must be marked to allow this.
4. Import the certificate you exported into the computer store on each Edge Server, but do not mark the private key of this certificate as exportable.

Access Edge Service

The Access Edge service provides a single connection point through which both inbound and outbound SIP traffic can cross firewalls, separating internal and external networks for federation and remote user access traffic. In addition, all SIP signaling traffic that is necessary to set up and tear down conferencing and media sessions with outside users passes through the Access Edge service.

The Access Edge service is a specially configured proxy that was designed and tested to operate in the perimeter network. The Access Edge service enforces routing rules that separate the outside edge of the network from the inside edge and provides a central platform to manage and enable cross-organization, domain-based policies. This is an IP-based routing solution and does not imply that a physical firewall is not needed. We strongly recommend that you use one or more physical firewalls.
The Access Edge service does not require Active Directory Domain Services, because it manages only SIP domains, not users. That is, the Access Edge service does not authenticate client connections, but it does validate inbound message headers, authorize remote federation servers, and authorize federation traffic. Using a configured internal next-hop address, the Access Edge service passes inbound remote user traffic unchallenged to an internal next-hop SIP server (typically a Director) for authentication (because federation traffic is authenticated by the partner domain and is authorized at the Access Edge service, the internal server does no additional authentication). It is also recommended that the Access Edge service be run in a dedicated workgroup or domain that is not a part of the enterprise namespace.