Share via


Certificate recommendations for Exchange 2016 and Lync Server deployments

 

You must have a certificate that's trusted by both the computers running Exchange and the computers running Lync Server. In an environment that has Lync Server and Unified Messaging, use the following guidelines for deploying a trusted certificate:

  • On your Lync servers, Client Access servers, Mailbox servers, Lync Server Mediation Server, and media gateways, import a certificate that's valid and signed by a private or public certification authority (CA). This should be a trusted third-party commercial certificate or a public key infrastructure (PKI) certificate.

     

  • It’s less complex if you import the same third-party commercial or PKI certificate to each Exchange server. Also, install this trusted certificate on each computer running Microsoft Lync Server and Lync Server Mediation Server. This will make your certificate deployment less complicated and reduce the administrative overhead associated with deploying certificates. However, make sure you obtain a trusted certificate that supports subject alternative names (SANs).

     

    When you’re deploying Transport Layer Security (TLS) with UM, the certificates that are used on the Client Access server and the Mailbox server both must contain the local computer's fully qualified domain name (FQDN) in the certificate’s Subject Name. To work around this issue, use a public certificate and import the certificate on all Client Access and Mailbox servers, any VoIP gateways, IP PBXs, and all the Lync servers.

     

    If your deployment includes VoIP gateways or IP PBXs, and if you use a SIP secured or Secured dial plan, a trusted certificate is required between the Client Access and Mailbox servers and the VoIP gateways or IP PBXs. A trusted certificate is also required if a direct SIP connection is used. If you use a SIP secured or Secured dial plan, you can use the same trusted certificate on your Lync and Exchange servers that’s used on your VoIP gateways or IP PBXs.

     

  • When you connect Exchange Client Access and Mailbox servers to Microsoft Lync servers or to third-party SIP gateways or Private Branch eXchange (PBX) telephony equipment, you must use a certificate that’s valid and signed by an internal or public third-party CA to establish secured sessions. You can use a single certificate on all the Client Access and Mailbox servers as long as the certificate has the FQDNs of all the Client Access and Mailbox servers in its SAN list. Or, you can generate a different certificate for each Client Access and Mailbox server, with the FQDN of the local computer present in the subject common name (CN) or SAN list of the certificate for that server. Exchange UM doesn't support wildcard certificates with Microsoft Lync Server.

     

    A non-wildcard Subject Name is required for Lync Server and Exchange to work together. UM and Lync Server use the Subject Name as a way to indicate that they’re trusted SIP peers. Lync Server also needs a non-wildcard Subject Name in some call-routing scenarios. The FQDN must be used as the “Issued to” value.

     

    For Exchange UM, it isn’t supported to put a wildcard in the Certificate Name. However, you can put a wildcard in the SAN.

The following table shows the certificate requirements for installing and configuring certificates for Exchange UM.

Topology Certificate configuration

Client Access and Mailbox on the same server:

  • Without Lync 2010 or Lync 2013

  • Non-SIP dial plans

A certificate is required between Client Access and Mailbox servers. This is the same certificate that’s used between the Client Access and Mailbox servers and the VoIP gateway, IP PBX, or SBC.

Client Access and Mailbox on different servers:

  • Without Lync 2010 or Lync 2013

  • Non-SIP dial plans

A certificate is required. The certificate must match on the Client Access and Mailbox servers. A certificate is also required between Client Access and Mailbox servers and the VoIP gateway, IP PBX, or SBC. This can be the same or a different certificate than the certificate that is used between the Client Access and Mailbox servers. For Client Access and Mailbox servers, you can run the Create-ExchangeCertificate cmdlet from either server.

Client Access and Mailbox on the same server:

  • With Lync 2010 or Lync 2013

  • SIP dial plans

A certificate is required. The Client Access and Mailbox servers must have the same certificate as the Lync 2010 or Lync 2013 servers.

Client Access and Mailbox on different servers:

  • With Lync 2010 or Lync 2013

  • SIP dial plans

A certificate is required. The Client Access and Mailbox servers must have the same certificate as the Lync 2010 or Lync 2013 servers.