# Lync Mobility and internal vs Public certificates
Posted by Chad McGreanor on January 13, 2012
Now that Microsoft has released the mobility solution for Lync, we are finding that most customer environments would like to use the mobile client on the internal WiFi network. That is great! Here is the issue: for that to work correctly, the certificates on your Director and Front End servers must be trusted by the mobile clients, so your internal CA is most likely out of the question. What that means is that you now need to purchase public certificates from an approved CA for those roles.
Since this has been an issue we keep running into, we are now considering moving towards an all-public-certificate best practice for the Lync Front End, Director, and TMG servers. Is anyone else running into this same scenario?
Gavin McClintock said
Have you considered pushing internal clients back through the TMG (e.g. using the DMZ address of the TMG in the lyncdiscoverinternal.sipdomain record) so that they connect to Lync Mobility that way – saves the cost of external certs for internal servers. This will require 443 from the internal network to the DMZ.
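A check for the scenario in the post and in Gavin's suggestion, added here as an example and not code from the original post: run from a machine on the internal network, it shows which address lyncdiscoverinternal and lyncdiscover resolve to and whether the certificate presented on 443 was issued by the internal CA, which a phone or non-domain device will not trust. `$SipDomain` and `$InternalCaName` are placeholders you must replace.

```powershell
param(
    [string]$SipDomain      = "sipdomain.example",    # placeholder: your SIP domain
    [string]$InternalCaName = "CN=Contoso-Issuing-CA"  # placeholder: subject of your internal CA
)

function Test-LyncDiscoverCert {
    param([string]$Hostname)

    # Which address answers decides whether an internal FE/Director or the TMG is hit.
    $addresses = [System.Net.Dns]::GetHostAddresses($Hostname) | ForEach-Object { $_.IPAddressToString }

    # Accept any certificate during the handshake so it can be inspected; trust is judged below.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($Hostname, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($Hostname)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose(); $tcp.Close()
    }

    # Build the chain with this machine's stores, as a client would, and locate the root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trustedHere = $chain.Build($cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Host               = $Hostname
        ResolvesTo         = ($addresses -join ', ')
        Subject            = $cert.Subject
        Root               = $root.Subject
        # A domain-joined admin box trusts the internal CA; a phone or non-domain device does not.
        TrustedOnThisHost  = $trustedHere
        IssuedByInternalCa = ($cert.Issuer -like "*$InternalCaName*") -or ($root.Subject -like "*$InternalCaName*")
        ChainStatus        = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

Test-LyncDiscoverCert -Hostname "lyncdiscoverinternal.$SipDomain"
Test-LyncDiscoverCert -Hostname "lyncdiscover.$SipDomain"
```

If the internal record points at the TMG's DMZ address, IssuedByInternalCa should be false for both names; if it points at a Front End or Director still carrying an internal CA certificate, that is the chain the mobile clients cannot build.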
Ashwin Raj said
Hello Chad.
If you have a TMG with a public certificate for mobility, wouldn’t that be good enough for the WiFi connection as well? All you have to do is create a Host A record on your internal DNS pointing to the public TMG IP with the name of the external web service. But hairpinning on your firewall is to be considered.
Thanks
Chad McGreanor said
There have been several discussions regarding that configuration. There's no documentation saying that it is supported. I am testing it in my lab to see what type of traffic is generated.
Michael D'Angelo said
I decided to save myself the trouble of worrying about loading internal root CAs on Lync Phone Edition and non-domain devices and stuck with public certificates. I think it makes things easier in all cases (other than the cost of the certs).