Overview of changes
- Add two new DNS records – one internal, one external
  - Either A records or CNAMEs
- Patch everything to Lync RTM CU4
- Define the “Internal ports” used for mobile clients
- Install mobility bits on Front-Ends & Directors
- Enable Dynamic compression in IIS
- Re-request certificates to support new mobile DNS names
- Configure your reverse proxy
- Configure push notifications
- Test! (Kinda)
Sorting out Certificates
Note: If you are using internal certificates for your Lync servers & your wifi network (that mobiles will connect to) is internal, then you either need to make sure the mobile clients trust your internal PKI, or change to use “public” certificates.
Now we need to add the new SANs (Subject Alternative Names) – Lyncdiscoverinternal & Lyncdiscover – to our Lync server certificate. There are lots of ways to do this but the simplest is probably to use the Lync certificate wizard.
From the start menu run the “Lync Deployment Wizard”
Then under “Install or Update Lync Server System” re-run “Step 3”
Walk through the wizard using the same parameters as when you first deployed Lync. On the last step check that the new names are part of the request
Complete the request & then run the “Assign certificate” wizard & make sure it’s completed successfully
To tidy things up you might want to go into the local certificate store and delete out the old certificate just so you don’t get confused in future
You can also go and check in IIS that the new certificate is being used against the internal & external site bindings
For good measure stop & restart the Lync services
(Stop-CsWindowsService & Start-CsWindowsService)
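To confirm which certificates in the local machine store carry the new names, and to spot the old one before deleting it, a check like the following can be run on each Front-End or Director. It is an added example, not part of the original post: `domain.com` is a placeholder, the helper function names are made up for illustration, and the `DNS Name=` parsing assumes an English-language Windows install.

```powershell
# Added example. Placeholder names: replace domain.com with your SIP domain.
$required = 'lyncdiscover.domain.com', 'lyncdiscoverinternal.domain.com'

function Get-CertDnsName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # The Subject Alternative Name extension has OID 2.5.29.17.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return }
    # Format($true) prints one entry per line, e.g. "DNS Name=host.domain.com"
    # (assumption: English-language Windows; the label text is localized).
    $ext.Format($true) -split "`r?`n" | ForEach-Object {
        if ($_ -match '^\s*DNS Name=(.+)$') { $Matches[1].Trim() }
    }
}

function Test-NameCovered {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        # -eq on strings is case-insensitive, which is what DNS names need.
        if ($n -eq $HostName) { return $true }
        # A wildcard covers exactly one left-most label: *.domain.com matches
        # lyncdiscover.domain.com but not a.b.domain.com.
        if ($n.StartsWith('*.') -and $HostName.Contains('.')) {
            $parent = $HostName.Substring($HostName.IndexOf('.'))
            if ($parent -eq $n.Substring(1)) { return $true }
        }
    }
    return $false
}

# Report every server certificate with a private key, newest expiry first.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    ForEach-Object {
        $cert    = $_
        $names   = @(Get-CertDnsName $cert)
        $missing = @($required | Where-Object { -not (Test-NameCovered $_ $names) })
        New-Object PSObject -Property @{
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Missing    = ($missing -join ', ')
        }
    } | Format-Table Thumbprint, NotAfter, Missing -AutoSize
```

An empty `Missing` column means the certificate covers both names; compare that row's thumbprint with the one shown on the IIS site bindings.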
Configure the reverse proxy
In my topology my reverse proxy is an ISA server configured with a wildcard certificate for *.domain.com. I have a single listener for all Lync reverse proxy stuff so I should just need to add the new domain into the list of accepted names for the rule.
The official Lync mobility documentation makes no mention of whether wildcard certificates are supported, but it includes a reference to *.domain.com being a suitable alternative, so it looks like wildcards are allowed.
Microsoft at least made allowances for people who had already purchased expensive UC certificates by allowing the initial connection to the new DNS name over HTTP, so the client can be redirected to another name that is covered by an SSL certificate.
Open the rule up and add in the new “LyncDiscover” domain name
Apply the configuration changes
Continue to Part 4…