External DNS and Certificates Planning for Lync 2010 as Hosting Service

Microsoft released Lync Multi-Tenant Pack for hosting providers to offer Lync as a hosting service. Even before this pack, many companies were already offering Lync and OCS as hosting services to SMBs. The deployment guide for Multi-Tenant pack states to add few SAN entries for each new domain. If you try to login without adding SAN entry for the domain, login fails! This means that with every new customer, you will have to update your certificates, pay for any new SAN entries and then reassign the certificates. This does not seem to be a good idea in terms of cost and ease of provisioning a new tenant.

So, to help out those who are planning to offer Lync as a hosting service or those who already are, I suggest planning DNS and certificates as following:

Meet URL configuration:

For every hosted domain you will need meet URLs. These URLs are used to schedule online meetings. I would recommend first reading this article: Planning for Simple URL. For a hosting company, Option 3 mentioned in this article is best choice. Format for meet URL as per Option is:

https://lync.contoso.com/contosoSIPdomain/Meet

https://lync.contoso.com/fabrikamSIPdomain/Meet

Where lync.contoso.com is Provider’s domain and contosoSIPdomain and fabrikamSIPdomain are hosted domains. Following this format will minimize DNS and certificate requirements.

DNS for Hosted Domain:

External DNS and Certificates Planning for Lync 2010 as Hosting ServiceIf you have followed Option 3 for meet URL, you now only need three DNS records for every hosted organization. Frist one for client auto configuration; an SRV record _sip._tls.<hosteddomain> pointing to sip.<providerdomain>. Second, for federation; an SRV record _sipfederationtls._tcp.<hosteddomain> pointing to sip.<providerdomain>. Third one is for Lync Mobile Clients: ‘A’ record lyncdiscover.<hosteddomain> pointing to MCX Server.

Using such planning, there will be no need to update and reapply certificates. However, clients will display a pop up window while logging in, informing that you are being redirected to another server:

At this point user should check the box ‘Always trust this server’ (after seeing the certificate details and making sure that this is indeed service provider’s server).

Apart from being cost effective and easy, another advantage is that, if you expand the Certificate Details, your hosted organizations will not be exposed!

Related Posts:

Tags: , ,

StumbleUpon reddit Digg Facebook Mixx Twitter Spinn Mail

Comments are closed.