Request and Enroll Multi-SAN certificates on Windows Server 2012

In one of my recent deployments, the customer asked to keep the existing naming convention of his domain, keeping it as “SRV_SVC_01.domain.local”. If you’ve been around long enough, you know that names that contain underscores ( _ ) are a little frowned upon. Windows will ask you if you really want to use this name when you changed the machine’s name, but will let you go through with it.

The bigger issue started when I tried configuring an IIS ARR web farm on to publish an Office Web Apps Server for this one. IIS will not accept underscores in names so that presented an issue. Also, the Office Web Apps server was already configured and published in the topology so changing the name now wasn’t really an option. Usually I’ll just create some random name and add that to the host file on the IIS ARR box, but since we’re using HTTPS here, the published name (the name the IIS ARR machine is accessing) must natch the name on the certificate. The only solution I though of was to use a multi SAN certificate.

By default, requesting a domain certificate sing the IIS wizard will generate a certificate with the server’s CN and you’ll be able to bind this to the HTTPS port of the server. Unfortunately, there’s no way to add additional names to this request.

The workaround – Manually submit a Web Server certificate request.

Let’s cover these steps:

Open the local machine’s certificate console and request a new certificate:


Run through the next screens until you reach the certificate template choice. Most of the odds are you’ll see this:


Hit “Show all templates” and scroll down to “Web Server”, you won’t be happy to see the following:

WebServerWell, how do we do that now…

Log on to your CA and open the Certification Authority management console, scroll down to “Certificate Templates”, right-click it and choose “Manage”:

ManageOn the new “Certificate Template Console”, locate your Web Server template, right-click it and choose “Properties”:


On the Web Server window, click the Security tab. Add the Computer you’re trying to enroll the certificate for (user accounts can’t be used here since we’re enrolling on behalf of the machine), then tick the “Enroll” box:


Now go back to the machine and try to re-enroll the certificate; You’ll see that you now have the Web Server certificate template available:


Tick Web Server certificate box and click on the “More information required….” link.
In the new window, do the following:
For the Subject Name – choose “Common name” for “Type” and enter your server’s FQDN in the value field, than click “Add”.
For Alternative names – choose DNS and enter the FQDN (or FQDNs) you’d like to use in the value field and click “Add”:


When done, click OK and then “Enroll” on the next window. This will initiate the certificate request. When enrolled. you’ll see the following:


You’ll now see the certificate in the Personal certificate store of the machine:



Installing and configuring IIS ARR Reverse Proxy on Windows Server 2012 for Lync Server 2013 \ Skype for Business External access

As Forefront TMG 2010 is becoming end of life, Microsoft’s official and at the moment only supported Reverse Proxy solution for Lync Server 2013 is IIS ARR.
For Skype for Business Server the only supported solution is Server 2012 WAP, but IIS ARR 3.0 will also work for you.

Doing this is rather simple, and this post will demonstrate the steps to publish Lync 2013 External Web Services using IIS ARR on Windows Server 2012.

First things first, an installation and two downloads:

– OR –

  • Install IIS on Windows Server 2012 with all defaults, nothing too smart.
  • Download Hotfix for Microsoft Application Request Routing Version 2.5 for IIS7 (KB 2732764) (x64), we’ll use that later.
  • Use Microsoft Web Platform Installer to install IIS ARR 2.5.

Whichever platform you choose (ARR 2.5 or ARR 3.0), it’s an identical installation and configuration process:

You’ll get the first installation screen, telling you it will install 2 features:

first installation screen

Hitting “Install” will show you the features you’re about to install. That’s 4 components all together:

Installation list

Click “I Accept” and enjoy the commercial content from Microsoft whilst the installation is taking place:

Installation in progress

When the installation is finished, You’ll see it has installed four components:

Installation OK

If your server can’t access the internet for some reason, you’re up for a real treat:

Checking Windows 2012’s Programs and features will show you these exact 4 items. This is all you need for IIS ARR to work:

Installed components

Open IIS Manager, and you’ll see you have two new features:

  • “Server Farms” under the server node.
  • “Web Platform Installer” in the management node.

New IIS features

Configuring the website:

Import your Lync 2013 external certificate to the server:

Certificate list

Navigate to your default website in IIS Manager and click “Bindings”:

Website Bindings

You’ll see it has only the HTTP binding. Click “Add” to edit the HTTPS binding:

Add Bindings

In the next window, choose “HTTPS” from the drop down menu, then choose your Lync external certificate, and press “OK”:

Choose Certificate

This completes the configuration of the web site.

Create Server Farms:


  • We need to create a server farm for each name we’re publishing.
  • The Internal root CA (The one that’s used for signing the internal Lync certificates) must be placed in the “Trusted Root Certification Authorities” container in your IIS ARR machine.
  • The Internal names of your Lync servers and WAC servers must be resolvable from this server, so don’t forget to add them to your hosts file.

To build the first Server Farm, right click “Server Farms” and choose “Create Server Farm”:

Create server farm

In “Server Farm Name” enter the external FQDN of the service you want to publish.

This can be “”, “”. etc. After you enter the name of the server farm, click “Next”:

Meet Farm

On the “Add Server” window, type the name of the server you want to publish and then click “Advanced settings”:

Add Server and advanced settings

Remember to click “Advanced settings” BEFORE you click “Add”. You need to add the server to the farm only after you set the advanced settings for the server.

“Advanced settings” is where we set the port bridging rules from 443 to 4443, just like we used to do with TMG 2010.

Set the HTTP port to 8080 and the HTTPS port to 4443, then click “Add”:

*** For the Office Web Apps farm leave the ports 443 and 80, as these are redirected directly to the server’s website.

Advanced Settings

Now you can see the server in the server farm:

Server ok

Once you click “Finish”, you’ll get a prompt asking if you would like to create a URL rewrite rule:

Rewrite prompt

Choose “Yes”. This will come in very handy in just a few more moments.

Do the same steps for every external address you want to publish.

Eventually, you’ll end up with enough farms to publish all your external addresses:

All Farms

Now, a few adjustments to make this work right with Lync. For each server farm, do the following steps:

Step 1:

Click each server farm and choose “Caching”:

Meet Caching

In “Caching”, uncheck the “Enable disk cache” box:

Disable Caching

Step 2:

Click each server farm and choose “Proxy”:

Meet Proxy

In “Proxy”, change the Time-out to 200:


Step 3:

Click each server farm and choose “Routing Rules”:

Meet Routing

In “Routing Rules”, uncheck the “Enable SSL offloading” box:

Disable SSL offloading

After completing these three steps for all server farms, go to the IIS Server Home and click “URL Rewrite”:

URL Rewrite button

The next window will show you all the Server farms with the url rewrite rules that were created earlier (Remember that button?):

URL Rewrite main window

Clicking the ‘+’ sign on the left of each of the server farms will show you the existing URL Rewrite options. One of them is for HTTP, the other for HTTPS:

URL rewrite with HTTP

Since we are not using HTTP, you can remove the HTTP rule (the one that does NOT have the “_SSL” suffix). This will leave you with only the HTTPS rewrite rule.

Click “Add” to add a condition to the HTTPS rule:

URL rewrite only HTTPS

Start typing ‘{HTTP_‘ and choose the {HTTP_HOST} option from the drop-down menu. at the pattern, type the beginning of the FQDN followed by a star, e.g.: “Meet.*”, or “DialIn.*”:


The result should be like this:

URL Rewrite completed

Repeat these steps for each server farm on your list.

Important note regarding WAC:

One option is to publish it as a server farm as described above.

Another option is described in Koen Wagenveld’s great article on TechNet, to use a regular expression. Please refer to the article if you would like to use this option.

That’s about it! IIS ARR is now publishing your Lync 2013 services.

Lync 2013 Monitoring Server errors…

When you’re trying to view different reports in Lync Server 2013 monitoring, you might get the following error:

WebPage Error

“Report processing stopped because too many rows in summary tables are missing in the call detail recording (CDR) database. To resolve this issue, run dbo.RtcGenerateSummaryTables on the LcsCDR database.”

Additional parameters might appear instead of “dbo.RtcGenerateSummaryTables”, depending on the report you wish to view.

To fix this problem, start SQL Management Studio on your SQL server and choose the Lync Monitoring instance:

SQL Connection

Once connected, expand “Databases”->”LcsCDR”->”Programmability”:


In “Programmability”, expand “Stored Procedures”:

Stored Procedures

And scroll down until you find the procedure mentioned in the error:

Generate Summary

Right-click the procedure and choose “Execute Stored Procedure”:


A new “Execute Procedure” window will open, Press “OK”:

Execute Screen

A script will run and will (hopefully) return a ‘0’ value, meaning everything went ok:

Script ran

That’s it! Return to your reports webpage and refresh:

Reports OK

Good Luck!

Install Lync Server 2013 prerequisites on Windows Server 2008R2, Windows Server 2012 and Windows Server 2012R2

Updated: Dec 16, 2012

Lync 2013 is out, along with a new set of demands to install it right on your Windows Server.

Here’s how to get it done:

Windows Server 2008R2:

First, install the roles and features required:
Import-Module ServerManager
Add-WindowsFeature Web-Dyn-Compression,desktop-experience,RSAT-ADDS,Web-Server,Web-Scripting-Tools,Web-Windows-Auth,Web-Asp-Net,Web-Log-Libraries,Web-Http-Tracing,Web-Stat-Compression,Web-Default-Doc,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Http-Errors,Web-Http-Logging,Web-Net-Ext,Web-Client-Auth, Web-Filtering,Web-Mgmt-Console,Msmq-Server,Msmq-Directory

Then, Install .Net 4.5 Framework (Download).

Next, install Windows Identity Foundation (Download) and Windows Management Framework 3.0 (Download) that contains PowerShell 3.0.

You might also have to download and install KB2646886.

Windows Server 2012 and Windows Server 2012R2:

Make sure you have the Windows Server installation CD or source. It’s required to install ,Net 3.5 Framework.

Then, from an elevated PowerShell, run the following command:

Note: You don’t need to run “Import-Module ServerManager”, Windows 2012 loads the modules automatically

Add-WindowsFeature RSAT-ADDS, Web-Server, Web-Static-Content, Web-Default-Doc, Web-Http-Errors, Web-Asp-Net, Web-Net-Ext, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, Web-Http-Tracing, Web-Basic-Auth, Web-Windows-Auth, Web-Client-Auth, Web-Filtering, Web-Stat-Compression, Web-Dyn-Compression, NET-WCF-HTTP-Activation45, Web-Asp-Net45, Web-Mgmt-Tools, Web-Scripting-Tools, Web-Mgmt-Compat, Desktop-Experience, Windows-Identity-Foundation, Telnet-Client, BITS -Source D:\sources\sxs

If your Windows Server 2012 installation source is not your D drive, change it to your desired location.

On Windows Server 2012R2 you should install Lync Server 2013 with at least CU3 (Download the latest here).

To avoid Event IDs 32402, 61045 on Lync 2013 Front End Servers (See KB2901554), run the following from an elevated command prompt:

Reg Add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel" /V "EnableSessionTicket" /D 2 /T REG_DWORD /F

Now you’re all ready to install Lync Server 2013.