Request and Enroll Multi-SAN certificates on Windows Server 2012

In one of my recent deployments, the customer asked to keep the existing naming convention of his domain, i.e. names like “SRV_SVC_01.domain.local”. If you’ve been around long enough, you know that names containing underscores ( _ ) are a little frowned upon. Windows asks whether you really want to use such a name when you rename the machine, but lets you go through with it.

The bigger issue started when I tried configuring an IIS ARR web farm to publish an Office Web Apps Server for this customer. IIS will not accept underscores in names, so that presented a problem. Also, the Office Web Apps server was already configured and published in the topology, so changing the name wasn’t really an option at this point. Usually I’ll just make up some name and add it to the hosts file on the IIS ARR box, but since we’re using HTTPS here, the published name (the name the IIS ARR machine is accessing) must match a name on the certificate. The only solution I thought of was to use a multi-SAN certificate.

By default, requesting a domain certificate using the IIS wizard generates a certificate with the server’s CN, and you’ll be able to bind it to the HTTPS port of the server. Unfortunately, there’s no way to add additional names to this request.

The workaround – Manually submit a Web Server certificate request.

Let’s cover these steps:

Open the local machine’s certificate console and request a new certificate:

Request

Run through the next screens until you reach the certificate template choice. Most likely you’ll see this:

Computer

Hit “Show all templates” and scroll down to “Web Server”; you won’t be happy to see the following:

WebServer

Well, how do we do that now…

Log on to your CA and open the Certification Authority management console, scroll down to “Certificate Templates”, right-click it and choose “Manage”:

Manage

On the new “Certificate Template Console”, locate your Web Server template, right-click it and choose “Properties”:

Properties

On the Web Server window, click the Security tab. Add the computer account you’re enrolling the certificate for (user accounts can’t be used here since we’re enrolling on behalf of the machine), then tick the “Enroll” box:

Security

Now go back to the machine and try to re-enroll the certificate; you’ll see that the Web Server certificate template is now available:

WebOK

Tick the Web Server certificate box and click on the “More information required….” link.
In the new window, do the following:

  • For the Subject Name, choose “Common name” for “Type”, enter your server’s FQDN in the value field, then click “Add”.
  • For Alternative names, choose “DNS”, enter the FQDN (or FQDNs) you’d like to use in the value field and click “Add”:

CertProperties

When done, click OK and then “Enroll” on the next window. This initiates the certificate request. Once enrolled, you’ll see the following:

Success

You’ll now see the certificate in the Personal certificate store of the machine:

Certificate
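The same enrollment can be scripted once the template grants Enroll to the computer account. This is an added example, not the post’s own code: it requests the Web Server template with the extra SAN entries through the PKI module’s Get-Certificate cmdlet and then checks that every name the reverse proxy will use is actually present in the SAN before you bind the certificate. The host names are constructed samples.

```powershell
# Added example (not from the post): enroll a multi-SAN Web Server certificate from
# PowerShell and verify the SAN. Assumes the template already grants Enroll to this
# computer account, as set on the template's Security tab above.
Import-Module PKI

function Request-MultiSanWebCert {
    param(
        [Parameter(Mandatory)][string]   $SubjectFqdn,   # becomes CN=
        [Parameter(Mandatory)][string[]] $DnsNames,      # every name the proxy will request
        [string] $Template = 'WebServer'                 # template name, not display name
    )
    $result = Get-Certificate -Template $Template `
        -SubjectName "CN=$SubjectFqdn" `
        -DnsName $DnsNames `
        -CertStoreLocation 'Cert:\LocalMachine\My'
    # Status is 'Issued' when the CA auto-approves; 'Pending' means a manual approval wait
    if ($result.Status -ne 'Issued') {
        throw "Enrollment did not complete: status $($result.Status)"
    }
    return $result.Certificate
}

function Test-CertificateSan {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory)][string[]] $RequiredNames
    )
    # 2.5.29.17 is the Subject Alternative Name extension OID
    $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $sanExt) { Write-Warning 'Certificate has no SAN extension'; return $false }
    # Format($true) renders one "DNS Name=host" entry per line
    $present = $sanExt.Format($true) -split '\r?\n' |
        ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() } |
        Where-Object { $_ }
    $missing = $RequiredNames | Where-Object { $present -notcontains $_ }
    if ($missing) { Write-Warning "SAN is missing: $($missing -join ', ')"; return $false }
    return $true
}

# Constructed sample names for the scenario in the post: the real host plus the
# underscore-free name the IIS ARR box will use to reach it
$names = @('srv_svc_01.domain.local', 'owas.domain.local')
$cert  = Request-MultiSanWebCert -SubjectFqdn 'SRV_SVC_01.domain.local' -DnsNames $names
if (Test-CertificateSan -Certificate $cert -RequiredNames $names) {
    "Thumbprint $($cert.Thumbprint) covers all names; bind it to the HTTPS site."
}
```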

 


Skype for Business and Lync Servers certificate report

This is a cross-post with Guy Bachar’s blog of a script we wrote back in August 2014 that has since gone through some technical (mostly Guy) and cosmetic (mostly yours truly) updates.

Report

This script will generate an HTML report of all Skype for Business \ Lync servers’ certificates, and you can even use it to send periodical emails.

As the new script supports contacting your Edge servers, there are some prerequisites involved:

1. Enable Trusted Hosts on the Front-End server you’re running the script from:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*" -Force

2. Enable HTTP Compatibility Listener on all Edge servers:

Set-Item WSMan:\localhost\Service\EnableCompatibilityHttpListener -Value True

The script is pretty straightforward; all you have to do is run it from a local folder on your FE server with elevated permissions.
However, this will only give you the FE’s certificates.
Guy was smart enough to create the following additions:

-EdgeCertificates and -OWASCertificates

You can run either or both, and they will give you information about your Office Web Apps Servers’ certificates (-OWASCertificates) and your Edge Servers’ certificates (-EdgeCertificates).
When using the -EdgeCertificates option, you’ll be prompted to enter your Edge Server’s credentials.

Command

Visit Guy’s post for further information.

The script can be downloaded here, and we’d love to hear your feedback.
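For readers who want to see the mechanics behind such a report, here is an added example that is not the downloadable script from the post: it collects certificate expiry from the local Front-End and from the Edge servers over WinRM (the Edge servers are workgroup machines, so they need explicit credentials and the compatibility HTTP listener from prerequisite 2) and renders an HTML table. It scopes TrustedHosts to the Edge server names rather than “*”, and the server names are constructed samples.

```powershell
# Added example, not the script from the post: certificate expiry report for a
# Front-End plus Edge servers, reached over WinRM with their local credentials.
function Get-ServerCertSummary {
    param(
        [string[]] $EdgeServers,
        [System.Management.Automation.PSCredential] $EdgeCredential
    )
    # Runs locally on the Front-End and remotely on each Edge server
    $collector = {
        Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
            [pscustomobject]@{
                Server     = $env:COMPUTERNAME
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                NotAfter   = $_.NotAfter
                DaysLeft   = [int]($_.NotAfter - (Get-Date)).TotalDays
                Thumbprint = $_.Thumbprint
            }
        }
    }
    $rows = @(& $collector)
    if ($EdgeServers) {
        # Prerequisite 1 from the post, limited to the Edge names instead of "*"
        Set-Item WSMan:\localhost\Client\TrustedHosts -Value ($EdgeServers -join ',') -Force
        $rows += Invoke-Command -ComputerName $EdgeServers -Credential $EdgeCredential -ScriptBlock $collector |
            Select-Object Server, Subject, Issuer, NotAfter, DaysLeft, Thumbprint
    }
    return $rows
}

function ConvertTo-CertReportHtml {
    param([Parameter(Mandatory)][object[]] $Rows, [int] $WarnDays = 30)
    $style = '<style>td,th{padding:4px;border:1px solid #999;font-family:sans-serif}</style>'
    $Rows | Sort-Object DaysLeft |
        Select-Object Server, Subject, Issuer, NotAfter, DaysLeft,
            @{ n = 'Status'; e = { if ($_.DaysLeft -le $WarnDays) { 'EXPIRING' } else { 'OK' } } },
            Thumbprint |
        ConvertTo-Html -Title 'Lync certificate report' -Head $style -PreContent "<h2>Generated $(Get-Date)</h2>" |
        Out-String
}

# Prompts for the Edge servers' local administrator, like the post's -EdgeCertificates switch
$edgeCred = Get-Credential -Message 'Edge server credentials'
$rows = Get-ServerCertSummary -EdgeServers 'edge01.dmz.local', 'edge02.dmz.local' -EdgeCredential $edgeCred
ConvertTo-CertReportHtml -Rows $rows | Out-File -FilePath "$PSScriptRoot\LyncCertReport.html" -Encoding UTF8
# For the periodic e-mail the post mentions, pipe the same HTML to Send-MailMessage -BodyAsHtml
```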

Lync 2013 and Windows 8.1 PowerPoint presentation issue fixed

A couple of weeks back I wrote a post about PowerPoint content issues when using Lync 2013 on Windows 8.1 workstations.

Happily, this issue is now fixed with the release of the Office Web Apps November 2013 update.

Remember you will need to remove your existing farm first, install the update and then reconfigure the Office Web Apps farm.

Lync 2013 Office Web Apps (WAC) not working on Windows 8.1 stations

*** UPDATE ***

This issue has been resolved in the WAC November 2013 update: http://support.microsoft.com/kb/2837634/en-us.

Remember that in order to install this update you must first remove the existing farm, install the update and then recreate the farm. See this article if you need a reminder.

Original post:

I did some maintenance last weekend, installing the October 2013 update and other updates.
Additionally, I had my workstation upgraded to Windows 8.1.

The first thing I noticed was that PowerPoint presentation content is unavailable after installing the updates, with the following error:
“Sorry, we ran into a problem displaying the presentation. Please try again.”

Error Message

After testing this on multiple machines with multiple accounts, I can verify that Lync 2013 clients on Windows 8.1 are unable to present or view PowerPoint content on Office Web Apps Server.

This goes for Office Web Apps Servers installed on Windows Server 2008R2, Windows Server 2012 and Windows Server 2012R2, both internally and externally.

Lync 2013 clients on any Operating system OTHER than Windows 8.1 are not affected and can use the Office Web Apps services with no issues.

Keep that in mind before upgrading to Windows 8.1!

Installing and configuring IIS ARR Reverse Proxy on Windows Server 2012 for Lync Server 2013 \ Skype for Business External access

As Forefront TMG 2010 is reaching end of life, Microsoft’s official and, at the moment, only supported reverse proxy solution for Lync Server 2013 is IIS ARR.
For Skype for Business Server the only supported solution is Windows Server 2012 WAP, but IIS ARR 3.0 will also work for you.

Doing this is rather simple, and this post will demonstrate the steps to publish Lync 2013 External Web Services using IIS ARR on Windows Server 2012.

First things first, an installation and two downloads:

– OR –

  • Install IIS on Windows Server 2012 with all defaults, nothing too smart.
  • Download Hotfix for Microsoft Application Request Routing Version 2.5 for IIS7 (KB 2732764) (x64), we’ll use that later.
  • Use Microsoft Web Platform Installer to install IIS ARR 2.5.

Whichever platform you choose (ARR 2.5 or ARR 3.0), it’s an identical installation and configuration process:

You’ll get the first installation screen, telling you it will install 2 features:

first installation screen

Hitting “Install” will show you the features you’re about to install. That’s 4 components altogether:

Installation list

Click “I Accept” and enjoy the commercial content from Microsoft whilst the installation is taking place:

Installation in progress

When the installation is finished, you’ll see it has installed four components:

Installation OK

If your server can’t access the internet for some reason, you’re up for a real treat:

Checking Windows 2012’s Programs and features will show you these exact 4 items. This is all you need for IIS ARR to work:

Installed components

Open IIS Manager, and you’ll see you have two new features:

  • “Server Farms” under the server node.
  • “Web Platform Installer” in the management node.

New IIS features

Configuring the website:

Import your Lync 2013 external certificate to the server:

Certificate list

Navigate to your default website in IIS Manager and click “Bindings”:

Website Bindings

You’ll see it has only the HTTP binding. Click “Add” to add the HTTPS binding:

Add Bindings

In the next window, choose “HTTPS” from the drop-down menu, then choose your Lync external certificate, and press “OK”:

Choose Certificate

This completes the configuration of the web site.

Create Server Farms:

Guidelines:

  • We need to create a server farm for each name we’re publishing.
  • The Internal root CA (The one that’s used for signing the internal Lync certificates) must be placed in the “Trusted Root Certification Authorities” container in your IIS ARR machine.
  • The Internal names of your Lync servers and WAC servers must be resolvable from this server, so don’t forget to add them to your hosts file.

To build the first Server Farm, right click “Server Farms” and choose “Create Server Farm”:

Create server farm

In “Server Farm Name” enter the external FQDN of the service you want to publish.

This can be “Meet.MyDomain.com”, “DialIn.MyDomain.com”, etc. After you enter the name of the server farm, click “Next”:

Meet Farm

On the “Add Server” window, type the name of the server you want to publish and then click “Advanced settings”:

Add Server and advanced settings

Remember to click “Advanced settings” BEFORE you click “Add”. You need to add the server to the farm only after you set the advanced settings for the server.

“Advanced settings” is where we set the port bridging rules from 443 to 4443, just like we used to do with TMG 2010.

Set the HTTP port to 8080 and the HTTPS port to 4443, then click “Add”:

*** For the Office Web Apps farm leave the ports at 443 and 80, as these are passed directly to the server’s website.

Advanced Settings

Now you can see the server in the server farm:

Server ok

Once you click “Finish”, you’ll get a prompt asking if you would like to create a URL rewrite rule:

Rewrite prompt

Choose “Yes”. This will come in very handy in just a few more moments.

Do the same steps for every external address you want to publish.

Eventually, you’ll end up with enough farms to publish all your external addresses:

All Farms

Now, a few adjustments to make this work right with Lync. For each server farm, do the following steps:

Step 1:

Click each server farm and choose “Caching”:

Meet Caching

In “Caching”, uncheck the “Enable disk cache” box:

Disable Caching

Step 2:

Click each server farm and choose “Proxy”:

Meet Proxy

In “Proxy”, change the Time-out to 200:

Time-out

Step 3:

Click each server farm and choose “Routing Rules”:

Meet Routing

In “Routing Rules”, uncheck the “Enable SSL offloading” box:

Disable SSL offloading

After completing these three steps for all server farms, go to the IIS Server Home and click “URL Rewrite”:

URL Rewrite button

The next window will show you all the server farms with the URL rewrite rules that were created earlier (remember that prompt?):

URL Rewrite main window

Clicking the ‘+’ sign on the left of each of the server farms will show you the existing URL Rewrite options. One of them is for HTTP, the other for HTTPS:

URL rewrite with HTTP

Since we are not using HTTP, you can remove the HTTP rule (the one that does NOT have the “_SSL” suffix). This will leave you with only the HTTPS rewrite rule.

Click “Add” to add a condition to the HTTPS rule:

URL rewrite only HTTPS

Start typing ‘{HTTP_‘ and choose the {HTTP_HOST} option from the drop-down menu. In the pattern field, type the beginning of the FQDN followed by a star, e.g. “Meet.*” or “DialIn.*”:

HTTP_HOST add

The result should be like this:

URL Rewrite completed

Repeat these steps for each server farm on your list.

Important note regarding WAC:

One option is to publish it as a server farm as described above.

Another option is described in Koen Wagenveld’s great article on TechNet, to use a regular expression. Please refer to the article if you would like to use this option.

That’s about it! IIS ARR is now publishing your Lync 2013 services.
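The whole farm procedure above (port bridging, cache off, 200-second time-out, SSL offloading off, HTTPS-only rewrite rule with the {HTTP_HOST} condition) can also be applied from PowerShell with the WebAdministration module. This is an added example and not the post’s own code; the configuration paths assume ARR’s webFarms schema in applicationHost.config, and the host names are constructed samples.

```powershell
# Added example, not from the post: one ARR server farm per published name, with the
# same adjustments the post makes in IIS Manager. Run elevated on the IIS ARR box.
Import-Module WebAdministration

$AppHost = 'MACHINE/WEBROOT/APPHOST'

function New-LyncArrFarm {
    param(
        [Parameter(Mandatory)][string] $ExternalFqdn,    # server farm name, e.g. meet.mydomain.com
        [Parameter(Mandatory)][string] $InternalServer,  # Lync or WAC server to publish
        [int] $HttpPort  = 8080,                         # 80/443 for the Office Web Apps farm
        [int] $HttpsPort = 4443
    )
    # Guideline check: the internal name must resolve (DNS or hosts file) from this box
    try { [System.Net.Dns]::GetHostAddresses($InternalServer) | Out-Null }
    catch { throw "$InternalServer does not resolve; add it to the hosts file first" }

    $farm = "webFarms/webFarm[@name='$ExternalFqdn']"
    Add-WebConfigurationProperty -PSPath $AppHost -Filter 'webFarms' -Name '.' `
        -Value @{ name = $ExternalFqdn; enabled = $true }
    Add-WebConfigurationProperty -PSPath $AppHost -Filter $farm -Name '.' `
        -Value @{ address = $InternalServer; enabled = $true }

    # "Advanced settings": bridge 443 -> 4443 and 80 -> 8080
    $srv = "$farm/server[@address='$InternalServer']/applicationRequestRouting"
    Set-WebConfigurationProperty -PSPath $AppHost -Filter $srv -Name 'httpPort'  -Value $HttpPort
    Set-WebConfigurationProperty -PSPath $AppHost -Filter $srv -Name 'httpsPort' -Value $HttpsPort

    # Step 1: disk cache off.  Step 2: proxy time-out 200 s (stored as hh:mm:ss)
    $proto = "$farm/applicationRequestRouting/protocol"
    Set-WebConfigurationProperty -PSPath $AppHost -Filter "$proto/cache" -Name 'enabled' -Value $false
    Set-WebConfigurationProperty -PSPath $AppHost -Filter $proto -Name 'timeout' -Value '00:03:20'

    # Only the "_SSL" rule is created; rewriting to https:// is Step 3 (SSL offloading off)
    $rules    = 'system.webServer/rewrite/globalRules'
    $ruleName = "ARR_${ExternalFqdn}_loadbalance_SSL"
    Add-WebConfigurationProperty -PSPath $AppHost -Filter $rules -Name '.' `
        -Value @{ name = $ruleName; patternSyntax = 'Wildcard'; stopProcessing = $true }
    $rule = "$rules/rule[@name='$ruleName']"
    Set-WebConfigurationProperty -PSPath $AppHost -Filter "$rule/match" -Name 'url' -Value '*'
    Add-WebConfigurationProperty -PSPath $AppHost -Filter "$rule/conditions" -Name '.' `
        -Value @{ input = '{HTTPS}'; pattern = 'on' }
    # {HTTP_HOST} condition: first label of the FQDN followed by a star, e.g. "meet.*"
    Add-WebConfigurationProperty -PSPath $AppHost -Filter "$rule/conditions" -Name '.' `
        -Value @{ input = '{HTTP_HOST}'; pattern = ($ExternalFqdn.Split('.')[0] + '.*') }
    Set-WebConfigurationProperty -PSPath $AppHost -Filter "$rule/action" -Name 'type' -Value 'Rewrite'
    Set-WebConfigurationProperty -PSPath $AppHost -Filter "$rule/action" -Name 'url' `
        -Value "https://$ExternalFqdn/{R:0}"
}

# One farm per published name; the WAC farm keeps 80/443 as the post notes
New-LyncArrFarm -ExternalFqdn 'meet.mydomain.com'   -InternalServer 'lyncfe01.domain.local'
New-LyncArrFarm -ExternalFqdn 'dialin.mydomain.com' -InternalServer 'lyncfe01.domain.local'
New-LyncArrFarm -ExternalFqdn 'wac.mydomain.com'    -InternalServer 'lyncwac.domain.local' -HttpPort 80 -HttpsPort 443
```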

Lync Server 2013 WAC (Office Web Apps Server) – Part 2: Publishing

In part 1 of this post, we learned how to install and configure the Lync Server 2013 WAC Server.

In this part, we’ll publish it to give external users access to our conference resources.

Add External Access URL:

In part 1, we used the following command:

New-OfficeWebAppsFarm -InternalURL "https://LyncWAC.YourDomain.Local" -CertificateName "My WAC Server"

For external access, use the same command, but add -ExternalURL “<WAC server external FQDN>”. So if you want to run it all together, the command would be:

New-OfficeWebAppsFarm -InternalURL "https://LyncWAC.YourDomain.Local" -ExternalURL "https://WACsrv.domain.com" -CertificateName "My WAC Server"

That’s all the configuration needed on the Lync side.

The next step is to configure a publishing rule in TMG 2010. Unfortunately, you cannot use your existing external web URL, since Lync traffic is bridged to TCP port 4443, while Office Web Apps Server works over plain HTTPS, meaning TCP 443.

Update:

Since TMG is end of life, you can now use IIS ARR to publish Lync Server 2013.

Refer to this post if you want to use IIS ARR.

Publish your server with Forefront TMG 2010:

From your TMG console, select “New Web Publishing Rule”. Give your rule a name and click “Next”:

In the “Select Rule Action” window, choose “Allow” and click “Next”:

In the “Publishing Type” window, choose “Publish a single Web site or load balancer”:

Then choose “Use SSL”:

In the next window, enter your internal site name. That’s the one entered earlier in the command. If your TMG cannot resolve this name to an IP, you can enter it in the field below:

In the Internal Publishing Details window, enter /* in the path field, and remember to check the “Forward the original host header…” checkbox:

In “Public Name Details” enter the external FQDN of your WAC server. This is the name you entered earlier in the -ExternalURL command:

In the “Select Web Listener” window select “New”:

Name your listener and click “Next”:

Choose “Require SSL” in the Client Connection Security window:

Choose your listener IP:

Choose your listener’s certificate:

(Must contain your external FQDN)

In the “Authentication Settings” window select “No Authentication”:

Click “Next” on the SSO settings page, review your listener’s settings and click Finish:

The new listener is now selected for your rule:

In the next window, choose “No delegation, but client may authenticate directly”:

Leave the user sets with “All Users”:

In the last window, review your settings and click Finish:

Locate your rule in the TMG console and right click to edit it:

Navigate to the “Traffic” tab, click “Filtering” and “Configure HTTP”:

Uncheck the “Verify normalization” box and click OK:

Verify_Normalization

Apply the changes to your Forefront TMG 2010 Server.

To test your WAC publishing, open a web browser and type: https://<ExternalFQDN.Domain.Com>/hosting/discovery

You should get an XML output similar to this (the capture below is cut off partway through the Excel actions of the first zone):

<?xml version="1.0" encoding="UTF-8"?>
<wopi-discovery>
  <net-zone name="internal-https">
    <app name="Excel" checkLicense="true" favIconUrl="https://lyncwac.mydomain.local/x/_layouts/images/FavIcon_Excel.ico">
      <action name="view" urlsrc="https://lyncwac.mydomain.local/x/_layouts/xlviewerinternal.aspx?<ui=UI_LLCC&><rs=DC_LLCC&>" default="true" ext="ods"/>
      <action name="view" urlsrc="https://lyncwac.mydomain.local/x/_layouts/xlviewerinternal.aspx?<ui=UI_LLCC&><rs=DC_LLCC&>" default="true" ext="xls"/>
      … (the same "view" action repeated for xlsb, xlsm and xlsx)
      <action name="edit" urlsrc="https://lyncwac.mydomain.local/x/_layouts/xlviewerinternal.aspx?edit=1&<ui=UI_LLCC&><rs=DC_LLCC&>" ext="ods" requires="update"/>
      … (the same "edit" action repeated for xlsb, xlsm and xlsx, plus "editnew" for xlsx)
      <action name="interactivepreview" urlsrc="https://lyncwac.mydomain.local/x/_layouts/xlpreview.aspx?<ui=UI_LLCC&><rs=DC_LLCC&>" default="true" ext="xlsb"/>
      … (the same for xlsm and xlsx)
      <action name="mobileView" urlsrc="https://lyncwac.mydomain.local/x/_layouts/xlviewerinternal.aspx?<ui=UI_LLCC&><rs=DC_LLCC&>" ext="xls"/>
      … (the same for xlsb, xlsm and xlsx)
      <action name="embedview" urlsrc="https://lyncwac.mydomain.local/x/_layouts/xlembed.aspx?<ui=UI_LLCC&><rs=DC_LLCC&>" ext="xlsb"/>
      … (the same for xlsm and xlsx)
      <action name="formsubmit" urlsrc="https://lyncwac.mydomain.local/x/_layouts/xlform.aspx?<ui=UI_LLCC&><rs=DC_LLCC&>" ext="xlsb"/>
      <action name="formsubmit" urlsrc="https://lyncwac.mydomain.local/x/_layouts/xlform.aspx?<ui=UI_LLCC&><rs=DC_LLCC&>" ext="xlsm"/>
      … (capture cut off here)

Note you will have two “net zones”: “internal-https” and “external-https”, each with the following applications offered:

  • Excel
  • OneNote
  • PowerPoint
  • Word

Your Lync 2013 WAC Server is ready.

Lync Server 2013 and Skype for Business Server 2015 – WAC (Office Web Apps Server) – Part 1: Installing and configuring

27.03.2013: Updated to the latest version of Office Web Apps Server.

Lync Server 2013 WAC is a new requirement in the Lync Server 2013 deployment. You’ll have to have this server if you want to be able to share PowerPoint presentations.

The installation and configuration of this server is quite easy; let’s take a look:

Prerequisites:

First, download the Microsoft Office Web Apps Server from here and the update from here. While it downloads, we can configure the other prerequisites.

If you’re using Windows Server 2008R2, please download Microsoft’s .Net Framework 4.5, download Windows Management Framework 3.0, and download KB2592525, which will allow you to run the applications in a Server 2008R2 environment.

Install all of the above, then run this from an elevated PowerShell:

Import-Module ServerManager
Add-WindowsFeature Web-Server,Web-WebServer,Web-Common-Http,Web-Static-Content,Web-App-Dev,Web-Asp-Net,Web-Net-Ext,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Includes,Web-Security,Web-Windows-Auth,Web-Filtering,Web-Stat-Compression,Web-Dyn-Compression,Web-Mgmt-Console,Ink-Handwriting,IH-Ink-Support

Restart the server if you’re prompted to do so.

If you’re using Windows Server 2012, it’s even easier; just run the following from an elevated PowerShell (Server 2012 imports the relevant PS modules automatically, so you don’t have to use the “Import-Module” command):

Add-WindowsFeature Web-Server,Web-Mgmt-Tools,Web-Mgmt-Console,Web-WebServer,Web-Common-Http,Web-Default-Doc,Web-Static-Content,Web-Performance,Web-Stat-Compression,Web-Dyn-Compression,Web-Security,Web-Filtering,Web-Windows-Auth,Web-App-Dev,Web-Net-Ext45,Web-Asp-Net45,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Includes,InkandHandwritingServices

Restart the server if you’re prompted to do so.

Install the Microsoft Office Web Apps Server:

For Server 2012, double-click the .img file and run “Setup.exe”.

For Server 2008R2, open the .img file with any software of your choice and run “Setup.exe”

Restart the server if you’re prompted to do so and install the update.

Create a certificate:

Like most Lync services, you’re required to assign a certificate to this service as well.

We’ll use the IIS Manager to do that:

Launch the IIS Manager and scroll down to “Server Certificates”:

In the “Server Certificates” window, click on “Create Domain Certificate” in the Action pane:

In the “Create Certificate” window, fill in the details of your server and organization. Note that the “Common Name” must be in the “Server.Domain.Local” format:

In the next window, choose your CA, and give your certificate a friendly display name. We’ll use that name later:

When you click “Finish”, you’ll see you have a new certificate:

Configure the WAC Server:

From an elevated PowerShell, run the following command:

New-OfficeWebAppsFarm -InternalURL "https://LyncWAC.YourDomain.Local" -CertificateName "My WAC Server"

In -CertificateName, enter the friendly name you gave your certificate earlier.

The result should look like this:

To check it, open a web browser and go to https://LyncWAC.YourDomain.Local/hosting/discovery; you should get this result:

If you get an error, try fixing your .Net Framework 3.5 components with this command:

%systemroot%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -iru

Then, run iisreset /restart /noforce.

Your WAC Server is ready!
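The browser test above, and the external one in Part 2, can be turned into a repeatable check. This is an added example and not code from the post: it fetches /hosting/discovery, lets Invoke-WebRequest validate the certificate chain the way a client would, and then confirms that the expected net-zones and apps are present and that every urlsrc in a zone stays on that zone’s own host (the -InternalURL host for “internal-https”, the -ExternalURL host for “external-https”). The host names are constructed samples.

```powershell
# Added example (not from the post): sanity check of the WAC discovery document.
function Get-WacDiscovery {
    param([Parameter(Mandatory)][string] $WacFqdn)
    # Invoke-WebRequest validates the certificate chain by default, so a failure here
    # points at the certificate (untrusted root, name not in the SAN) rather than at WAC
    $resp = Invoke-WebRequest -Uri "https://$WacFqdn/hosting/discovery" -UseBasicParsing
    return [xml] $resp.Content
}

function Test-WacDiscovery {
    param(
        [Parameter(Mandatory)][xml] $Discovery,
        # zone name -> host name that every urlsrc in that zone must use
        [Parameter(Mandatory)][hashtable] $ZoneHosts,
        [string[]] $ExpectedApps = @('Excel', 'OneNote', 'PowerPoint', 'Word')
    )
    $problems = @()
    foreach ($zone in $ZoneHosts.Keys) {
        $node = $Discovery.'wopi-discovery'.'net-zone' | Where-Object { $_.name -eq $zone }
        if (-not $node) {
            $problems += "zone '$zone' is missing (external-https only appears once -ExternalURL is set)"
            continue
        }
        $apps = @($node.app | ForEach-Object { $_.name })
        foreach ($app in $ExpectedApps) {
            if ($apps -notcontains $app) { $problems += "zone '$zone' does not offer $app" }
        }
        foreach ($action in @($node.app.action)) {
            # urlsrc carries "<ui=UI_LLCC&>" style placeholders, so take the host with a regex
            if ($action.urlsrc -match '^https?://([^/]+)/') {
                $srcHost = $Matches[1]
                if ($srcHost -ne $ZoneHosts[$zone]) {
                    $problems += "zone '$zone': $($action.name)/$($action.ext) points at $srcHost"
                }
            }
        }
    }
    return $problems
}

# Constructed sample names; run against the internal URL first, then the published one
$discovery = Get-WacDiscovery -WacFqdn 'wacsrv.domain.com'
$issues = Test-WacDiscovery -Discovery $discovery -ZoneHosts @{
    'internal-https' = 'lyncwac.yourdomain.local'   # -InternalURL host
    'external-https' = 'wacsrv.domain.com'          # -ExternalURL host
}
if ($issues) { $issues } else { 'Discovery looks good: both zones, all apps, hosts consistent.' }
```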

Add the Server to Lync Topology:

Open the Lync Server Topology Builder, expand “Shared Components”, right-click “Office Web Apps Servers”, and choose “New Office Web Apps Server…”:

In the new window, type your server’s FQDN. The wizard will fill in the discovery address:

Press OK, and the server is in your topology:

Associate your Front-End pools with your Office Web Apps Server, publish the topology, and you’re done!

See how to publish your WAC server in Part 2 of this post