One of the common requests on the newsgroup is about – you guessed it right – Certificates, DNS and Firewall Ports. I will try to make this simple by explaining in as few words as possible – but providing as many details as I can.
First of all – When are certificates needed? – If you deploy only a Standard Edition you don’t need certificates. If you deploy Enterprise Edition with only one front end – you don’t need certificates. Certificates are needed on the following common scenarios (if you deploy these you need certificates)
- Enterprise Edition with 2 or more Front End servers
- Access Proxy
- Standard Edition – if deploying Access Proxy and Director, all will need certificates.
You have realised now that certificates are needed only when there is a server to server communication (except SQL server). If you want the traffic from the LCS servers to the SQL servers encrypted/secure, you can. That is however beyond the current context scope.
Secondly – You don’t need a public certificate for all these servers. Only the Access Proxy’s external edge needs a public certificate. All others can have a certificate issued by an internal Certificate Authority. Install the Internal CA chain on all servers.
The Microsoft documentation assumes you have internal and external Domain Name Servers under “your” control. Well mostly that’s true but in cases where your external Domain Name Servers are hosted services you need to provide your hosting provider details on creating SRV records. A breakdown is provided in the image below.
Another common request is – which ports do I need to open up on the firewall. A breakdown is provided in the image.
For a detailed explaination on protocols/ports see http://support.microsoft.com/default.aspx?scid=KB;EN-US;903056
Follow the path from the “Remote Users” to the LCS pool and you will know (1) what DNS entries are required (2) what certificates are needed and (3) what ports need to be open. Print the following linked image on a legal sized paper.
The above images are in a Draft Format.