Thanks for the great comments. I'll revisit the design with the vendor helping me implement the solution. It seems clear that I should be using a commercial cert for the edge services: access.xyz.com, webcon.xyz.com, av.xyz.com.
In addition to the needs for my Lync installation, I had originally intended to use an internal CA to issue certs to company laptops and cell phones in the case where management chooses to limit access to Outlook Anywhere and ActiveSync to only company-issued devices. Does that sound reasonable, or is there a better way to limit access to such things to company-issued devices should that be their whim?

Jim

From: William Robbins [mailto:[email protected]]
Sent: Wednesday, July 04, 2012 9:21 AM
To: NT System Admin Issues
Subject: Re: Certificate authority

I'd have to concur, especially if federating is in your Lync future. Besides that, if you are utilizing smart phones/3rd party software it's much easier to use certs from an already trusted external CA. Otherwise you'll need to install root CA chains on your devices for your internal CA. We ended up using a hybrid of internal and external certs, but our internal PKI is mature, and we used 3rd party certs for all the Edges.

- Will

On Wed, Jul 4, 2012 at 11:04 AM, Brian Desmond <[email protected]> wrote:

Why does installing Lync necessitate a CA? Just get the certs from a commercial CA.

Thanks,
Brian Desmond
[email protected]
w - 312.625.1438 | c - 312.731.3132

From: [email protected] [mailto:[email protected]]
Sent: Tuesday, July 03, 2012 5:49 PM
To: NT System Admin Issues
Subject: Certificate authority

We will be installing Microsoft Lync here very soon and I need to have a certificate authority running. To date, we've not had a need to stand one up, and from the research I've done, it seems there are a number of ways to go: three tier, two tier, standalone. Our needs are for Lync, maybe some certs for some smart phones and some internal software we've written, so it's not a complicated system from our perspective. At least not for the short term.
I obviously don't want to do something that I'll regret later and was looking for some advice from others who have traveled these roads and learned what to do, and what not to do. From my research, I think a two tier system will work, but I'm not really clear at this point how you have an offline CA (for security purposes) and subordinate CAs to hand out certs. Still reading up on all that. Am I overthinking all this, as my Lync installer suggests? He said that I should just install the certificate role on a DC and that would be that. I think they might be better at installing and configuring Lync than they are at designing certificate authorities, as my research indicates doing that is not the best way to go. Can anyone share their experiences? Time is short and I need to decide what CA to stand up. Any advice would be appreciated.

Thanks,
Jim

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
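The two-tier design Jim is reading up on (an offline root that signs only a subordinate issuing CA, which in turn issues the server certs), modelled in Python with the cryptography package as an added example that is not part of this thread. The CA names are placeholders and the xyz.com hosts are the edge names from Jim's reply; the chain check is what a client with the root installed has to do, which is the chain-installation cost Will describes for an internal CA.

```python
# Added example (not from the thread): a model of the two-tier design Jim asks about,
# built with the python-cryptography package. CA names and *.xyz.com hosts are placeholders.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def _issue(cn, pub, issuer, issuer_key, days, ca, path_len=None, sans=()):
    """Sign a certificate with issuer_key; issuer=None means self-signed (the offline root)."""
    subj = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder().subject_name(subj)
         .issuer_name(issuer.subject if issuer else subj)
         .public_key(pub).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + timedelta(days=days))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=path_len), critical=True)
         .add_extension(x509.KeyUsage(digital_signature=True, key_cert_sign=ca, crl_sign=ca,
                                      key_encipherment=not ca, content_commitment=False,
                                      data_encipherment=False, key_agreement=False,
                                      encipher_only=False, decipher_only=False), critical=True))
    if sans:  # the edge cert carries every public name, as the commercial cert would
        b = b.add_extension(x509.SubjectAlternativeName([x509.DNSName(s) for s in sans]), critical=False)
    return b.sign(issuer_key, hashes.SHA256())

def build_two_tier_pki(edge_hosts):
    """Root (kept offline, pathlen=1) signs only the issuing CA; the issuing CA signs leaf certs."""
    root_key, sub_key, edge_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = _issue("XYZ Root CA", root_key.public_key(), None, root_key, 3650, True, path_len=1)
    issuing = _issue("XYZ Issuing CA", sub_key.public_key(), root, root_key, 1825, True, path_len=0)
    edge = _issue(edge_hosts[0], edge_key.public_key(), issuing, sub_key, 365, False, sans=edge_hosts)
    return root, issuing, edge

def verify_chain(leaf, intermediates, anchor):
    """What a client with the root installed does: check signatures, issuer links and CA limits."""
    chain = [leaf, *intermediates, anchor]
    for depth, cert in enumerate(chain[:-1]):
        issuer = chain[depth + 1]
        bc = issuer.extensions.get_extension_for_class(x509.BasicConstraints).value
        # depth == number of CAs sitting below this issuer; pathlen caps that number
        if cert.issuer != issuer.subject or not bc.ca or (bc.path_length is not None and bc.path_length < depth):
            return False
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
        except Exception:
            return False
    return anchor.issuer == anchor.subject

def edge_sans(cert):
    return cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value.get_values_for_type(x509.DNSName)
```

Without the issuing CA cert in the chain the edge cert does not verify against the root, which is exactly why every device talking to an internal PKI needs the chain installed.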
