UCCs are NOT Required for OCS or Lync Edge Servers

This is starting to become a huge pet peeve for me that seems to get fed on a daily basis. I have written about it several times in the Microsoft forums because there is so much confusion.

When it comes to our choices for the public interface for Edge servers, we have the following:

  1. A certificate that uses a single name, the subject name, for each Edge role. That ends up being one cert for the Access Edge role and one cert for the Web Conferencing Edge role. Two individual certs.
  2. A Unified Communications Certificate (UCC) that has our Access Edge role name as the subject name, and subject alternative name (SAN) entries (yes, we use the Access Edge name for the first SAN entry) for the Access Edge and the Web Conferencing role names.
  3. Any certificate that supports server authentication that contains SAN fields so we can do the same thing as in the UCC.
  4. An internal/private CA that can issue a cert like the one in option 3. The problem with an internally issued cert is that every client computer that will connect from the Internet must have the CA’s root cert imported into its trusted root authority store.

There is NO requirement that we have to use a UCC. Really, when you get down to it, a UCC is nothing more than a marketing name that makes us think it is worth more than any other certificate that supports server authentication and SAN entries.

In other words, don’t waste your money on a UCC from an “approved vendor” when a cert from any third party trusted vendor will meet your needs.
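The properties that matter in options 2 and 3 can be checked on any candidate certificate, whatever name the vendor sells it under. The following is an added example, not code from the original post: `Test-EdgeCertificate` is a hypothetical helper, the host names are constructed sample values, and the throwaway in-memory test certificate is built only so the check can run offline. It assumes PowerShell 7 or Windows PowerShell on .NET Framework 4.7.2 or later, and English-language extension formatting on Windows.

```powershell
function Test-EdgeCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$AccessEdgeName,
        [Parameter(Mandatory)][string]$WebConfEdgeName
    )
    # Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) must be listed.
    # A cert with no EKU extension at all is reported as False here.
    $eku = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = [bool]($eku -and
        ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }))

    # SAN extension (OID 2.5.29.17). Format() renders entries as "DNS Name=host"
    # on Windows and "DNS:host" on OpenSSL-backed platforms; order is preserved.
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $dnsNames = @()
    if ($san) {
        $dnsNames = @([regex]::Matches($san.Format($false), '(?:DNS Name=|DNS:)([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value })
    }
    [pscustomobject]@{
        ServerAuthEku        = $hasServerAuth
        SubjectIsAccessEdge  = $Certificate.GetNameInfo('SimpleName', $false) -eq $AccessEdgeName
        FirstSanIsAccessEdge = ($dnsNames.Count -gt 0) -and ($dnsNames[0] -eq $AccessEdgeName)
        SanHasWebConf        = $dnsNames -contains $WebConfEdgeName
        SanEntries           = $dnsNames -join ', '
    }
}

# Constructed sample: self-signed cert built in memory, never written to a store.
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=sip.contoso.example', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$sanBuilder = [System.Security.Cryptography.X509Certificates.SubjectAlternativeNameBuilder]::new()
$sanBuilder.AddDnsName('sip.contoso.example')      # Access Edge name first
$sanBuilder.AddDnsName('webconf.contoso.example')  # then Web Conferencing Edge
$req.CertificateExtensions.Add($sanBuilder.Build($false))
$oids = [System.Security.Cryptography.OidCollection]::new()
[void]$oids.Add([System.Security.Cryptography.Oid]::new('1.3.6.1.5.5.7.3.1'))
$req.CertificateExtensions.Add(
    [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]::new($oids, $false))
$cert = $req.CreateSelfSigned([DateTimeOffset]::Now, [DateTimeOffset]::Now.AddDays(1))

Test-EdgeCertificate -Certificate $cert -AccessEdgeName 'sip.contoso.example' `
    -WebConfEdgeName 'webconf.contoso.example'
```

To check a certificate already installed on the Edge server, pass an item from `Get-ChildItem Cert:\LocalMachine\My` as `-Certificate` instead of the sample.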
