#Skype4B – Edge Pool Deployment Part IV

Skype for Business Server Edge Pool deployment has four parts to cover end to end deployment process. See Part I, Part II, Part III and Part IV for step by step process.

Part IV of Skype for Business Server Edge Pool deployment focus on certificates. Once you are done with Edge server installation you can request a certificate. Edge server need two different types of certificates one for internal and another for external. For internal certificate you can use internal CA while for external certificate you can generate the request and send it to your external CA to get the public certificate. Follow the step by step process to request and assign the certificates:

Select “Edge internal” and click on “Request”

Select offline certificate request and click on Next

Browse to location where you want to store the certificate request

Click on Next

Enter friendly name and select “Mark the certificate’s private key as exportable”

Fill the Organization Information

Fill the Geographical Information

Click on Next

Add all the Edge servers FQDN which are going to be part of this pool

Review the summary and click on Next

Once completed successfully, click on Next

Click on finish to generate the CSR

As you have request CSR for internal certificate, copy the *.req file and go to the internal CA to request the internal certificate.

Access your ADCS through web and click on “Request a certificate”

Select “advanced certificate request”

Select “Submit a certificate request …… PKCS#7 file”

Copy and paste the *.req file content here and select “Web Server” as a certificate template

Select “Base 64 encoded” and download both the files

Install the root certificate on your Edge server, you may run “Download certificate chain” to install the root certificate.

Install only root certificate form “certificate chain” and store it to “Local Computer” under “Trusted Root Certification Authorities”

If you don’t install root certificate then you can face below error while assigning certificate

Once done with root certificate installation, go to the Certificate Wizard and click on “Import Certificate”

Select the *.cer file and click on next

Click on Next to import the certificate

Once completed click on finish

Now, select “Edge internal” and click on “Assign”

Click on Next

Select Certificate and click on Next

Review the summary and click on Next

Once completed click on Finish.

Once Certificate is assigned to “Edge internal”, you can select the “External Edge certificate…” and click on “Request”

Select “offline certificate request” and click on Next

Browse to location to save the certificate request file

Click on Next

Enter “Friendly name” and make sure “Mark the certificate’s private key as exportable” is being selected

Enter your Organization Information

Enter Geographical Information

Click on Next

Select SIP domains and click on Next

Enter alternative SANs if you have any (For Example: If you want to use the same certificate for reverse proxy as well add same names such as lyncdiscover.domain.com, meet.domain.com, externalwebservices.domain.com etc.)

Once certificate request has been completed successfully, click on Next

Click on Finish to generate the CSR

Sent the *.req file to you Public CA vendor and get the certificate. Once you receive the certificate then Import and assign the certificate.

Once certificate part is done, start the Edge server services

Open Skype for Business Server Management Shell and run “Start-CsWindowsService”

Enjoy your Edge services J

Make sure you have public DNS records in place for external users.


1 thought on “#Skype4B – Edge Pool Deployment Part IV

  1. Gustavo Domínguez (@vitaprimo)

    So, besides, protecting the Front End service and consuming extra resources, what was the other use cases of the Edge server? When I first deployed my FE server I thought there was going to be only one server because it’s repeated over and over in the documentation, unless you pay really close attention there’s no mention of the Standard, single-server, deployment needing an extra Edge server that apparently doesn’t count as 2 (two).

    Naturally I tried forwarding to the “external” ports on the front server and could never figure out why it would connect and text but calls wouldn’t work. I tried the incredibly convoluted process of adding an Edge server –twice– only for neither time to work, it was worst now, at least I could chat before. And–it requires a not one but three ( ! ) IP addresses.

    Our IP PBX does all the things Skype for Business server does, much cheaper, much faster, and DDNS is enough for it to never fail connecting calls. It doesn’t show presence in Exchange though… so about to try for the third time I took a different approach and instead just forwarded 443 and 80 to 443 and 80 instead of using the external ports and bam! Audio and video calls are now working flawlessly and we get presence in Exchange web client! About security, firewalls today are extremely robust, I can just know instead of blacklisting, I can geo-whitelist IP addresses and then let IDS & IPS take care of the rest. Pretty much just by whitelisting IP ranges for my city and adding automatic dial-on-demand and/or self-healing IKEv2 VPN profiles to roaming mobile clients weeds out the bad guys and all of this is without deploying any extra resource than what’s already working; so I genuine want to know, what’s so special about the Edge server?

    Our sales rep told us we only have to pay for the Front End server but between a buttload of components she mentioned she sort of kept jumping past the Edge thingy and quite frankly this pushing to install it feels just like the thing they do to get you to buy more stuff, Office365-style. For the time being, we’re ecstatic to having solved the external access without all that Edge hassle. 🙂 Your article was really helpful though, between this one, another and Technet’s docs I became convinced it was Microsoft’s software’s uncanny superpower to screw itself up the reason we kept having issues.



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s