Skype for Business Server Edge Pool deployment is covered in four parts that together describe the end-to-end deployment process. See Part I, Part II, Part III and Part IV for the step-by-step process.
Part IV of Skype for Business Server Edge Pool deployment focuses on certificates. Once you are done with the Edge server installation you can request the certificates. An Edge server needs two different types of certificates: one for the internal interface and another for the external interface. For the internal certificate you can use your internal CA, while for the external certificate you generate the request and send it to your external CA to obtain a public certificate. Follow the step-by-step process to request and assign the certificates:
Select “Edge internal” and click on “Request”
Select offline certificate request and click on Next
Browse to location where you want to store the certificate request
Click on Next
Enter a friendly name and select “Mark the certificate’s private key as exportable”
Fill in the Organization Information
Fill in the Geographical Information
Click on Next
Add the FQDNs of all the Edge servers that are going to be part of this pool
Review the summary and click on Next
Once completed successfully, click on Next
Click on Finish to generate the CSR
As you have requested the CSR for the internal certificate, copy the *.req file and go to the internal CA to request the internal certificate.
Access your ADCS web enrollment page and click on “Request a certificate”
Select “advanced certificate request”
Select “Submit a certificate request …… PKCS#7 file”
Copy and paste the *.req file content here and select “Web Server” as the certificate template
Select “Base 64 encoded” and download both the files
Install the root certificate on your Edge server; you can use “Download certificate chain” to obtain the root certificate.
Install only the root certificate from the “certificate chain” and store it in “Local Computer” under “Trusted Root Certification Authorities”
If you don’t install the root certificate, you may see the error below while assigning the certificate
Once the root certificate is installed, go to the Certificate Wizard and click on “Import Certificate”
Select the *.cer file and click on Next
Click on Next to import the certificate
Once completed, click on Finish
Now, select “Edge internal” and click on “Assign”
Click on Next
Select Certificate and click on Next
Review the summary and click on Next
Once completed, click on Finish.
Once the certificate is assigned to “Edge internal”, select “External Edge certificate…” and click on “Request”
Select “offline certificate request” and click on Next
Browse to the location where you want to save the certificate request file
Click on Next
Enter a “Friendly name” and make sure “Mark the certificate’s private key as exportable” is selected
Enter your Organization Information
Enter the Geographical Information
Click on Next
Select SIP domains and click on Next
Enter additional SANs if you have any (for example, if you want to use the same certificate for the reverse proxy as well, add those names too, such as lyncdiscover.domain.com, meet.domain.com, externalwebservices.domain.com etc.)
Once the certificate request has completed successfully, click on Next
Click on Finish to generate the CSR
Send the *.req file to your public CA vendor and get the certificate. Once you receive the certificate, import and assign it.
Once the certificate part is done, start the Edge server services
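The same request, import and assign steps can be done from the Skype for Business Server Management Shell instead of the Certificate Wizard. The script below is an added example and is not part of the original post; the C:\Certs folder, the contoso.com and contoso.local names, the organisation details and the file names are assumed values to replace with your own. The “exportable private key” option is kept because the Edge pool members need the same certificate, so it has to be exportable to copy it to the other Edge servers; once copied, treat the .pfx as a secret.

```powershell
# Added example (not the original post's code). Run on the Edge server in the
# Skype for Business Server Management Shell as a local administrator.
# All paths, FQDNs and organisation values below are assumptions.

$certDir = 'C:\Certs'
New-Item -ItemType Directory -Path $certDir -Force | Out-Null

# Subject fields shared by both requests (assumed values)
$subject = @{
    Organization = 'Contoso Ltd'
    OU           = 'IT'
    City         = 'London'
    State        = 'London'
    Country      = 'GB'
}

# --- Edge internal: offline request for the internal CA ---
# -DomainName carries the SAN list: the Edge pool FQDN and every Edge server
# FQDN in the pool, as in the wizard's "add all the Edge servers" step.
Request-CsCertificate -New -Type Internal `
    -FriendlyName 'Edge internal' `
    -Output "$certDir\edge-internal.req" `
    -DomainName 'edgepool.contoso.local,edge01.contoso.local,edge02.contoso.local' `
    -PrivateKeyExportable $true -KeySize 2048 @subject

# Submit edge-internal.req to ADCS as in the post, then download the issued
# certificate (edge-internal.cer) and the chain (certnew.p7b, Base 64).

# --- Trust only the root CA, not the whole chain, in LocalMachine\Root ---
# The .p7b holds every CA in the chain; the root is the self-issued one.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$chain.Import("$certDir\certnew.p7b")
$root = $chain | Where-Object { $_.Subject -eq $_.Issuer }
$store = Get-Item 'Cert:\LocalMachine\Root'
$store.Open('ReadWrite')
$root | ForEach-Object { $store.Add($_) }
$store.Close()

# --- Import the issued certificate and assign it to the Edge internal role ---
# The private key already sits in LocalMachine\My from the request step; the
# import pairs the issued .cer with it.
$internal = Import-CsCertificate -Path "$certDir\edge-internal.cer" -PrivateKeyExportable $true
Set-CsCertificate -Type Internal -Thumbprint $internal.Thumbprint

# --- External Edge: one request covering all three external roles ---
# -AllSipDomain adds sip.<domain> for every configured SIP domain; -DomainName
# adds the extra names (reverse-proxy names, as the post suggests).
Request-CsCertificate -New -Type AccessEdgeExternal,DataEdgeExternal,AudioVideoAuthentication `
    -FriendlyName 'Edge external' `
    -Output "$certDir\edge-external.req" `
    -AllSipDomain `
    -DomainName 'sip.contoso.com,webcon.contoso.com,lyncdiscover.contoso.com,meet.contoso.com' `
    -PrivateKeyExportable $true -KeySize 2048 @subject

# Send edge-external.req to the public CA; when edge-external.cer comes back:
$external = Import-CsCertificate -Path "$certDir\edge-external.cer" -PrivateKeyExportable $true
Set-CsCertificate -Type AccessEdgeExternal,DataEdgeExternal,AudioVideoAuthentication `
    -Thumbprint $external.Thumbprint

# Confirm every Edge role now references a certificate and note the expiry
Get-CsCertificate | Format-Table Use, Subject, NotAfter, Thumbprint -AutoSize
```

Importing only the self-issued certificate from the .p7b matches the post’s advice to install just the root under Trusted Root Certification Authorities; putting the issuing (intermediate) CA in that store too makes it a trust anchor it should not be.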
Open Skype for Business Server Management Shell and run “Start-CsWindowsService”
Enjoy your Edge services :)
Make sure you have public DNS records in place for external users.
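After the services are started, a few checks confirm that the certificates and the public DNS records described above are in place before external users are pointed at the pool. The script below is an added example and is not from the original post; contoso.com as the SIP domain, sip/webcon/av.contoso.com as the external FQDNs and the public resolver address are assumptions.

```powershell
# Added example (not the original post's code): post-deployment checks.
# Run in the Skype for Business Server Management Shell on the Edge server.
# contoso.com names and the resolver address are assumed values.

Start-CsWindowsService

# 1. Every Edge service should be Running
$stopped = Get-CsWindowsService | Where-Object Status -ne 'Running'
if ($stopped) { $stopped | Format-Table Name, Status } else { 'All Edge services running' }

# 2. The external certificate: chains to a trusted root, has its private key,
#    matches the Access Edge FQDN and carries every expected SAN
$accessEdgeFqdn = 'sip.contoso.com'
$expectedSans   = 'sip.contoso.com', 'webcon.contoso.com', 'lyncdiscover.contoso.com'

$ref  = Get-CsCertificate -Type AccessEdgeExternal
$cert = Get-Item "Cert:\LocalMachine\My\$($ref.Thumbprint)"

if (-not $cert.HasPrivateKey) {
    Write-Warning 'External certificate has no private key; import it on the server that generated the request'
}
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $accessEdgeFqdn -ErrorAction SilentlyContinue)) {
    Write-Warning "External certificate does not chain to a trusted root or does not match $accessEdgeFqdn"
}
# The SAN extension (OID 2.5.29.17) formats as "DNS Name=a, DNS Name=b"
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sans   = if ($sanExt) { ($sanExt.Format($false) -split ', ') | ForEach-Object { ($_ -split '=')[1] } } else { @() }
$missing = $expectedSans | Where-Object { $_ -notin $sans }
if ($missing) { Write-Warning "SAN entries missing from the external certificate: $($missing -join ', ')" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "External certificate expires $($cert.NotAfter)" }

# 3. Public DNS: A records for the external FQDNs and the SRV records that
#    external clients and federation partners look up. Querying a public
#    resolver shows what the Internet sees, not the internal zone.
$resolver = '8.8.8.8'   # assumed public resolver
foreach ($name in 'sip.contoso.com', 'webcon.contoso.com', 'av.contoso.com') {
    $a = Resolve-DnsName -Name $name -Type A -Server $resolver -ErrorAction SilentlyContinue
    if (-not $a) { Write-Warning "No public A record for $name" }
}
foreach ($srv in '_sip._tls.contoso.com', '_sipfederationtls._tcp.contoso.com') {
    $r = Resolve-DnsName -Name $srv -Type SRV -Server $resolver -ErrorAction SilentlyContinue
    if (-not $r) { Write-Warning "No public SRV record for $srv" }
    else { $r | Format-Table Name, NameTarget, Port, Priority -AutoSize }
}
```

The SRV check is the one most often skipped: without _sip._tls pointing at the Access Edge FQDN on port 443, external sign-in falls back to guessing sip.<domain>, and _sipfederationtls._tcp is what federated partners use to find your Edge.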
So, besides protecting the Front End service and consuming extra resources, what were the other use cases of the Edge server? When I first deployed my FE server I thought there was going to be only one server because it’s repeated over and over in the documentation; unless you pay really close attention there’s no mention of the Standard, single-server, deployment needing an extra Edge server that apparently doesn’t count as 2 (two).
Naturally I tried forwarding to the “external” ports on the front server and could never figure out why it would connect and text but calls wouldn’t work. I tried the incredibly convoluted process of adding an Edge server, twice, only for neither time to work; it was worse now, at least I could chat before. And it requires not one but three (!) IP addresses.
Our IP PBX does all the things Skype for Business server does, much cheaper, much faster, and DDNS is enough for it to never fail connecting calls. It doesn’t show presence in Exchange though… so, about to try for the third time, I took a different approach and instead just forwarded 443 and 80 to 443 and 80 instead of using the external ports and bam! Audio and video calls are now working flawlessly and we get presence in Exchange web client! About security, firewalls today are extremely robust; I can, instead of blacklisting, geo-whitelist IP addresses and then let IDS & IPS take care of the rest. Pretty much just whitelisting IP ranges for my city and adding automatic dial-on-demand and/or self-healing IKEv2 VPN profiles to roaming mobile clients weeds out the bad guys, and all of this is without deploying any extra resource than what’s already working; so I genuinely want to know, what’s so special about the Edge server?
Our sales rep told us we only have to pay for the Front End server, but between a buttload of components she mentioned she sort of kept jumping past the Edge thingy, and quite frankly this pushing to install it feels just like the thing they do to get you to buy more stuff, Office365-style. For the time being, we’re ecstatic to have solved the external access without all that Edge hassle. 🙂 Your article was really helpful though; between this one, another and Technet’s docs I became convinced that the reason we kept having issues was Microsoft’s software’s uncanny superpower to screw itself up.