Saturday 22 March 2014

Lync Lab in ESXi

Recently I set up an on-premises Lync Server lab in ESXi. Some things learned from the experiment:

  • Before installation, carefully read the Microsoft Lync Server 2013 Protocol Workloads poster. Apart from the network diagram, make sure you fully understand the DNS configuration and certificate requirements it lists.
  • The SIP domain can be different from the AD domain. In my lab, AD domain = nanoart.local, but SIP domain = nanoart.co.uk.
  • The certificate on the Lync Edge server's external NIC must carry a CRL Distribution Points extension. If you use the OpenSSL shell script from my previous post, enable this line in its configuration:
    crlDistributionPoints = URI:https://$CN/crlempty.crl

You need a physical machine as the ESXi host, with five VMs on it: 1: domain controller; 2: Lync Server 2013 Standard Edition; 3: Lync Server 2013 Edge Server; 4: TMG 2010; 5: DNS server.

Apart from those, you also need a desktop test machine, a wireless AP and a mobile phone.

Here is my lab's network diagram. [diagram image not reproduced in this text]

This is the external DNS configuration. [screenshot not reproduced in this text]

Read more at ....

Cisco ACS 5.4 in ESXi

There are some tutorials on the Internet which teach you how to apply cracked licenses to ACS 5.2. I found they are still valid for ACS 5.4. The procedure is much the same, except that you need to remove the GRUB password protection in ACS 5.4.

Read more at the link.

Wednesday 12 March 2014

OpenSSL to generate certificate in single shell script

Are you looking for a Linux shell script that can generate a certificate? Ideally you give it only one parameter, which for a web site certificate is its FQDN. You don't care about the other fields, and you are fed up with the interactive prompts asking you to enter Country, Organization and so on. In that case, here it is.

I use certificates quite a lot. Recently I was asked to set up Microsoft Lync server(s). The certificates on the Lync reverse proxy and the Lync Edge server must have SANs (subject alternative names). That drove me to write this shell script.

You are encouraged to change the configuration section of the shell script, for instance the key length (2048 bits by default), the PFX password ("changeit") and how long the generated certificate is valid (10 years). Those defaults suit a lab; for anything else, shorten the validity and choose a real PFX password.

You can run this script without any parameter to see its usage:

# ./certgen.sh
Usage:
  certgen ca
  certgen client
  certgen server []


First of all, you need to create the CA certificate. Just run "certgen ca"; it will create two files, cacert.crt and cakey.pem. Back up these two files, as you will use this CA to sign the server/client certificates afterwards. cakey.pem is the CA private key: keep it readable only by you and do not copy it to the Lync servers, which only need cacert.crt to trust the chain.

Now you can generate a server certificate, for instance by running the following command:

./certgen.sh server fruit.myorchard.local DNS:apple.myorchard.local,DNS:cherry.myorchard.local

You should see output like this:

Generating ca_config.cnf
generating server cert for:fruit.myorchard.local
Generating a 2048 bit RSA private key
.........................................................+++
.....................................................................................................................................................................................................................+++
writing new private key to 'fruit.myorchard.local.key'
-----
Using configuration from ca_config.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4 (0x4)
        Validity
            Not Before: Mar 12 11:44:40 2014 GMT
            Not After : Mar  9 11:44:40 2024 GMT
        Subject:
            countryName               = GB
            stateOrProvinceName       = BUCKS
            localityName              = LONDON
            organizationName          = YOURCOMPANY.COM
            organizationalUnitName    = R&D
            commonName                = fruit.myorchard.local
            emailAddress              = support@yourcompany.com
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Subject Alternative Name:
                DNS:fruit.myorchard.local, DNS:apple.myorchard.local, DNS:cherry.myorchard.local
Certificate is to be certified until Mar  9 11:44:40 2024 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
Generated files: key: fruit.myorchard.local.key , cert: fruit.myorchard.local.crt

If you see "failed to update database TXT_DB error number 2", it is very likely that you have already generated a certificate with the same FQDN: the OpenSSL CA database (index.txt) refuses a second valid certificate with the same subject by default. Edit index.txt to remove the related entry, or set unique_subject = no in the CA configuration if you want to re-issue freely.
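As an added example (not the author's certgen.sh, which is only linked from this post), here is a small POSIX shell script that does the same job for the CA and server cases. It also covers the point from the Lync lab post above: setting CRL_URI adds the CRL Distribution Points extension that the Lync Edge external certificate needs. Signing is done with `openssl x509 -req` rather than `openssl ca`, so there is no index.txt and re-issuing the same FQDN cannot hit the TXT_DB error. It assumes `openssl` 1.1.1 or 3.x is on PATH; the DN values copy the sample output above, and the host names in the demo and comments are assumptions for illustration.

```shell
#!/bin/sh
# certgen-lite: non-interactive CA and SAN server certificates with OpenSSL.
# Added example for this post, not the author's certgen.sh. Assumes `openssl`
# (1.1.1 or 3.x) on PATH; the DN values below mirror the sample output above.
set -eu

KEY_BITS=2048          # RSA key length
DAYS=3650              # validity, 10 years (lab setting)
PFX_PASS=changeit      # password for the exported .pfx (lab setting)
DN="/C=GB/ST=BUCKS/L=LONDON/O=YOURCOMPANY.COM/OU=R&D"
# Set to a URL (e.g. https://<fqdn>/crlempty.crl) to add a CRL Distribution
# Point, which the Lync Edge external certificate requires. Empty = omitted.
CRL_URI="${CRL_URI:-}"

# certgen_ca DIR: self-signed root CA -> DIR/cakey.pem, DIR/cacert.crt
certgen_ca() {
    dir=$1
    mkdir -p "$dir"
    cat >"$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey "rsa:$KEY_BITS" -nodes -sha256 -days "$DAYS" \
        -config "$dir/ca.cnf" -subj "$DN/CN=Lab Root CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.crt" 2>>"$dir/openssl.log"
}

# certgen_server DIR FQDN [DNS:alt1,DNS:alt2,...]: key, CSR, CA-signed cert, pfx
certgen_server() {
    dir=$1; fqdn=$2; extra=${3:-}
    san="DNS:$fqdn"                       # the FQDN itself is always a SAN
    if [ -n "$extra" ]; then san="$san,$extra"; fi
    cdp=""
    if [ -n "$CRL_URI" ]; then cdp="crlDistributionPoints = URI:$CRL_URI"; fi
    # One file serves as req config (no prompts) and as the signing extfile.
    cat >"$dir/$fqdn.ext" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $fqdn
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $san
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
$cdp
EOF
    openssl req -new -newkey "rsa:$KEY_BITS" -nodes -sha256 \
        -config "$dir/$fqdn.ext" -subj "$DN/CN=$fqdn" \
        -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.csr" 2>>"$dir/openssl.log"
    # Sign with `openssl x509 -req` rather than `openssl ca`: no index.txt, so
    # re-issuing the same FQDN cannot fail with "TXT_DB error number 2".
    openssl x509 -req -in "$dir/$fqdn.csr" -sha256 -days "$DAYS" \
        -CA "$dir/cacert.crt" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/$fqdn.ext" -extensions v3_server \
        -out "$dir/$fqdn.crt" 2>>"$dir/openssl.log"
    openssl pkcs12 -export -name "$fqdn" -in "$dir/$fqdn.crt" -inkey "$dir/$fqdn.key" \
        -certfile "$dir/cacert.crt" -passout "pass:$PFX_PASS" \
        -out "$dir/$fqdn.pfx" 2>>"$dir/openssl.log"
}

# certgen_check DIR FQDN NAME: 0 iff the cert chains to the CA and NAME is in its SAN
certgen_check() {
    dir=$1; fqdn=$2; name=$3
    openssl verify -CAfile "$dir/cacert.crt" "$dir/$fqdn.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/$fqdn.crt" -noout -text | grep -q "DNS:$name"
}

# certgen_has_cdp DIR FQDN URI: 0 iff the cert carries URI as a CRL Distribution Point
certgen_has_cdp() {
    openssl x509 -in "$1/$2.crt" -noout -text | grep -q "URI:$3"
}

# CLI: `ca` or `server FQDN [SANs]` in the current directory; no args runs a demo.
case "${1:-demo}" in
    ca)     certgen_ca . ;;
    server) [ $# -ge 2 ] || { echo "usage: $0 server FQDN [DNS:a,DNS:b]" >&2; exit 1; }
            certgen_server . "$2" "${3:-}" ;;
    demo)   d=$(mktemp -d)
            certgen_ca "$d"
            certgen_server "$d" fruit.myorchard.local \
                "DNS:apple.myorchard.local,DNS:cherry.myorchard.local"
            if certgen_check "$d" fruit.myorchard.local cherry.myorchard.local; then
                echo "demo OK, files in $d"
            else
                echo "demo FAILED, see $d/openssl.log" >&2
            fi ;;
    *)      echo "usage: $0 {ca|server FQDN [DNS:a,DNS:b]}" >&2; exit 1 ;;
esac
```

Run `sh certgen-lite.sh ca` once, then `sh certgen-lite.sh server fruit.myorchard.local DNS:apple.myorchard.local,DNS:cherry.myorchard.local`; export `CRL_URI=https://fruit.myorchard.local/crlempty.crl` first if the certificate is for the Edge server's external interface. Always inspect the result with `openssl x509 -in fruit.myorchard.local.crt -noout -text` before importing it: the SAN list and, where required, the CRL Distribution Points block should be there. One caveat for the .pfx on Windows: OpenSSL 3 encrypts PKCS#12 files with AES-256 and PBKDF2 by default, which some older Windows releases cannot import; if the import fails, re-export with `openssl pkcs12 -export -legacy ...`.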

See more at this link.

Reference


Generating Self-Signed Test Certificates Using One Single Shell Script