Jun 20 2017 10:07 AM
Hi,
We are currently deploying Skype for Business mobile apps for internal use.
Before that, the use of mobile apps was mostly external. No problem...
But it appears that by using the applications internally, users receive many warnings related to the fact that, internally, certificates are signed by the Active Directory Certification Authority.
In a BYOD scenario, we can deploy our root CA to the device, not a problem, but for some population, mobiles are only used as a "mobile Lync Phone", and when you deploy a root CA to Android phones, you are required to set an unlock code. This is not compatible with the intended use.
Is there a way to prevent this? After a lot of reading I have found a discussion saying that you have to redirect ALL https connections like meet.domain.com, including desk phones, Windows clients, etc., to the reverse proxy; that way it's our public certificates that are presented to mobiles.
This seems to me completely absurd and at least not optimized.
So what is the good practice for Mobile Apps used internally with internal certs from ADCS?
Thanks
Jun 21 2017 11:46 PM
So I just did the test.
From my mobile, on corporate wifi, if I go with the browser to https://pools4bpriws.domain.com/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=domain.com, I get an error 401 unauthorized, with the public cert from GlobalSign...
Jun 22 2017 11:12 PM
Sounds perfect. What happens when you try to log in to the client from the mobile device?
Jun 23 2017 12:14 AM
certificate warning :(
prompt for an internal cert
Jun 23 2017 12:38 AM
But it's "normal": if it tries to connect to https://lyncdiscoverinternal.domain.com, it will get a certificate warning.
What I don't understand is why it is trying to connect to this internal URL if the mobile phone uses the external connection first...
When I look at the log, the first connections are going to lyncdiscover.domain.com... But why, after that, does it try lyncdiscoverinternal.domain.com?
Jun 23 2017 12:46 AM
It seems that we first receive an answer for lyncdiscoverinternal.domain.com
06-23 07:31:55.391 9235 INFO APPLICATION CUcwaAutoDiscoveryGetUserUrlOperation.cpp:412 CUcwaAutoDiscoverGetUserUrlOperation::onEvent received. Status = S_OK (S0-0-0), url = http://lyncdiscoverinternal.domain.com/
then, after that, from lyncdiscover.domain.com
06-23 07:31:55.525 9235 INFO APPLICATION CUcwaAutoDiscoveryGetUserUrlOperation.cpp:412 CUcwaAutoDiscoverGetUserUrlOperation::onEvent received. Status = S_OK (S0-0-0), url = http://lyncdiscover.domain.com/
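As an added example that is not part of this thread: a small Python parser for the client trace lines quoted above. It orders the autodiscover answers by timestamp and reports which hostname answered first, flagging the lyncdiscoverinternal record that the thread identifies as the one fronted by the internal AD CS certificate. The two sample lines are the ones from the post; domain.com is the poster's placeholder, not a real host.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Sample input: the two trace lines quoted in the post (domain.com is the poster's placeholder).
SAMPLE_LOG = """\
06-23 07:31:55.391 9235 INFO APPLICATION CUcwaAutoDiscoveryGetUserUrlOperation.cpp:412 CUcwaAutoDiscoverGetUserUrlOperation::onEvent received. Status = S_OK (S0-0-0), url = http://lyncdiscoverinternal.domain.com/
06-23 07:31:55.525 9235 INFO APPLICATION CUcwaAutoDiscoveryGetUserUrlOperation.cpp:412 CUcwaAutoDiscoverGetUserUrlOperation::onEvent received. Status = S_OK (S0-0-0), url = http://lyncdiscover.domain.com/
"""

# Timestamp, status code and the URL that the autodiscover lookup returned.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) .*?onEvent received\. "
    r"Status = (?P<status>\S+) .*?url = (?P<url>\S+)"
)

@dataclass
class AutodiscoverEvent:
    ts: str      # "MM-DD HH:MM:SS.mmm", zero-padded, so string order is time order
    status: str  # e.g. "S_OK"
    url: str

    @property
    def host(self) -> str:
        return urlparse(self.url).hostname or ""

    @property
    def is_internal(self) -> bool:
        # lyncdiscoverinternal.<domain> only resolves on the corporate network and,
        # per the thread, is fronted by the AD CS-signed (internal) certificate.
        return self.host.startswith("lyncdiscoverinternal.")

def parse_events(log: str) -> list:
    """Extract the autodiscover onEvent lines and return them in chronological order."""
    events = [AutodiscoverEvent(m["ts"], m["status"], m["url"])
              for m in map(LINE_RE.match, log.splitlines()) if m]
    return sorted(events, key=lambda e: e.ts)

def first_successful_host(events: list) -> Optional[str]:
    """Hostname of the first S_OK autodiscover answer in the trace, or None."""
    return next((e.host for e in events if e.status == "S_OK"), None)

if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for e in evts:
        print(e.ts, e.status, e.host, "internal" if e.is_internal else "external")
    print("first answer:", first_successful_host(evts))
```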
Jun 27 2017 09:18 AM - edited Jun 27 2017 02:52 PM
Is it possible to purchase public certs for the internal SfB Infrastructure?
This is really the best route to take and will eliminate a lot of headaches if you want to provide the full feature-set for BYOD SfB Mobile clients that are on your internal network.
Jul 01 2017 06:30 PM
Yes, it's possible and I have done that. And some organizations prefer to use public certs for all secure communication over internal certs.
I have configured and deployed public SSL certificates for Frontend, OAuth, RP, and Edge for a few customers and it works perfectly.
Jul 01 2017 06:30 PM
Please let me know if you wanna know how it should be done.
Jul 19 2017 10:25 AM
Hi,
sorry I was out of office.
For sure it's possible to replace all certs with public certs... But it's not without cost...