A Unified Communication Blog
Get Adobe Flash player

I have in the last couple of month’s two customers, who wanted almost as many sip domains as possible in Lync, besides the usual 2-3 sip domains I normally see.


This post is what I found and what I had setup up, at one of the customers.

I found these restrictions:

  • An internal SIP certificate has a limit of 4096 characters.
  • Globalsign (my public cert provider) has a limit of 100 SAN names.

First of all 100 names sub in a public certificate – that will cost a million $ K

So I started by creating a support case at Microsoft, to see if I could get some info on how Microsoft is doing in Office 365 (they do it differently, so they don’t need expensive certificates)– That wasn’t a success – they would not tell me anything.


Back to the expensive certificates – I got a god price from Globalsign for a three year certificate with 100 san names for “only” 20.000$ and that’s only for the Edge server certificate – I also need one for the Reverse Proxy, so that is 20.000$ more for the reverse proxy.


My primary concern (if we don’t look at the cost of the certificates) is the Edge server which must have a certificate which has all the sip domains.

The Edge certificate should have these names:

The Common Name, like sip.exchangepro.dk

The Webconf: webconf.exchangepro.dk

For each sip domain you will at least need a sip.contoso.com SAN

So this gives you the possibility to have 99 Sip domains in the edge certificate.

If you want to federated with Xmpp partners like Google, then you must also add the domain name eg. Contoso.com to the SAN list, so that each domain will require 2 SAN names

With that you end up with 49 Sip domains.


It’s the same for the reverse proxy server, it usually consist of these names:

The Common Name, like csweb.exchangepro.dk

The dialin URL, like dialin.exchangepro.dk

The meeting FQDN, like meet.exchangepro.dk (normally one per domain)

The Lyncdiscover (one per domain)

I will later show how to optimize this certificate so you still can have either 99 or 49 sip domains, also for the reverse proxy certificate.


The next thing was the internal certificate for the frontend server – You can have as many SAN names as you want, but the certificate is limited to 4096 characters.

So how many names is that ? The answer is: It depends on the length of the names.


A normal frontend certificate consist of these names for an enterprise pool:

Common Name: Pool name, like FEPOOL.exchangepro.local

The frontend servers: FE01.exchangepro.local (I normally have all my frontend servers in the same certificate), so add all the frontend servers.

Internal Web Url (like cswebint.exchangepro.local)

Dialin URL like dialin.exchangepro.dk

Lyncdiscover.SIPDOMAIN.dk (per domain)

Lyncdiscoverinternal.SIPDOMAIN.dk (per domain)

Meet URL like meet.SIPDOMAIN.dk (per domain)

SIP record, like sip.SIODOMAIN.dk (per domain)


That is many names per domain, and all of them might extend the 4096 characters limit, so let’s see how we can optimize this:


First the meeting URL. When you add a sip domain the default meeting url is meet.SIPDOMAIN

Example from Topology Builder


With 4 domains the default look like this:

Example from Topology Builder


Instead of having, a separate meeting name for each domain simple select the meeting url and click Edit URL, and use a common name (like meet.exchangepro.dk) and then append the domain after.

Example from Topology Builder

Also notice that I do the same for the Dialin URL.

So now I only use one SAN Name for the meeting URL and dialin url.


Next let’s jump a little bit, when you assign a certificate to a frontend server (or director server) you have the option to assign different certificates for the Server, Internal or External web sites (normally you just select Default certificate, which create one certificates which covers all three)

Example from Lync Deployment Wizard


This means that we can split all our names into three internal certificates:

Server Default:

Should contain these names:

Frontend Pool Name

Frontend Server name(s)





Web service internal:

Should contain these names:

Internal Web url name like cswebint.exchangepro.local (if specified otherwise the frontend pool name)

Meeting FQDN





Web service external:

Should contain these names:

External Web URL name like csweb.exchangepro.dk

Meeting FQDN




Note: The names in this certificate is the same name you will have in the reverse proxy certificate – so you can have up to 99 sip domains, or if you are going to use Xmpp you will only have 50 names in this certificate.


When you request the certificates simply select one at a time a then request it

Example from Lync Deployment Wizard


So the result end up with three certificates

Example from Lync Deployment Wizard


But even though we can split the all the names in three certificates, you might hit the 4096 character limit if the domain names are very long. I will recommend that you put all the doamins in a excel sheet for each of the certificates, and for each name add 2. Then you can make a calculation if you will hit the 4096 character limit.

Example from Excel


So this is how to do it.



If you have the need to add a lot a sip domains to Lync, you will see three problems – a money issue, a limit in the names you can have in the public certificates and the length the certificates can have.

But with some optimization we can most likely overcome the last problem by splitting the certificates in three different certificates and assign these to the frontend servers.

I normally use Globalsign certificates for my edge and reverse proxy. Globalsign has a limit of 100 SAN name in the certificates, and you will need two – so that is 30.000$-50.000$ for three year certificates if you can get a good custom price.

With these limits you should be able to have 99 sip domains or 49 sip domains in you plan to federated with Google.



2 Responses to How to handle many SIP Domains

  • There are some other good Cert Providers out there where you could find certs with a 100 SAN name for about $ 2k a year.

  • I don’t think that you need to spend so much money on the certificate

    what I mean is you did not need to upgrade the Certificate

    just set the new domain DNS record from A record to CNAME record, just like what office 365 did

    Then when you login the Lync 2013 client , you will see a certificate warning, click yes and you can sign in.

    But need to restart your edge access service after you adding a new sip domain.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>


Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 77 other subscribers

Follow me on Twitter