© 2010 Microsoft Corporation. All rights reserved. Active Directory, Lync, MSN, and any associated logos are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other trademarks or trade names mentioned herein are the property of their respective owners.
External
Firewall
Internal
Firewall
IM and Presence Workload
C3P/HTTPS:444
SIP
/MT
LS
:50
61
XMPP/TCP:5269
Reverse proxy
Access Edge - SIP/MTLS:5061
Federated Company
Yahoo!
MSN
AOL
Jabber
Gmail
HTTPS:443
SIP/MTLS:5061Access Edge - SIP/TLS:443
SIP/MTLS:5061
Group Chat
Compliance
Server
HTTPS:443
SIP
/TL
S:5
06
1
SR
V q
ue
ry
External user sign-in process:
1. Client resolves DNS SRV record _sip._tls.<sip-domain> to Edge Server.
2. Client connects to Edge Server.
3. Edge Server proxies connection to Director.
4. Director authenticates user and proxies connection to user’s home pool.
HT
TP
S:4
43
SIP
/TL
S:5
06
1
MS
MQ
SIP/MTLS
SIP/MTLS:5041
MS
MQ
Monitoring
Server
Group Chat
Server
Edge Pool
XMPP Gateway
Directors
Archiving
Server
Enterprise
Pool
Address book
& Group Chat
file share.
Central Management Service
A/V and Web Conferencing Workload
Edge Pool
External
firewall
Internal
firewall
HTTPS:443
SIP/MTLS:5061
SIP
/TL
S:5
06
1
Two inbound and two
outbound unidirectional
streams.
TCP:443 must be open
inbound.
TCP:3478 must be
open both inbound and
outbound.
A/V Edge - STUN/TCP:443, UDP:3478
A/V Edge – SRTP:443,3478,[TCP:50,000-59,999]
SR
TP
/UD
P:4
91
52
-65
53
5
PS
OM
/TL
S:8
05
7
HT
TP
S:4
43
HTTPS:443 is
used to
download
conferencing
content.
Traffic goes directly to Web
Conferencing Service
WITHOUT going through the
pool’s hardware load balancer
Traffic goes directly to Audio/
Video Conferencing Service
WITHOUT going through the
pool’s hardware load balancer.
Web Conf Edge - PSOM/TLS:443
Access Edge - SIP/TLS:443
Directors
Monitoring
Server
SIP/MTLS:5061
MSMQ
Protocol Workloads
LEGEND
· Publish SRV for _sipfederationtls._tcp.<sip-domain>, that resolves to Access Edge FQDN, accesssrv.<sip-domain>. · Publish SRV for _sip._tls.<sip-domain>, that resolves to Access Edge FQDN. This is required for federated and anonymous connections
to Web conferences.· Publish SRV for _xmpp-server._tcp.<sip-domain>, that resolves to gateway NIC of the XMPP gateway.· Publish CNAME or A record for lyncdiscoverinternal.<sip-domain> that resolves to IP address of Director, if one is deployed, or pool.· Publish CNAME for lyncdiscover.<sip-domain> that resolves to IP address of reverse proxy. HTTPS connection is proxied to internal
pool’s Web Service.· Publish A record for Meet Simple URL that resolves the URL to IP address of Director, if one is deployed, or pool.· Publish A record for Dial-In Simple URL that resolves the URL to IP address of Director, if one is deployed, or pool.
· Publish A record for Access Edge FQDN, accesssrv.<sip-domain> | sip.<sip-domain>, that resolves to Access Edge public IP address. · Publish A record for A/V Edge FQDN, av.<sip-domain>, that resolves to A/V Edge public IP address. · Publish A record for Conferencing Edge FQDN, conf.<sip-domain>, that resolves to Conferencing Edge public IP address.· Publish A record for internal pool to the reverse proxy FQDN, that resolves to public IP address of reverse proxy
DNS Configuration
External
firewallInternal
firewall
SMB traffic Direction of arrow indicates which
server initiates the connection.
Subsequent traffic is bi-directional.
Directors
(CMS replica)
Standard Edition
Server
(CMS replica)
Enterprise Pool
(CMS master)
Enterprise Pool
(CMS replica)
Mediation Pool
(CMS replica)
HTTPS traffic
SM
B:4
45
HTTPS:4443
Edge Pool
(CMS replica)
Diagram v5.12 Author: Rui Maximo — Editor: Kelly Fuller Blue — Designer: Ken Circeo
Reviewers: Jens Trier Rasmussen, Paul Brombley, Doug Lawty, Stefan Plizga, Jeff Colvin, Kaushal Mehta,
Richard Pasztor, Thomas Binder, Subbu Chandrasekaran, Randy Wintle, Rob L., Stefan Heidl, Fabian Kunz
Central Management Service
http://twitter.com/DrRez
LEARN MORE
External
firewall
Internal
firewall
Enterprise Voice Workload
Connectivity to:
• IP-PSTN
gateway
• IP/PBX
• Direct SIP
• SIP trunk
A/V Edge – ICE: STUN/TCP:443, STUN/UDP:3478
Access Edge - SIP/TLS:443
A/V Edge – SRTP:443,3478,[TCP:50,000-59,999]
SIP
/TL
S:5
06
1
SRTP consists of two
unidirectional streams. RTCP
traffic piggy backs on the SRTP
stream.
Media codec varies per workload:
- RTAudio
- G.711
- Siren
- G.722
TCP:443 must be open inbound.
TCP:3478 must be open both
inbound and outbound.
Mediation Pool
(optional)
SIP/MTLS:5061
ST
UN
/TC
P:4
43
, S
TU
N/U
DP
:34
78
SIP/TCP:5060,5061
Monitoring Server
Exchange
UM Server
Edge Pool
Directors
SIP/MTLS:5062
MRAS
traffic.
SIP/MTLS:5061
SR
TP
/RT
CP
:30
,00
0-3
9,9
99
Enterprise Pool
Branch
Appliance
SIP/MTLS:5062
http://nexthop.info
CERTIFICATE REQUIREMENTS
*Required only for public IM connectivity with AOL IM
Edge Server 1, Edge Server 2Internal FQDN: intsrv.<ad-domain>Certificate SN: intsrv.<ad-domain>Certificate SAN:EKU: serverRoot certificate: private CA
Access FQDN: accesssrv.<sip-domain>Certificate SN: accesssrv.<sip-domain>Certificate SAN: accesssrv.<sip-domain>,
sip.<sip-domain>EKU: server, client*Root certificate: public CA
Conference FQDN: N/ACertificate SN: conf.<sip-domain>Certificate SAN: N/AEKU: serverRoot certificate: public CA
A/V FQDN: av.<sip-domain>Certificate SN: av.<sip-domain>Certificate SAN: N/AEKU: serverRoot certificate: private CA
Edge Servers
Mediation Server
FQDN: medsrv.<ad-domain>Certificate SN: medsrv.<ad-domain>Certificate SAN: N/AEKU: serverRoot certificate: private CA
Directors
Director 1, Director 2FQDN: dir.<ad-domain>Certificate SN: dir.<ad-domain>Certificate SAN: dir.<ad-domain>,
sipinternal.<sip-domain>sip.<sip-domain>meet.<sip-domain>dialin.<sip-domain>
EKU: serverRoot certificate: private CA
Front End Server 1, Front End Server 2FQDN: pool.<ad-domain>Certificate SN: pool.<ad-domain>Certificate SAN: pool.<ad-domain>,
fe.<sip-domain>sip.<sip-domain>meet.<sip-domain>dialin.<sip-domain>
EKU: serverRoot certificate: private CA
Enterprise pool
Application Sharing Workload
HTTPS:443
HTTPS:443
External
firewall
Access Edge - SIP/TLS:443
HTTPS:443
Peer-to-peer
application
sharing session.
RDP/SRTP traffic
HTTPS traffic
SIP traffic Direction of arrow indicates which
server initiates the connection.
Subsequent traffic is bi-directional.
Internal
firewall
A/V Edge – SRTP:443,3478,50,000-59,999
Range of ports
is configurable.
Two inbound and
two outbound
unidirectional
streams.
Monitoring
Server
RDP/SRTP/TCP:1024-65535
SIP
/TL
S:5
06
1
HTTPS:4443
Port number to service traffic assignment:
5065 - Application Sharing Conferencing Service
SIP/MTLS:5061 SIP/MTLS:5061
RD
P/S
RT
P/T
CP
:49
15
2-6
55
35
Internal user sign-in process:
1. Client resolves DNS SRV record _sipinternaltls._tcp.<sip-domain> to Director.
2. Client connects to Director.
3. Director redirects client to user’s home pool.
http://technet.microsoft.com/lync
http://go.microsoft.com/fwlink/?LinkId=204593
Active Directory
Domain Services
HTTPS traffic
SIP traffic: signaling
RTP/SRTP traffic: A/V Conferencing
PSOM traffic: Web Conferencing
SIP traffic: signaling and IM
XMPP traffic
HTTPS traffic
MSMQ traffic
SIP
/TL
S:5
06
1
RTP/SRTP traffic
SIP traffic
Call Admission Control (CAC) traffic
WAN
Connection
Attendant Console
Lync Phone Edition
Lync Group ChatLync Web App
Branch Appliance
FQDN: sba.<ad-domain>Certificate SN: sba.<ad-domain>Certificate SAN: sba.<ad-domain>EKU: serverRoot certificate: private CA
FQDN: xmppsrv.<sip-domain> (1)
Certificate SN: xmppsrv.<sip-domain>Certificate SAN: N/AEKU: serverRoot certificate: private CA
XMPP Gateway
FQDN: xmpp.<sip-domain> (2)
Certificate SN: xmpp.<sip-domain>Certificate SAN: N/AEKU: serverRoot certificate: public CA
(1) This FQDN is for connectivity to internal Edge Servers (2) This FQDN is for connectivity to external XMPP gateways
If client connects on port 80,
it gets redirected to port 443
This port is used to:
- download the Address Book
- connect to the Mobility Service
- connect to the AutoDiscovery ServicePorts to load balanced by HLB:
- 443
- 4443
- 5061
- 135 – only if SIP traffic is load balanced by HLB
MRAS
traffic.
Group Chat Server
FQDN: chatsrv.<ad-domain>Certificate SN: chatsrv.<ad-domain>Certificate SAN: N/AEKU: server, clientRoot certificate: private CA
Exchange UM Server
FQDN: umsrv.<ad-domain>
Certificate SN: umsrv.<ad-domain>
Certificate SAN: N/AEKU: serverRoot certificate: private CA
MRAS
traffic.
Edge Pool
Enterprise
Pool
SIP/MTLS
MSMQ
Directors
If client connects on port 80,
it gets redirected to port 443
TCP port range, 50,000-59,999, only needs
to be open outbound.
TCP/UDP port range, 50,000-59,999, needs
to be open inbound and outbound to the
Internet for federation with partners running
Office Communications Server 2007.
AD DS Sync
LDAP/TCP:389
AD DS
Domain Controller
(DC)
LDAP traffic
Enterprise Pool
LDAP/TCP:3268
C.contoso.com
SRTP/UDP:49152-65535
ICE: STUN/TCP:443, UDP:3478
Peer-to-peer
A/V session.
ICE traffic
ICE traffic
ICE traffic
TU
RN
/TC
P:4
48
Media codec varies
per workload:
- RTAudio
- G.711
SR
TP
/RT
CP
:60
,00
0-6
4,0
00
Media bypass: audio routed
directly to gateway
bypassing Mediation
Server.
TURN/TCP:443, UDP:3478
Codec varies per workload:
- G.722 or Siren for audio
- RTVideo for video
Port number to service traffic
assignment:
5062 – IM Conferencing Service
5086 – Internal Mobility Service
5087 – External Mobility Service
TURN/TCP:448
Port number to service traffic assignment:
5064 - Telephony Conferencing Service
5067 – Mediation Server Service
5071 - Response Group Service
5072 - Conferencing Attendant Service
5073 - Conferencing Announcement Service
SR
TP
/RT
CP
:49
,15
2-5
7,5
00
AD DS
Global Catalog
(GC)A.contoso.com
B.contoso.com
LDAP/TCP:3268
LDAP/TCP:3268
Enterprise Voice
applications
Active Directory Domain Services (AD DS)
TCP port range, 50,000-59,999, only needs
to be open outbound.
TCP/UDP port range, 50,000-59,999, needs
to be open inbound and outbound to the
Internet for federation with partners running
Office Communications Server 2007.
SIP/TLS:5061
Lync client automatically
registers with the pool if
the Branch Appliance
becomes unavailable
SR
TP
/RT
CP
:30
,00
0-3
9,9
99
SRTP, ICE: STUN/TCP:443, UDP:3478
SRTP, ICE: STUN/TCP:443, UDP:3478
SRTP,ICE: STUN/TCP:443, UDP:3478
SRTP,ICE: STUN/TCP:443, UDP:3478
This port is used to connect to Lync Web Services:
- download the Address Book
- provide distribution list expansion
- download meeting content
- connect to the Mobility Service
- connect to the AutoDiscovery Service
Meeting content
+ metadata +
compliance file
share.
SIP/MTLS:5063
SRTP/UDP:57501-65335
A/V Conferencing
Server
If no Edge Server is defined in
the topology, callee checks
the Front End Server’s
Bandwidth Policy Service.
If no Edge Server is defined in
the topology, callee checks
the Front End Server’s
Bandwidth Policy Service.
SIP/MTLS
SIP/TLS:5067
If gateway does not
support TLS, connect to
gateway on SIP/TCP:5068
MSMQ
SIP/TLS:5061
MRAS
traffic.
For federation, SBA
connects directly with
Director. If no Director
is available, federation
traffic goes directly to
Edge Server
HTTPS:4443
HTTPS:4443
Publish rule for port 4443 to
set “forward host header” to
true. This ensures the
original URL is forwarded.
Director redirects Web
traffic to destination
pool’s Web Service.
Reverse proxy
Director redirects Web
traffic to destination
pool’s Web Service.
SIP/MTLS:5062
Director redirects Web
traffic to destination
pool’s Web Service.
PSOM/MTLS:8057
SIP/MTLS:5062
TCP:1433
Back-end
SQL Server
Install on Enterprise Edition
to provide high availability.
SIP/MTLS:5061
Enterprise
Pool
SR
TP
, IC
E:
ST
UN
/TC
P:4
43, U
DP
:34
78
Reverse proxy
HTTPS:4443
SRTP, ICE: STUN/TCP:443, UDP:3478
HTTPS:444
