IM and Presence Workload

SIP traffic: signaling and IM XMPP traffic HTTPS traffic MSMQ traffic This port is used to connect to Lync Web Services: - download the Address Book - provide distribution list expansion - download meeting content - connect to the Mobility Service - connect to the AutoDiscovery Service

Internal user sign-in process: 1. Client resolves DNS SRV record _sipinternaltls._tcp.<sip-domain> to Director. 2. Client connects to Director. 3. Director redirects client to users home pool.

A/V and Web Conferencing Workload

SIP traffic: signaling HTTPS:443 HTTPS traffic RTP/SRTP traffic: A/V Conferencing SRV query PSOM traffic: Web Conferencing ICE traffic Codec varies per workload: - G.722 or Siren for audio - RTVideo for video SRTP/UDP:49152-65535 Traffic goes directly to Audio/ Web Video Conferencing Service Conferencing Service WITHOUT going through the pools hardware load balancer. balancer ICE: STUN/TCP:443, UDP:3478 SRTP/UDP:49152-65535 Peer-to-peer A/V session.

SIP/TLS:5061

SIP/TLS:5061

LEARN MORE
http://technet.microsoft.com/lync

HTTPS:443

HTTPS:4443

Ports to load balanced by HLB: - 443 - 4443 - 5061 - 135 only if SIP traffic is load balanced by HLB Enterprise Pool

Directors

HTTPS:443 is used to download conferencing content.

HTTPS:443

SIP/TLS:5061

If client connects on port 80, it gets redirected to port 443

SRTP, ICE: STUN/TCP:443, UDP:3478

PSOM/TLS:8057

External user sign-in process: 1. Client resolves DNS SRV record _sip._tls.<sip-domain> to Edge Server. 2. Client connects to Edge Server. 3. Edge Server proxies connection to Director. 4. Director authenticates user and proxies connection to users home pool.

Publish rule for port 4443 to set forward host header to true. This ensures the original URL is forwarded.

HTTPS:443

Protocol Workloads
http://twitter.com/DrRez http://go.microsoft.com/fwlink/?LinkId=204593
http://nexthop.info

This port is used to: - download the Address Book - connect to the Mobility Service - connect to the AutoDiscovery Service

Active Directory Domain Services

Reverse proxy Director redirects Web traffic to destination pools Web Service.

Directors HTTPS:4443

Meeting content + metadata + compliance file share. Address book & Group Chat file share. Enterprise Pool

Access Edge - SIP/TLS:443 Web Conf Edge - PSOM/TLS:443

SIP/MTLS:5061

SIP/MTLS:5061 PSOM/MTLS:8057

Yahoo! MSN Federated Company

Diagram v5.12 Author: Rui Maximo Editor: Kelly Fuller Blue Designer: Ken Circeo Reviewers: Jens Trier Rasmussen, Paul Brombley, Doug Lawty, Stefan Plizga, Jeff Colvin, Kaushal Mehta, Richard Pasztor, Thomas Binder, Subbu Chandrasekaran, Randy Wintle, Rob L., Stefan Heidl, Fabian Kunz

AOL

Access Edge - SIP/TLS:443 Access Edge - SIP/MTLS:5061 Edge Pool SIP/MTLS:5061

SIP/MTLS:5061

SIP/MTLS:5061 SIP/MTLS

A/V Edge - STUN/TCP:443, UDP:3478 A/V Edge SRTP:443,3478,[TCP:50,000-59,999] Edge Pool

SRTP, ICE: STUN/TCP:443, UDP:3478 SIP/MTLS:5062

SRTP/UDP:57501-65335 SIP/MTLS:5063

C3P/HTTPS:444

MSMQ

AD DS Sync
LDAP/TCP:3268 A.contoso.com LDAP/TCP:3268

Active Directory Domain Services (AD DS)

LDAP traffic

Monitoring Server Group Chat Server MSMQ SIP/MTLS:5041

Two inbound and two outbound unidirectional streams. TCP:443 must be open inbound.

TCP port range, 50,000-59,999, only needs to be open outbound. TCP/UDP port range, 50,000-59,999, needs to be open inbound and outbound to the Internet for federation with partners running Office Communications Server 2007.

MRAS traffic. Director redirects Web traffic to destination pools Web Service. HTTPS:4443

Gmail
AD DS Domain Controller (DC) AD DS Global Catalog (GC)

HTTPS:443 Archiving Server TCP:3478 must be open both inbound and outbound.

Jabber

XMPP/TCP:5269

A/V Conferencing Server MSMQ

XMPP Gateway

LDAP/TCP:389 LDAP/TCP:3268

B.contoso.com

Enterprise Pool C.contoso.com

External Firewall

Internal Firewall

Group Chat Compliance Server

Port number to service traffic assignment: 5062 IM Conferencing Service 5086 Internal Mobility Service 5087 External Mobility Service

Reverse proxy

Monitoring Server External firewall Internal firewall

Central Management Service Central Management Service

SMB traffic HTTPS traffic Direction of arrow indicates which server initiates the connection. Subsequent traffic is bi-directional. Install on Enterprise Edition to provide high availability. Enterprise Pool (CMS master)

Application Sharing Workload

SIP traffic RDP/SRTP traffic HTTPS traffic HTTPS:443 ICE traffic SRTP,ICE: STUN/TCP:443, UDP:3478 Directors Direction of arrow indicates which server initiates the connection. Subsequent traffic is bi-directional.

RDP/SRTP/TCP:1024-65535

Peer-to-peer application sharing session.

Enterprise Voice Workload

SIP traffic RTP/SRTP traffic Call Admission Control (CAC) traffic ICE traffic Media bypass: audio routed directly to gateway bypassing Mediation Server. TURN/TCP:443, UDP:3478 SRTP/RTCP:30,000-39,999

If no Edge Server is defined in the topology, callee checks the Front End Servers Bandwidth Policy Service.

If no Edge Server is defined in the topology, callee checks the Front End Servers Bandwidth Policy Service.

RDP/SRTP/TCP:49152-65535

SRTP/RTCP:60,000-64,000

TURN/TCP:448

SIP/TLS:5061

HTTPS:4443

TCP:1433 Back-end SQL Server

Directors

SIP/TLS:5061

For federation, SBA connects directly with Director. If no Director is available, federation traffic goes directly to Edge Server

WAN Connection

TURN/TCP:448 SIP/TLS:5061 Enterprise Pool SIP/MTLS:5061 HTTPS:444 SIP/MTLS:5062

Edge Pool (CMS replica)

MRAS traffic.

Enterprise Pool SIP/MTLS:5061 Access Edge - SIP/TLS:443 SIP/MTLS:5062 A/V Edge SRTP:443,3478,50,000-59,999 Enterprise Pool (CMS replica) Two inbound and two outbound unidirectional streams. Mediation Pool (CMS replica) Standard Edition Server (CMS replica) If client connects on port 80, it gets redirected to port 443 Range of ports is configurable. Edge Pool A/V Edge ICE: STUN/TCP:443, STUN/UDP:3478 SRTP,ICE: STUN/TCP:443, UDP:3478 SIP/MTLS A/V Edge SRTP:443,3478,[TCP:50,000-59,999] SMB:445 SIP/MTLS:5061 Access Edge - SIP/TLS:443

MRAS traffic. SIP/MTLS:5061 SIP/MTLS:5061 SIP/MTLS:5062 SRTP, ICE: STUN/TCP:443, UDP:3478 Edge Pool SRTP consists of two unidirectional streams. RTCP traffic piggy backs on the SRTP stream. Media codec varies per workload: - RTAudio - G.711 - Siren - G.722 TCP:443 must be open inbound. TCP:3478 must be open both inbound and outbound. External firewall Internal firewall TCP port range, 50,000-59,999, only needs to be open outbound. TCP/UDP port range, 50,000-59,999, needs to be open inbound and outbound to the Internet for federation with partners running Office Communications Server 2007.

SIP/TLS:5061

SRTP/RTCP:49,152-57,500

Director redirects Web traffic to destination pools Web Service. HTTPS:4443 HTTPS:443 MSMQ Reverse proxy Monitoring Server Port number to service traffic assignment: 5065 - Application Sharing Conferencing Service

SIP/MTLS

MRAS traffic. Lync client automatically registers with the pool if the Branch Appliance becomes unavailable

HTTPS:443

MSMQ Monitoring Server

Exchange UM Server Connectivity to: IP-PSTN gateway IP/PBX Direct SIP SIP trunk

Enterprise Voice applications

External firewall

SIP/TLS:5067 SIP/TCP:5060,5061 Mediation Pool (optional) If gateway does not support TLS, connect to gateway on SIP/TCP:5068

Internal firewall Directors (CMS replica) External firewall Internal firewall

Port number to service traffic assignment: 5064 - Telephony Conferencing Service 5067 Mediation Server Service 5071 - Response Group Service 5072 - Conferencing Attendant Service 5073 - Conferencing Announcement Service

LEGEND
Lync Lync Phone Edition Attendant Console Group Chat Lync Web App

CERTIFICATE REQUIREMENTS
Front End Server 1, Front End Server 2 FQDN: pool.<ad-domain> Certificate SN: pool.<ad-domain> Certificate SAN: pool.<ad-domain>, fe.<sip-domain> sip.<sip-domain> meet.<sip-domain> dialin.<sip-domain> EKU: server Root certificate: private CA Director 1, Director 2 FQDN: dir.<ad-domain> Certificate SN: dir.<ad-domain> Certificate SAN: dir.<ad-domain>, sipinternal.<sip-domain> sip.<sip-domain> meet.<sip-domain> dialin.<sip-domain> EKU: server Root certificate: private CA FQDN: Certificate SN: Certificate SAN: EKU: Root certificate: Group Chat Server chatsrv.<ad-domain> chatsrv.<ad-domain> N/A server, client private CA FQDN: Certificate SN: Certificate SAN: EKU: Root certificate: Branch Appliance sba.<ad-domain> sba.<ad-domain> sba.<ad-domain> server private CA FQDN:

Certificate SN: Certificate SAN:

EKU: Root certificate: Exchange UM Server

DNS Configuration
Publish SRV for _sipfederationtls._tcp.<sip-domain>, that resolves to Access Edge FQDN, accesssrv.<sip-domain>. Publish SRV for _sip._tls.<sip-domain>, that resolves to Access Edge FQDN. This is required for federated and anonymous connections to Web conferences. Publish SRV for _xmpp-server._tcp.<sip-domain>, that resolves to gateway NIC of the XMPP gateway. Publish CNAME or A record for lyncdiscoverinternal.<sip-domain> that resolves to IP address of Director, if one is deployed, or pool. Publish CNAME for lyncdiscover.<sip-domain> that resolves to IP address of reverse proxy. HTTPS connection is proxied to internal pools Web Service. Publish A record for Meet Simple URL that resolves the URL to IP address of Director, if one is deployed, or pool. Publish A record for Dial-In Simple URL that resolves the URL to IP address of Director, if one is deployed, or pool. Publish A record for Access Edge FQDN, accesssrv.<sip-domain> | sip.<sip-domain>, that resolves to Access Edge public IP address. Publish A record for A/V Edge FQDN, av.<sip-domain>, that resolves to A/V Edge public IP address. Publish A record for Conferencing Edge FQDN, conf.<sip-domain>, that resolves to Conferencing Edge public IP address. Publish A record for internal pool to the reverse proxy FQDN, that resolves to public IP address of reverse proxy

umsrv.<ad-domain> umsrv.<ad-domain> N/A server private CA

Enterprise pool

Directors

Edge Server 1, Edge Server 2 Internal FQDN: intsrv.<ad-domain> Certificate SN: intsrv.<ad-domain> Certificate SAN: EKU: server Root certificate: private CA Edge Servers Access FQDN: Certificate SN: Certificate SAN: EKU: Root certificate: accesssrv.<sip-domain> accesssrv.<sip-domain> accesssrv.<sip-domain>, sip.<sip-domain> server, client* public CA

Conference FQDN: Certificate SN: Certificate SAN: EKU: Root certificate: A/V FQDN: Certificate SN: Certificate SAN: EKU: Root certificate:

N/A conf.<sip-domain> N/A server public CA av.<sip-domain> av.<sip-domain> N/A server private CA

FQDN: Certificate SN: Certificate SAN: EKU: Root certificate: Mediation Server

medsrv.<ad-domain> medsrv.<ad-domain> N/A server private CA XMPP Gateway

FQDN: Certificate SN: Certificate SAN: EKU: Root certificate:

(1)

xmppsrv.<sip-domain> (1) xmppsrv.<sip-domain> N/A server private CA

FQDN: Certificate SN: Certificate SAN: EKU: Root certificate:

(2)

xmpp.<sip-domain> (2) xmpp.<sip-domain> N/A server public CA

This FQDN is for connectivity to internal Edge Servers

This FQDN is for connectivity to external XMPP gateways

*Required only for public IM connectivity with AOL IM

2010 Microsoft Corporation. All rights reserved. Active Directory, Lync, MSN, and any associated logos are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other trademarks or trade names mentioned herein are the property of their respective owners.

SRTP/RTCP:30,000-39,999 Branch Appliance

SIP/TLS:5061

Media codec varies per workload: - RTAudio - G.711

STUN/TCP:443, STUN/UDP:3478 SRTP, ICE: STUN/TCP:443, UDP:3478