SIP traffic: signaling and IM
XMPP traffic
HTTPS traffic
MSMQ traffic
This port is used to connect to Lync Web Services:
- download the Address Book
- provide distribution list expansion
- download meeting content
- connect to the Mobility Service
- connect to the AutoDiscovery Service
Internal user sign-in process:
1. Client resolves DNS SRV record _sipinternaltls._tcp.<sip-domain> to Director.
2. Client connects to Director.
3. Director redirects client to user's home pool.
SIP/TLS:5061
SIP/TLS:5061
LEARN MORE
http://technet.microsoft.com/lync
HTTPS:443
HTTPS:4443
Ports to be load balanced by HLB:
- 443
- 4443
- 5061
- 135, only if SIP traffic is load balanced by HLB
Enterprise Pool
Directors
HTTPS:443
SIP/TLS:5061
PSOM/TLS:8057
External user sign-in process:
1. Client resolves DNS SRV record _sip._tls.<sip-domain> to Edge Server.
2. Client connects to Edge Server.
3. Edge Server proxies connection to Director.
4. Director authenticates user and proxies connection to user's home pool.
Publish a rule for port 4443 that sets forward host header to true. This ensures the original URL is forwarded.
HTTPS:443
Protocol Workloads
http://twitter.com/DrRez http://go.microsoft.com/fwlink/?LinkId=204593
http://nexthop.info
This port is used to:
- download the Address Book
- connect to the Mobility Service
- connect to the AutoDiscovery Service
Reverse proxy
Director redirects Web traffic to destination pool's Web Service.
Directors HTTPS:4443
Meeting content + metadata + compliance file share. Address book & Group Chat file share. Enterprise Pool
SIP/MTLS:5061
SIP/MTLS:5061 PSOM/MTLS:8057
Diagram v5.12 Author: Rui Maximo Editor: Kelly Fuller Blue Designer: Ken Circeo Reviewers: Jens Trier Rasmussen, Paul Brombley, Doug Lawty, Stefan Plizga, Jeff Colvin, Kaushal Mehta, Richard Pasztor, Thomas Binder, Subbu Chandrasekaran, Randy Wintle, Rob L., Stefan Heidl, Fabian Kunz
AOL
SIP/MTLS:5061
SIP/MTLS:5061 SIP/MTLS
SRTP/UDP:57501-65335 SIP/MTLS:5063
C3P/HTTPS:444
MSMQ
AD DS Sync
LDAP/TCP:3268 A.contoso.com LDAP/TCP:3268
Two inbound and two outbound unidirectional streams. TCP:443 must be open inbound.
TCP port range, 50,000-59,999, only needs to be open outbound. TCP/UDP port range, 50,000-59,999, needs to be open inbound and outbound to the Internet for federation with partners running Office Communications Server 2007.
MRAS traffic.
Director redirects Web traffic to destination pool's Web Service.
HTTPS:4443
Gmail
AD DS Domain Controller (DC) AD DS Global Catalog (GC)
HTTPS:443
Archiving Server
TCP:3478 must be open both inbound and outbound.
Jabber
XMPP/TCP:5269
XMPP Gateway
LDAP/TCP:389 LDAP/TCP:3268
B.contoso.com
External Firewall
Internal Firewall
Port number to service traffic assignment:
5062 - IM Conferencing Service
5086 - Internal Mobility Service
5087 - External Mobility Service
Reverse proxy
RDP/SRTP/TCP:1024-65535
If no Edge Server is defined in the topology, callee checks the Front End Server's Bandwidth Policy Service.
RDP/SRTP/TCP:49152-65535
SRTP/RTCP:60,000-64,000
TURN/TCP:448
SIP/TLS:5061
HTTPS:4443
Directors
SIP/TLS:5061
For federation, SBA connects directly with Director. If no Director is available, federation traffic goes directly to Edge Server.
WAN Connection
MRAS traffic.
Enterprise Pool
SIP/MTLS:5061
Access Edge - SIP/TLS:443
SIP/MTLS:5062
A/V Edge SRTP:443,3478,50,000-59,999
Enterprise Pool (CMS replica)
Two inbound and two outbound unidirectional streams.
Mediation Pool (CMS replica)
Standard Edition Server (CMS replica)
If client connects on port 80, it gets redirected to port 443.
Range of ports is configurable.
Edge Pool
A/V Edge ICE: STUN/TCP:443, STUN/UDP:3478
SRTP, ICE: STUN/TCP:443, UDP:3478
SIP/MTLS
A/V Edge SRTP:443,3478,[TCP:50,000-59,999]
SMB:445
SIP/MTLS:5061
Access Edge - SIP/TLS:443
MRAS traffic.
SIP/MTLS:5061
SIP/MTLS:5061
SIP/MTLS:5062
SRTP, ICE: STUN/TCP:443, UDP:3478
Edge Pool
SRTP consists of two unidirectional streams. RTCP traffic piggybacks on the SRTP stream.
Media codec varies per workload:
- RTAudio
- G.711
- Siren
- G.722
TCP:443 must be open inbound.
TCP:3478 must be open both inbound and outbound.
External firewall
Internal firewall
TCP port range, 50,000-59,999, only needs to be open outbound.
TCP/UDP port range, 50,000-59,999, needs to be open inbound and outbound to the Internet for federation with partners running Office Communications Server 2007.
SIP/TLS:5061
SRTP/RTCP:49,152-57,500
Director redirects Web traffic to destination pool's Web Service.
HTTPS:4443
HTTPS:443
MSMQ
Reverse proxy
Monitoring Server
Port number to service traffic assignment:
5065 - Application Sharing Conferencing Service
SIP/MTLS
MRAS traffic.
Lync client automatically registers with the pool if the Branch Appliance becomes unavailable.
HTTPS:443
Exchange UM Server
Connectivity to:
- IP-PSTN gateway
- IP/PBX
- Direct SIP
- SIP trunk
External firewall
SIP/TLS:5067
SIP/TCP:5060,5061
Mediation Pool (optional)
If gateway does not support TLS, connect to gateway on SIP/TCP:5068.
Port number to service traffic assignment:
5064 - Telephony Conferencing Service
5067 - Mediation Server Service
5071 - Response Group Service
5072 - Conferencing Attendant Service
5073 - Conferencing Announcement Service
LEGEND
Lync
Lync Phone Edition
Attendant Console
Group Chat
Lync Web App
CERTIFICATE REQUIREMENTS
Front End Server 1, Front End Server 2
FQDN: pool.<ad-domain>
Certificate SN: pool.<ad-domain>
Certificate SAN: pool.<ad-domain>, fe.<sip-domain>, sip.<sip-domain>, meet.<sip-domain>, dialin.<sip-domain>
EKU: server
Root certificate: private CA

Director 1, Director 2
FQDN: dir.<ad-domain>
Certificate SN: dir.<ad-domain>
Certificate SAN: dir.<ad-domain>, sipinternal.<sip-domain>, sip.<sip-domain>, meet.<sip-domain>, dialin.<sip-domain>
EKU: server
Root certificate: private CA

Group Chat Server
FQDN: chatsrv.<ad-domain>
Certificate SN: chatsrv.<ad-domain>
Certificate SAN: N/A
EKU: server, client
Root certificate: private CA

Branch Appliance
FQDN: sba.<ad-domain>
Certificate SN: sba.<ad-domain>
Certificate SAN: sba.<ad-domain>
EKU: server
Root certificate: private CA
DNS Configuration
- Publish SRV for _sipfederationtls._tcp.<sip-domain> that resolves to Access Edge FQDN, accesssrv.<sip-domain>.
- Publish SRV for _sip._tls.<sip-domain> that resolves to Access Edge FQDN. This is required for federated and anonymous connections to Web conferences.
- Publish SRV for _xmpp-server._tcp.<sip-domain> that resolves to gateway NIC of the XMPP gateway.
- Publish CNAME or A record for lyncdiscoverinternal.<sip-domain> that resolves to IP address of Director, if one is deployed, or pool.
- Publish CNAME for lyncdiscover.<sip-domain> that resolves to IP address of reverse proxy. HTTPS connection is proxied to internal pool's Web Service.
- Publish A record for Meet Simple URL that resolves the URL to IP address of Director, if one is deployed, or pool.
- Publish A record for Dial-In Simple URL that resolves the URL to IP address of Director, if one is deployed, or pool.
- Publish A record for Access Edge FQDN, accesssrv.<sip-domain> | sip.<sip-domain>, that resolves to Access Edge public IP address.
- Publish A record for A/V Edge FQDN, av.<sip-domain>, that resolves to A/V Edge public IP address.
- Publish A record for Conferencing Edge FQDN, conf.<sip-domain>, that resolves to Conferencing Edge public IP address.
- Publish A record for internal pool to the reverse proxy FQDN that resolves to public IP address of reverse proxy.
Enterprise pool
Directors
Edge Server 1, Edge Server 2

Internal
FQDN: intsrv.<ad-domain>
Certificate SN: intsrv.<ad-domain>
Certificate SAN:
EKU: server
Root certificate: private CA

Edge Servers Access
FQDN: accesssrv.<sip-domain>
Certificate SN: accesssrv.<sip-domain>
Certificate SAN: accesssrv.<sip-domain>, sip.<sip-domain>
EKU: server, client*
Root certificate: public CA
Conference
FQDN: N/A
Certificate SN: conf.<sip-domain>
Certificate SAN: N/A
EKU: server
Root certificate: public CA

A/V
FQDN: av.<sip-domain>
Certificate SN: av.<sip-domain>
Certificate SAN: N/A
EKU: server
Root certificate: private CA
Mediation Server
FQDN:
Certificate SN:
Certificate SAN:
EKU:
Root certificate:
© 2010 Microsoft Corporation. All rights reserved. Active Directory, Lync, MSN, and any associated logos are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other trademarks or trade names mentioned herein are the property of their respective owners.
SIP/TLS:5061