IM and Presence
[Diagram; zones: External, Internal]
Legend: HTTPS traffic; MSMQ traffic; CLS traffic; XMPP traffic
Components: Active Directory Domain Services; Certificate Authority; External Firewall; Internal Firewall; Reverse proxy; Directors; Edge Pool; Persistent Chat Server; File Share Server; Address book & Persistent Chat file share; Back-end SQL Server; XMPP federation; Office 365; DirSync; ADFS; ADFS Proxy; Single sign-on (SSO); Skype Directory Search; LPE devices
Protocol and port labels: HTTPS: 443; HTTP: 80; HTTPS: 4443; TCP: 443; XMPP/TCP: 5269; XMPP/MTLS: 23456; SIP/MTLS: 5061; SIP/MTLS: 5041; SIP/TLS: 5061; CLS/MTLS: 50001-50003; C3P/HTTPS: 444; DSML/HTTPS: 443; SAML/HTTPS: 443; MSMQ
Notes:
Director proxies Web traffic to destination pool's Web service.
LPE devices also require port 80.
Port number to service traffic assignment:
5062 IM Conferencing Service
5086 Internal Mobility Service
5087 External Mobility Service

[Diagram; zones: External, Internal]
Caption: Peer-to-peer A/V session.
Legend: HTTP(S) traffic; ICE traffic. Arrow direction indicates which server initiates the connection. Actual traffic is bi-directional.
Components: Active Directory Domain Services; External Firewall; Internal Firewall; Directors; Access Edge; A/V Edge; Edge Pool; Reverse proxy; Office Web Apps Server; VIS; SIP Trunk; CUCM; VTC; Meeting content + metadata + compliance file share
Protocol and port labels: SRTP/UDP:1024-65535; SRTP/UDP:49152-65535; Access Edge SIP/TLS:5061; SIP/TLS:5061; TLS:5061; TCP:5060; SIP/MTLS/TCP:5061; SIP/MTLS/TCP:5062; PSOM/MTLS/TCP:8057; PSOM/TLS:8057; ICE: STUN/TCP:443, UDP:3478; ICE: STUN/TCP:443; SRTP: STUN/TCP:443; HTTPS:443; HTTPS:4443; SMB:445
Port table columns: Source IP; Destination IP; Source Port; Destination Port
Port table entries: A/V Edge; Any; TCP 443; UDP 3478; TCP 50,000-59,999
Notes:
If client connects on port 80 during sign-in, it gets redirected to port 443.
Director proxies Web traffic to destination pool's Web Service.

Application Sharing
[Diagram; zones: External, Internal]
Caption: Peer-to-peer application sharing session
Components: Active Directory Domain Services; External Firewall; Directors; Edge Pool; Reverse proxy
Protocol and port labels: RDP/SRTP/TCP:1024-65535; RDP/SRTP/TCP:49152-65535; SIP/TLS:5061; SIP/MTLS:5061; SIP/MTLS:5062; SIP/MTLS; SRTP: STUN/TCP:443; ICE: STUN/TCP:443; HTTPS:443; HTTPS:4443
Notes:
If client connects on port 80 during sign-in, it gets redirected to port 443.

Enterprise Voice
[Diagram; zones: External, Internal]
Legend: ICE traffic; MRAS traffic; SIP traffic
Components: Active Directory Domain Services; External Firewall; Internal Firewall; Directors; Edge Pool; Mediation Pool (optional); Branch Office; WAN Connection
Connectivity to: Branch Appliance; Exchange UM; IP-PSTN gateway; IP/PBX; Direct SIP; SIP trunk
Protocol and port labels: SRTP/UDP:30,000-39,999; SRTP/RTCP:60,000-64,000; SRTP/RTCP:49,152-57,500; STUN/TCP:448; TURN/TCP:448; SIP/TLS:5061; SIP/TLS:5061,5070; SIP/TCP:5060,5061; SIP/MTLS:5061; SIP/MTLS:5062; SIP/MTLS; HTTPS:444
Notes:
If no Edge Server is defined in the topology, callee checks the Front End Server's Bandwidth Policy Service.
Media bypass: audio routed directly to gateway bypassing Mediation Server.
Lync client automatically registers with the pool if the Branch Appliance becomes unavailable.

Certificate Requirements
Section labels: Core elements; Additional elements; Reverse proxy

Front End Server 1, Front End Server 2
FQDN: pool.<ad-domain>
Certificate SN: pool.<ad-domain>
Certificate SAN: pool.<ad-domain>, fe.<ad-domain>, sip.<sip-domain>, lyncdiscoverinternal.<sip-domain>, lyncdiscover.<sip-domain>, admin URL, meet URL, dial-in URL,
EKU: server
Root certificate: private CA

Edge Servers
Edge Server 1, Edge Server 2
Edge labels: External network; Internal network; Access edge; A/V edge; Internal edge; Conf edge
Internal FQDN: internal.<ad-domain>
Certificate SN: internal.<ad-domain>
Certificate SAN:
EKU: server
Root certificate: private CA
External FQDN: access.<sip-domain>
Certificate SN: access.<sip-domain>
Certificate SAN: access.<sip-domain>, sip.<sip-domain>, conf.<sip-domain>
EKU: server
Root certificate: public CA

FQDN: chatsrv.<ad-domain>
Certificate SN: chatsrv.<ad-domain>
Certificate SAN: N/A
EKU: server, client
Root certificate: private CA

Branch Appliance
FQDN: sba.<ad-domain>
Certificate SN: sba.<ad-domain>
Certificate SAN: sba.<ad-domain>
EKU: server
Root certificate: private CA

Exchange UM Server
FQDN: umsrv.<ad-domain>
Certificate SN: umsrv.<ad-domain>
Certificate SAN: N/A
EKU: server
Root certificate: private CA

Directors
Director 1, Director 2
FQDN: dir.<ad-domain>
Certificate SN: dir.<ad-domain>
Certificate SAN: dir.<ad-domain>, sipinternal.<sip-domain>, sip.<sip-domain>, lyncdiscoverinternal.<sip-domain>, lyncdiscover.<sip-domain>, admin URL, meet URL, dial-in URL
EKU: server
Root certificate: private CA

FQDN: OwaExtWeb.<sip-domain>
Certificate SN: OwaExtWeb.<sip-domain>
Certificate SAN: wacsrv1.<ad-domain>
Certificate SAN: wacsrv2.<ad-domain>
EKU: server
Root certificate: private CA

CMS
[Diagram; zone label: Internal]
Legend: SMB traffic; HTTPS traffic
Components: Enterprise Pool (CMS master); Edge Pool (CMS replica); Front-end Pool (CMS replica); Director (CMS replica); Mediation Pool (CMS replica); Standard Edition Server (CMS replica); Branch Appliance (CMS replica); Back-end SQL Server; Active Directory Domain Services; External Firewall; Internal Firewall
Protocol and port labels: SMB:445; TCP:1433

DNS Configuration

Internal DNS Configuration
DNS Type | Value | Purpose
SRV | _sipinternaltls._tcp.<sip-domain> | internal user access
A/CNAME | lyncdiscoverinternal.<sip-domain> | internal AutoDiscover Service
A | Pool FQDN | Internal pool name
A | admin URL | Lync Server Control Panel (LSCP)
A | meet URL | Lync Server Web Service
A | dial-in URL | Lync Server Web Service
A | internal Web Services FQDN | Lync Server Web Service
A | external Web Services FQDN | Proxied to Lync Server Web Service

Value | Resolution | Purpose
_sipfederationtls._tcp.<sip-domain> | Access Edge FQDN: access.<sip-domain> | Federation and public IM connectivity
_sip._tls.<sip-domain> | Access Edge FQDN: access.<sip-domain> | external user access
_xmpp-server._tcp.<sip-domain> | Access Edge FQDN: access.<sip-domain> | XMPP federation
sip.<sip-domain> | Access Edge FQDN: access.<sip-domain> | locate Edge Server
Access Edge FQDN: access.<sip-domain> | Access Edge IP address | Edge Server Access edge
A/V Edge FQDN: av.<sip-domain> | A/V Edge IP address | Edge Server A/V edge
Conf Edge FQDN: conf.<sip-domain> | Conf Edge IP address | Edge Server Conf edge
lyncdiscover.<sip-domain> | reverse proxy public IP address | external AutoDiscover Service
meet URL | reverse proxy public IP address | proxied to Lync Server Web Service
dial-in URL | reverse proxy public IP address | proxied to Lync Server Web Service
external Web Services FQDN | reverse proxy public IP address | proxied to Lync Server Web Service

OWA
DNS Type | Value | Purpose
A | OWA internal URL | internal user access to PowerPoint Presentations
A | OWA external URL | external user access to PowerPoint Presentations