Lync Protocol Workloads (Diagram v5.12)

Diagram v5.12 Author: Rui Maximo — Editor: Kelly Fuller Blue — Designer: Ken Circeo
Reviewers: Jens Trier Rasmussen, Paul Brombley, Doug Lawty, Stefan Plizga, Jeff Colvin, Kaushal Mehta, Richard Pasztor, Thomas Binder, Subbu Chandrasekaran, Randy Wintle, Rob L., Stefan Heidl, Fabian Kunz

Reading the diagram: direction of arrow indicates which server initiates the connection. Subsequent traffic is bi-directional.

IM AND PRESENCE WORKLOAD

Internal user sign-in process:
1. Client resolves DNS SRV record _sipinternaltls._tcp.<sip-domain> to Director.
2. Client connects to Director.
3. Director redirects client to user’s home pool.

External user sign-in process:
1. Client resolves DNS SRV record _sip._tls.<sip-domain> to Edge Server.
2. Client connects to Edge Server.
3. Edge Server proxies connection to Director.
4. Director authenticates user and proxies connection to user’s home pool.

Director redirects Web traffic to destination pool’s Web Service.

HTTPS:443 is used to connect to Lync Web Services:
- download the Address Book
- provide distribution list expansion
- download meeting content
- connect to the Mobility Service
- connect to the AutoDiscovery Service
If client connects on port 80, it gets redirected to port 443.

HTTPS:4443 (reverse proxy to the internal pool’s Web Service). Publish rule for port 4443 to the pool’s hardware load balancer and set “forward host header” to true. This ensures the original URL is forwarded. This port is used to:
- download the Address Book
- connect to the Mobility Service
- connect to the AutoDiscovery Service

Ports to be load balanced by HLB:
- 443
- 4443
- 5061
- 135 – only if SIP traffic is load balanced by HLB

Traffic to the Audio/Video Conferencing Service goes directly to the service WITHOUT going through the pool’s hardware load balancer.

Other server-to-server traffic shown: SIP/MTLS:5061 (Enterprise Pool, Directors, Edge Pool, Mediation Pool, Branch Appliance), SIP/MTLS:5062 and SIP/MTLS:5063 (Edge Pool), SIP/MTLS:5041 (Group Chat Server), C3P/HTTPS:444 (Edge Pool), HTTPS:4443 and TCP:1433 (Back-end SQL Server), SMB:445 (file share), MSMQ (Monitoring Server, Archiving Server, Group Chat Compliance Server), XMPP/TCP:5269 (XMPP Gateway to Gmail and Jabber servers).

Port number to service traffic assignment:
5062 – IM Conferencing Service
5064 – Telephony Conferencing Service
5065 – Application Sharing Conferencing Service
5067 – Mediation Server Service
5071 – Response Group Service
5072 – Conferencing Attendant Service
5073 – Conferencing Announcement Service
5086 – Internal Mobility Service
5087 – External Mobility Service

ACTIVE DIRECTORY DOMAIN SERVICES (AD DS)

AD DS sync (LDAP traffic): LDAP/TCP:3268 to the Global Catalog (GC), LDAP/TCP:389 to the Domain Controller (DC). Domains shown: A.contoso.com, B.contoso.com, C.contoso.com.

CENTRAL MANAGEMENT SERVICE

CMS master on the Enterprise Pool; CMS replicas on the Directors, Edge Pool, Mediation Pool, Standard Edition Server and Branch Appliance. Install on Enterprise Edition to provide high availability. Replication traffic: SMB traffic and HTTPS:4443; Back-end SQL Server on TCP:1433.

A/V AND WEB CONFERENCING WORKLOAD

Peer-to-peer A/V session: ICE: STUN/TCP:443, UDP:3478; SRTP/UDP:49152-65535.
RTP/SRTP traffic: A/V Conferencing. PSOM traffic: Web Conferencing (PSOM/TLS:8057 to the Web Conferencing Service). SIP traffic: signaling and IM.
HTTPS:443 is used to download conferencing content (meeting content + metadata + compliance file share).
Codec varies per workload:
- G.722 or Siren for audio
- RTVideo for video

EDGE SERVERS (EXTERNAL ACCESS, FEDERATION AND PUBLIC IM)

Access Edge - SIP/TLS:443 (remote users, Yahoo!); SIP/MTLS:5061 (federated company, MSN); internal side SIP/MTLS:5061
Web Conf Edge - PSOM/TLS:443; internal side PSOM/MTLS:8057
A/V Edge - ICE: STUN/TCP:443, STUN/UDP:3478; SRTP:443,3478,[TCP:50,000-59,999]; SRTP/UDP:57501-65335 (AOL A/V: STUN/TCP:443, UDP:3478)
XMPP Gateway - XMPP/TCP:5269 to Gmail and Jabber servers
MRAS traffic between the Enterprise Pool and the Edge Pool over SIP/MTLS.

External firewall requirements for the A/V Edge:
- TCP:443 must be open inbound.
- TCP:3478 must be open both inbound and outbound.
- TCP port range, 50,000-59,999, only needs to be open outbound.
- TCP/UDP port range, 50,000-59,999, needs to be open inbound and outbound to the Internet for federation with partners running Office Communications Server 2007.
- SRTP consists of two unidirectional streams, so a call is two inbound and two outbound unidirectional streams. RTCP traffic piggybacks on the SRTP stream. Range of ports is configurable.

APPLICATION SHARING WORKLOAD

Peer-to-peer application sharing session: RDP/SRTP/TCP:49152-65535 between clients; RDP/SRTP/TCP:1024-65535 shown for the conferencing path; TURN/TCP:443, UDP:3478 through the A/V Edge.
If no Edge Server is defined in the topology, callee checks the Front End Server’s Bandwidth Policy Service.

ENTERPRISE VOICE WORKLOAD

Media codec varies per workload: RTAudio, G.711, Siren, G.722.
Media bypass: audio routed directly to gateway bypassing Mediation Server.
Call Admission Control (CAC) traffic between the client and the Bandwidth Policy Service (if no Edge Server is defined in the topology, callee checks the Front End Server’s Bandwidth Policy Service).
Media ports shown: SRTP/RTCP:30,000-39,999; SRTP/RTCP:49,152-57,500; SRTP/RTCP:60,000-64,000; STUN/UDP:3478; STUN/TCP:443; TURN/TCP:448.
Mediation Pool: SIP/TLS:5067 from the Front End Server. Connectivity to IP-PSTN gateway, IP/PBX, Direct SIP and SIP trunk on SIP/TCP:5060,5061. If gateway does not support TLS, connect to gateway on SIP/TCP:5068.
Survivable Branch Appliance (SBA) connects to the Enterprise Pool over the WAN on SIP/TLS:5061. For federation, SBA connects directly with Director. If no Director is available, federation traffic goes directly to Edge Server. Lync client automatically registers with the pool if the Branch Appliance becomes unavailable.
Exchange UM Server and Monitoring Server are Enterprise Voice applications shown on the diagram.

LEGEND

Clients: Lync, Lync Phone Edition, Lync Attendant Console, Lync Web App, Group Chat.
Traffic types: SIP, HTTPS, RTP/SRTP, RDP/SRTP, PSOM, ICE, XMPP, MSMQ, SMB, LDAP, SRV query, Call Admission Control (CAC).
Boundaries: external firewall, internal firewall, reverse proxy.

CERTIFICATE REQUIREMENTS

Enterprise pool (Front End Server 1, Front End Server 2)
FQDN: pool.<ad-domain>
Certificate SN: pool.<ad-domain>
Certificate SAN: pool.<ad-domain>, fe.<sip-domain>, sip.<sip-domain>, meet.<sip-domain>, sipinternal.<sip-domain>, dialin.<sip-domain>
EKU: server
Root certificate: private CA

Directors (Director 1, Director 2)
FQDN: dir.<ad-domain>
Certificate SN: dir.<ad-domain>
Certificate SAN: dir.<ad-domain>, sip.<sip-domain>, meet.<sip-domain>, dialin.<sip-domain>
EKU: server
Root certificate: private CA

Edge Servers (Edge Server 1, Edge Server 2), internal interface
Internal FQDN: intsrv.<ad-domain>
Certificate SN: intsrv.<ad-domain>
Certificate SAN: N/A
EKU: server
Root certificate: private CA

Edge Servers, external interfaces
Access FQDN: accesssrv.<sip-domain>
Certificate SN: accesssrv.<sip-domain>
Certificate SAN: accesssrv.<sip-domain>, sip.<sip-domain>
EKU: server (server, client required only for public IM connectivity with AOL)
Root certificate: public CA
A/V FQDN: av.<sip-domain>
Certificate SN: av.<sip-domain>
Certificate SAN: N/A
EKU: server
Root certificate: public CA
Conference FQDN: conf.<sip-domain>
Certificate SN: conf.<sip-domain>
Certificate SAN: N/A

Group Chat Server
FQDN: chatsrv.<ad-domain>
Certificate SN: chatsrv.<ad-domain>
Certificate SAN: N/A
EKU: server, client
Root certificate: private CA

Branch Appliance
FQDN: sba.<ad-domain>
Certificate SN: sba.<ad-domain>
Certificate SAN: sba.<ad-domain>
EKU: server
Root certificate: private CA

Exchange UM Server
FQDN: umsrv.<ad-domain>
Certificate SN: umsrv.<ad-domain>
Certificate SAN: N/A
EKU: server

Mediation Server
FQDN: medsrv.<ad-domain>
Certificate SN: medsrv.<ad-domain>
Certificate SAN: N/A
EKU: server
Root certificate: private CA

XMPP Gateway
(1) FQDN: xmppsrv.<sip-domain> (this FQDN is for connectivity to internal Edge Servers)
Certificate SN: xmppsrv.<sip-domain>
Certificate SAN: N/A
EKU: server
Root certificate: private CA
(2) FQDN: xmpp.<sip-domain> (this FQDN is for connectivity to external XMPP gateways)
Certificate SN: xmpp.<sip-domain>
Certificate SAN: N/A
EKU: server

DNS CONFIGURATION

· Publish SRV for _sipfederationtls._tcp.<sip-domain>, that resolves to Access Edge FQDN, accesssrv.<sip-domain>.
· Publish SRV for _sip._tls.<sip-domain>, that resolves to Access Edge FQDN. This is required for federated and anonymous connections to Web conferences.
· Publish SRV for _xmpp-server._tcp.<sip-domain>, that resolves to gateway NIC of the XMPP gateway.
· Publish CNAME or A record for lyncdiscoverinternal.<sip-domain> that resolves to IP address of Director, if one is deployed, or pool.
· Publish CNAME for lyncdiscover.<sip-domain> that resolves to IP address of reverse proxy. HTTPS connection is proxied to internal pool’s Web Service.
· Publish A record for Meet Simple URL that resolves the URL to IP address of Director, if one is deployed, or pool.
· Publish A record for Dial-In Simple URL that resolves the URL to IP address of Director, if one is deployed, or pool.
· Publish A record for Access Edge FQDN, accesssrv.<sip-domain> | sip.<sip-domain>, that resolves to Access Edge public IP address.
· Publish A record for A/V Edge FQDN, av.<sip-domain>, that resolves to A/V Edge public IP address.
· Publish A record for Conferencing Edge FQDN, conf.<sip-domain>, that resolves to Conferencing Edge public IP address.
· Publish A record for internal pool to the reverse proxy FQDN, that resolves to public IP address of reverse proxy.

LEARN MORE

http://technet.microsoft.com/lync
http://go.microsoft.com/fwlink/?LinkId=204593
http://nexthop.info
http://twitter.com/DrRez

© 2010 Microsoft Corporation. All rights reserved. Active Directory, Lync, MSN, and any associated logos are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other trademarks or trade names mentioned herein are the property of their respective owners.
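The poster states the external firewall requirements for the A/V Edge as directions, not just ports: TCP:443 inbound, TCP:3478 inbound and outbound, the 50,000-59,999 range outbound only, and inbound on that range only when federating with partners running Office Communications Server 2007. The audit below is an added example, not code from the poster or from Microsoft: it encodes those statements as a required rule set and checks a constructed, hypothetical firewall policy for two defects a reviewer looks for, required rules that are missing and inbound exposure of the 50,000-59,999 range that the deployment does not need. The `Rule` representation, the sample policy, and the assumption that STUN/UDP:3478 (listed for the A/V Edge) follows the same in/out directions as TCP:3478 are all this example's own, not the poster's.

```python
"""Audit an A/V Edge external firewall policy against the direction/port
requirements stated on the Lync protocol poster.

Added example; the Rule format is a constructed, vendor-neutral stand-in for
a real firewall policy, not any product's syntax.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str       # "tcp" or "udp"
    lo: int          # first port of the range
    hi: int          # last port of the range (inclusive)
    direction: str   # "in" or "out", seen from the Edge Server's external interface


# Required in every deployment (poster statements):
#   TCP:443 inbound; TCP:3478 inbound and outbound;
#   TCP 50,000-59,999 outbound only.
# UDP:3478 in/out is this example's assumption mirroring the TCP:3478 statement.
BASELINE = [
    Rule("tcp", 443, 443, "in"),
    Rule("tcp", 3478, 3478, "in"),
    Rule("tcp", 3478, 3478, "out"),
    Rule("udp", 3478, 3478, "in"),
    Rule("udp", 3478, 3478, "out"),
    Rule("tcp", 50000, 59999, "out"),
]

# Required only for federation with partners running OCS 2007:
# TCP/UDP 50,000-59,999 inbound and outbound.
OCS2007_EXTRA = [
    Rule("tcp", 50000, 59999, "in"),
    Rule("udp", 50000, 59999, "in"),
    Rule("udp", 50000, 59999, "out"),
]


def covers(policy, need):
    """True if some rule in the policy fully contains the needed range."""
    return any(
        r.proto == need.proto and r.direction == need.direction
        and r.lo <= need.lo and r.hi >= need.hi
        for r in policy
    )


def audit(policy, ocs2007_federation=False):
    """Return (missing, excess).

    missing: required rules the policy does not cover.
    excess:  inbound rules overlapping 50,000-59,999 when the deployment has no
             OCS 2007 federation, i.e. inbound exposure the poster does not call for.
    """
    required = BASELINE + (OCS2007_EXTRA if ocs2007_federation else [])
    missing = [r for r in required if not covers(policy, r)]
    excess = []
    if not ocs2007_federation:
        excess = [
            r for r in policy
            if r.direction == "in" and r.hi >= 50000 and r.lo <= 59999
        ]
    return missing, excess


# Constructed sample policy: correct for 443/3478, but opens the media range
# inbound as well as outbound without any OCS 2007 federation partner.
SAMPLE_POLICY = [
    Rule("tcp", 443, 443, "in"),
    Rule("tcp", 3478, 3478, "in"),
    Rule("tcp", 3478, 3478, "out"),
    Rule("udp", 3478, 3478, "in"),
    Rule("udp", 3478, 3478, "out"),
    Rule("tcp", 50000, 59999, "out"),
    Rule("tcp", 50000, 59999, "in"),
]


if __name__ == "__main__":
    for federation in (False, True):
        missing, excess = audit(SAMPLE_POLICY, ocs2007_federation=federation)
        print(f"OCS 2007 federation={federation}")
        for r in missing:
            print(f"  MISSING  {r.proto}:{r.lo}-{r.hi} {r.direction}")
        for r in excess:
            print(f"  EXCESS   {r.proto}:{r.lo}-{r.hi} {r.direction}")
```

Run against the sample policy with no OCS 2007 partner, the audit reports nothing missing and one excess rule (TCP 50,000-59,999 inbound); with `ocs2007_federation=True` the same inbound rule becomes required and the audit instead reports the two UDP 50,000-59,999 rules the policy lacks.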