Internal
External
Firewall
4/21/2015
HTTPS: 443
Certificate Authority
HTTPS: 4443
XMPP federation
Active Directory Domain Services
Reverse proxy
XMPP/TCP: 5269
CLS/MTLS: 50001-50003
File Share Server
Directors
TCP: 443
Front end pool
SIP/MTLS: 5061
HTTPS: 4443
XMPP/MTLS: 23456
CLS/MTLS: 50001-50003
Edge Pool
SIP/MTLS
CLS/MTLS: 50001-50003
DSML/HTTPS: 443
DirSync
C3P/HTTPS: 444
SAML/HTTPS: 443
ADFS
ADFS Proxy
Skype for Business federation
MSMQ
Centralized Logging Service
Persistent Chat Compliance Server
Persistent Chat Server
Skype federation
2015 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at SfBdoc2015@microsoft.com.
SIP/MTLS:5041
HTTPS: 443
Internal
Firewall
SIP/TLS: 5061
Legend
SIP/TLS: 5061
IM and Presence
Back-end
SQL Server
Internal
Legend
Skype for Business
2015 users
SRTP/UDP:49152-65535
SRTP/UDP:1024-65535
Directors
HTTPS:443 is used to download conferencing content.
SMB:445
HTTPS:4443
Front end
pool
SRTP/UDP:49152-65535
HTTPS:443
HTTPS:443
File Share
Server
HTTPS:443
MRAS traffic
SIP/MTLS/TCP:5061
Edge Pool
TLS:5061
PSOM/TLS:8057
Internal
Firewall
HTTPS:443
SIP/TLS:5061
SRTP/UDP:49152-65535
External
Firewall
Source IP | Destination IP | Source Port | Destination Port
A/V Edge | Any | TCP 50,000-59,999 | TCP 443
A/V Edge | Any | UDP 3478 | UDP 3478
Any | A/V Edge | Any | TCP 443
Any | A/V Edge | Any | UDP 3478
Active Directory Domain Services
SRTP/UDP:1024-65535
External
Peer-to-peer A/V session.
VIS
Reverse proxy
Office Web
Apps Server
HTTPS:443
SIP Trunk
TCP:5060 TLS:5061
CUCM
TCP:5060
TLS:5061
VTC
APPLICATION SHARING
External
Internal
Peer-to-peer application sharing session.
Legend
External
Firewall
Skype for
Business
federation
Internal
Firewall
MRAS traffic
SIP/MTLS:5061
SIP/MTLS:5062
SRTP: STUN/TCP:443
ICE: STUN/TCP:443
SIP/TLS:5061
Directors
SIP/TLS:5061
SRTP: STUN/TCP:443
ICE: STUN/TCP:443
RDP/SRTP/TCP:49152-65535
RDP/SRTP/TCP:1024-65535
SIP/MTLS:5061
SIP/MTLS
Edge Pool
If client connects on port 80 during sign-in, it gets redirected to port 443
HTTPS:443
Active Directory
Domain Services
HTTPS:4443
Reverse proxy
A
Source IP | Destination IP | Source Port | Destination Port
A/V Edge | Any | TCP 50,000-59,999 | TCP 443
Any | A/V Edge | Any | TCP 443
Internal
ENTERPRISE VOICE
External
Firewall
Internal
Firewall
Branch Office
Legend
SIP traffic
Call Admission Control (CAC) traffic
RTP/SRTP traffic: A/V Conferencing
ICE traffic
Arrow direction indicates which server initiates the connection. Actual traffic is bi-directional.
Active Directory
Domain Services
External
WAN
Connection
For federation, SBA connects directly with Director. If no Director is available, federation traffic goes directly to the Edge Server
STUN/TCP:448
SIP/TLS:5061
MRAS traffic
Edge Pool
HTTPS:444
SIP/MTLS:5062
B
Front end pool
Branch
Appliance
SIP/MTLS
SIP/TLS:5061
MRAS traffic
Connectivity to:
IP-PSTN gateway
IP/PBX
Direct SIP
SIP trunk
If no Edge Server is defined in the topology, callee checks the Front End Server's Bandwidth Policy Service.
SIP/MTLS:5061
SIP/MTLS:5061
SIP/MTLS:5062
SRTP: STUN/TCP:443, UDP:3478
ICE: STUN/TCP:443, UDP:3478
SRTP/RTCP:49,152-57,500
Directors
SRTP/UDP:30,000-39,999
Exchange
UM
SIP/TLS:5061,5070
SRTP/RTCP:49,152-57,500
Mediation Pool
(optional)
SIP/TCP:5060,5061
B
Port number to service traffic assignment:
5064 - Telephony Conferencing Service
5067 - Mediation Server Service
5071 - Response Group Service
5072 - Conferencing Attendant Service
5073 - Conferencing Announcement Service
5075 - Call Park Service
CERTIFICATE REQUIREMENTS
Additional elements
Core elements
Reverse proxy
Edge Servers
Edge Server 1, Edge Server 2
Internal FQDN: internal.<ad-domain>
Certificate SN: internal.<ad-domain>
Certificate SAN:
EKU: server
Root certificate: private CA
Branch Appliance
Access edge
A/V edge
Internal edge
Conf edge
External network
Internal network
Directors
FQDN: external Web Service FQDN
Certificate SN: external Web Service FQDN
Certificate SAN: external Web Service FQDN, lyncdiscover.<sip-domain>, meet URL, dial-in URL, OwaExtWeb.<sip-domain>
EKU: server
Root certificate: public CA
chatsrv.<ad-domain>
chatsrv.<ad-domain>
N/A
server, client
private CA
Director 1, Director 2
FQDN: dir.<ad-domain>
Certificate SN: dir.<ad-domain>
Certificate SAN: dir.<ad-domain>, sipinternal.<sip-domain>, sip.<sip-domain>, lyncdiscoverinternal.<sip-domain>, lyncdiscover.<sip-domain>, admin URL, meet URL, dial-in URL
EKU: server
Root certificate: private CA
FQDN: sba.<ad-domain>
Certificate SN: sba.<ad-domain>
Certificate SAN: sba.<ad-domain>
EKU: server
Root certificate: private CA
Exchange UM Server
FQDN: umsrv.<ad-domain>
Certificate SN: umsrv.<ad-domain>
Certificate SAN: N/A
EKU: server
Root certificate: private CA
OwaExtWeb.<sip-domain>
OwaExtWeb.<sip-domain>
wacsrv1.<ad-domain>
wacsrv2.<ad-domain>
server
private CA
Legend
CMS
SMB traffic
HTTPS traffic
External
firewall
Internal
firewall
Install on Enterprise Edition to provide high availability.
Enterprise Pool
(CMS master)
TCP:1433
HTTPS:4443
Back-end
SQL Server
Edge Pool
(CMS replica)
SMB:445
Director
(CMS replica)
Mediation Pool
(CMS replica)
Standard
Edition Server
(CMS replica)
Branch Appliance
(CMS replica)
Active Directory
Domain Services
DNS TYPE | VALUE | Enterprise Edition Resolution | Standard Edition Resolution | PURPOSE
SRV | _sipinternaltls._tcp.<sip-domain> | pool FQDN | pool FQDN | internal user access
A/CNAME | lyncdiscoverinternal.<sip-domain> | HLB FE Pool VIP | pool IP address | internal AutoDiscover Service
A | Pool FQDN | individual FE IPs | pool IP address | Internal pool name
A | admin URL | HLB FE Pool VIP | pool IP address | Lync Server Control Panel (LSCP)
A | meet URL | HLB FE Pool VIP | pool IP address | Lync Server Web Service
A | dial-in URL | HLB FE Pool VIP | pool IP address | Lync Server Web Service
A | internal Web Services FQDN | HLB FE Pool VIP | pool IP address | Lync Server Web Service
A | external Web Services FQDN | Reverse proxy public IP address | Reverse proxy public IP address | Proxied to Lync Server Web Service
RESOLUTION
PURPOSE
SRV | _sipfederationtls._tcp.<sip-domain>
SRV | _sip._tls.<sip-domain>
SRV | _xmpp-server._tcp.<sip-domain>
A | sip.<sip-domain>
A | Access Edge FQDN: access.<sip-domain>
A | A/V Edge FQDN: av.<sip-domain>
A | Conf Edge FQDN: conf.<sip-domain>
A/CNAME | lyncdiscover.<sip-domain>
A | meet URL
A | dial-in URL
A | external Web Services FQDN
OWA
DNS TYPE VALUE
A
A
PURPOSE
internal user access to PowerPoint Presentations
external user access to PowerPoint Presentations