External

Internal

External
Firewall

This port is used to connect to Web Services:

download the Address Book
connect to Address Book Web query URL
provide distribution list expansion
download meeting content
connect to the Mobility Service
connect to the AutoDiscover Service
connect to Dial-in URL
connect to Lync Web App
connect to CertProvisioningService
External user sign-in process:
1. Client discovers Edge Server:
a. lyncdiscoverinternal.<sip-domain>
b. lyncdiscover.<sip-domain>
c. _sipinternaltls._tcp.<sip-domain>
d. _sipinternal._tcp.<sip-domain>
e. _sip._tls.<sip-domain>
f. sipinternal.<sip-domain>
g. sip.<sip-domain>
h. sipexternal.<sip-domain>
2. Client connects to Edge Server.
3. Edge Server proxies connection to Director.
4. Director authenticates user and proxy
connection to user s home pool.
Internal user sign-in process:
1. Client discovers Enterprise Pool:
a. lyncdiscoverinternal.<sip-domain>
b. lyncdiscover.<sip-domain>
c. _sipinternaltls._tcp.<sip-domain>
d. _sipinternal._tcp.<sip-domain>
e. sipinternal.<sip-domain>
f. sip.<sip-domain>
2. Client connects to Enterprise Pool server.
3. Enterprise pool server authenticates user and
redirects connection to user s home server.

4/21/2015

HTTPS: 443

Certificate
Authority

Skype for Business

2015 users

Director proxies Web traffic to

destination pool s Web Service.

Address book &

Persistent Chat file
share.

HTTPS: 4443

XMPP
federation

Active Directory
Domain Services

Reverse proxy

Publish rule for port 4443 to set

forward host header to true.
This ensures the original URL is
forwarded.

XMPP/TCP: 5269
CLS/MTLS: 50001-50003

File Share
Server

Directors
TCP: 443

Access Edge - SIP/TLS: 443

HTTP: 80

Front end
pool

SIP/MTLS: 5061
HTTPS: 4443
XMPP/MTLS: 23456

Access Edge - SIP/MTLS: 5061

CLS/MTLS: 50001-50003

Edge Pool

SIP/
MTLS
CLS/MTLS: 50001-50003

DSML/HTTPS: 443

DirSync

Ports to load balance by HLB:

- 80 - 8080 - 443 - 4443
- 5061 [can use DNS load balancing]

C3P/HTTPS: 444

SAML/HTTPS: 443

ADFS
ADFS Proxy
Skype for
Business
federation

Single sign-on (SSO)

MSMQ

Centralized
Logging
Service

Persistent Chat
Compliance
Server

Persistent
Chat Server

Port number to service traffic assignment:

5062 IM Conferencing Service
5086 Internal Mobility Service
5087 External Mobility Service

Skype
federation

2015 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at SfBdoc2015@microsoft.com.

SIP/MTLS:5041

Services and Processes

Skype for Business

2015 users

HTTPS: 443

SIP traffic: signaling and IM

XMPP traffic
HTTP(S) traffic
MSMQ Traffic
CLS Traffic
Arrow direction indicates which
server initiates the connection.
Actual traffic is bi-directional.

Internal
Firewall

SIP/TLS: 5061

Legend

SIP/TLS: 5061

IM and Presence

Back-end
SQL Server

A/V AND WEB

CONFERENCING

Internal

Legend
Skype for Business
2015 users

SIP traffic: signaling

HTTP(S) traffic
RTP/SRTP traffic: A/V Conferencing
PSOM traffic: Web Conferencing
ICE traffic
Arrow direction indicates which
server initiates the connection.
Actual traffic is bi-directional.

SRTP/UDP:49152-65535

Codec varies per workload:

G.722 for audio
H264SVC for video

SRTP/UDP:1024-65535

Directors

Access Edge - SIP/TLS:5061

ICE: STUN/TCP:443, UDP:3478

SRTP: STUN/TCP:443, UDP:3478
SIP/MTLS/TCP:5061
PSOM/MTLS/TCP:8057
ICE: STUN/TCP:443, UDP:3478
SRTP: STUN/TCP:443, UDP:3478
SIP/MTLS/TCP:5062

Access Edge - SIP/TLS:443

Web Conf Edge - PSOM/TLS:443
A/V Edge - STUN/TCP:443, UDP:3478

HTTPS:443 is
used to
download
conferencing
content.

SMB:445

Director proxies Web

traffic to destination
pool s Web Service.

HTTPS:4443

Front end
pool

SRTP/UDP:49152-65535

HTTPS:443

HTTPS:443

File Share
Server

HTTPS:443

MRAS traffic

Meeting content + metadata +

compliance file share.

SIP/MTLS/TCP:5061

Edge Pool

If client connects on port

80 during sign-in, it gets
redirected to port 443

Traffic goes directly to Web

Conferencing Service WITHOUT
going through the pool s
hardware load balancer

TLS:5061

Skype for Business

federation

PSOM/TLS:8057

Internal
Firewall

HTTPS:443
SIP/TLS:5061
SRTP/UDP:49152-65535

Codec varies per workload:

G.722, Siren or SILK for audio
H264SVC for video [RTVideo for downlevel clients]

External
Firewall

Source IP
A/V Edge
A/V Edge
Any
Any

Active Directory
Domain Services

SRTP/UDP:1024-65535

External

Skype for Business

2015 users

Skype for Business

2015 users

Peer-to-peer A/V
session.

VIS
Destination IP Source Port
Any
TCP 50,000-59,999
Any
UDP 3478
A/V Edge
Any
A/V Edge
Any

Destination Port
TCP 443
UDP 3478
TCP 443
UDP 3478

Reverse proxy

Codec varies per workload:

G.722 for audio
H264AVC for video

Office Web
Apps Server

HTTPS:443

SIP Trunk
TCP:5060 TLS:5061

CUCM
TCP:5060
TLS:5061

2015 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at SfBdoc2015@microsoft.com.

VTC

APPLICATION
SHARING

External

Internal

Peer-to-peer application
sharing session.

Legend

SIP traffic: signaling

HTTP(S) traffic
RTP/SRTP traffic: A/V Conferencing
ICE traffic
Arrow direction indicates which
server initiates the connection.
Actual traffic is bi-directional.

External
Firewall

Skype for
Business
federation

Internal
Firewall

Skype for Business

2015 users

Skype for Business

2015 users

MRAS traffic
SIP/MTLS:5061
SIP/MTLS:5062
SRTP: STUN/TCP:443
ICE: STUN/TCP:443

Access Edge - SIP/TLS:5061

Access Edge - SIP/TLS:443

SIP/TLS:5061

Directors

SIP/TLS:5061

Skype for Business

2015 users

SRTP: STUN/TCP:443
ICE: STUN/TCP:443

RDP/SRTP/TCP:49152-65535

RDP/SRTP/TCP:1024-65535

SIP/MTLS:5061

Front end pool

SIP/MTLS

Edge Pool
If client connects on port 80 during
sign-in, it gets redirected to port 443
HTTPS:443

Active Directory
Domain Services

HTTPS:4443

Reverse proxy

Port number to service traffic assignment:

5065 - Application Sharing Conferencing Service

A
Source IP Destination IP Source Port
Destination Port
A/V Edge Any
TCP 50,000-59,999 TCP 443
Any
A/V Edge
Any
TCP 443

2015 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at SfBdoc2015@microsoft.com.

Internal

ENTERPRISE VOICE
External
Firewall

Internal
Firewall

Branch Office

Legend
SIP traffic
Call Admission Control (CAC) traffic
RTP/SRTP traffic: A/V Conferencing
ICE traffic
Arrow direction indicates which
server initiates the connection.
Actual traffic is bi-directional.

SRTP: STUN/TCP:443, UDP:3478

Skype for Business

2015 users

Active Directory
Domain Services

ICE: STUN/TCP:443, UDP:3478

External

If no Edge Server is defined in

the topology, callee checks the
Front End Server s Bandwidth
Policy Service.

WAN
Connection
For federation, SBA
connects directly with
Director. If no Director
is available, federation
traffic goes directly to
the Edge Server

STUN/TCP:448
SIP/TLS:5061

MRAS traffic

Edge Pool

HTTPS:444
SIP/MTLS:5062

B
Front end pool

Branch
Appliance

SIP/MTLS

SIP/TLS:5061

MRAS traffic

Connectivity to:
IP-PSTN gateway
IP/PBX
Direct SIP
SIP trunk

If no Edge Server
is defined in the
topology, callee
checks the Front
End Server s
Bandwidth Policy
Service.

SIP/MTLS:5061

SIP/MTLS:5061
SIP/MTLS:5062
SRTP: STUN/TCP:443, UDP:3478
ICE: STUN/TCP:443, UDP:3478

Access Edge - SIP/TLS:443

A/V Edge ICE: STUN/TCP:443, STUN/UDP:3478

SRTP/RTCP:49,152-57,500

Directors

Media codec varies

per workload:
RTAudio, G.711, SILK

SRTP: STUN/TCP:443, UDP:3478

STUN/TCP:443, STUN/UDP:3478
ICE: STUN/TCP:443, UDP:3478
SRTP/RTCP:60,000-64,000
TURN/TCP:448
SIP/TLS:5061

SRTP/UDP:30,000-39,999

Media bypass: audio

routed directly to
gateway bypassing
Mediation Server.

Skype for Business

2015 users

Skype for Business

2015 users

Exchange
UM
SIP/TLS:5061,5070
SRTP/RTCP:49,152-57,500

Mediation Pool
(optional)

SIP/TCP:5060,5061

Lync client automatically

registers with the pool if
the Branch Appliance
becomes unavailable

Enterprise Voice applications

B
Port number to service traffic assignment:
5064 - Telephony Conferencing Service
5067 Mediation Server Service
5071 - Response Group Service
5072 - Conferencing Attendant Service
5073 - Conferencing Announcement Service
5075 - Call Park Service

2015 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at SfBdoc2015@microsoft.com.

CERTIFICATE REQUIREMENTS
Additional elements

Core elements

Reverse proxy

Front End Pool

Front End Server 1, Front End Server 2
FQDN:
pool.<ad-domain>
Certificate SN:
pool.<ad-domain>
Certificate SAN: pool.<ad-domain>, fe.<ad-domain>, sip.<sip-domain>,
lyncdiscoverinternal.<sip-domain>, lyncdiscover.<sip-domain>,
admin URL, meet URL, dial-in URL,
EKU:
server
Root certificate: private CA

Edge Servers
Edge Server 1, Edge Server 2
Internal FQDN: internal.<ad-domain>
Certificate SN:
internal.<ad-domain>
Certificate SAN:
EKU:
server
Root certificate: private CA

Branch Appliance
Access edge
A/V edge

Internal edge

Conf edge

External network

Internal network

External FQDN: access.<sip-domain>

Certificate SN:
access.<sip-domain>
Certificate SAN: access.<sip-domain>, sip.<sip-domain>, conf.<sip-domain>
EKU:
server
Root certificate: public CA

Persistent Chat Server

FQDN:
Certificate SN:
Certificate SAN:
EKU:
Root certificate:

Directors

FQDN:
external Web Service FQDN
Certificate SN: external Web Service FQDN
Certificate SAN: external Web Service FQDN, lyncdiscover.<sip-domain>,
meet URL, dial-in URL, OwaExtWeb.<sip-domain>
EKU:
server
Root certificate: public CA

chatsrv.<ad-domain>
chatsrv.<ad-domain>
N/A
server, client
private CA

Director 1, Director 2
FQDN:
dir.<ad-domain>
Certificate SN: dir.<ad-domain>
Certificate SAN: dir.<ad-domain>, sipinternal.<sip-domain>, sip.<sip-domain>,
lyncdiscoverinternal.<sip-domain>, lyncdiscover.<sip-domain>,
admin URL, meet URL, dial-in URL
EKU:
server
Root certificate: private CA

FQDN:
Certificate SN:
Certificate SAN:
EKU:
Root certificate:

sba.<ad-domain>
sba.<ad-domain>
sba.<ad-domain>
server
private CA

Exchange UM Server
FQDN:
umsrv.<ad-domain>
Certificate SN:
umsrv.<ad-domain>
Certificate SAN: N/A
EKU:
server
Root certificate: private CA

Office Web Apps Server

FQDN:
Certificate SN:
Certificate SAN:
Certificate SAN:
EKU:
Root certificate:

OwaExtWeb.<sip-domain>
OwaExtWeb.<sip-domain>
wacsrv1.<ad-domain>
wacsrv2.<ad-domain>
server
private CA

2015 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at SfBdoc2015@microsoft.com.

Legend

CMS

SMB traffic
HTTPS traffic
External
firewall

Internal
firewall

All changes to this configuration data happen at

the Central Management store, eliminating outof-sync issues. Read-only copies of the data are
replicated to all servers in the topology,
including Edge Servers and Survivable Branch
Appliances.
The Active Directory Domain Services (AD DS)
are still used to store basic user information,
such as the user s SIP URI and phone number.
User policy information is stored in the Central
Management store. The use of Active Directory
Domain Services (AD DS) also provides
backward compatibility with earlier releases of
Lync Server.

To administer servers and services, you use

Skype for Business Server Management Shell or
the Skype for Business Server Control Panel,
which then configure the settings in the Central
Management store. The Central Management
Server, which runs on one Front End pool or one
Standard Edition server in your deployment,
replicates the configuration changes to all of the
servers in your deployment.

Direction of arrow indicates

which server initiates the
connection. Subsequent traffic is
bi-directional.

Install on Enterprise
Edition to provide high
availability.

Default (1433) or SQL

named instance

Enterprise Pool
(CMS master)

TCP:1433

HTTPS:4443

Back-end
SQL Server

Edge Pool
(CMS replica)

Front end Pool

(CMS replica)

SMB:445

The Central Management Store provides a

robust, schematized storage of the data needed
to define, set up, maintain, administer, describe,
and operate a Skype for Business Server
deployment. It also validates the data to ensure
configuration consistency.

Director
(CMS replica)

Mediation Pool
(CMS replica)
Standard
Edition Server
(CMS replica)

Branch Appliance
(CMS replica)

Active Directory
Domain Services

2015 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at SfBdoc2015@microsoft.com.

INTERNAL DNS CONFIGURATION

DNS TYPE VALUE

Enterprise Edition
Resolution
SRV
_sipinternaltls._tcp.<sip-domain> pool FQDN
A/CNAME lyncdiscoverinternal.<sip-domain> HLB FE Pool VIP
A
Pool FQDN
individual FE IPs
A
admin URL
HLB FE Pool VIP
A
meet URL
HLB FE Pool VIP
A
dial-in URL
HLB FE Pool VIP
A
internal Web Services FQDN
HLB FE Pool VIP
A
external Web Services FQDN
Reverse proxy public
IP address

Standard Edition
Resolution
pool FQDN
pool IP address
pool IP address
pool IP address
pool IP address
pool IP address
pool IP address
Reverse proxy public
IP address

PURPOSE
internal user access
internal AutoDiscover Service
Internal pool name
Lync Server Control Panel (LSCP)
Lync Server Web Service
Lync Server Web Service
Lync Server Web Service
Proxied to Lync Server Web Service

EXTERNAL DNS CONFIGURATION

DNS Type VALUE

RESOLUTION

PURPOSE

SRV
SRV
SRV
A
A
A
A
A/CNAME
A
A
A

Access Edge FQDN: access.<sip-domain>

Access Edge FQDN: access.<sip-domain>
Access Edge FQDN: access.<sip-domain>
Access Edge FQDN: access.<sip-domain>
Access Edge IP address
A/V Edge IP address
Conf Edge IP address
reverse proxy public IP address
reverse proxy public IP address
reverse proxy public IP address
reverse proxy public IP address

Federation and public IM connectivity

external user access
XMPP federation
locate Edge Server
Edge Server Access edge
Edge Server A/V edge
Edge Server Conf edge
external AutoDiscover Service
proxied to Lync Server Web Service
proxied to Lync Server Web Service
proxied to Lync Server Web Service

_sipfederationtls._tcp.<sip-domain>
_sip._tls.<sip-domain>
_xmpp-server._tcp.<sip-domain>
sip.<sip-domain>
Access Edge FQDN: access.<sip-domain>
A/V Edge FQDN: av.<sip-domain>
Conf Edge FQDN: conf.<sip-domain>
lyncdiscover.<sip-domain>
meet URL
dial-in URL
external Web Services FQDN

OWA
DNS TYPE VALUE
A
A

Office Web Apps Farm

Resolution
OWA internal URL HLB OWA VIP
OWA external URL Reverse proxy public
IP address

Office Web Apps

Server Resolution
OWA server IP
Reverse proxy
public IP address

PURPOSE
internal user access to PowerPoint Presentations
external user access to PowerPoint Presentations

2015 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at SfBdoc2015@microsoft.com.