Diagram v6.9 (@DrRez): Lync Server 2013 protocol workloads, ports, DNS and certificate requirements

Direction of arrow indicates which server initiates the connection. Subsequent traffic is bi-directional.
Traffic types shown in this section: SIP traffic (signaling and IM), XMPP traffic, HTTPS traffic, MSMQ traffic, CLS traffic.

IM AND PRESENCE

Internal Lync client resolution process:
1. lyncdiscoverinternal.<sip-domain>
2. lyncdiscover.<sip-domain>
3. _sipinternaltls._tcp.<sip-domain>
4. _sipinternal._tcp.<sip-domain>
5. sipinternal.<sip-domain>
6. sip.<sip-domain>

External user sign-in process:
1. Client discovers Edge Server:
   a. lyncdiscoverinternal.<sip-domain>
   b. lyncdiscover.<sip-domain>
   c. _sipinternaltls._tcp.<sip-domain>
   d. _sipinternal._tcp.<sip-domain>
   e. _sip._tls.<sip-domain>
   f. sipinternal.<sip-domain>
   g. sip.<sip-domain>
   h. sipexternal.<sip-domain>
2. Client connects to Edge Server (Access Edge - SIP/TLS:443).
3. Edge Server proxies connection to Director (SIP/MTLS:5061).
4. Director authenticates user and proxies connection to user's home pool (SIP/MTLS:5061).

Lync Web Services: the client connects on HTTPS:443; the reverse proxy publishes the pool's Web Services externally and forwards to HTTPS:4443 on the Director or pool. This port is used to connect to Lync Web Services:
- download the Address Book
- connect to Address Book Web query URL
- provide distribution list expansion
- download meeting content
- connect to the Mobility Service
- connect to the AutoDiscover Service
- connect to Dial-in URL
- connect to Lync Web App Server
- connect to CertProvisioningService

Reverse proxy: publish rule for port 4443 to set forward host header to true. This ensures the original URL is forwarded.
Director redirects Web traffic to the destination pool's Web Service.

Ports to load balance by HLB (hardware load balancer):
- 80
- 8080
- 443
- 4443
- 5061 [can use DNS load balancing]

Connections shown for IM and presence:
- Lync client -> Front End pool: SIP/TLS:5061; HTTPS:443 (Lync Web Services)
- External Lync client -> Access Edge: SIP/TLS:443
- External Lync client -> reverse proxy: HTTPS:443; reverse proxy -> Directors / Front End pool: HTTPS:4443
- Edge Pool (internal edge) <-> Directors and Front End pool: SIP/MTLS:5061
- Directors <-> Front End pool: SIP/MTLS:5061
- Front End pool (XMPP gateway) -> Edge Pool: XMPP/MTLS:23456; XMPP Access Edge (external, XMPP federation): XMPP/TCP:5269
- Access Edge (external): Lync federation and Skype federation: SIP/MTLS:5061
- Front End pool: C3P/HTTPS:444
- Front End pool -> Persistent Chat Server: SIP/MTLS:5041; Persistent Chat compliance: MSMQ
- Front End pool -> Back-end SQL Server
- Front End pool -> Active Directory Domain Services
- Front End pool -> Address book and Persistent Chat file share
- Front End pool, Directors and Edge Pool -> Centralized Logging: CLS/MTLS:50001-50003
- DirSync: DSML/HTTPS:443
- ADFS Service and ADFS Proxy (single sign-on, SSO): SAML/HTTPS:443

Port number to service traffic assignment:
- 5062 - IM Conferencing Service
- 5086 - Internal Mobility Service
- 5087 - External Mobility Service

DNS CONFIGURATION
http://technet.microsoft.com/en-us/library/gg398758.aspx

INTERNAL DNS CONFIGURATION

DNS TYPE | VALUE                               | RESOLUTION       | PURPOSE
SRV      | _sipinternaltls._tcp.<sip-domain>   | pool FQDN        | internal user access
A/CNAME  | lyncdiscoverinternal.<sip-domain>   | pool IP address  | internal AutoDiscover Service
A        | admin URL                           | pool IP address  | Lync Server Control Panel (LSCP)
A        | meet URL                            | pool IP address  | Lync Server Web Service
A        | dial-in URL                         | pool IP address  | Lync Server Web Service
A        | internal Web Services FQDN          | pool IP address  | Lync Server Web Service

EXTERNAL DNS CONFIGURATION

DNS TYPE | VALUE                               | RESOLUTION                             | PURPOSE
SRV      | _sipfederationtls._tcp.<sip-domain> | Access Edge FQDN: access.<sip-domain>  | Federation and public IM connectivity
SRV      | _sip._tls.<sip-domain>              | Access Edge FQDN: access.<sip-domain>  | external user access
SRV      | _xmpp-server._tcp.<sip-domain>      | Access Edge FQDN: access.<sip-domain>  | XMPP federation
A        | sip.<sip-domain>                    | Access Edge FQDN: access.<sip-domain>  | locate Edge Server
A        | Access Edge FQDN: access.<sip-domain> | Access Edge IP address               | Edge Server Access edge
A        | A/V Edge FQDN: av.<sip-domain>      | A/V Edge IP address                    | Edge Server A/V edge
A        | Conf Edge FQDN: conf.<sip-domain>   | Conf Edge IP address                   | Edge Server Conf edge
A/CNAME  | lyncdiscover.<sip-domain>           | reverse proxy public IP address        | external AutoDiscover Service
A        | meet URL                            | reverse proxy public IP address        | proxied to Lync Server Web Service
A        | dial-in URL                         | reverse proxy public IP address        | proxied to Lync Server Web Service
A        | external Web Services FQDN          | reverse proxy public IP address        | proxied to Lync Server Web Service

External firewall / Internal firewall
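The following script is an added example and is not part of the poster. It walks the client discovery order listed above for a SIP domain, resolves each record, and checks that the resolved target answers on the port that record implies (the SRV port for SRV records, 443 for the AutoDiscover and sipexternal names, 5061 for sipinternal and sip). It assumes Windows 8 / Server 2012 or later for Resolve-DnsName and Test-NetConnection; the SIP domain is a parameter you supply.

```powershell
# Added example (not from the poster): walk the Lync client discovery order for a
# SIP domain and report where each name lands and whether the port is reachable.
# Assumes the DnsClient and NetTCPIP modules (Windows 8 / Server 2012 or later).
param(
    [Parameter(Mandatory)][string]$SipDomain,
    [switch]$External   # include the external-only records (_sip._tls, sipexternal)
)

# Discovery order as listed on the poster. SRV records carry their own target and
# port; A/CNAME names are tested on the port the corresponding service listens on.
$order = @(
    @{ Name = "lyncdiscoverinternal.$SipDomain"; Type = 'A';   Port = 443   },
    @{ Name = "lyncdiscover.$SipDomain";         Type = 'A';   Port = 443   },
    @{ Name = "_sipinternaltls._tcp.$SipDomain"; Type = 'SRV'; Port = $null },
    @{ Name = "_sipinternal._tcp.$SipDomain";    Type = 'SRV'; Port = $null }
)
if ($External) {
    $order += @{ Name = "_sip._tls.$SipDomain"; Type = 'SRV'; Port = $null }
}
$order += @{ Name = "sipinternal.$SipDomain"; Type = 'A'; Port = 5061 }
$order += @{ Name = "sip.$SipDomain";         Type = 'A'; Port = 5061 }
if ($External) {
    $order += @{ Name = "sipexternal.$SipDomain"; Type = 'A'; Port = 443 }
}

foreach ($rec in $order) {
    # -DnsOnly skips the hosts file and LLMNR/NetBIOS so the answer reflects DNS alone
    $answer = Resolve-DnsName -Name $rec.Name -Type $rec.Type -DnsOnly -ErrorAction SilentlyContinue
    if (-not $answer) { "{0,-45} no record" -f $rec.Name; continue }

    if ($rec.Type -eq 'SRV') {
        # Pick the record a client would use: lowest priority, then highest weight
        $srv = $answer | Where-Object { $_.Type -eq 'SRV' } |
               Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
               Select-Object -First 1
        $target = $srv.NameTarget
        $port   = $srv.Port
    } else {
        # A or CNAME: connect to the name itself on the service port
        $target = $rec.Name
        $port   = $rec.Port
    }

    $open = (Test-NetConnection -ComputerName $target -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    "{0,-45} -> {1}:{2}  tcp {3}" -f $rec.Name, $target, $port, $(if ($open) { 'open' } else { 'CLOSED' })
}
```

Run it from an internal client as `.\Resolve-LyncDiscovery.ps1 -SipDomain contoso.com` and from an Internet-connected host with `-External`; a record that resolves but shows CLOSED points at a firewall or load-balancer gap rather than a DNS one, and an SRV whose target does not match the names on the pool or Edge certificate will fail TLS even though this TCP test passes.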

CERTIFICATE REQUIREMENTS

Front End Server 1, Front End Server 2
Enterprise pool FQDN: pool.<ad-domain>
Certificate SN: pool.<ad-domain>
Certificate SAN: pool.<ad-domain>, fe.<ad-domain>, sip.<sip-domain>, lyncdiscoverinternal.<sip-domain>, lyncdiscover.<sip-domain>, admin URL, meet URL, dial-in URL
EKU: server
Root certificate: private CA

Director 1, Director 2
FQDN: dir.<ad-domain>
Certificate SN: dir.<ad-domain>
Certificate SAN: dir.<ad-domain>, sipinternal.<sip-domain>, sip.<sip-domain>, lyncdiscoverinternal.<sip-domain>, lyncdiscover.<sip-domain>, admin URL, meet URL, dial-in URL
EKU: server
Root certificate: private CA

Persistent Chat Server
FQDN: chatsrv.<ad-domain>
Certificate SN: chatsrv.<ad-domain>
Certificate SAN: N/A
EKU: server, client
Root certificate: private CA

Mediation Server
FQDN: medsrv.<ad-domain>
Certificate SN: medsrv.<ad-domain>
Certificate SAN: N/A
EKU: server
Root certificate: private CA

Branch Appliance
FQDN: sba.<ad-domain>
Certificate SN: sba.<ad-domain>
Certificate SAN: sba.<ad-domain>
EKU: server
Root certificate: private CA

Office Web Apps Server
FQDN: wacsrv.<ad-domain>
Certificate SN: wacsrv.<ad-domain>
Certificate SAN: wacsrv.<ad-domain>
EKU: server
Root certificate: private CA

Exchange UM Server
FQDN: umsrv.<ad-domain>
Certificate SN: umsrv.<ad-domain>
Certificate SAN: N/A
EKU: server
Root certificate: private CA

Reverse proxy
FQDN: external Web Service FQDN
Certificate SN: external Web Service FQDN
Certificate SAN: external Web Service FQDN, lyncdiscover.<sip-domain>, meet URL, dial-in URL, wacsrv.<ad-domain>
EKU: server
Root certificate: public CA
If client connects on port 80, it gets redirected to port 443.

Edge Server 1, Edge Server 2
Internal edge
FQDN: internal.<ad-domain>
Certificate SN: internal.<ad-domain>
Certificate SAN:
EKU: server
Root certificate: private CA
External edge (Access edge, Web Conf edge, A/V edge)
FQDN: access.<sip-domain>
Certificate SN: access.<sip-domain>
Certificate SAN: access.<sip-domain>, sip.<sip-domain>, conf.<sip-domain>
EKU: server
Root certificate: public CA

A/V AND WEB CONFERENCING

Traffic types shown: SIP traffic (signaling), HTTPS traffic, RTP/SRTP traffic (A/V Conferencing), PSOM traffic (Web Conferencing), ICE traffic.

Codec varies per workload:
- G.722 or Siren for audio
- H264SVC for video [RTVideo for downlevel clients]

- Peer-to-peer A/V session: SRTP/UDP:1024-65535. Two inbound and two outbound unidirectional streams.
- Lync client -> Audio/Video Conferencing Service: SRTP/UDP:49152-65535. Traffic goes directly to the Audio/Video Conferencing Service WITHOUT going through the pool's hardware load balancer.
- Lync client -> Web Conferencing Service: PSOM/TLS:8057.
- Lync client -> Front End pool: SIP/TLS:5061; HTTPS:443. HTTPS:443 is used to download conferencing content (meeting content + metadata + compliance file share).
- Office Web Apps Server: HTTPS:443 (Lync Web App and Front End pool).
- Directors <-> Front End pool: SIP/MTLS:5061.
- Reverse proxy: HTTPS:443 external, HTTPS:4443 to the Director or pool.
- Edge Pool (external): Access Edge - SIP/TLS:443; Web Conf Edge - PSOM/TLS:443; A/V Edge - STUN/TCP:443, UDP:3478; A/V Edge - SRTP:443,3478,[TCP:50,000-59,999]. Range of ports is configurable.
- Front End pool -> Edge Pool (internal): SIP/MTLS:5061; PSOM/MTLS:8057; SIP/MTLS:5062 (MRAS traffic); SRTP, ICE: STUN/TCP:443, UDP:3478; A/V Edge - SRTP:443,[50,000-59,999].

External firewall notes:
- TCP:443 must be open inbound.
- UDP:3478 must be open both inbound and outbound.
- TCP port range 50,000-59,999 only needs to be open outbound.
- TCP/UDP port range 50,000-59,999 needs to be open inbound and outbound to the Internet for federation with partners running Office Communications Server 2007.

APPLICATION SHARING

Traffic types shown: SIP traffic, RDP/SRTP traffic, HTTPS traffic, ICE traffic.

- Peer-to-peer application sharing session: RDP/SRTP/TCP:1024-65535.
- Lync client -> Application Sharing Conferencing Service: RDP/SRTP/TCP:49152-65535.
- Lync client -> Front End pool: SIP/TLS:5061; HTTPS:443.
- Lync client -> A/V Edge: SRTP, ICE: STUN/TCP:443; A/V Edge - SRTP:443,[50,000-59,999]. TCP port range 50,000-59,999 only needs to be open outbound.
- Front End pool -> Edge Pool: SIP/MTLS:5061; SIP/MTLS:5062 (MRAS traffic); SRTP, ICE: STUN/TCP:443.
- Edge Pool <-> Directors: SIP/MTLS:5061.
- Reverse proxy: HTTPS:443 external, HTTPS:4443 to the Director or pool.

Port number to service traffic assignment:
- 5065 - Application Sharing Conferencing Service

External network / Internal network
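The following script is an added example and is not part of the poster. It takes a certificate from the local machine store and checks it against the names, EKU and expected CA type listed above for one role, which is the check to run before assigning a certificate in the Deployment Wizard or renewing one. The role lists are transcribed from the certificate requirements; the thumbprint, the SIP and AD domains and the simple-URL hostnames (admin, meet, dialin) and external Web Services FQDN are assumptions to replace with your own values. It relies on the DnsNameList and EnhancedKeyUsageList extended properties that PowerShell 3.0 and later add to Cert: provider objects.

```powershell
# Added example, not part of the poster: verify that a certificate in the local machine
# store carries every name the poster lists for one server role, has the server-auth
# EKU, and chains to the expected kind of CA. Requires PowerShell 3.0+.
param(
    [Parameter(Mandatory)][string]$Thumbprint,
    [Parameter(Mandatory)][ValidateSet('FrontEnd','Director','EdgeInternal','EdgeExternal','ReverseProxy')]
    [string]$Role,
    [string]$SipDomain  = 'contoso.com',        # assumption
    [string]$AdDomain   = 'corp.contoso.com',   # assumption
    [string]$ExtWebFqdn = 'webext.contoso.com'  # assumption: external Web Services FQDN
)

# Simple URL hostnames; the poster calls them admin URL, meet URL and dial-in URL (assumed values)
$adminUrl  = "admin.$SipDomain"
$meetUrl   = "meet.$SipDomain"
$dialinUrl = "dialin.$SipDomain"

# Subject name plus SANs per role, transcribed from the certificate requirements
$required = switch ($Role) {
    'FrontEnd'     { "pool.$AdDomain", "fe.$AdDomain", "sip.$SipDomain", "lyncdiscoverinternal.$SipDomain", "lyncdiscover.$SipDomain", $adminUrl, $meetUrl, $dialinUrl }
    'Director'     { "dir.$AdDomain", "sipinternal.$SipDomain", "sip.$SipDomain", "lyncdiscoverinternal.$SipDomain", "lyncdiscover.$SipDomain", $adminUrl, $meetUrl, $dialinUrl }
    'EdgeInternal' { "internal.$AdDomain" }
    'EdgeExternal' { "access.$SipDomain", "sip.$SipDomain", "conf.$SipDomain" }
    'ReverseProxy' { $ExtWebFqdn, "lyncdiscover.$SipDomain", $meetUrl, $dialinUrl, "wacsrv.$AdDomain" }
}
# Only the Edge external and reverse proxy certificates come from a public CA
$publicCa = $Role -in 'EdgeExternal', 'ReverseProxy'

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

# Names the certificate is valid for: the subject CN plus every DNS entry in the SAN extension
$cn    = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN=', ''
$names = @($cn) + @($cert.DnsNameList | ForEach-Object { $_.Unicode }) |
         ForEach-Object { $_.ToLowerInvariant() } | Select-Object -Unique

$missing = $required | Where-Object { $_.ToLowerInvariant() -notin $names }

# Every role on the poster needs the server authentication EKU (1.3.6.1.5.5.7.3.1)
$serverAuth = [bool]($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' })

"Role:        $Role"
"Subject:     $($cert.Subject)"
"Issuer:      $($cert.Issuer)  (expected: $(if ($publicCa) { 'public' } else { 'private' }) CA)"
"Chain valid: $($cert.Verify())  Expires: $($cert.NotAfter)  Server auth EKU: $serverAuth"
if ($missing) { "MISSING names:"; $missing | ForEach-Object { "  $_" } } else { "All required names present." }
```

Usage: `.\Test-LyncCertificate.ps1 -Thumbprint <thumbprint> -Role EdgeExternal -SipDomain contoso.com`. The CN is counted as a valid name because a client without SAN support falls back to it, but the Edge external and reverse proxy certificates should still carry every name in the SAN. The Persistent Chat Server, which the poster lists with both the server and client EKUs, would need a second ObjectId check (1.3.6.1.5.5.7.3.2) if you extend the role list.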

CMS (CENTRAL MANAGEMENT STORE)

Traffic types shown: SMB traffic, HTTPS traffic.

- Install on Enterprise Edition to provide high availability.
- Enterprise Pool holds the CMS master; Directors, Edge Pool, Mediation Pool, Standard Edition Server and Branch Appliance hold CMS replicas.
- Enterprise Pool (CMS master) -> Back-end SQL Server: TCP:1433. Default (1433) or SQL named instance.
- Replication to internal replicas: SMB:445 (file share).
- Replication to Edge Pool (CMS replica): HTTPS:4443.

ENTERPRISE VOICE

Traffic types shown: SIP traffic, RTP/SRTP traffic, Call Admission Control (CAC) traffic, ICE traffic.

Media codec varies per workload:
- RTAudio
- G.711
- Siren
- G.722

Connectivity to:
- IP-PSTN gateway
- IP/PBX
- Direct SIP
- SIP trunk

- Mediation Pool (optional): Front End pool <-> Mediation Pool: SIP/MTLS:5061.
- Mediation Server <-> IP-PSTN gateway / IP/PBX / SIP trunk: SIP/TLS:5061,5070; SIP/TCP:5060,5061.
- Media bypass: audio routed directly to gateway, bypassing Mediation Server.
- SRTP consists of two unidirectional streams. RTCP traffic piggybacks on the SRTP stream.
- SRTP/RTCP port ranges shown on the voice media legs: 30,000-39,999; 49,152-57,500; 60,000-64,000.
- Call Admission Control: TURN/TCP:448 (Bandwidth Policy Service). If no Edge Server is defined in the topology, callee checks the Front End Server's Bandwidth Policy Service.
- Edge Pool (external): Access Edge - SIP/TLS:443; A/V Edge - ICE: STUN/TCP:443, STUN/UDP:3478; TURN/TCP:443, UDP:3478; A/V Edge - SRTP:443,3478,[TCP:50,000-59,999].
- Front End pool -> Edge Pool (internal): SIP/MTLS:5061; SIP/MTLS:5062 (MRAS traffic); SRTP, ICE: STUN/TCP:443, UDP:3478.
- Edge Pool <-> Directors: SIP/MTLS:5061.
- Exchange UM and Enterprise Voice applications connect to the Front End pool over SIP/MTLS.

External firewall notes:
- TCP:443 must be open inbound.
- UDP:3478 must be open both inbound and outbound.
- TCP port range 50,000-59,999 only needs to be open outbound.
- TCP/UDP port range 50,000-59,999 needs to be open inbound and outbound to the Internet for federation with partners running Office Communications Server 2007.

Branch Appliance (SBA):
- SBA WAN connection to Enterprise Pool: SIP/MTLS:5061, 5071; HTTPS:444.
- For federation, SBA connects directly with Director. If no Director is available, federation traffic goes directly to Edge Server.
- Lync client automatically registers with the pool if the Branch Appliance becomes unavailable.

Port number to service traffic assignment:
- 5064 - Telephony Conferencing Service
- 5067 - Mediation Server Service
- 5071 - Response Group Service
- 5072 - Conferencing Attendant Service
- 5073 - Conferencing Announcement Service
- 5075 - Call Park Service

LEGEND

Clients: Lync 2013, Lync Phone, Lync Web App, Lync for Mac, Lync Mobile.
External firewall / Internal firewall; External network / Internal network.

© 2013 Microsoft Corporation. All rights reserved. Active Directory, Lync, Skype, and any associated logos are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other trademarks or trade names mentioned herein are the property of their respective owners.
