Lync Server 2010 -...

Date post: 10-May-2018
© 2010 Microsoft Corporation. All rights reserved. Active Directory, Lync, MSN, and any associated logos are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other trademarks or trade names mentioned herein are the property of their respective owners.

PROTOCOL WORKLOADS

Each workload panel shows an external firewall, an internal firewall, and the connections between the Lync Server 2010 roles. The direction of an arrow indicates which server initiates the connection; subsequent traffic is bi-directional.

IM AND PRESENCE WORKLOAD

Roles on the panel: Reverse proxy, Edge Servers, Directors, Enterprise pool, Group Chat Server, Group Chat Compliance Server, Monitoring Server, Archiving Server, XMPP Gateway, Central Management Service, and the Address book & Group Chat file share. External parties: Federated Company, public IM providers (Yahoo!, MSN, AOL) and XMPP peers (Jabber, Gmail).

Connections shown:
- Access Edge - SIP/MTLS:5061
- Access Edge - SIP/TLS:443
- XMPP/TCP:5269
- HTTPS:443
- C3P/HTTPS:444
- SIP/MTLS:5061, SIP/MTLS, SIP/TLS:5061
- MSMQ (Monitoring Server, Archiving Server)
- SRV query (DNS)

Port number to service traffic assignment:
- 5062 - IM Conferencing Service

A/V AND WEB CONFERENCING WORKLOAD

Roles on the panel: Edge Servers, Directors, Enterprise pool, Monitoring Server, Reverse proxy, and the Meeting content + metadata + compliance file share.

Connections shown:
- Access Edge - SIP/TLS:443
- Web Conf Edge - PSOM/TLS:443
- A/V Edge - STUN/TCP:443, STUN/UDP:3478
- A/V Edge - SRTP:443,3478,50,000-59,999 (range of ports is configurable)
- SRTP/UDP:49152-65535 (range of ports is configurable)
- PSOM/TLS:8057, PSOM/MTLS:8057
- HTTPS:443 (used to download conferencing content)
- SIP/MTLS:5061, SIP/MTLS, SIP/TLS:5061
- MSMQ

Notes:
- Two inbound and two outbound unidirectional streams.
- Media codec varies on workload: RTAudio for audio, RTVideo for video.
- Codec varies per workload: G.722 or Siren for audio, RTVideo for video.
- Traffic goes directly to the Web Conferencing Service WITHOUT going through the pool's hardware load balancer.
- Traffic goes directly to the A/V Conferencing Service WITHOUT going through the pool's hardware load balancer.

Port number to service traffic assignment:
- 5063 - A/V Conferencing Service

ENTERPRISE VOICE WORKLOAD

Connectivity to:
- IP-PSTN gateway
- IP/PBX
- Direct SIP
- SIP trunk

Roles on the panel: Edge Servers, Directors, Enterprise pool, Mediation Server (optional), Exchange UM Server, Monitoring Server, Branch Appliance.

Connections shown:
- Access Edge - SIP/TLS:443
- A/V Edge - STUN/TCP:443, STUN/UDP:3478
- A/V Edge - SRTP:443,3478,50,000-59,999 (range of ports is configurable)
- STUN/TCP:443, STUN/UDP:3478
- SIP/TLS:5061, SIP/MTLS:5061, SIP/MTLS
- SIP/MTLS:5062 (MRAS traffic; optional)
- SIP/TCP:5060,5061 and SIP/TLS:5067 (Mediation Server)
- SRTP/RTCP:60,000-64,000 (range of ports is configurable)
- TURN/TCP:448,5080 (used by Policy Service; Branch Appliance)

Notes:
- Media codec varies per workload: RTAudio, G.711.
- SRTP consists of two unidirectional streams. RTCP traffic piggybacks on the SRTP stream.
- Media bypass: audio routed directly to gateway, bypassing the Mediation Server.

Port number to service traffic assignment:
- 5064 - Telephony Conferencing Service
- 5067 - Mediation Server Service
- 5071 - Response Group Service
- 5072 - Conferencing Attendant Service
- 5073 - Conferencing Announcement Service

APPLICATION SHARING WORKLOAD

Roles on the panel: Edge Servers, Directors, Enterprise pool, Monitoring Server, Reverse proxy.

Connections shown:
- Access Edge - SIP/TLS:443
- A/V Edge - SRTP:443,3478,50,000-59,999 (range of ports is configurable)
- STUN/TCP:443, STUN/UDP:3478
- HTTPS:443, HTTPS:4443
- SIP/TLS:5061, SIP/MTLS:5061
- SIP/MTLS:5062 (MRAS traffic)
- RDP/SRTP/TCP:1024-65535, RDP/SRTP/TCP:49152-65535

Notes:
- Peer-to-peer application sharing session.
- Two inbound and two outbound unidirectional streams.
- Callee checks policy service if call is allowed to establish.

Port number to service traffic assignment:
- 5065 - Application Sharing Conferencing Service

SIGN-IN PROCESSES

External user sign-in process:
1. Client resolves DNS SRV record _sip._tls.<sip-domain> to Edge Server.
2. Client connects to Edge Server.
3. Edge Server proxies connection to Director.
4. Director authenticates user and proxies connection to user's home pool.

Internal user sign-in process:
1. Client resolves DNS SRV record _sipinternaltls._tcp.<sip-domain> to Director.
2. Client connects to Director.
3. Director redirects client to user's home pool.

CENTRAL MANAGEMENT SERVICE

Roles: Central Management Store (CMS master); CMS replicas on Directors, Standard Edition Server, Enterprise pool, Mediation Server, and Edge Servers.

Connections shown:
- SMB:445 (SMB traffic)
- HTTPS:4443 (HTTPS traffic; Edge Servers)

Install on Enterprise Edition to provide high availability.

DNS CONFIGURATION

- Publish SRV record for _sipfederationtls._tcp.<sip-domain> that resolves to the Access Edge FQDN, accesssrv.<sip-domain>.
- Publish SRV record for _sip._tls.<sip-domain> that resolves to the Access Edge FQDN. This is required for federated and anonymous connections to Web conferences.
- Publish SRV record for _xmpp-server._tcp.<sip-domain> that resolves to the gateway NIC of the XMPP gateway.
- Publish A record for the Meet Simple URL that resolves the URL to the IP address of the Director, if one is deployed, or of the pool.
- Publish A record for the Dial-In Simple URL that resolves the URL to the IP address of the Director, if one is deployed, or of the pool.
- Publish A record for the Access Edge FQDN, accesssrv.<sip-domain>, that resolves to the Access Edge public IP address.
- Publish A record for the A/V Edge FQDN, av.<sip-domain>, that resolves to the A/V Edge public IP address.
- Publish A record for the Conferencing Edge FQDN, conf.<sip-domain>, that resolves to the Conferencing Edge public IP address.
- Publish A record for the internal pool to the reverse proxy FQDN, that resolves to the public IP address of the reverse proxy.

CERTIFICATE REQUIREMENTS

Edge Server 1, Edge Server 2
- Internal FQDN: intsrv.<ad-domain>. Certificate SN: intsrv.<ad-domain>. Certificate SAN: (not listed). EKU: server. Root certificate: private CA.
- Access FQDN: accesssrv.<sip-domain>. Certificate SN: accesssrv.<sip-domain>. Certificate SAN: accesssrv.<sip-domain>, sip.<sip-domain>. EKU: server, client*. Root certificate: public CA.
- Conference FQDN: N/A. Certificate SN: conf.<sip-domain>. Certificate SAN: N/A. EKU: server. Root certificate: public CA.
- A/V FQDN: av.<sip-domain>. Certificate SN: av.<sip-domain>. Certificate SAN: N/A. EKU: server. Root certificate: private CA.
* Required only for public IM connectivity with AIM.

Directors (Director 1, Director 2)
- FQDN: dir.<ad-domain>. Certificate SN: dir.<ad-domain>. Certificate SAN: dir.<ad-domain>, sipinternal.<sip-domain>, sip.<sip-domain>, meet.<sip-domain>, dialin.<sip-domain>. EKU: server. Root certificate: private CA.

Enterprise pool (Front End Server 1, Front End Server 2)
- FQDN: pool.<ad-domain>. Certificate SN: pool.<ad-domain>. Certificate SAN: pool.<ad-domain>, sip.<sip-domain>, meet.<sip-domain>, dialin.<sip-domain>. EKU: server. Root certificate: private CA.

Mediation Server
- FQDN: medsrv.<ad-domain>. Certificate SN: medsrv.<ad-domain>. Certificate SAN: N/A. EKU: server. Root certificate: private CA.

Branch Appliance
- FQDN: sba.<ad-domain>. Certificate SN: sba.<ad-domain>. Certificate SAN: sba.<ad-domain>. EKU: server. Root certificate: private CA.

XMPP Gateway
- FQDN: xmppsrv.<sip-domain> (1). Certificate SN: xmppsrv.<sip-domain>. Certificate SAN: N/A. EKU: server. Root certificate: private CA.
- FQDN: xmpp.<sip-domain> (2). Certificate SN: xmpp.<sip-domain>. Certificate SAN: N/A. EKU: server. Root certificate: public CA.
(1) This FQDN is for connectivity to internal Edge Servers. (2) This FQDN is for connectivity to external XMPP gateways.

Group Chat Server
- FQDN: chatsrv.<ad-domain>. Certificate SN: chatsrv.<ad-domain>. Certificate SAN: N/A. EKU: server, client. Root certificate: private CA.

Exchange UM Server
- FQDN: umsrv.<ad-domain>. Certificate SN: umsrv.<ad-domain>. Certificate SAN: N/A. EKU: server. Root certificate: private CA.

LEGEND

Traffic types: HTTPS traffic; SIP traffic (signaling); SIP traffic (signaling and IM); RTP/SRTP traffic (A/V Conferencing); PSOM traffic (Web Conferencing); XMPP traffic; MSMQ traffic; RDP/SRTP traffic; SMB traffic; Call Admission Control (CAC) traffic; WAN connection; Active Directory Domain Services.

Clients: Attendant Console, Lync Phone Edition, Lync Group Chat, Lync Web App.

Direction of arrow indicates which server initiates the connection. Subsequent traffic is bi-directional.

General notes:
- If a client connects on port 80, it gets redirected to port 443.
- HTTPS:443 is used to download the address book and updates.
- Ports to be load balanced by the HLB: 443, 4443, 5061, and 135 only if SIP traffic is load balanced by the HLB.

Diagram v5.5. Author: Rui Maximo. Editor: Kelly Fuller Blue. Designer: Ken Circeo. Reviewers: Jens Trier Rasmussen, Paul Brombley, Doug Lawty, Stefan Plizga, Jeff Colvin. http://twitter.com/DrRez

LEARN MORE
http://technet.microsoft.com/lync
http://go.microsoft.com/fwlink/?LinkId=204623
http://go.microsoft.com/fwlink/?LinkId=204593
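As an added example, not part of the poster and not Microsoft tooling: a small Python checker for the external DNS records the DNS Configuration list calls for, together with the SRV lookup that is step 1 of the external user sign-in process. Everything here is constructed: contoso.example stands in for <sip-domain>, the zone data is made up, and the expected SRV ports (443, 5061, 5269) are taken from the Access Edge and XMPP Gateway labels on the IM and Presence panel. The reverse proxy A record is left out because the poster does not name that FQDN. The check catches the misconfigurations that break sign-in or federation silently: an SRV that points at the wrong Edge role, an SRV target with no A record, and an unpublished simple URL.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed placeholder for the poster's <sip-domain>; not a real domain.
SIP_DOMAIN = "contoso.example"


@dataclass
class Zone:
    """Minimal in-memory stand-in for the public zone (constructed, no network)."""
    a: dict[str, str] = field(default_factory=dict)                 # FQDN -> IPv4
    srv: dict[str, tuple[str, int]] = field(default_factory=dict)   # SRV name -> (target FQDN, port)


# SRV records the poster says to publish: the FQDN each must resolve to and the
# port shown on the matching Edge/gateway listener (SIP/TLS:443, SIP/MTLS:5061, XMPP/TCP:5269).
REQUIRED_SRV = {
    f"_sip._tls.{SIP_DOMAIN}": (f"accesssrv.{SIP_DOMAIN}", 443),
    f"_sipfederationtls._tcp.{SIP_DOMAIN}": (f"accesssrv.{SIP_DOMAIN}", 5061),
    f"_xmpp-server._tcp.{SIP_DOMAIN}": (f"xmpp.{SIP_DOMAIN}", 5269),
}

# A records the poster says to publish: Edge FQDNs and the Meet / Dial-In simple URLs.
REQUIRED_A = [
    f"accesssrv.{SIP_DOMAIN}", f"av.{SIP_DOMAIN}", f"conf.{SIP_DOMAIN}",
    f"meet.{SIP_DOMAIN}", f"dialin.{SIP_DOMAIN}",
]


def check_external_dns(zone: Zone) -> list[str]:
    """Return a list of problems (empty means the zone satisfies the poster's list).
    Besides presence, verify each SRV points at the FQDN the poster names, uses the
    expected port, and that its target has an A record (a dangling target breaks sign-in)."""
    problems: list[str] = []
    for name, (want_target, want_port) in REQUIRED_SRV.items():
        rec = zone.srv.get(name)
        if rec is None:
            problems.append(f"missing SRV {name}")
            continue
        target, port = rec
        if target != want_target:
            problems.append(f"SRV {name} -> {target}, expected {want_target}")
        if port != want_port:
            problems.append(f"SRV {name} port {port}, expected {want_port}")
        if target not in zone.a:
            problems.append(f"SRV {name} target {target} has no A record")
    for name in REQUIRED_A:
        if name not in zone.a:
            problems.append(f"missing A {name}")
    return problems


def external_signin_endpoint(zone: Zone) -> tuple[str, str, int] | None:
    """Step 1 of the poster's external sign-in: follow _sip._tls.<sip-domain> to the
    Edge Server. Returns (Edge FQDN, IP, port), or None if the chain breaks."""
    rec = zone.srv.get(f"_sip._tls.{SIP_DOMAIN}")
    if rec is None:
        return None
    target, port = rec
    ip = zone.a.get(target)
    if ip is None:
        return None
    return target, ip, port


def sample_zones() -> tuple[Zone, Zone]:
    """Two constructed zones: one correct, one with typical mistakes."""
    good = Zone(
        a={
            f"accesssrv.{SIP_DOMAIN}": "203.0.113.10",
            f"av.{SIP_DOMAIN}": "203.0.113.11",
            f"conf.{SIP_DOMAIN}": "203.0.113.12",
            f"meet.{SIP_DOMAIN}": "203.0.113.20",
            f"dialin.{SIP_DOMAIN}": "203.0.113.20",
            f"xmpp.{SIP_DOMAIN}": "203.0.113.30",
        },
        srv={
            f"_sip._tls.{SIP_DOMAIN}": (f"accesssrv.{SIP_DOMAIN}", 443),
            f"_sipfederationtls._tcp.{SIP_DOMAIN}": (f"accesssrv.{SIP_DOMAIN}", 5061),
            f"_xmpp-server._tcp.{SIP_DOMAIN}": (f"xmpp.{SIP_DOMAIN}", 5269),
        },
    )
    # Mistakes: the federation SRV points at the A/V Edge, the sign-in SRV target
    # has no A record, and the Dial-In simple URL was never published.
    bad = Zone(
        a={
            f"av.{SIP_DOMAIN}": "203.0.113.11",
            f"conf.{SIP_DOMAIN}": "203.0.113.12",
            f"meet.{SIP_DOMAIN}": "203.0.113.20",
            f"xmpp.{SIP_DOMAIN}": "203.0.113.30",
        },
        srv={
            f"_sip._tls.{SIP_DOMAIN}": (f"accesssrv.{SIP_DOMAIN}", 443),
            f"_sipfederationtls._tcp.{SIP_DOMAIN}": (f"av.{SIP_DOMAIN}", 5061),
            f"_xmpp-server._tcp.{SIP_DOMAIN}": (f"xmpp.{SIP_DOMAIN}", 5269),
        },
    )
    return good, bad


if __name__ == "__main__":
    good, bad = sample_zones()
    print("good zone:", check_external_dns(good) or "OK")
    print("external sign-in reaches:", external_signin_endpoint(good))
    for problem in check_external_dns(bad):
        print("bad zone:", problem)
```

To run this against a live zone, replace the constructed Zone with one filled from real SRV and A lookups; the checks themselves do not change. The internal record, _sipinternaltls._tcp.<sip-domain> resolving to the Director, can be validated the same way against the internal zone.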