© 2010 Microsoft Corporation. All rights reserved. Active Directory, Lync, MSN, and any associated logos are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other trademarks or trade names mentioned herein are the property of their respective owners.
IM and Presence Workload (diagram; labels recovered from the figure)

Servers and endpoints shown: External firewall, Internal firewall, Reverse proxy, Access Edge, Federated Company, Yahoo!, MSN, AOL, Jabber, Gmail, Group Chat Compliance Server.

Connections shown:
- C3P/HTTPS:444
- SIP/MTLS:5061
- XMPP/TCP:5269
- Access Edge - SIP/MTLS:5061
- HTTPS:443
- Access Edge - SIP/TLS:443
- SIP/TLS:5061
- SRV query
External user sign-in process:
1. Client resolves DNS SRV record _sip._tls.<sip-domain> to Edge Server.
2. Client connects to Edge Server.
3. Edge Server proxies connection to Director.
4. Director authenticates user and proxies connection to user’s home pool.
Connections shown: HTTPS:443, SIP/TLS:5061, MSMQ, SIP/MTLS, SIP/MTLS:5061.

Port number to service traffic assignment:
5062 - IM Conferencing Service

Servers shown: Monitoring Server, Group Chat Server, Edge Servers, XMPP Gateway, Directors, Archiving Server, Enterprise pool, Address book & Group Chat file share, Central Management Service.
A/V and Web Conferencing Workload (diagram; labels recovered from the figure)

Servers shown: Edge Servers, External firewall, Internal firewall, Directors, Monitoring Server.

Connections shown:
- HTTPS:443
- SIP/MTLS:5061
- SIP/TLS:5061
- A/V Edge - STUN/TCP:443, STUN/UDP:3478
- A/V Edge – SRTP:443,3478,50,000-59,999
- SRTP/UDP:49152-65535 (Range of ports is configurable.)
- PSOM/TLS:8057
- HTTPS:443 (HTTPS:443 is used to download conferencing content.)
- Web Conf Edge - PSOM/TLS:443
- Access Edge - SIP/TLS:443
- PSOM/MTLS:8057
- SIP/MTLS
- MSMQ

Notes:
Two inbound and two outbound unidirectional streams.
Media codec varies on workload:
- RTAudio for audio
- RTVideo for video
Traffic goes directly to Web Conferencing Service WITHOUT going through the pool’s hardware load balancer.
Traffic goes directly to A/V Conferencing Service WITHOUT going through the pool’s hardware load balancer.
Codec varies per workload:
- G.722 or Siren for audio
- RTVideo for video
Protocol Workloads

LEGEND

DNS Configuration
- Publish SRV record for _sipfederationtls._tcp.<sip-domain>, that resolves to the Access Edge FQDN, accesssrv.<sip-domain>.
- Publish SRV record for _sip._tls.<sip-domain>, that resolves to the Access Edge FQDN. This is required for federated and anonymous connections to Web conferences.
- Publish SRV record for _xmpp-server._tcp.<sip-domain>, that resolves to the gateway NIC of the XMPP gateway.
- Publish A record for Meet Simple URL that resolves the URL to the IP address of the Director, if one is deployed, or pool.
- Publish A record for Dial-In Simple URL that resolves the URL to the IP address of the Director, if one is deployed, or pool.
- Publish A record for Access Edge FQDN, accesssrv.<sip-domain>, that resolves to the Access Edge public IP address.
- Publish A record for A/V Edge FQDN, av.<sip-domain>, that resolves to the A/V Edge public IP address.
- Publish A record for Conferencing Edge FQDN, conf.<sip-domain>, that resolves to the Conferencing Edge public IP address.
- Publish A record for the reverse proxy FQDN (through which the internal pool is reached), that resolves to the public IP address of the reverse proxy.
Central Management Service (diagram; labels recovered from the figure)

Servers shown: External firewall, Internal firewall, Directors (CMS replica), Standard Edition Server (CMS replica), Central Management Store (CMS master), Enterprise pool (CMS replica), Mediation Server (CMS replica), Edge Servers (CMS replica).

Connections shown: SMB traffic, SMB:445, HTTPS traffic, HTTPS:4443.

Direction of arrow indicates which server initiates the connection. Subsequent traffic is bi-directional.

Install on Enterprise Edition to provide high availability.

Diagram v5.5. Author: Rui Maximo — Editor: Kelly Fuller Blue — Designer: Ken Circeo
Reviewers: Jens Trier Rasmussen, Paul Brombley, Doug Lawty, Stefan Plizga, Jeff Colvin
http://twitter.com/DrRez
LEARN MORE
http://go.microsoft.com/fwlink/?LinkId=204623

Enterprise Voice Workload (diagram; labels recovered from the figure)

Servers shown: External firewall, Internal firewall, Edge Servers, Directors, Monitoring Server, Exchange UM Server, Mediation Server (optional), Enterprise pool, Branch Appliance.

Connectivity to:
• IP-PSTN gateway
• IP/PBX
• Direct SIP
• SIP trunk

Connections shown:
- A/V Edge - STUN/TCP:443, STUN/UDP:3478
- Access Edge - SIP/TLS:443
- A/V Edge – SRTP:443,3478,50,000-59,999
- SIP/TLS:5061
- SRTP/RTCP:60,000-64,000 (Range of ports is configurable.)
- SIP/MTLS:5061
- STUN/TCP:443, STUN/UDP:3478
- SIP/TCP:5060,5061
- SIP/TLS:5067
- SIP/MTLS
- SIP/MTLS:5062 (optional)
- SIP/MTLS:5062 (MRAS traffic.)
- TURN/TCP:448,5080 (Used by Policy Service.)

Port number to service traffic assignment:
5064 - Telephony Conferencing Service
5067 - Mediation Server Service
5071 - Response Group Service
5072 - Conferencing Attendant Service
5073 - Conferencing Announcement Service

Notes:
Media codec varies per workload:
- RTAudio
- G.711
SRTP consists of two unidirectional streams. RTCP traffic piggybacks on the SRTP stream.
Media bypass: audio routed directly to gateway bypassing Mediation Server.
CERTIFICATE REQUIREMENTS

Edge Servers (Edge Server 1, Edge Server 2)
Internal FQDN: intsrv.<ad-domain>
Certificate SN: intsrv.<ad-domain>
Certificate SAN: none listed
EKU: server
Root certificate: private CA

Access FQDN: accesssrv.<sip-domain>
Certificate SN: accesssrv.<sip-domain>
Certificate SAN: accesssrv.<sip-domain>, sip.<sip-domain>
EKU: server, client*
Root certificate: public CA

Conference FQDN: N/A
Certificate SN: conf.<sip-domain>
Certificate SAN: N/A
EKU: server
Root certificate: public CA

A/V FQDN: av.<sip-domain>
Certificate SN: av.<sip-domain>
Certificate SAN: N/A
EKU: server
Root certificate: private CA

*Required only for public IM connectivity with AIM

Mediation Server
FQDN: medsrv.<ad-domain>
Certificate SN: medsrv.<ad-domain>
Certificate SAN: N/A
EKU: server
Root certificate: private CA

Directors (Director 1, Director 2)
FQDN: dir.<ad-domain>
Certificate SN: dir.<ad-domain>
Certificate SAN: dir.<ad-domain>, sipinternal.<sip-domain>, sip.<sip-domain>, meet.<sip-domain>, dialin.<sip-domain>
EKU: server
Root certificate: private CA

Enterprise pool (Front End Server 1, Front End Server 2)
FQDN: pool.<ad-domain>
Certificate SN: pool.<ad-domain>
Certificate SAN: pool.<ad-domain>, sip.<sip-domain>, meet.<sip-domain>, dialin.<sip-domain>
EKU: server
Root certificate: private CA
Application Sharing Workload (diagram; labels recovered from the figure)

Servers shown: External firewall, Internal firewall, Monitoring Server.

Connections shown:
- HTTPS:443
- Access Edge - SIP/TLS:443
- A/V Edge – SRTP:443,3478,50,000-59,999 (Range of ports is configurable.)
- STUN/TCP:443, STUN/UDP:3478
- SIP/MTLS:5062
- RDP/SRTP/TCP:1024-65535
- SIP/TLS:5061
- HTTPS:4443
- SIP/MTLS:5061
- RDP/SRTP/TCP:49152-65535

Legend: RDP/SRTP traffic, HTTPS traffic, SIP traffic. Direction of arrow indicates which server initiates the connection. Subsequent traffic is bi-directional.

Port number to service traffic assignment:
5065 - Application Sharing Conferencing Service

Notes:
Peer-to-peer application sharing session.
Two inbound and two outbound unidirectional streams.
Callee checks policy service if call is allowed to establish.

Internal user sign-in process:
1. Client resolves DNS SRV record _sipinternaltls._tcp.<sip-domain> to Director.
2. Client connects to Director.
3. Director redirects client to user’s home pool.
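The DNS Configuration list and step 1 of both sign-in processes describe a small set of SRV and A records that a client depends on before any authentication happens; a missing or mis-targeted record shows up as a sign-in failure or, worse, as clients connecting to the wrong host. The following script is an added example, not part of the poster and not a Microsoft tool: it encodes those requirements and audits a zone export against them, then performs the client's step-1 SRV lookup. Names the poster does not give are assumptions: xmpp.<sip-domain> for the XMPP gateway NIC, dir.<ad-domain> for the Director, pool.<ad-domain> for the pool, rp.<sip-domain> for the reverse proxy, and the SRV ports (taken from the diagram's edge port labels). The zone data is constructed.

```python
"""Audit a DNS zone against the records the poster says to publish.

required_records() encodes the DNS Configuration panel plus the SRV record
each sign-in process resolves in step 1; audit_zone() reports requirements
the zone fails; sign_in_lookup() performs a client's step-1 SRV query.
Assumed names (not on the poster): xmpp.<sip-domain>, dir.<ad-domain>,
pool.<ad-domain>, rp.<sip-domain>; SRV ports come from the diagram labels.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Record:
    name: str                     # owner name, e.g. "_sip._tls.contoso.com"
    rtype: str                    # "SRV" or "A"
    target: Optional[str] = None  # SRV: expected target FQDN; A: host whose IP it must share
    port: int = 0                 # SRV port; unused for A records


def required_records(sip_domain, ad_domain, director_deployed=True):
    """Records the poster says to publish for one SIP domain."""
    access = f"accesssrv.{sip_domain}"
    # Simple URLs and internal sign-in go to the Director if deployed, else the pool.
    entry = f"dir.{ad_domain}" if director_deployed else f"pool.{ad_domain}"
    return [
        # External sign-in step 1; also federated/anonymous Web conference access
        Record(f"_sip._tls.{sip_domain}", "SRV", access, 443),
        Record(f"_sipfederationtls._tcp.{sip_domain}", "SRV", access, 5061),
        Record(f"_xmpp-server._tcp.{sip_domain}", "SRV", f"xmpp.{sip_domain}", 5269),
        # Internal sign-in step 1
        Record(f"_sipinternaltls._tcp.{sip_domain}", "SRV", entry, 5061),
        # Meet and Dial-In Simple URLs resolve to the Director's (or pool's) IP
        Record(f"meet.{sip_domain}", "A", entry),
        Record(f"dialin.{sip_domain}", "A", entry),
        # Edge and reverse proxy public addresses (only presence is checked)
        Record(access, "A"),
        Record(f"av.{sip_domain}", "A"),
        Record(f"conf.{sip_domain}", "A"),
        Record(f"rp.{sip_domain}", "A"),
    ]


def audit_zone(zone, required):
    """Return one finding per requirement the zone fails; empty list means clean.
    zone maps owner name -> {"SRV": [(port, target), ...], "A": [ip, ...]}."""
    findings = []
    for rec in required:
        values = zone.get(rec.name, {}).get(rec.rtype, [])
        if not values:
            findings.append(f"missing {rec.rtype} record for {rec.name}")
            continue
        if rec.rtype == "SRV":
            if rec.target not in {t for _, t in values}:
                findings.append(f"{rec.name} SRV does not target {rec.target}")
            if rec.port not in {p for p, _ in values}:
                findings.append(f"{rec.name} SRV does not advertise port {rec.port}")
        elif rec.target is not None:
            host_ips = set(zone.get(rec.target, {}).get("A", []))
            if not host_ips & set(values):
                findings.append(f"{rec.name} A record does not match the address of {rec.target}")
    return findings


def sign_in_lookup(zone, sip_domain, internal):
    """Step 1 of sign-in: resolve the SRV record, then its target's A record.
    Returns (server_fqdn, port, ip), or None when no server could be found."""
    srv_name = f"_sipinternaltls._tcp.{sip_domain}" if internal else f"_sip._tls.{sip_domain}"
    srv = zone.get(srv_name, {}).get("SRV", [])
    if not srv:
        return None
    port, target = srv[0]
    ips = zone.get(target, {}).get("A", [])
    return (target, port, ips[0]) if ips else None


# Constructed sample zone with two deliberate faults: the reverse proxy A record
# is absent and the internal SRV record points at the pool, not the Director.
SAMPLE_ZONE = {
    "_sip._tls.contoso.com": {"SRV": [(443, "accesssrv.contoso.com")]},
    "_sipfederationtls._tcp.contoso.com": {"SRV": [(5061, "accesssrv.contoso.com")]},
    "_xmpp-server._tcp.contoso.com": {"SRV": [(5269, "xmpp.contoso.com")]},
    "_sipinternaltls._tcp.contoso.com": {"SRV": [(5061, "pool.corp.contoso.com")]},
    "accesssrv.contoso.com": {"A": ["203.0.113.10"]},
    "av.contoso.com": {"A": ["203.0.113.11"]},
    "conf.contoso.com": {"A": ["203.0.113.12"]},
    "xmpp.contoso.com": {"A": ["203.0.113.13"]},
    "meet.contoso.com": {"A": ["192.0.2.20"]},
    "dialin.contoso.com": {"A": ["192.0.2.20"]},
    "dir.corp.contoso.com": {"A": ["192.0.2.20"]},
    "pool.corp.contoso.com": {"A": ["192.0.2.30"]},
}

if __name__ == "__main__":
    reqs = required_records("contoso.com", "corp.contoso.com")
    for finding in audit_zone(SAMPLE_ZONE, reqs):
        print("FINDING:", finding)
    print("external sign-in step 1:", sign_in_lookup(SAMPLE_ZONE, "contoso.com", internal=False))
    print("internal sign-in step 1:", sign_in_lookup(SAMPLE_ZONE, "contoso.com", internal=True))
```

Run against the sample zone it reports the missing reverse proxy record and the internal SRV record that sends clients to the pool instead of the Director; the same audit with director_deployed=False accepts that SRV target but then flags the Meet and Dial-In Simple URLs, whose addresses no longer match the pool. The audit only checks the zone's internal consistency: whether a public IP really belongs to the Edge Server has to be verified against the deployment's address plan.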
http://technet.microsoft.com/lync
http://go.microsoft.com/fwlink/?LinkId=204593

Active Directory Domain Services

Legend entries:
- HTTPS traffic
- SIP traffic: signaling
- RTP/SRTP traffic: A/V Conferencing
- PSOM traffic: Web Conferencing
- SIP traffic: signaling and IM
- XMPP traffic
- MSMQ traffic
- SIP/TLS:5061
- RTP/SRTP traffic
- SIP traffic
- Call Admission Control (CAC) traffic

WAN Connection

Clients shown: Attendant Console, Lync Phone Edition, Lync Group Chat, Lync Web App.

HTTPS:4443

Branch Appliance
FQDN: sba.<ad-domain>
Certificate SN: sba.<ad-domain>
Certificate SAN: sba.<ad-domain>
EKU: server
Root certificate: private CA

XMPP Gateway
FQDN: xmppsrv.<sip-domain> (1)
Certificate SN: xmppsrv.<sip-domain>
Certificate SAN: N/A
EKU: server
Root certificate: private CA

FQDN: xmpp.<sip-domain> (2)
Certificate SN: xmpp.<sip-domain>
Certificate SAN: N/A
EKU: server
Root certificate: public CA

(1) This FQDN is for connectivity to internal Edge Servers. (2) This FQDN is for connectivity to external XMPP gateways.

MSMQ

If client connects on port 80, it gets redirected to port 443.
HTTPS:443 is used to download address book and updates.

Ports to be load balanced by HLB:
- 443
- 4443
- 5061
- 135 - only if SIP traffic is load balanced by HLB

MRAS traffic.

Group Chat Server
FQDN: chatsrv.<ad-domain>
Certificate SN: chatsrv.<ad-domain>
Certificate SAN: N/A
EKU: server, client
Root certificate: private CA

Exchange UM Server
FQDN: umsrv.<ad-domain>
Certificate SN: umsrv.<ad-domain>
Certificate SAN: N/A
EKU: server
Root certificate: private CA
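The certificate requirements above (Edge Servers, Mediation Server, Directors, Enterprise pool, Branch Appliance, XMPP Gateway, Group Chat Server, Exchange UM Server) are the kind of table that is easy to get subtly wrong at request time: a SAN entry left off, a client EKU omitted, or an external-facing certificate issued from the private CA. The following script is an added example, not part of the poster and not a Microsoft tool: it transcribes the table for a given <sip-domain> and <ad-domain> and reports every deviation for a certificate you describe. Certificates are modelled as plain dicts (subject, SAN list, EKU set, and whether the issuing root is a public or private CA), which you would fill in from the server's certificate store; the two sample certificates are constructed.

```python
"""Compare an issued certificate against the poster's Certificate Requirements.

requirements() transcribes the table (SN, SAN, EKU, root CA type) for one
deployment; check_certificate() lists every way a certificate falls short of
its role's entry. The client EKU on the Access Edge is required only for
public IM connectivity with AIM, so it is enforced only when asked for.
Certificates are plain dicts here; the samples at the bottom are constructed.
"""


def requirements(sip_domain, ad_domain):
    """Per-role requirement table with <sip-domain>/<ad-domain> substituted."""
    s, a = sip_domain, ad_domain

    def req(sn, san, eku, root):
        return {"sn": sn, "san": san, "eku": set(eku), "root": root}

    return {
        "Edge internal": req(f"intsrv.{a}", [], ["server"], "private"),
        "Edge access": req(f"accesssrv.{s}", [f"accesssrv.{s}", f"sip.{s}"], ["server", "client"], "public"),
        "Edge conference": req(f"conf.{s}", [], ["server"], "public"),
        "Edge A/V": req(f"av.{s}", [], ["server"], "private"),
        "Mediation Server": req(f"medsrv.{a}", [], ["server"], "private"),
        "Director": req(f"dir.{a}", [f"dir.{a}", f"sipinternal.{s}", f"sip.{s}", f"meet.{s}", f"dialin.{s}"],
                        ["server"], "private"),
        "Front End (pool)": req(f"pool.{a}", [f"pool.{a}", f"sip.{s}", f"meet.{s}", f"dialin.{s}"],
                                ["server"], "private"),
        "Branch Appliance": req(f"sba.{a}", [f"sba.{a}"], ["server"], "private"),
        "XMPP Gateway internal": req(f"xmppsrv.{s}", [], ["server"], "private"),
        "XMPP Gateway external": req(f"xmpp.{s}", [], ["server"], "public"),
        "Group Chat Server": req(f"chatsrv.{a}", [], ["server", "client"], "private"),
        "Exchange UM Server": req(f"umsrv.{a}", [], ["server"], "private"),
    }


# EKU values the table marks as conditional: Access Edge "client" is needed only for AIM.
OPTIONAL_EKU = {"Edge access": "client"}


def check_certificate(role, cert, reqs, aim_connectivity=False):
    """Return findings for one certificate; an empty list means it meets its role.
    cert = {"subject": str, "san": [str], "eku": {str}, "root": "public"|"private"}"""
    req = reqs[role]
    findings = []
    if cert["subject"] != req["sn"]:
        findings.append(f"subject is {cert['subject']}, expected {req['sn']}")
    for name in req["san"]:
        if name not in cert["san"]:
            findings.append(f"SAN lacks {name}")
    needed = set(req["eku"])
    if not aim_connectivity and OPTIONAL_EKU.get(role) in needed:
        needed.discard(OPTIONAL_EKU[role])
    for eku in sorted(needed - set(cert["eku"])):
        findings.append(f"EKU lacks {eku}")
    if cert["root"] != req["root"]:
        findings.append(f"issued by {cert['root']} CA, expected {req['root']} CA")
    return findings


# Constructed samples: the Access Edge certificate is missing the sip.<sip-domain>
# SAN entry; the Director certificate matches its table entry exactly.
SAMPLE_ACCESS_EDGE = {"subject": "accesssrv.contoso.com", "san": ["accesssrv.contoso.com"],
                      "eku": {"server"}, "root": "public"}
SAMPLE_DIRECTOR = {"subject": "dir.corp.contoso.com",
                   "san": ["dir.corp.contoso.com", "sipinternal.contoso.com", "sip.contoso.com",
                           "meet.contoso.com", "dialin.contoso.com"],
                   "eku": {"server"}, "root": "private"}

if __name__ == "__main__":
    table = requirements("contoso.com", "corp.contoso.com")
    for role, cert, aim in [("Edge access", SAMPLE_ACCESS_EDGE, False),
                            ("Edge access", SAMPLE_ACCESS_EDGE, True),
                            ("Director", SAMPLE_DIRECTOR, False)]:
        result = check_certificate(role, cert, table, aim_connectivity=aim)
        print(f"{role} (AIM={aim}):", result or "OK")
```

The check deliberately tests the root CA type, because the table's split between public and private CAs tracks which name is presented to parties outside the organisation; an externally facing certificate from the private CA passes internal testing and fails only when the first federated partner connects.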
Additional diagram labels recovered from the figure:

Servers shown: Reverse proxy, Enterprise pool, Edge Servers, Directors, Meeting content + metadata + compliance file share.

Connections shown:
- HTTPS:4443
- SIP/MTLS:5062 (MRAS traffic.)
- STUN/TCP:443, STUN/UDP:3478
- SIP/MTLS
- MSMQ

Port number to service traffic assignment:
5063 - A/V Conferencing Service