Microsoft Lync Server 2010 Protocol Workloads Poster

Date posted: 03-Dec-2014
© 2010 Microsoft Corporation. All rights reserved. Active Directory, Lync, MSN, and any associated logos are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other trademarks or trade names mentioned herein are the property of their respective owners.

Diagram v5.9. Author: Rui Maximo. Editor: Kelly Fuller Blue. Designer: Ken Circeo. Reviewers: Jens Trier Rasmussen, Paul Brombley, Doug Lawty, Stefan Plizga, Jeff Colvin, Kaushal Mehta, Richard Pasztor, Thomas Binder, Subbu Chandrasekaran, Randy Wintle.

LEGEND
Clients: Lync, Lync Phone Edition, Attendant Console, Lync Group Chat, Lync Web App.
Traffic types: SIP traffic (signaling and IM), HTTPS traffic, RTP/SRTP traffic (A/V Conferencing), PSOM traffic (Web Conferencing), XMPP traffic, MSMQ traffic, LDAP traffic, SMB traffic, RDP/SRTP traffic, ICE traffic, Call Admission Control (CAC) traffic.
Direction of arrow indicates which server initiates the connection. Subsequent traffic is bi-directional. Every workload diagram is split by an External Firewall (Internet side) and an Internal Firewall (corporate network side); the Edge Servers and the reverse proxy sit between them.

IM and Presence Workload
Components: Reverse proxy, Edge Servers, XMPP Gateway, Directors, Enterprise pool, Archiving Server, Monitoring Server, Group Chat Server, Group Chat Compliance Server, Central Management Service, Address book & Group Chat file share. External parties: Federated Company, Yahoo!, MSN, AOL (public IM connectivity), Jabber, Gmail (XMPP).
· Access Edge - SIP/TLS:443 for remote users; Access Edge - SIP/MTLS:5061 for federated companies and public IM providers.
· XMPP Gateway - XMPP/TCP:5269 to external XMPP gateways; SIP/MTLS:5061 to the internal Edge Servers.
· Reverse proxy - HTTPS:443 from the Internet, HTTPS:4443 to the pool. If client connects on port 80, it gets redirected to port 443. HTTPS:443 is used to download the address book and updates.
· Internal server-to-server traffic: SIP/MTLS:5061 between Edge Servers, Directors, Enterprise pool and Group Chat Server; C3P/HTTPS:444; MSMQ from the Enterprise pool to the Archiving Server and Monitoring Server; SIP/TLS:5061 from clients.
· Port number to service traffic assignment: 5062 - IM Conferencing Service.
· Ports to be load balanced by the HLB: 443, 4443, 5061, and 135 only if SIP traffic is load balanced by the HLB.

Internal user sign-in process:
1. Client resolves DNS SRV record _sipinternaltls._tcp.<sip-domain> to Director.
2. Client connects to Director.
3. Director redirects client to user's home pool.

External user sign-in process:
1. Client resolves DNS SRV record _sip._tls.<sip-domain> to Edge Server.
2. Client connects to Edge Server.
3. Edge Server proxies connection to Director.
4. Director authenticates user and proxies connection to user's home pool.

A/V and Web Conferencing Workload
Components: Edge Servers, Reverse proxy, Directors, Enterprise pool (Web Conferencing Service and Audio/Video Conferencing Service), A/V Conferencing Server, Monitoring Server, meeting content + metadata + compliance file share.
· Access Edge - SIP/TLS:443; Web Conf Edge - PSOM/TLS:443; A/V Edge - STUN/TCP:443, UDP:3478; A/V Edge SRTP:443,3478,[50,000-59,999].
· Port range 50,000-59,999 only needs to be open outbound to the Internet. Inbound traffic from the Internet only needs to be open for federation with partners still running Office Communications Server 2007.
· Internal: SIP/MTLS:5061 between Edge Servers, Directors and pool; SIP/MTLS:5062 MRAS traffic (A/V Edge authentication); PSOM/MTLS:8057 to the Web Conferencing Service (PSOM/TLS:8057 from clients); SIP/MTLS:5063 and SRTP/UDP:57501-65535 for the A/V Conferencing Server; SRTP/UDP:49152-65535 for client media; MSMQ to the Monitoring Server.
· HTTPS:443 is used to download conferencing content (HTTPS:4443 from the reverse proxy to the pool).
· Traffic goes directly to the Web Conferencing Service and to the Audio/Video Conferencing Service WITHOUT going through the pool's hardware load balancer.
· Two inbound and two outbound unidirectional streams per media session.
· Codec varies per workload: G.722 or Siren for audio, RTVideo for video.
· Peer-to-peer A/V session: ICE: STUN/TCP:443, UDP:3478; SRTP/UDP:49152-65535.

Enterprise Voice Workload
Components: Edge Servers, Directors, Enterprise pool, Mediation Server (optional), Exchange UM Server, Monitoring Server, Enterprise Voice applications, Branch Appliance (SBA) reached across a WAN Connection.
· Connectivity to: IP-PSTN gateway, IP/PBX, Direct SIP, SIP trunk.
· Edge: Access Edge - SIP/TLS:443; A/V Edge ICE: STUN/TCP:443, STUN/UDP:3478; A/V Edge SRTP:443,3478,[UDP|TCP:50,000-59,999]; TURN/TCP:443, UDP:3478; TURN/TCP:448; SIP/MTLS:5062 MRAS traffic.
· Mediation Server (optional): SIP/MTLS:5061 from the pool; SIP/TLS:5067 (Mediation Server Service); SIP/TCP:5060,5061 to the gateway. If the gateway does not support TLS, connect to the gateway on SIP/TCP:5068. Media codec on the gateway leg: RTAudio or G.711.
· Media bypass: audio routed directly to the gateway, bypassing the Mediation Server.
· Media port ranges shown: SRTP/RTCP:30,000-39,999; SRTP/RTCP:60,000-64,000.
· SRTP consists of two unidirectional streams. RTCP traffic piggybacks on the SRTP stream. Media codec varies per workload: RTAudio, G.711, Siren, G.722.
· Exchange UM Server: SIP/TLS:5061. MSMQ to the Monitoring Server.
· Call Admission Control (CAC): if no Edge Server is defined in the topology, the callee checks the Front End Server's Bandwidth Policy Service.
· Branch Appliance: SIP/MTLS:5062 (optional) and SIP/TLS:5061 across the WAN. Lync client automatically registers with the pool if the Branch Appliance becomes unavailable. For federation, the SBA connects directly with the Director; if no Director is available, federation traffic goes directly to the Edge Server.
· Port number to service traffic assignment: 5064 - Telephony Conferencing Service; 5067 - Mediation Server Service; 5071 - Response Group Service; 5072 - Conferencing Attendant Service; 5073 - Conferencing Announcement Service.

Application Sharing Workload
Components: Edge Servers, Reverse proxy, Directors, Enterprise pool, Monitoring Server.
· Access Edge - SIP/TLS:443; A/V Edge SRTP:443,3478,50,000-59,999; SRTP,ICE: STUN/TCP:443, UDP:3478. Range of ports is configurable. Two inbound and two outbound unidirectional streams.
· Peer-to-peer application sharing session: RDP/SRTP/TCP:49152-65535 and RDP/SRTP/TCP:1024-65535 media ranges.
· Internal: SIP/MTLS:5061; SIP/TLS:5061 from clients; SIP/MTLS:5062 MRAS traffic; HTTPS:443 through the reverse proxy (HTTPS:4443 to the pool); MSMQ to the Monitoring Server.
· Port number to service traffic assignment: 5065 - Application Sharing Conferencing Service.

Central Management Service
The Central Management Store (CMS master) replicates to CMS replicas on the Directors, Standard Edition Server, Enterprise pool, Mediation Server and Edge Servers. Install on Enterprise Edition to provide high availability.
· SMB:445 (SMB traffic) for replication to internal servers; HTTPS:4443 (HTTPS traffic) for replication to the Edge Servers.

Active Directory Domain Services (AD DS)
AD DS Sync from the Enterprise pool: LDAP/TCP:389 to the AD DS Domain Controller (DC); LDAP/TCP:3268 to the AD DS Global Catalog (GC) in each domain (A.contoso.com, B.contoso.com, C.contoso.com).

DNS Configuration
· Publish SRV record for _sipfederationtls._tcp.<sip-domain>, that resolves to the Access Edge FQDN, accesssrv.<sip-domain>.
· Publish SRV record for _sip._tls.<sip-domain>, that resolves to the Access Edge FQDN. This is required for federated and anonymous connections to Web conferences.
· Publish SRV record for _xmpp-server._tcp.<sip-domain>, that resolves to the gateway NIC of the XMPP gateway.
· Publish A record for the Meet Simple URL that resolves the URL to the IP address of the Director, if one is deployed, or of the pool.
· Publish A record for the Dial-In Simple URL that resolves the URL to the IP address of the Director, if one is deployed, or of the pool.
· Publish A record for the Access Edge FQDN, accesssrv.<sip-domain> | sip.<sip-domain>, that resolves to the Access Edge public IP address.
· Publish A record for the A/V Edge FQDN, av.<sip-domain>, that resolves to the A/V Edge public IP address.
· Publish A record for the Conferencing Edge FQDN, conf.<sip-domain>, that resolves to the Conferencing Edge public IP address.
· Publish A record for the internal pool's reverse proxy FQDN, that resolves to the public IP address of the reverse proxy.

CERTIFICATE REQUIREMENTS
Edge Server 1, Edge Server 2
· Internal: FQDN intsrv.<ad-domain>; Certificate SN intsrv.<ad-domain>; Certificate SAN none; EKU server; Root certificate private CA.
· Access: FQDN accesssrv.<sip-domain>; Certificate SN accesssrv.<sip-domain>; Certificate SAN accesssrv.<sip-domain>, sip.<sip-domain>; EKU server, client*; Root certificate public CA.
· Conference: FQDN N/A; Certificate SN conf.<sip-domain>; Certificate SAN N/A; EKU server; Root certificate public CA.
· A/V: FQDN av.<sip-domain>; Certificate SN av.<sip-domain>; Certificate SAN N/A; EKU server; Root certificate private CA.
*Required only for public IM connectivity with AIM.
Director 1, Director 2: FQDN dir.<ad-domain>; Certificate SN dir.<ad-domain>; Certificate SAN dir.<ad-domain>, sipinternal.<sip-domain>, sip.<sip-domain>, meet.<sip-domain>, dialin.<sip-domain>; EKU server; Root certificate private CA.
Front End Server 1, Front End Server 2: FQDN pool.<ad-domain>; Certificate SN pool.<ad-domain>; Certificate SAN pool.<ad-domain>, fe.<sip-domain>, sip.<sip-domain>, meet.<sip-domain>, dialin.<sip-domain>; EKU server; Root certificate private CA.
Mediation Server: FQDN medsrv.<ad-domain>; Certificate SN medsrv.<ad-domain>; Certificate SAN N/A; EKU server; Root certificate private CA.
Group Chat Server: FQDN chatsrv.<ad-domain>; Certificate SN chatsrv.<ad-domain>; Certificate SAN N/A; EKU server, client; Root certificate private CA.
Branch Appliance: FQDN sba.<ad-domain>; Certificate SN sba.<ad-domain>; Certificate SAN sba.<ad-domain>; EKU server; Root certificate private CA.
Exchange UM Server: FQDN umsrv.<ad-domain>; Certificate SN umsrv.<ad-domain>; Certificate SAN N/A; EKU server; Root certificate private CA.
XMPP Gateway (1): FQDN xmppsrv.<sip-domain>; Certificate SN xmppsrv.<sip-domain>; Certificate SAN N/A; EKU server; Root certificate private CA. This FQDN is for connectivity to internal Edge Servers.
XMPP Gateway (2): FQDN xmpp.<sip-domain>; Certificate SN xmpp.<sip-domain>; Certificate SAN N/A; EKU server; Root certificate public CA. This FQDN is for connectivity to external XMPP gateways.

LEARN MORE
http://technet.microsoft.com/lync
http://go.microsoft.com/fwlink/?LinkId=204593
http://nexthop.info
http://twitter.com/DrRez
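The DNS Configuration list and the two sign-in processes above can be checked mechanically before an Edge goes live. The following Python is an added example, not part of the poster: it transcribes the poster's required SRV and A records, validates a constructed external zone for the assumed SIP domain contoso.com (accesssrv, sip, av, conf, meet and dialin are the poster's own placeholders; the xmpp target name, the dir and pool internal names and every IP address are assumptions), and reproduces steps 1-2 of both sign-in processes by selecting the SRV target an internal or external client would connect to first.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SRV:
    """One SRV record: priority, weight, port and target host."""
    priority: int
    weight: int
    port: int
    target: str


SIP_DOMAIN = "contoso.com"  # assumed SIP domain for the example

# Constructed external zone. Values are lists: SRV objects for SRV records,
# IPv4 strings (RFC 5737 documentation addresses) for A records.
EXTERNAL_ZONE = {
    f"_sipfederationtls._tcp.{SIP_DOMAIN}": [SRV(0, 0, 5061, f"accesssrv.{SIP_DOMAIN}")],
    f"_sip._tls.{SIP_DOMAIN}":             [SRV(0, 0, 443,  f"accesssrv.{SIP_DOMAIN}")],
    f"_xmpp-server._tcp.{SIP_DOMAIN}":     [SRV(0, 0, 5269, f"xmpp.{SIP_DOMAIN}")],
    f"accesssrv.{SIP_DOMAIN}": ["203.0.113.10"],  # Access Edge public IP
    f"sip.{SIP_DOMAIN}":       ["203.0.113.10"],
    f"av.{SIP_DOMAIN}":        ["203.0.113.11"],  # A/V Edge public IP
    f"conf.{SIP_DOMAIN}":      ["203.0.113.12"],  # Conferencing Edge public IP
    f"xmpp.{SIP_DOMAIN}":      ["203.0.113.13"],  # XMPP gateway NIC (assumed name)
    f"meet.{SIP_DOMAIN}":      ["203.0.113.20"],  # Simple URLs on the reverse proxy
    f"dialin.{SIP_DOMAIN}":    ["203.0.113.20"],  # (assumed address)
}

# Constructed internal zone for the internal sign-in path (names and
# addresses assumed; the poster only names the Director and the pool).
INTERNAL_ZONE = {
    f"_sipinternaltls._tcp.{SIP_DOMAIN}": [SRV(0, 0, 5061, f"dir.{SIP_DOMAIN}")],
    f"dir.{SIP_DOMAIN}":  ["10.0.0.5"],   # Directors
    f"pool.{SIP_DOMAIN}": ["10.0.0.10"],  # Enterprise pool
}

# Required external records, transcribed from the poster's DNS Configuration.
# SRV label -> (port the Edge listens on, acceptable target labels; None when
# the poster only says "the gateway NIC of the XMPP gateway").
REQUIRED_SRV = {
    "_sipfederationtls._tcp": (5061, {"accesssrv"}),
    "_sip._tls":              (443,  {"accesssrv", "sip"}),
    "_xmpp-server._tcp":      (5269, None),
}
REQUIRED_A = ["accesssrv", "sip", "av", "conf", "meet", "dialin"]


def a_records(zone, name):
    return [v for v in zone.get(name, []) if isinstance(v, str)]


def srv_records(zone, name):
    return [v for v in zone.get(name, []) if isinstance(v, SRV)]


def check_external_dns(zone, sip_domain):
    """Compare a zone with the poster's external DNS list.

    Returns a list of findings; an empty list means every required SRV and
    A record is present, each SRV uses the expected port and points at an
    acceptable target, and each SRV target itself has an A record."""
    findings = []
    for label, (port, targets) in REQUIRED_SRV.items():
        name = f"{label}.{sip_domain}"
        records = srv_records(zone, name)
        if not records:
            findings.append(f"missing SRV {name}")
            continue
        for rec in records:
            if rec.port != port:
                findings.append(f"{name}: port {rec.port}, expected {port}")
            if targets is not None and rec.target not in {f"{t}.{sip_domain}" for t in targets}:
                findings.append(f"{name}: target {rec.target} is not the Access Edge FQDN")
            if not a_records(zone, rec.target):
                findings.append(f"{name}: target {rec.target} has no A record")
    for host in REQUIRED_A:
        name = f"{host}.{sip_domain}"
        if not a_records(zone, name):
            findings.append(f"missing A {name}")
    return findings


def first_hop(zone, sip_domain, internal):
    """Steps 1-2 of the poster's sign-in processes.

    Internal clients query _sipinternaltls._tcp and connect to the Director;
    external clients query _sip._tls and connect to the Edge Server. Returns
    (target, port) of the lowest-priority, highest-weight SRV record whose
    target resolves, or None when that path is not published."""
    label = "_sipinternaltls._tcp" if internal else "_sip._tls"
    records = sorted(srv_records(zone, f"{label}.{sip_domain}"),
                     key=lambda r: (r.priority, -r.weight))
    for rec in records:
        if a_records(zone, rec.target):
            return rec.target, rec.port
    return None


if __name__ == "__main__":
    print("external DNS findings:", check_external_dns(EXTERNAL_ZONE, SIP_DOMAIN) or "none")
    print("internal client first hop:", first_hop(INTERNAL_ZONE, SIP_DOMAIN, internal=True))
    print("external client first hop:", first_hop(EXTERNAL_ZONE, SIP_DOMAIN, internal=False))
```

Note that `first_hop` returns None for an internal client querying the external zone: the poster publishes `_sipinternaltls._tcp` only internally, so a split-brain DNS that leaks the internal record externally, or one that omits `_sip._tls`, shows up immediately as the wrong first hop rather than as a silent sign-in failure.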
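The poster's caveat that 50,000-59,999 only needs to be open outbound, with inbound openings required solely for federation partners still on Office Communications Server 2007, is the kind of detail that gets lost as external firewall rules accumulate. The following Python is an added example, not part of the poster: it encodes the external-firewall openings the poster shows for the Access, Web Conferencing and A/V Edge interfaces and audits a constructed rule set (hosts under the assumed SIP domain contoso.com; the rules, including the two leftovers, are invented for the example) for both missing required openings and openings the poster does not call for.

```python
from dataclasses import dataclass

SIP_DOMAIN = "contoso.com"  # assumed SIP domain for the example


@dataclass(frozen=True)
class Rule:
    """One permit rule on the external firewall (port range inclusive)."""
    direction: str  # "in": Internet -> Edge, "out": Edge -> Internet
    proto: str      # "tcp" or "udp"
    host: str       # Edge interface FQDN the rule applies to
    lo: int
    hi: int


# External-firewall openings the poster shows per Edge interface:
# (direction, proto, first port, last port, note).
REQUIRED = {
    f"accesssrv.{SIP_DOMAIN}": [
        ("in", "tcp", 443, 443, "Access Edge - SIP/TLS:443 (remote users)"),
        ("in", "tcp", 5061, 5061, "Access Edge - SIP/MTLS:5061 (federation, public IM)"),
    ],
    f"conf.{SIP_DOMAIN}": [
        ("in", "tcp", 443, 443, "Web Conf Edge - PSOM/TLS:443"),
    ],
    f"av.{SIP_DOMAIN}": [
        ("in", "tcp", 443, 443, "A/V Edge - STUN/TCP:443"),
        ("in", "udp", 3478, 3478, "A/V Edge - STUN/UDP:3478"),
        ("out", "tcp", 50000, 59999, "A/V Edge SRTP 50,000-59,999, outbound only"),
        ("out", "udp", 50000, 59999, "A/V Edge SRTP 50,000-59,999, outbound only"),
    ],
}
# Inbound 50,000-59,999 to the A/V Edge is needed only for federation with
# partners still running Office Communications Server 2007.
OCS2007_ONLY = [("in", "tcp", 50000, 59999), ("in", "udp", 50000, 59999)]


def within(rule, direction, proto, lo, hi):
    """True when every port the rule opens lies inside lo-hi."""
    return (rule.direction == direction and rule.proto == proto
            and lo <= rule.lo and rule.hi <= hi)


def covers(rule, direction, proto, lo, hi):
    """True when the rule permits every port of lo-hi."""
    return (rule.direction == direction and rule.proto == proto
            and rule.lo <= lo and hi <= rule.hi)


def audit_edge_rules(rules, ocs2007_partners=False):
    """Return findings: required openings that are missing, rules opening
    ports the poster does not call for, and the OCS 2007 legacy inbound
    range when no such partners remain."""
    findings = []
    for host, reqs in REQUIRED.items():
        host_rules = [r for r in rules if r.host == host]
        for d, p, lo, hi, note in reqs:
            if not any(covers(r, d, p, lo, hi) for r in host_rules):
                findings.append(f"{host}: missing {d} {p} {lo}-{hi} ({note})")
        allowed = [(d, p, lo, hi) for d, p, lo, hi, _ in reqs]
        legacy = OCS2007_ONLY if host == f"av.{SIP_DOMAIN}" else []
        for r in host_rules:
            if any(within(r, *a) for a in allowed):
                continue
            if any(within(r, *a) for a in legacy):
                if not ocs2007_partners:
                    findings.append(f"{host}: {r.direction} {r.proto} {r.lo}-{r.hi} is only needed for "
                                    "federation with Office Communications Server 2007 partners")
                continue
            findings.append(f"{host}: unexpected {r.direction} {r.proto} {r.lo}-{r.hi}")
    return findings


# Constructed rule set: the required openings plus two leftovers.
RULES = [
    Rule("in", "tcp", f"accesssrv.{SIP_DOMAIN}", 443, 443),
    Rule("in", "tcp", f"accesssrv.{SIP_DOMAIN}", 5061, 5061),
    Rule("in", "tcp", f"conf.{SIP_DOMAIN}", 443, 443),
    Rule("in", "tcp", f"av.{SIP_DOMAIN}", 443, 443),
    Rule("in", "udp", f"av.{SIP_DOMAIN}", 3478, 3478),
    Rule("out", "tcp", f"av.{SIP_DOMAIN}", 50000, 59999),
    Rule("out", "udp", f"av.{SIP_DOMAIN}", 50000, 59999),
    Rule("in", "udp", f"av.{SIP_DOMAIN}", 50000, 59999),  # legacy OCS 2007 federation opening
    Rule("in", "tcp", f"av.{SIP_DOMAIN}", 3389, 3389),    # remote desktop exposed to the Internet
]

if __name__ == "__main__":
    for finding in audit_edge_rules(RULES):
        print(finding)
```

The two checks are deliberately asymmetric: `covers` asks whether some rule permits the whole required range (so one broad rule satisfies several requirements), while `within` asks whether a rule's entire range is accounted for by some allowed range (so a single "TCP 1-65535 inbound" rule satisfies every requirement and is still reported as unexpected).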