Protocol Workloads (Lync Server 2010)
Links: http://go.microsoft.com/fwlink/?LinkId=204593 | http://twitter.com/DrRez | http://nexthop.info
LEARN MORE: http://technet.microsoft.com/lync

IM and Presence Workload
Traffic types: SIP traffic (signaling and IM), XMPP traffic, HTTPS traffic, MSMQ traffic.
Ports:
- Client to Directors / Enterprise pool: SIP/TLS:5061 (signaling and IM).
- Client to Directors / Enterprise pool, or to the reverse proxy for external clients: HTTPS:443. This port is used to download the Address Book and updates. If a client connects on port 80, it is redirected to port 443.
- Reverse proxy to Enterprise pool: HTTPS:4443.
- Directors to Enterprise pool: SIP/TLS:5061.
- Ports to be load balanced by the HLB: 443, 4443, 5061, and 135 (135 only if SIP traffic is load balanced by the HLB).
- The Enterprise pool's file share hosts the Address Book and Group Chat files.

Internal user sign-in process:
1. Client resolves the DNS SRV record _sipinternaltls._tcp.<SIP domain> to a Director.
2. Client connects to the Director.
3. Director redirects the client to the user's home pool.

External user sign-in process:
1. Client resolves the DNS SRV record _sip._tls.<SIP domain> to the Edge Server.
2. Client connects to the Edge Server (Access Edge, SIP/TLS:443).
3. Edge Server proxies the connection to the Director.
4. Director authenticates the user and proxies the connection to the user's home pool.

A/V and Web Conferencing Workload
Traffic types: SIP traffic (signaling), HTTPS traffic, RTP/SRTP traffic (A/V Conferencing), PSOM traffic (Web Conferencing), ICE traffic.
Codec varies per workload:
- G.722 or Siren for audio
- RTVideo for video
Ports:
- Client to Directors / Enterprise pool: SIP/TLS:5061 (signaling) and HTTPS:443 (HTTPS:443 is used to download conferencing content).
- Client to Web Conferencing Service: PSOM/TLS:8057.
- Client to A/V Conferencing Service: SRTP/UDP:49152-65535.
- Client to A/V Edge (ICE): STUN/TCP:443, UDP:3478.
- Peer-to-peer A/V session between clients: SRTP/UDP:49152-65535, with ICE (STUN/TCP:443, UDP:3478) through the A/V Edge when the peers cannot reach each other directly.
Media and PSOM traffic go directly to the A/V Conferencing Service and the Web Conferencing Service WITHOUT going through the pool's hardware load balancer; only the SIP and HTTPS ports listed above pass through the HLB.
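The two sign-in flows above both start with an SRV lookup. The following is an added example, not code from the poster, showing how a client turns those SRV answers into an ordered list of first hops using the RFC 2782 priority/weight rules, and the client-side trust rule that the SRV target must sit inside the SIP domain (Lync warns otherwise). The zone is constructed sample data for the hypothetical SIP domain contoso.com; no DNS query is made.

```python
"""Added example (not from the Lync poster): SRV-driven first-hop selection for the
internal (_sipinternaltls._tcp) and external (_sip._tls) sign-in flows.
The zone below is constructed sample data for the hypothetical domain contoso.com."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    name: str       # owner name, e.g. _sipinternaltls._tcp.contoso.com
    priority: int   # lower is tried first
    weight: int     # relative share within one priority level
    port: int
    target: str


# Constructed sample zone: two Directors for internal sign-in, the pool as a
# lower-priority fallback, and the Access Edge for external sign-in and federation.
SAMPLE_ZONE = [
    SrvRecord("_sipinternaltls._tcp.contoso.com", 0, 60, 5061, "dir1.contoso.com"),
    SrvRecord("_sipinternaltls._tcp.contoso.com", 0, 40, 5061, "dir2.contoso.com"),
    SrvRecord("_sipinternaltls._tcp.contoso.com", 10, 0, 5061, "pool.contoso.com"),
    SrvRecord("_sip._tls.contoso.com", 0, 0, 443, "sip.contoso.com"),
    SrvRecord("_sipfederationtls._tcp.contoso.com", 0, 0, 5061, "sip.contoso.com"),
]


def lookup_srv(zone, name):
    """Stand-in for a DNS SRV query, answered from the constructed zone."""
    return [r for r in zone if r.name.lower() == name.lower()]


def order_srv(records, rng=None):
    """Order records as a client should try them (RFC 2782): lowest priority
    first; within one priority, weighted random selection without replacement."""
    rng = rng if rng is not None else random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            if total == 0:
                pick = rng.choice(group)
            else:
                draw = rng.randrange(total)   # 0 <= draw < total
                acc = 0
                for r in group:
                    acc += r.weight
                    if draw < acc:            # walk the cumulative weights
                        pick = r
                        break
            ordered.append(pick)
            group.remove(pick)
    return ordered


def target_in_sip_domain(target, sip_domain):
    """Lync clients trust an SRV target only if it is the SIP domain itself or a
    host inside it; anything else triggers a warning unless TrustModelData allows it."""
    t, d = target.lower().rstrip("."), sip_domain.lower().rstrip(".")
    return t == d or t.endswith("." + d)


def sign_in_targets(sip_domain, zone=SAMPLE_ZONE, internal=True, rng=None):
    """First hops for the two sign-in flows: internal clients resolve
    _sipinternaltls._tcp.<domain> (Director, SIP/TLS:5061); external clients resolve
    _sip._tls.<domain> (Access Edge, SIP/TLS:443). Returns (target, port, trusted)."""
    name = ("_sipinternaltls._tcp." if internal else "_sip._tls.") + sip_domain
    return [(r.target, r.port, target_in_sip_domain(r.target, sip_domain))
            for r in order_srv(lookup_srv(zone, name), rng)]


if __name__ == "__main__":
    for hop in sign_in_targets("contoso.com", internal=True):
        print("internal first hop:", hop)
    for hop in sign_in_targets("contoso.com", internal=False):
        print("external first hop:", hop)
```

The pool only appears third because it carries priority 10; the two Directors at priority 0 are tried first in a weight-proportional random order, which is what spreads sign-in load across Directors without an HLB in front of them.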
Perimeter network and Edge Servers
Internal servers shown:
- Active Directory Domain Services: the Enterprise pool and Directors query AD DS over LDAP.
- Reverse proxy: publishes the pool's web services to the Internet.
- Enterprise pool: hosts the meeting content + metadata + compliance file share.
External (Internet-facing) Edge ports:
- Access Edge: SIP/TLS:443 for remote users; SIP/MTLS:5061 for federated companies and public IM connectivity (Yahoo!, MSN, AOL).
- Web Conferencing Edge: PSOM/TLS:443 for external conference participants.
- A/V Edge: STUN/TCP:443, UDP:3478 (ICE) and SRTP:443, 3478, [50,000-59,999].
Internal (next-hop) Edge ports:
- Access Edge to Directors / Enterprise pool: SIP/MTLS:5061.
- Web Conferencing Edge to Enterprise pool (Web Conferencing Service): PSOM/MTLS:8057.
- Enterprise pool to A/V Edge: SIP/MTLS:5062 (MRAS traffic, the media relay authentication that precedes a client's ICE exchange); clients themselves use ICE (STUN/TCP:443, UDP:3478) against the A/V Edge.
Enterprise pool internal service ports:
- A/V Conferencing Service: SIP/MTLS:5063; media SRTP/UDP:57501-65535.
- Conference control: C3P/HTTPS:444.

Diagram v5.9. Author: Rui Maximo. Editor: Kelly Fuller Blue. Designer: Ken Circeo. Reviewers: Jens Trier Rasmussen, Paul Brombley, Doug Lawty, Stefan Plizga, Jeff Colvin, Kaushal Mehta, Richard Pasztor, Thomas Binder, Subbu Chandrasekaran, Randy Wintle.
Active Directory Domain Services (AD DS): LDAP traffic
- Lync servers query the AD DS Domain Controller (DC) over LDAP/TCP:389 and the AD DS Global Catalog (GC) over LDAP/TCP:3268.
- The diagram shows a multi-domain forest (A.contoso.com, B.contoso.com, C.contoso.com, with the Enterprise pool in C.contoso.com); cross-domain lookups go to the Global Catalog over LDAP/TCP:3268 (labelled AD DS Sync).

XMPP Gateway (perimeter network)
- External XMPP federation partners (Jabber, Gmail): XMPP/TCP:5269 through the external firewall.
- XMPP Gateway to Enterprise pool: SIP/MTLS:5061 through the internal firewall.

Reverse proxy (perimeter network)
- Internet to reverse proxy: HTTPS:443; reverse proxy to Enterprise pool: HTTPS:4443 through the internal firewall.

MSMQ traffic
- Enterprise pool and A/V Conferencing Server to Monitoring Server: MSMQ.
- Enterprise pool to Archiving Server: MSMQ.
- Group Chat Server to Group Chat Compliance Server: MSMQ; Group Chat Server to Enterprise pool: SIP/MTLS:5061.

Notes
- MRAS traffic: Enterprise pool to A/V Edge (media relay authentication).
- Each media session consists of two inbound and two outbound unidirectional streams.
- Port range 50,000-59,999 only needs to be open outbound to the Internet. Inbound traffic from the Internet only needs to be open for federation with partners still running Office Communications Server 2007.
- Port number to service traffic assignment: 5062 - IM Conferencing Service.
- The external firewall separates the Internet from the perimeter network; the internal firewall separates the perimeter network from the internal servers (Enterprise pool, Monitoring Server, Archiving Server, Group Chat servers).
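The note about 50,000-59,999 being outbound-only is the kind of rule that drifts on a real external firewall. The following is an added example, not part of the poster, that derives the Edge Servers' external-firewall rule set from the port labels above and audits an observed rule list against it, so an inbound media range left open for a partner that no longer runs Office Communications Server 2007 shows up as unjustified. The observed entries are constructed sample data; the role and purpose strings are labels chosen here.

```python
"""Added example (not part of the Lync poster): external-firewall rules for the Edge
roles, derived from the diagram's port labels, plus an audit of observed openings.
OBSERVED below is constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" = Internet -> Edge, "outbound" = Edge -> Internet
    proto: str       # "tcp" or "udp"
    low: int         # inclusive port range
    high: int
    role: str
    purpose: str


def edge_external_rules(ocs2007_federation=False, xmpp_gateway=False):
    """Rules the external firewall needs for the Edge roles on the diagram.
    The 50,000-59,999 media range is outbound-only unless a federation partner
    still runs OCS 2007; XMPP/TCP:5269 is only needed with an XMPP Gateway."""
    rules = [
        Rule("inbound", "tcp", 443, 443, "Access Edge", "SIP/TLS remote users and PIC"),
        Rule("inbound", "tcp", 5061, 5061, "Access Edge", "SIP/MTLS federation"),
        Rule("outbound", "tcp", 5061, 5061, "Access Edge", "SIP/MTLS to federated partners"),
        Rule("inbound", "tcp", 443, 443, "Web Conferencing Edge", "PSOM/TLS external attendees"),
        Rule("inbound", "tcp", 443, 443, "A/V Edge", "STUN/TURN over TCP"),
        Rule("inbound", "udp", 3478, 3478, "A/V Edge", "STUN/TURN over UDP"),
        Rule("outbound", "udp", 50000, 59999, "A/V Edge", "SRTP media relay"),
        Rule("outbound", "tcp", 50000, 59999, "A/V Edge", "SRTP media relay"),
    ]
    if ocs2007_federation:
        rules.append(Rule("inbound", "udp", 50000, 59999, "A/V Edge", "OCS 2007 federation media"))
        rules.append(Rule("inbound", "tcp", 50000, 59999, "A/V Edge", "OCS 2007 federation media"))
    if xmpp_gateway:
        rules.append(Rule("inbound", "tcp", 5269, 5269, "XMPP Gateway", "XMPP federation"))
        rules.append(Rule("outbound", "tcp", 5269, 5269, "XMPP Gateway", "XMPP federation"))
    return rules


def allowed(rules, direction, proto, port):
    """True if some derived rule covers a single port in the given direction."""
    return any(r.direction == direction and r.proto == proto and r.low <= port <= r.high
               for r in rules)


def unjustified(observed, rules):
    """Observed openings (direction, proto, low, high) that no derived rule fully
    covers. A range counts as justified only if one rule spans all of it."""
    out = []
    for direction, proto, low, high in observed:
        covered = any(r.direction == direction and r.proto == proto
                      and r.low <= low and high <= r.high for r in rules)
        if not covered:
            out.append((direction, proto, low, high))
    return out


# Constructed sample of what an auditor exported from the external firewall.
OBSERVED = [
    ("inbound", "tcp", 443, 443),
    ("inbound", "udp", 3478, 3478),
    ("outbound", "udp", 50000, 59999),
    ("inbound", "udp", 50000, 59999),   # left over from a former OCS 2007 partner
    ("inbound", "tcp", 5269, 5269),     # XMPP port open with no XMPP Gateway deployed
]

if __name__ == "__main__":
    for entry in unjustified(OBSERVED, edge_external_rules()):
        print("unjustified opening:", entry)
```

Run with the flags that match the deployment: with neither legacy federation nor an XMPP Gateway, the two stale inbound entries are reported; with both flags set, the same export is clean.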
Central Management Service
Traffic types: SMB traffic, HTTPS traffic. Direction of arrow indicates which server initiates the connection; subsequent traffic is bi-directional.
- The Central Management Store (CMS master) is hosted on a pool; install it on Enterprise Edition to provide high availability.
- Edge Servers, Directors, Mediation Server, Standard Edition Server and Enterprise pools hold CMS replicas.

Application Sharing Workload
Traffic types: SIP traffic, RDP/SRTP traffic, HTTPS traffic, ICE traffic. Direction of arrow indicates which server initiates the connection; subsequent traffic is bi-directional.
- Client to Directors: HTTPS:443.
- Client to A/V Edge: SRTP, ICE: STUN/TCP:443, UDP:3478.
- Client media: RDP/SRTP/TCP:1024-65535.
- Peer-to-peer application sharing session between clients uses the same RDP/SRTP/TCP range, with ICE through the A/V Edge when the peers cannot reach each other directly.
Enterprise Voice Workload
Traffic types: SIP traffic, RTP/SRTP traffic, Call Admission Control (CAC) traffic, ICE traffic.
Signaling:
- Client to Directors / Enterprise pool: SIP/TLS:5061.
- Enterprise pool to Mediation Server (optional; CMS replica): SIP/TLS:5067 (Mediation Server Service).
- Mediation Server to gateway: SIP/TCP:5060,5061. If the gateway does not support TLS, connect to the gateway on SIP/TCP:5068.
- Connectivity to: IP-PSTN gateway, IP-PBX (Direct SIP), SIP trunk.
- Exchange UM Server and Enterprise Voice applications to/from the Enterprise pool: SIP/TLS:5061.
Media:
- Media bypass: audio routed directly to the gateway, bypassing the Mediation Server.
- SRTP consists of two unidirectional streams (two inbound and two outbound unidirectional streams per call). RTCP traffic piggybacks on the SRTP stream.
- Media port ranges labelled on the diagram: SRTP/RTCP:30,000-39,999 and SRTP/RTCP:60,000-64,000 (Mediation Server). Range of ports is configurable.
- Media codec varies per workload: RTAudio, G.711, Siren, G.722.
Call Admission Control and ICE:
- Bandwidth Policy Service checks: TURN/TCP:448 from the Enterprise pool and Branch Appliance. If no Edge Server is defined in the topology, the callee checks the Front End Server's Bandwidth Policy Service.
- Client to A/V Edge (ICE): TURN/TCP:443, UDP:3478 (STUN/TCP:443, STUN/UDP:3478); A/V Edge media SRTP:443, 3478, [UDP|TCP:50,000-59,999]. Port range 50,000-59,999 only needs to be open outbound to the Internet; inbound traffic from the Internet only needs to be open for federation with partners still running Office Communications Server 2007.
- MRAS traffic: Enterprise pool to A/V Edge over SIP/MTLS:5062 (optional; only with an Edge Server deployed).
Edge Servers (CMS replica):
- Access Edge: SIP/TLS:443 from the Internet; SIP/MTLS:5061 to the Enterprise pool.
- CMS replication to the Edge Servers: HTTPS:4443; internal replicas (Directors, Mediation Server, Standard Edition Server, Enterprise pool) replicate over SMB:445.
Branch site (Branch Appliance, connected to the central site over a WAN Connection):
- Branch Appliance to Enterprise pool: SIP/TLS:5061; CAC checks over TURN/TCP:448.
- Lync client automatically registers with the pool if the Branch Appliance becomes unavailable.
- For federation, the SBA connects directly with the Director. If no Director is available, federation traffic goes directly to the Edge Server.
Other servers:
- Reverse proxy: HTTPS:443 from the Internet, HTTPS:4443 to the Enterprise pool. If a client connects on port 80, it is redirected to port 443.
- Monitoring Server: MSMQ from the Enterprise pool and Mediation Server.
- Conference control: HTTPS:444.
Port number to service traffic assignment:
- 5064 - Telephony Conferencing Service
- 5065 - Application Sharing Conferencing Service (media: RDP/SRTP/TCP:49152-65535)
- 5067 - Mediation Server Service
- 5071 - Response Group Service
- 5072 - Conferencing Attendant Service
- 5073 - Conferencing Announcement Service
Firewalls: the external firewall separates the Internet from the perimeter network (Edge Servers, reverse proxy); the internal firewall separates the perimeter network from the internal network (Directors, Enterprise pool, Mediation Server, Monitoring Server).
LEGEND (client icons): Lync, Lync Phone Edition, Attendant Console, Group Chat, Lync Web App.
DNS Configuration
- Publish SRV record _sipfederationtls._tcp.<domain> that resolves to the Access Edge FQDN, accesssrv.<domain>.
- Publish SRV record _sip._tls.<domain> that resolves to the Access Edge FQDN. This is required for federated and anonymous connections to Web conferences.
- Publish SRV record _xmpp-server._tcp.<domain> that resolves to the gateway NIC of the XMPP gateway.
- Publish A record for the Meet Simple URL that resolves the URL to the IP address of the Director, if one is deployed, or the pool.
- Publish A record for the Dial-In Simple URL that resolves the URL to the IP address of the Director, if one is deployed, or the pool.
- Publish A record for the Access Edge FQDN, accesssrv.<domain> | sip.<domain>, that resolves to the Access Edge public IP address.
- Publish A record for the A/V Edge FQDN, av.<domain>, that resolves to the A/V Edge public IP address.
- Publish A record for the Conferencing Edge FQDN, conf.<domain>, that resolves to the Conferencing Edge public IP address.
- Publish A record for the internal pool's reverse proxy FQDN that resolves to the public IP address of the reverse proxy.

CERTIFICATE REQUIREMENTS
(The diagram writes each name with a trailing '.' and omits the domain suffix; it is shown here as <domain>.)

Front End Server 1, Front End Server 2
- FQDN: pool.<domain>
- Certificate SN: pool.<domain>
- Certificate SAN: pool.<domain>, fe.<domain>, sip.<domain>, meet.<domain>, dialin.<domain>
- EKU: server
- Root certificate: private CA

Director 1, Director 2
- FQDN: dir.<domain>
- Certificate SN: dir.<domain>
- Certificate SAN: dir.<domain>, sipinternal.<domain>, sip.<domain>, meet.<domain>, dialin.<domain>
- EKU: server
- Root certificate: private CA

Group Chat Server
- FQDN: chatsrv.<domain>
- Certificate SN: chatsrv.<domain>
- Certificate SAN: N/A
- EKU: server, client
- Root certificate: private CA

Branch Appliance
- FQDN: sba.<domain>
- Certificate SN: sba.<domain>
- Certificate SAN: sba.<domain>
- EKU: server
- Root certificate: private CA

Exchange UM Server
- FQDN: umsrv.<domain>
- Certificate SN: umsrv.<domain>
- Certificate SAN: N/A
- EKU: server
- Root certificate: private CA

Edge Server 1, Edge Server 2
Internal interface
- FQDN: intsrv.<domain>
- Certificate SN: intsrv.<domain>
- Certificate SAN: N/A
- EKU: server
- Root certificate: private CA
Access Edge
- FQDN: accesssrv.<domain>
- Certificate SN: accesssrv.<domain>
- Certificate SAN: accesssrv.<domain>, sip.<domain>
- EKU: server, client*
- Root certificate: public CA
Conference Edge
- FQDN: conf.<domain>
- Certificate SN: conf.<domain>
- Certificate SAN: N/A
- EKU: server
- Root certificate: public CA
A/V Edge
- FQDN: av.<domain>
- Certificate SN: av.<domain>
- Certificate SAN: N/A
- EKU: server
- Root certificate: private CA

Mediation Server
- FQDN: medsrv.<domain>
- Certificate SN: medsrv.<domain>
- Certificate SAN: N/A
- EKU: server
- Root certificate: private CA

XMPP Gateway
Internal interface (1)
- FQDN: xmppsrv.<domain>
- Certificate SN: xmppsrv.<domain>
- Certificate SAN: N/A
- EKU: server
- Root certificate: private CA
External interface (2)
- FQDN: xmpp.<domain>
- Certificate SN: xmpp.<domain>
- Certificate SAN: N/A
- EKU: server
- Root certificate: public CA

* Required only for public IM connectivity with AIM.
(1) This FQDN is for connectivity to internal Edge Servers.
(2) This FQDN is for connectivity to external XMPP gateways.
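A certificate that misses one SAN (dialin is the usual victim) or the client EKU on the Access Edge fails only at the moment a user dials in or an AIM contact signs on. The following is an added example, not part of the poster, that encodes the table above and checks a certificate's subject name, SANs, EKUs and issuer type against it for a given role. It assumes the diagram's trailing '.' stands for the domain suffix, takes the certificate fields as plain Python values (constructed sample data for the hypothetical domain contoso.com), and does not parse X.509 files; the role keys are names chosen here.

```python
"""Added example (not part of the Lync poster): validate certificate names, EKUs and
issuer against the CERTIFICATE REQUIREMENTS table. Role keys are labels chosen here;
certificate fields are passed in as plain values (constructed sample data)."""

# Per-role requirements from the table: subject-name label, SAN labels, EKUs, root CA.
# Labels are suffixed with the domain, i.e. "pool" -> pool.<domain>.
REQUIREMENTS = {
    "front end":        dict(sn="pool",      san=("pool", "fe", "sip", "meet", "dialin"),
                             eku={"server"}, root="private"),
    "director":         dict(sn="dir",       san=("dir", "sipinternal", "sip", "meet", "dialin"),
                             eku={"server"}, root="private"),
    "group chat":       dict(sn="chatsrv",   san=(), eku={"server", "client"}, root="private"),
    "branch appliance": dict(sn="sba",       san=("sba",), eku={"server"}, root="private"),
    "exchange um":      dict(sn="umsrv",     san=(), eku={"server"}, root="private"),
    "edge internal":    dict(sn="intsrv",    san=(), eku={"server"}, root="private"),
    "access edge":      dict(sn="accesssrv", san=("accesssrv", "sip"), eku={"server"}, root="public"),
    "conference edge":  dict(sn="conf",      san=(), eku={"server"}, root="public"),
    "av edge":          dict(sn="av",        san=(), eku={"server"}, root="private"),
    "mediation":        dict(sn="medsrv",    san=(), eku={"server"}, root="private"),
    "xmpp internal":    dict(sn="xmppsrv",   san=(), eku={"server"}, root="private"),
    "xmpp external":    dict(sn="xmpp",      san=(), eku={"server"}, root="public"),
}


def required_names(role, domain):
    """(subject name, [SANs]) to put on the certificate request for a role."""
    req = REQUIREMENTS[role]
    return f"{req['sn']}.{domain}", [f"{label}.{domain}" for label in req["san"]]


def check_certificate(role, domain, subject_cn, sans, ekus, public_root, aim_pic=False):
    """Return a list of problems; an empty list means the certificate matches the table.
    aim_pic applies the table's footnote: the Access Edge also needs the client EKU
    when public IM connectivity with AIM is enabled."""
    req = REQUIREMENTS[role]
    problems = []
    want_sn, want_sans = required_names(role, domain)
    have_sans = {s.lower() for s in sans}

    if subject_cn.lower() != want_sn.lower():
        problems.append(f"subject name is {subject_cn}, expected {want_sn}")
    for name in want_sans:
        if name.lower() not in have_sans:
            problems.append(f"missing SAN {name}")

    want_eku = set(req["eku"])
    if role == "access edge" and aim_pic:
        want_eku.add("client")
    for eku in sorted(want_eku - {e.lower() for e in ekus}):
        problems.append(f"missing EKU {eku}")

    # Internal roles chain to the private CA; Internet-facing ones to a public CA.
    if (req["root"] == "public") != bool(public_root):
        problems.append(f"issuer should be a {req['root']} CA")
    return problems


if __name__ == "__main__":
    # Constructed sample: a Front End certificate issued without the dialin SAN.
    sans = ["pool.contoso.com", "fe.contoso.com", "sip.contoso.com", "meet.contoso.com"]
    for p in check_certificate("front end", "contoso.com", "pool.contoso.com",
                               sans, {"server"}, public_root=False):
        print(p)
```

The issuer check is deliberately two-sided: an Access Edge certificate from the private CA will not be trusted by federated partners or remote clients, and an internal role on a public certificate needlessly exposes internal host names in CT logs.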
2010 Microsoft Corporation. All rights reserved. Active Directory, Lync, MSN, and any associated logos are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other trademarks or trade names mentioned herein are the property of their respective owners.