© 2010 Microsoft Corporation. All rights reserved. Active Directory, Lync, MSN, and any associated logos are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other trademarks or trade names mentioned herein are the property of their respective owners.
IM and Presence Workload
(diagram panel: labels only; the arrows linking each connection label to its endpoints did not survive extraction)
Firewalls: External Firewall, Internal Firewall
Server roles: Reverse proxy; Edge Pool; XMPP Gateway; Directors; Enterprise Pool; Archiving Server; Monitoring Server; Group Chat Server; Group Chat Compliance Server; Central Management Service; Address book & Group Chat file share
External endpoints: Federated Company; public IM providers Yahoo!, MSN, AOL, Jabber, Gmail
Connection labels:
- C3P/HTTPS:444
- SIP/MTLS:5061
- XMPP/TCP:5269
- Access Edge - SIP/MTLS:5061
- Access Edge - SIP/TLS:443
- HTTPS:443
- SIP/TLS:5061
- SIP/MTLS:5041
- SIP/MTLS
- MSMQ
- SRV query
External user sign-in process:
1. Client resolves DNS SRV record _sip._tls.<sip-domain> to Edge Server.
2. Client connects to Edge Server.
3. Edge Server proxies connection to Director.
4. Director authenticates user and proxies connection to user’s home pool.
A/V and Web Conferencing Workload
(diagram panel: labels only; the arrows linking each connection label to its endpoints did not survive extraction)
Firewalls: External firewall, Internal firewall
Server roles: Edge Pool; Directors; Monitoring Server
Connection labels:
- HTTPS:443 (HTTPS:443 is used to download conferencing content)
- SIP/MTLS:5061
- SIP/TLS:5061
- A/V Edge - STUN/TCP:443, UDP:3478
- A/V Edge - SRTP:443,3478,[TCP:50,000-59,999]
- SRTP/UDP:49152-65535
- PSOM/TLS:8057
- Web Conf Edge - PSOM/TLS:443
- Access Edge - SIP/TLS:443
- MSMQ
Notes:
- Two inbound and two outbound unidirectional streams.
- TCP:443 must be open inbound. UDP:3478 must be open both inbound and outbound.
- Traffic goes directly to the Web Conferencing Service WITHOUT going through the pool’s hardware load balancer.
- Traffic goes directly to the Audio/Video Conferencing Service WITHOUT going through the pool’s hardware load balancer.
Protocol Workloads
DNS Configuration
· Publish SRV for _sipfederationtls._tcp.<sip-domain>, that resolves to Access Edge FQDN, accesssrv.<sip-domain>.
· Publish SRV for _sip._tls.<sip-domain>, that resolves to Access Edge FQDN. This is required for federated and anonymous connections to Web conferences.
· Publish SRV for _xmpp-server._tcp.<sip-domain>, that resolves to the gateway NIC of the XMPP gateway.
· Publish CNAME or A record for lyncdiscoverinternal.<sip-domain> that resolves to the IP address of the Director, if one is deployed, or of the pool.
· Publish CNAME for lyncdiscover.<sip-domain> that resolves to the IP address of the reverse proxy. The HTTPS connection is proxied to the internal pool’s Web Service.
· Publish A record for the Meet Simple URL that resolves the URL to the IP address of the Director, if one is deployed, or of the pool.
· Publish A record for the Dial-In Simple URL that resolves the URL to the IP address of the Director, if one is deployed, or of the pool.
· Publish A record for Access Edge FQDN, accesssrv.<sip-domain> | sip.<sip-domain>, that resolves to the Access Edge public IP address.
· Publish A record for A/V Edge FQDN, av.<sip-domain>, that resolves to the A/V Edge public IP address.
· Publish A record for Conferencing Edge FQDN, conf.<sip-domain>, that resolves to the Conferencing Edge public IP address.
· Publish A record for the internal pool’s reverse proxy FQDN, that resolves to the public IP address of the reverse proxy.
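To make the record list above checkable, here is an added example (not from the poster or from Microsoft) that encodes the external records as a validator over a constructed sample zone for contoso.com, and implements the SRV step of the poster's sign-in processes; the reverse proxy host name lyncweb, the TEST-NET addresses, and the expected SRV ports (taken from the poster's Access Edge SIP/MTLS:5061, SIP/TLS:443 and XMPP/TCP:5269 labels) are assumptions.

```python
"""Offline checker for the external DNS records a Lync Server 2010 deployment
publishes. Added example; the zone below is constructed sample data."""
from collections import namedtuple

SRV = namedtuple("SRV", "priority weight port target")
MAX_CNAME_HOPS = 8
SIP_DOMAIN = "contoso.com"

# Constructed sample zone: name -> list of (type, value). SRV values are
# (priority, weight, port, target) as published in DNS. "lyncweb" stands in
# for the reverse proxy FQDN (assumption); 203.0.113.0/24 is TEST-NET-3.
SAMPLE_ZONE = {
    f"_sipfederationtls._tcp.{SIP_DOMAIN}": [("SRV", (0, 0, 5061, f"accesssrv.{SIP_DOMAIN}"))],
    f"_sip._tls.{SIP_DOMAIN}": [("SRV", (0, 0, 443, f"accesssrv.{SIP_DOMAIN}"))],
    f"_xmpp-server._tcp.{SIP_DOMAIN}": [("SRV", (0, 0, 5269, f"xmpp.{SIP_DOMAIN}"))],
    f"lyncdiscover.{SIP_DOMAIN}": [("CNAME", f"lyncweb.{SIP_DOMAIN}")],
    f"lyncweb.{SIP_DOMAIN}": [("A", "203.0.113.10")],
    f"accesssrv.{SIP_DOMAIN}": [("A", "203.0.113.20")],
    f"sip.{SIP_DOMAIN}": [("A", "203.0.113.20")],
    f"av.{SIP_DOMAIN}": [("A", "203.0.113.21")],
    f"conf.{SIP_DOMAIN}": [("A", "203.0.113.22")],
    f"xmpp.{SIP_DOMAIN}": [("A", "203.0.113.23")],
    f"meet.{SIP_DOMAIN}": [("A", "203.0.113.10")],
    # dialin.<sip-domain> is deliberately missing so the checker reports it.
}


def resolve_a(zone, name, _hops=0):
    """Return the A-record addresses for name, following CNAME chains.
    An empty list means the name does not resolve (including CNAME loops)."""
    if _hops > MAX_CNAME_HOPS:
        return []
    addrs = []
    for rtype, value in zone.get(name, []):
        if rtype == "A":
            addrs.append(value)
        elif rtype == "CNAME":
            addrs.extend(resolve_a(zone, value, _hops + 1))
    return addrs


def lookup_srv(zone, service_name):
    """SRV records for service_name in the order a client tries them:
    lowest priority first, then highest weight."""
    recs = [SRV(*value) for rtype, value in zone.get(service_name, []) if rtype == "SRV"]
    return sorted(recs, key=lambda r: (r.priority, -r.weight))


def sign_in_endpoint(zone, sip_domain, internal=False):
    """Step 1 of the poster's sign-in processes: resolve the SIP SRV record
    (_sip._tls externally, _sipinternaltls._tcp internally), then its target.
    Returns (target, port, [addresses]) or None when nothing usable exists."""
    service = (f"_sipinternaltls._tcp.{sip_domain}" if internal
               else f"_sip._tls.{sip_domain}")
    for rec in lookup_srv(zone, service):
        addrs = resolve_a(zone, rec.target)
        if addrs:
            return rec.target, rec.port, addrs
    return None


def check_external_dns(zone, sip_domain):
    """Return a list of findings (empty when every required record is present
    and resolves). Expected SRV ports follow the poster's Access Edge and
    XMPP connection labels."""
    findings = []
    srv_expect = {
        f"_sipfederationtls._tcp.{sip_domain}": 5061,
        f"_sip._tls.{sip_domain}": 443,
        f"_xmpp-server._tcp.{sip_domain}": 5269,
    }
    for service, port in srv_expect.items():
        recs = lookup_srv(zone, service)
        if not recs:
            findings.append(f"missing SRV record: {service}")
            continue
        for rec in recs:
            if rec.port != port:
                findings.append(f"unexpected port {rec.port} in SRV {service} (expected {port})")
            if not resolve_a(zone, rec.target):
                findings.append(f"SRV target does not resolve: {rec.target} ({service})")
    # lyncdiscover.<sip-domain> is a CNAME to the reverse proxy per the poster.
    discover = f"lyncdiscover.{sip_domain}"
    if not any(rtype == "CNAME" for rtype, _ in zone.get(discover, [])):
        findings.append(f"missing CNAME record: {discover}")
    elif not resolve_a(zone, discover):
        findings.append(f"CNAME target does not resolve: {discover}")
    # A records for the Edge FQDNs and the Meet / Dial-In Simple URLs.
    for host in ("accesssrv", "sip", "av", "conf", "meet", "dialin"):
        name = f"{host}.{sip_domain}"
        if not resolve_a(zone, name):
            findings.append(f"missing A record: {name}")
    return findings


if __name__ == "__main__":
    for finding in check_external_dns(SAMPLE_ZONE, SIP_DOMAIN):
        print("FINDING:", finding)
    print("external sign-in endpoint:", sign_in_endpoint(SAMPLE_ZONE, SIP_DOMAIN))
```

Against real DNS, replace the zone dict with answers from a resolver; the checks themselves do not change.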
Central Management Service
(diagram panel: labels only; the arrows linking each connection label to its endpoints did not survive extraction)
Firewalls: External firewall, Internal firewall
Server roles: Enterprise Pool (CMS master); Enterprise Pool (CMS replica); Standard Edition Server (CMS replica); Directors (CMS replica); Mediation Pool (CMS replica); Edge Pool (CMS replica)
Connection labels: SMB:445 (SMB traffic); HTTPS:4443 (HTTPS traffic)
Direction of arrow indicates which server initiates the connection. Subsequent traffic is bi-directional.

Diagram v5.15 Author: Rui Maximo — Editor: Kelly Fuller Blue — Designer: Ken Circeo
Reviewers: Jens Trier Rasmussen, Paul Brombley, Doug Lawty, Stefan Plizga, Jeff Colvin, Kaushal Mehta, Richard Pasztor, Thomas Binder, Subbu Chandrasekaran, Randy Wintle, Rob L., Stefan Heidl, Fabian Kunz, Jeff Schertz
LEARN MORE
http://twitter.com/DrRez
Enterprise Voice Workload
(diagram panel: labels only; the arrows linking each connection label to its endpoints did not survive extraction)
Firewalls: External firewall, Internal firewall
Server roles: Enterprise Pool; Mediation Pool (optional); Edge Pool; Directors; Monitoring Server; Exchange UM Server; Branch Appliance
Connectivity to:
• IP-PSTN gateway
• IP/PBX
• Direct SIP
• SIP trunk
Connection labels:
- A/V Edge - ICE: STUN/TCP:443, STUN/UDP:3478
- Access Edge - SIP/TLS:443
- A/V Edge - SRTP:443,3478,[TCP:50,000-59,999]
- SIP/TLS:5061
- SIP/MTLS:5061
- SIP/MTLS:5062
- STUN/TCP:443,STUN/UDP:3478
- SIP/TCP:5060,5061
- SRTP/RTCP:30,000-39,999
- MRAS traffic
Notes:
- SRTP consists of two unidirectional streams. RTCP traffic piggybacks on the SRTP stream.
- Media codec varies per workload: RTAudio, G.711, Siren, G.722.
- TCP:443 must be open inbound. UDP:3478 must be open both inbound and outbound.
LEARN MORE
http://nexthop.info
CERTIFICATE REQUIREMENTS

Edge Servers (Edge Server 1, Edge Server 2)
  Internal FQDN: intsrv.<ad-domain>
  Certificate SN: intsrv.<ad-domain>
  Certificate SAN:
  EKU: server
  Root certificate: private CA
  External FQDN: edge.<sip-domain>
  Certificate SN: edge.<sip-domain>
  Certificate SAN: sip.<sip-domain>, conf.<sip-domain>
  EKU: server, client*
  Root certificate: public CA

Mediation Server
  FQDN: medsrv.<ad-domain>
  Certificate SN: medsrv.<ad-domain>
  Certificate SAN: N/A
  EKU: server
  Root certificate: private CA

Directors (Director 1, Director 2)
  FQDN: dir.<ad-domain>
  Certificate SN: dir.<ad-domain>
  Certificate SAN: dir.<ad-domain>, sipinternal.<sip-domain>, sip.<sip-domain>, meet.<sip-domain>, dialin.<sip-domain>
  EKU: server
  Root certificate: private CA

Enterprise pool (Front End Server 1, Front End Server 2)
  FQDN: pool.<ad-domain>
  Certificate SN: pool.<ad-domain>
  Certificate SAN: pool.<ad-domain>, fe.<sip-domain>, sip.<sip-domain>, meet.<sip-domain>, dialin.<sip-domain>
  EKU: server
  Root certificate: private CA

* Required only for public IM connectivity with AOL IM.
Application Sharing Workload
(diagram panel: labels only; the arrows linking each connection label to its endpoints did not survive extraction)
Firewalls: External firewall, Internal firewall
Server roles: Monitoring Server
Panel legend: RDP/SRTP traffic; HTTPS traffic; SIP traffic. Direction of arrow indicates which server initiates the connection. Subsequent traffic is bi-directional.
Connection labels:
- HTTPS:443
- HTTPS:4443
- Access Edge - SIP/TLS:443
- A/V Edge - SRTP:443,3478,50,000-59,999
- RDP/SRTP/TCP:1024-65535
- RDP/SRTP/TCP:49152-65535
- SIP/TLS:5061
- SIP/MTLS:5061
Notes:
- Peer-to-peer application sharing session.
- Range of ports is configurable.
- Two inbound and two outbound unidirectional streams.
Port number to service traffic assignment:
5065 - Application Sharing Conferencing Service
Internal user sign-in process:
1. Client resolves DNS SRV record _sipinternaltls._tcp.<sip-domain> to Director.
2. Client connects to Director.
3. Director redirects client to user’s home pool.
LEARN MORE
http://technet.microsoft.com/lync
http://go.microsoft.com/fwlink/?LinkId=204593
Active Directory Domain Services
LEGEND
- HTTPS traffic
- SIP traffic: signaling
- SIP traffic: signaling and IM
- SIP traffic
- RTP/SRTP traffic: A/V Conferencing
- RTP/SRTP traffic
- PSOM traffic: Web Conferencing
- XMPP traffic
- MSMQ traffic
- Call Admission Control (CAC) traffic
Connection label: SIP/TLS:5061
Client endpoints: WAN Connection; Attendant Console; Lync Phone Edition; Lync Group Chat; Lync Web App
Branch Appliance
  FQDN: sba.<ad-domain>
  Certificate SN: sba.<ad-domain>
  Certificate SAN: sba.<ad-domain>
  EKU: server
  Root certificate: private CA

XMPP Gateway
  FQDN: xmppsrv.<sip-domain> (1)
  Certificate SN: xmppsrv.<sip-domain>
  Certificate SAN: N/A
  EKU: server
  Root certificate: private CA
  FQDN: xmpp.<sip-domain> (2)
  Certificate SN: xmpp.<sip-domain>
  Certificate SAN: N/A
  EKU: server
  Root certificate: public CA
(1) This FQDN is for connectivity to internal Edge Servers.
(2) This FQDN is for connectivity to external XMPP gateways.
Notes:
- If the client connects on port 80, it gets redirected to port 443.
- This port is used to: download the Address Book; connect to the Mobility Service; connect to the AutoDiscovery Service.
- Ports to be load balanced by the HLB: 443; 4443; 5061; 135 (only if SIP traffic is load balanced by the HLB).
- MRAS traffic.
Group Chat Server
  FQDN: chatsrv.<ad-domain>
  Certificate SN: chatsrv.<ad-domain>
  Certificate SAN: N/A
  EKU: server, client
  Root certificate: private CA

Exchange UM Server
  FQDN: umsrv.<ad-domain>
  Certificate SN: umsrv.<ad-domain>
  Certificate SAN: N/A
  EKU: server
  Root certificate: private CA
Diagram labels: MRAS traffic; Edge Pool; Enterprise Pool; Directors; SIP/MTLS; MSMQ
Notes:
- TCP port range 50,000-59,999 only needs to be open outbound.
- TCP/UDP port range 50,000-59,999 needs to be open inbound and outbound to the Internet for federation with partners running Office Communications Server 2007.
AD DS Sync (LDAP traffic)
Roles: AD DS Domain Controller (DC); Enterprise Pool; C.contoso.com
Connection labels: LDAP/TCP:389; LDAP/TCP:3268
Peer-to-peer A/V session (diagram labels):
- SRTP/UDP:49152-65535
- ICE: STUN/TCP:443, UDP:3478
- ICE traffic
- TURN/TCP:448
- TURN/TCP:443, UDP:3478
- SRTP/RTCP:60,000-64,000
Notes:
- Media codec varies per workload: RTAudio, G.711.
- Media bypass: audio routed directly to the gateway, bypassing the Mediation Server.
- Codec varies per workload: G.722 or Siren for audio; RTVideo for video.
Port number to service traffic assignment:
5062 - IM Conferencing Service
5086 - Internal Mobility Service
5087 - External Mobility Service
5064 - Telephony Conferencing Service
5067 - Mediation Server Service
5071 - Response Group Service
5072 - Conferencing Attendant Service
5073 - Conferencing Announcement Service
5075 - Call Park Service
Connection labels: TURN/TCP:448; SRTP/RTCP:49,152-57,500
Active Directory Domain Services (AD DS)
Roles: AD DS Global Catalog (GC); A.contoso.com; B.contoso.com; Enterprise Voice applications
Connection labels: LDAP/TCP:3268
Connection labels: SIP/TLS:5061; SRTP/RTCP:30,000-39,999; SRTP, ICE: STUN/TCP:443, UDP:3478; SRTP, ICE: STUN/TCP:443
Note: the Lync client automatically registers with the pool if the Branch Appliance becomes unavailable.
This port is used to connect to Lync Web Services:
- download the Address Book
- provide distribution list expansion
- download meeting content
- connect to the Mobility Service
- connect to the AutoDiscovery Service
Meeting content + metadata + compliance file share.
Server roles: A/V Conferencing Server; Reverse proxy; Enterprise Pool; Back-end SQL Server
Connection labels: SIP/MTLS:5063; SRTP/UDP:57501-65335; SIP/MTLS; SIP/TLS:5067; MSMQ; SIP/TLS:5061; SIP/MTLS:5062; PSOM/MTLS:8057; TCP:1433; HTTPS:4443; HTTPS:444; SIP/MTLS:5061; SRTP, ICE: STUN/TCP:443, UDP:3478; MRAS traffic
Notes:
- If no Edge Server is defined in the topology, the callee checks the Front End Server’s Bandwidth Policy Service.
- If the gateway does not support TLS, connect to the gateway on SIP/TCP:5068.
- For federation, the SBA connects directly with the Director. If no Director is available, federation traffic goes directly to the Edge Server.
- Publish rule for port 4443 to set “forward host header” to true. This ensures the original URL is forwarded.
- Director redirects Web traffic to the destination pool’s Web Service.
- Back-end SQL Server: install on Enterprise Edition to provide high availability.
Microsoft lync server 2010 protocol workloads poster