© 2010 Microsoft Corporation. All rights reserved. Active Directory, Lync, MSN, and any associated logos are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other trademarks or trade names mentioned herein are the property of their respective owners. External Firewall Internal Firewall IM and Presence Workload C3P/HTTPS:444 SIP/MTLS:5061 XMPP/TCP:5269 Reverse proxy Access Edge - SIP/MTLS:5061 Federated Company Yahoo! MSN AOL Jabber Gmail HTTPS:443 SIP/MTLS:5061 Access Edge - SIP/TLS:443 SIP/MTLS:5061 Group Chat Compliance Server HTTPS:443 SIP/TLS:5061 SRV query External user sign-in process: 1. Client resolves DNS SRV record _sip._tls.<sip-domain> to Edge Server. 2. Client connects to Edge Server. 3. Edge Server proxies connection to Director. 4. Director authenticates user and proxies connection to user’s home pool. HTTPS:443 SIP/TLS:5061 MSMQ SIP/MTLS SIP/MTLS:5041 MSMQ Monitoring Server Group Chat Server Edge Servers XMPP Gateway Directors Archiving Server Enterprise pool Address book & Group Chat file share. Central Management Service A/V and Web Conferencing Workload Edge Servers External firewall Internal firewall HTTPS:443 SIP/MTLS:5061 SIP/TLS:5061 Two inbound and two outbound unidirectional streams. A/V Edge - STUN/TCP:443, UDP:3478 A/V Edge – SRTP:443,3478,[50,000-59,999] SRTP/UDP:49152-65535 PSOM/TLS:8057 HTTPS:443 HTTPS:443 is used to download conferencing content. Traffic goes directly to Web Conferencing Service WITHOUT going through the pool’s hardware load balancer Traffic goes directly to Audio/ Video Conferencing Service WITHOUT going through the pool’s hardware load balancer. Web Conf Edge - PSOM/TLS:443 Access Edge - SIP/TLS:443 Directors Monitoring Server SIP/MTLS:5061 MSMQ Protocol Workloads LEGEND · Publish SRV for _sipfederationtls._tcp.<sip-domain>, that resolves to Access Edge FQDN, accesssrv.<sip-domain>. · Publish SRV for _sip._tls.<sip-domain>, that resolves to Access Edge FQDN. This is required for federated and anonymous connections to Web conferences. · Publish SRV for _xmpp-server._tcp.<sip-domain>, that resolves to gateway NIC of the XMPP gateway. · Publish CNAME or A record for lyncdiscoverinternal.<sip-domain> that resolves to IP address of Director, if one is deployed, or pool. · Publish CNAME for lyncdiscover.<sip-domain> that resolves to IP address of reverse proxy. HTTPS connection is proxied to internal pool’s Web Service. · Publish A record for Meet Simple URL that resolves the URL to IP address of Director, if one is deployed, or pool. · Publish A record for Dial-In Simple URL that resolves the URL to IP address of Director, if one is deployed, or pool. · Publish A record for Access Edge FQDN, accesssrv.<sip-domain> | sip.<sip-domain>, that resolves to Access Edge public IP address. · Publish A record for A/V Edge FQDN, av.<sip-domain>, that resolves to A/V Edge public IP address. · Publish A record for Conferencing Edge FQDN, conf.<sip-domain>, that resolves to Conferencing Edge public IP address. · Publish A record for internal pool to the reverse proxy FQDN, that resolves to public IP address of reverse proxy DNS Configuration External firewall Internal firewall SMB traffic Direction of arrow indicates which server initiates the connection. Subsequent traffic is bi-directional. Directors (CMS replica) Standard Edition Server (CMS replica) Central Management Store (CMS master) Enterprise pool (CMS replica) Mediation Server (CMS replica) HTTPS traffic SMB:445 HTTPS:4443 Install on Enterprise Edition to provide high availability. Edge Servers (CMS replica) Diagram v5.11 Author: Rui Maximo — Editor: Kelly Fuller Blue — Designer: Ken Circeo Reviewers: Jens Trier Rasmussen, Paul Brombley, Doug Lawty, Stefan Plizga, Jeff Colvin, Kaushal Mehta, Richard Pasztor, Thomas Binder, Subbu Chandrasekaran, Randy Wintle, Rob L. Central Management Service http://twitter.com/DrRez LEARN MORE External firewall Internal firewall Enterprise Voice Workload Connectivity to: • IP-PSTN gateway • IP/PBX • Direct SIP • SIP trunk A/V Edge – ICE: STUN/TCP:443, STUN/UDP:3478 Access Edge - SIP/TLS:443 A/V Edge – SRTP:443,3478,[UDP|TCP:50,000-59,999] SIP/TLS:5061 SRTP consists of two unidirectional streams. RTCP traffic piggy backs on the SRTP stream. Media codec varies per workload: - RTAudio - G.711 - Siren - G.722 Mediation Server (optional) SIP/MTLS:5061 STUN/TCP:443, STUN/UDP:3478 SIP/TCP:5060,5061 Monitoring Server Exchange UM Server Edge Servers Directors SIP/MTLS:5062 MRAS traffic. SIP/MTLS:5061 SRTP/RTCP:30,000-39,999 Enterprise pool Branch Appliance SIP/MTLS:5062 http://nexthop.info CERTIFICATE REQUIREMENTS *Required only for public IM connectivity with AIM Edge Server 1, Edge Server 2 Internal FQDN: intsrv.<ad-domain> Certificate SN: intsrv.<ad-domain> Certificate SAN: EKU: server Root certificate: private CA Access FQDN: accesssrv.<sip-domain> Certificate SN: accesssrv.<sip-domain> Certificate SAN: accesssrv.<sip-domain>, sip.<sip-domain> EKU: server, client* Root certificate: public CA Conference FQDN: N/A Certificate SN: conf.<sip-domain> Certificate SAN: N/A EKU: server Root certificate: public CA A/V FQDN: av.<sip-domain> Certificate SN: av.<sip-domain> Certificate SAN: N/A EKU: server Root certificate: private CA Edge Servers Mediation Server FQDN: medsrv.<ad-domain> Certificate SN: medsrv.<ad-domain> Certificate SAN: N/A EKU: server Root certificate: private CA Directors Director 1, Director 2 FQDN: dir.<ad-domain> Certificate SN: dir.<ad-domain> Certificate SAN: dir.<ad-domain>, sipinternal.<sip-domain> sip.<sip-domain> meet.<sip-domain> dialin.<sip-domain> EKU: server Root certificate: private CA Front End Server 1, Front End Server 2 FQDN: pool.<ad-domain> Certificate SN: pool.<ad-domain> Certificate SAN: pool.<ad-domain>, fe.<sip-domain> sip.<sip-domain> meet.<sip-domain> dialin.<sip-domain> EKU: server Root certificate: private CA Enterprise pool Application Sharing Workload HTTPS:443 HTTPS:443 External firewall Access Edge - SIP/TLS:443 HTTPS:443 Peer-to-peer application sharing session. RDP/SRTP traffic HTTPS traffic SIP traffic Direction of arrow indicates which server initiates the connection. Subsequent traffic is bi-directional. Internal firewall A/V Edge – SRTP:443,3478,50,000-59,999 Range of ports is configurable. Two inbound and two outbound unidirectional streams. Monitoring Server RDP/SRTP/TCP:1024-65535 SIP/TLS:5061 HTTPS:4443 Port number to service traffic assignment: 5065 - Application Sharing Conferencing Service SIP/MTLS:5061 SIP/MTLS:5061 RDP/SRTP/TCP:49152-65535 Internal user sign-in process: 1. Client resolves DNS SRV record _sipinternaltls._tcp.<sip-domain> to Director. 2. Client connects to Director. 3. Director redirects client to user’s home pool. http://technet.microsoft.com/lync http://go.microsoft.com/fwlink/?LinkId=204593 Active Directory Domain Services HTTPS traffic SIP traffic: signaling RTP/SRTP traffic: A/V Conferencing PSOM traffic: Web Conferencing SIP traffic: signaling and IM XMPP traffic HTTPS traffic MSMQ traffic SIP/TLS:5061 RTP/SRTP traffic SIP traffic Call Admission Control (CAC) traffic WAN Connection Attendant Console Lync Phone Edition Lync Group Chat Lync Web App Branch Appliance FQDN: sba.<ad-domain> Certificate SN: sba.<ad-domain> Certificate SAN: sba.<ad-domain> EKU: server Root certificate: private CA FQDN: xmppsrv.<sip-domain> (1) Certificate SN: xmppsrv.<sip-domain> Certificate SAN: N/A EKU: server Root certificate: private CA XMPP Gateway FQDN: xmpp.<sip-domain> (2) Certificate SN: xmpp.<sip-domain> Certificate SAN: N/A EKU: server Root certificate: public CA (1) This FQDN is for connectivity to internal Edge Servers (2) This FQDN is for connectivity to external XMPP gateways If client connects on port 80, it gets redirected to port 443 This port is used to: - download the Address Book - connect to the Mobility Service - connect to the AutoDiscovery Service Ports to load balanced by HLB: - 443 - 4443 - 5061 - 135 – only if SIP traffic is load balanced by HLB MRAS traffic. Group Chat Server FQDN: chatsrv.<ad-domain> Certificate SN: chatsrv.<ad-domain> Certificate SAN: N/A EKU: server, client Root certificate: private CA Exchange UM Server FQDN: umsrv.<ad-domain> Certificate SN: umsrv.<ad-domain> Certificate SAN: N/A EKU: server Root certificate: private CA HTTPS:4443 MRAS traffic. Reverse proxy Edge Servers Enterprise pool SIP/MTLS MSMQ Directors If client connects on port 80, it gets redirected to port 443 HTTPS:444 Port range, 50,000-59,999, only needs to be open outbound to the Internet. Inbound traffic from the Internet only needs to be open for federation with partners still running Office Communications Server 2007. AD DS Sync LDAP/TCP:389 AD DS Domain Controller (DC) LDAP traffic Enterprise pool LDAP/TCP:3268 C.contoso.com SRTP/UDP:49152-65535 ICE: STUN/TCP:443, UDP:3478 Peer-to-peer A/V session. ICE traffic ICE traffic ICE traffic TURN/TCP:448 Media codec varies per workload: - RTAudio - G.711 SRTP/RTCP:60,000-64,000 Media bypass: audio routed directly to gateway bypassing Mediation Server. TURN/TCP:443, UDP:3478 Codec varies per workload: - G.722 or Siren for audio - RTVideo for video Port number to service traffic assignment: 5062 – IM Conferencing Service 5086 – Internal Mobility Service 5087 – External Mobility Service TURN/TCP:448 Port number to service traffic assignment: 5064 - Telephony Conferencing Service 5067 – Mediation Server Service 5071 - Response Group Service 5072 - Conferencing Attendant Service 5073 - Conferencing Announcement Service SRTP/RTCP:49,152-57,500 AD DS Global Catalog (GC) A.contoso.com B.contoso.com LDAP/TCP:3268 LDAP/TCP:3268 Enterprise Voice applications Active Directory Domain Services (AD DS) Port range, 50,000-59,999, only needs to be open outbound to the Internet. Inbound traffic from the Internet only needs to be open for federation with partners still running Office Communications Server 2007. SIP/TLS:5061 Lync client automatically registers with the pool if the Branch Appliance becomes unavailable SRTP/RTCP:30,000-39,999 ICE: STUN/TCP:443, UDP:3478 SRTP,ICE: STUN/TCP:443, UDP:3478 ICE: STUN/TCP:443, UDP:3478 SRTP,ICE: STUN/TCP:443, UDP:3478 SRTP,ICE: STUN/TCP:443, UDP:3478 This port is used to: - download the Address Book - connect to the Mobility Service - connect to the AutoDiscovery Service Enterprise pool Meeting content + metadata + compliance file share. SIP/MTLS:5063 SRTP/UDP:57501-65335 A/V Conferencing Server If no Edge Server is defined in the topology, callee checks the Front End Server’s Bandwidth Policy Service. If no Edge Server is defined in the topology, callee checks the Front End Server’s Bandwidth Policy Service. SIP/MTLS SIP/TLS:5067 If gateway does not support TLS, connect to gateway on SIP/TCP:5068 MSMQ SIP/MTLS:5062 (optional) SIP/TLS:5061 MRAS traffic. For federation, SBA connects directly with Director. If no Director is available, federation traffic goes directly to Edge Server HTTPS:4443 HTTPS:4443 HLB: Publish rule for port 4443 to set “forward host header” to true. This ensures the original URL is forwarded. Director redirects Web traffic to destination pool’s Web Service. Reverse proxy Director redirects Web traffic to destination pool’s Web Service. SIP/MTLS:5062 Director redirects Web traffic to destination pool’s Web Service. PSOM/MTLS:8057 SIP/MTLS:5062