Topic Last Modified: 2011-05-02
In Microsoft Lync Server 2010, a Director is a separate server role that can serve as an internal next hop server to which an Edge Server routes inbound SIP traffic destined for internal servers. Directors are used to authenticate enterprise users connecting from outside the corporate firewall and to route these users to their home pools. A Director does not home any users or provide presence or conferencing services.
Each Director requires a default certificate, a web internal certificate, and a web external certificate. In most cases, a single certificate is used for all three. For details about the certificate requirements for Directors, see Certificate Requirements for Internal Servers in the Planning documentation.
By design, Edge Servers, including stand-alone servers and servers in an administrative domain in a perimeter network, do not require communication with Active Directory for user communications using Lync Server. By authenticating inbound SIP traffic that Edge Servers receive from external users, the Director relieves the internal servers where users are homed, including Standard Edition servers and servers in a Front End pool, of the overhead of authenticating external users.
The Director also helps insulate Standard Edition servers and Front End pools from malicious traffic, such as denial-of-service (DoS) and other distributed Internet attacks. In the event of such an attack, the invalid external traffic ends at the Director, so it does not reach the servers where users are homed, and internal users should not see any effect on performance.
If your organization is going to enable external user access, we recommend that you deploy a Director. The Director cannot be collocated with any other server roles. Multiple Directors can be load balanced. For details about deploying Directors, see Define the Director in the Deployment documentation and Setting Up the Director in the Deployment documentation.
Best Practices
- Deploy a Director as the next-hop internal server for the Edge Server.
- Configure the Director as the first point of authentication for SIP traffic from outside users. (If the Director is the next hop server, this is configured automatically.)
- Configure the Director to monitor all outside user traffic for security auditing. (If the Director is the next hop server, this is configured automatically.)