Topic Last Modified: 2011-04-11
The sessions between clients and the Lync Web App can be made more secure by using session timeouts and encryption. This section discusses ways to enhance the security of sessions between the client and Lync Web App.
Securing Tokens
In Lync Web App, the same token is used for the session token and the authentication token. You can enhance the security of tokens by using short timeouts on Lync Web App virtual servers that service external requests. You can set different timeout values for public and private computers in the external virtual server’s properties.
Using Encryption
The following are the requirements and recommendations regarding encryption:
- You must use TLS/MTLS for all communications between Lync Web App and servers that are running Microsoft Lync Server 2010.
- You should always use HTTPS unless SSL offloading is used for performance reasons and other effective security safeguards are in place.
- You may use HTTP for communications between a hardware load balancer or other device and the Lync Web App if SSL offloading is used for performance reasons. In this case, the physical link should be secured.
- Do not use HTTP between the client and the Lync Web App.