Topic Last Modified: 2011-03-23

Most Edge components are deployed in a perimeter network (also known as a DMZ, demilitarized zone, or screened subnet). The following components make up the edge topology of the perimeter network. Except where noted, the components are part of all three reference architectures and are in the perimeter network. Edge components include the following:

Edge Server

The Edge Server controls traffic across the firewall and usage of the internal deployment by external users. The Edge Server runs the following services:

  • Access Edge service   The Access Edge service provides a single, trusted connection point for both outbound and inbound Session Initiation Protocol (SIP) traffic.

  • Web Conferencing Edge service   The Web Conferencing Edge service enables external users to join meetings that are hosted on your internal Microsoft Lync Server 2010 communications software deployment.

  • A/V Edge service   The A/V Edge service makes audio, video, application sharing, and file transfer available to external users. Your users can add audio and video to meetings that include external participants, and they can share audio and video directly with an external user in point-to-point sessions. The A/V Edge service also provides support for desktop sharing and file transfer.

Authorized external users can access the Edge Servers in order to connect to your internal Lync Server deployment, but the Edge Servers do not provide any other access to the internal network.

Reverse Proxy

The reverse proxy is required for the following:

  • To allow users to connect to meetings or dial-in conferences using simple URLs

  • To enable external users to download meeting content

  • To enable external users to expand distribution groups

  • To allow the user to obtain a user-based certificate for client certificate based authentication

  • To enable remote users to download files from the Address Book Server or to submit queries to the Address Book Web Query service

  • To enable remote users to obtain updates to client and device software

External users do not need a VPN connection to your organization in order to participate in Lync Server-based communications. External users who are connected to your organization’s internal network over a VPN bypass the reverse proxy.


You can deploy your edge topology with only an external firewall or both external and internal firewalls. The reference architectures include two firewalls. Using two firewalls is the recommended approach because it ensures strict routing from one network edge to the other, and it protects your internal deployment behind two levels of firewall.


In Lync Server 2010 a Director is a separate server role in Lync Server 2010 that does not home user accounts, or provide presence or conferencing services. Instead, it can serve as an internal next hop server to which an Edge Server routes inbound SIP traffic destined for internal servers. The Director authenticates inbound requests and redirects them to the user’s home pool or server.

If your organization is going to enable external access, we recommend that you deploy a Director. By authenticating inbound SIP traffic from remote users, the Director relieves Standard Edition servers and Front End Servers in Enterprise Edition Front End pools from the overhead of performing authentication of remote users. It also helps insulate Standard Edition servers and Front End Servers in Enterprise Edition Front End pools from malicious traffic such as denial-of-service (DoS) attacks. If the network is flooded with invalid external traffic in such an attack, this traffic ends at the Director, and internal users should not see any effect on performance. For details about the use of Directors, see Director.

Hardware Load Balancers

The Lync Server 2010 scaled consolidated Edge topology is optimized for DNS load balancing for new deployments federating primarily with other organizations using Lync Server 2010. If high availability is required for any of the following scenarios, a hardware load balancer must be used for the following:

  • Federation with organizations using Office Communications Server 2007 R2 or Office Communications Server 2007

  • Exchange UM for remote users

  • Connectivity to public IM users

You cannot use DNS load balancing on one interface and hardware load balancing on another. You must use hardware load balancing on both interfaces or DNS load balancing for both. A combination is not supported.

Regardless of whether you use hardware load balancing for your Edge Server pool, you will need a hardware load balancer if there are two or more reverse proxy servers deployed.

If you are using a hardware load balancer, the load balancer deployed for connections with the internal network must be configured to load-balance only the traffic to the Access Edge service and the A/V Edge service. It cannot load balance the traffic to the internal Web Conferencing Edge service.
The direct server return (DSR) NAT is not supported with Lync Server 2010.

To determine whether your hardware load balancer supports the necessary features required by Lync Server 2010, see "Lync Server 2010 Load Balancer Partners" at