Topic Last Modified: 2014-01-13
The Lync Server 2013 Edge Server functionality described in this scenario architecture is very similar to what was implemented in Lync Server 2010. The most noticeable addition is the port 5269 over TCP entry for the Extensible Messaging and Presence Protocol (XMPP). Lync Server 2013 optionally deploys an XMPP proxy on the Edge Server or Edge pool and the XMPP gateway server on the Front End Server or Front End pool.
In addition to IPv4, the Edge Server now supports IPv6. For clarity, only IPv4 is used in the scenarios.
Scaled Consolidated Edge using Hardware Load Balancing
Port and Protocol Details
It is recommended that you open only the ports required to support the functionality for which you are providing external access.
For remote access to work for any edge service, it is mandatory that SIP traffic is allowed to flow bi-directionally as shown in the Inbound/Outbound edge traffic figure. Stated another way, the SIP messaging to and from the Access Edge service is involved in instant messaging (IM), presence, web conferencing, audio/video (A/V) and federation.
Firewall Summary for Scaled Consolidated Edge, Hardware Load Balanced: External Interface – Node 1 and Node 2 (Example)
Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes |
---|---|---|---|
Access/HTTP/TCP/80 | Edge Server Access Edge service public IP address | Any | Certificate revocation/CRL check and retrieval |
Access/DNS/TCP/53 | Edge Server Access Edge service public IP address | Any | DNS query over TCP |
Access/DNS/UDP/53 | Edge Server Access Edge service public IP address | Any | DNS query over UDP |
A/V/RTP/TCP/50,000-59,999 | Edge Server A/V Edge service IP address | Any | Required for federating with partners running Office Communications Server 2007, Office Communications Server 2007 R2, Lync Server 2010 and Lync Server 2013. |
A/V/RTP/UDP/50,000-59,999 | Edge Server A/V Edge service public IP address | Any | Required only for federation with partners running Office Communications Server 2007. |
A/V/RTP/TCP/50,000-59,999 | Any | Edge Server A/V Edge service public IP address | Required only for federation with partners running Office Communications Server 2007. |
A/V/RTP/UDP/50,000-59,999 | Any | Edge Server A/V Edge service public IP address | Required only for federation with partners running Office Communications Server 2007. |
A/V/STUN,MSTURN/UDP/3478 | Edge Server A/V Edge service public IP address | Any | 3478 outbound is used to determine the version of Edge Server that Lync Server is communicating with and also for media traffic from Edge Server-to-Edge Server. Required for federation with Lync Server 2010, Windows Live Messenger, and Office Communications Server 2007 R2, and also if multiple Edge pools are deployed within a company. |
A/V/STUN,MSTURN/UDP/3478 | Any | Edge Server A/V Edge service public IP address | STUN/TURN negotiation of candidates over UDP/3478 |
A/V/STUN,MSTURN/TCP/443 | Any | Edge Server A/V Edge service public IP address | STUN/TURN negotiation of candidates over TCP/443 |
A/V/STUN,MSTURN/TCP/443 | Edge Server A/V Edge service public IP address | Any | STUN/TURN negotiation of candidates over TCP/443 |
Firewall Summary for Scaled Consolidated Edge, Hardware Load Balanced: Internal Interface Node 1 and Node 2
Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes |
---|---|---|---|
XMPP/MTLS/TCP/23456 | Any (can be defined as Front End Server address, or Front End pool virtual IP address running the XMPP Gateway service) | Edge Server internal interface | Outbound XMPP traffic from XMPP Gateway service running on Front End Server or Front End pool |
HTTPS/TCP/4443 | Any (can be defined as the Front End Server IP or pool that holds the Central Management store) | Edge Server internal interface | Replication of changes from the Central Management store to the Edge Server |
PSOM/MTLS/TCP/8057 | Any (can be defined as Director IP, Front End Server IP or Pool virtual IP) | Edge Server internal interface | Web conferencing traffic from internal deployment to internal Edge Server interface |
STUN/MSTURN/UDP/3478 | Any (can be defined as Director IP, Front End Server IP or Pool virtual IP) | Edge Server internal interface | Preferred path for A/V media transfer between internal and external users, Survivable Branch Appliance or Survivable Branch Server |
STUN/MSTURN/TCP/443 | Any (can be defined as Director IP, Front End Server IP or Pool virtual IP) | Edge Server internal interface | Fallback path for A/V media transfer between internal and external users, Survivable Branch Appliance or Survivable Branch Server if UDP communication cannot be established; TCP is used for file transfer and desktop sharing |
MTLS/TCP/50001 | Any | Edge Server internal interface | Centralized Logging Service controller using Lync Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection |
MTLS/TCP/50002 | Any | Edge Server internal interface | Centralized Logging Service controller using Lync Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection |
MTLS/TCP/50003 | Any | Edge Server internal interface | Centralized Logging Service controller using Lync Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection |
Hardware load balancers have specific requirements when deployed to provide availability and load balancing for Lync Server. The requirements are defined in the following figure and tables. Third party vendors may use different terminology for the requirements defined here. It will be necessary to map the requirements of Lync Server to the features and configuration options provided by your hardware load balancer vendor.
When configuring hardware load balancers, consider the following requirements:
- Source Network Address Translation (SNAT) can be configured on the hardware load balancer (HLB) for the Access Edge service and Web Conferencing Edge service.
- SNAT cannot be configured on the A/V Edge service; the A/V Edge service must respond with the real server address, not the HLB virtual IP (VIP), for simple traversal of UDP over NAT (STUN)/traversal using relay NAT (TURN)/federation TURN (FTURN) to work properly.
- Public IP addresses are used on each server interface and on the VIPs of the HLB, so your public IP address requirements are N+1: one public IP address for each real server interface and one for each HLB VIP. With 2 Edge servers in the pool, this results in 9 public IP addresses: 3 for the HLB VIPs and one for each Edge server interface (a total of six for the servers).
- For the Access Edge service and Web Conferencing Edge service (using NAT on the HLB), the client contacts the VIP, and the VIP replaces the client's source IP address with its own. The server interface addresses the return packet to the VIP; the VIP replaces the server interface IP address with its own as the source address and sends the packet to the client.
- For the A/V Edge service, the VIP must NOT change the source IP address, and the real server address is returned to the client directly; you cannot configure NAT on the HLB for A/V traffic.
- For A/V, the external firewall will retain the real server public IP address for all packets.
- Once established, client to A/V Edge service communication is to the real server, not the HLB.
- Internal edge to internal servers and clients must be routed, and persistent routes are set for all internal networks that host servers or clients.
- The HLB Access Edge service VIP will act as the default gateway for each Edge server interface.
External Port Settings Required for Scaled Consolidated Edge, Hardware Load Balanced: External Interface Virtual IPs
Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes |
---|---|---|---|
XMPP/TCP/5269 | Any | XMPP Proxy service (shares IP address with Access Edge service) | XMPP Proxy service accepts traffic from XMPP contacts in defined XMPP federations |
XMPP/TCP/5269 | XMPP Proxy service (shares IP address with Access Edge service) | Any | XMPP Proxy service sends traffic to XMPP contacts in defined XMPP federations |
Access/SIP(TLS)/TCP/443 | Any | Access Edge service public VIP address | Client-to-server SIP traffic for external user access |
Access/SIP(MTLS)/TCP/5061 | Any | Access Edge service public VIP address | SIP signaling, federated and public IM connectivity using SIP |
Access/SIP(MTLS)/TCP/5061 | Access Edge service public VIP address | Federated partner | SIP signaling, federated and public IM connectivity using SIP |
Web Conferencing/PSOM(TLS)/TCP/443 | Any | Edge Server Web Conferencing Edge service public VIP address | Web Conferencing media |
A/V/STUN,MSTURN/UDP/3478 | Any | Edge Server A/V Edge service public VIP address | STUN/TURN negotiation of candidates over UDP/3478 |
A/V/STUN,MSTURN/TCP/443 | Any | Edge Server A/V Edge service public VIP address | STUN/TURN negotiation of candidates over TCP/443 |
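The guidance above to open only the ports required can be checked mechanically against the perimeter firewall. The following is an added example, not part of the original article: it transcribes the external VIP table above into a required-rule set and audits a constructed rule list against it, reporting required rules that are missing and configured rules the table does not call for. The rule tuple format and the VIP labels (access_vip, webconf_vip, av_vip, federated_partner) are assumptions, not values from the article.

```python
from collections import namedtuple

# One firewall rule. "any" is a wildcard; the other src/dst values are
# assumed labels standing in for the public VIP addresses.
Rule = namedtuple("Rule", "proto port src dst")

# Required rules for the HLB external VIPs, transcribed from the table above.
REQUIRED = {
    Rule("tcp", 5269, "any", "access_vip"),                # XMPP federation inbound
    Rule("tcp", 5269, "access_vip", "any"),                # XMPP federation outbound
    Rule("tcp", 443, "any", "access_vip"),                 # SIP/TLS remote user access
    Rule("tcp", 5061, "any", "access_vip"),                # SIP/MTLS federation inbound
    Rule("tcp", 5061, "access_vip", "federated_partner"),  # SIP/MTLS federation outbound
    Rule("tcp", 443, "any", "webconf_vip"),                # PSOM/TLS web conferencing
    Rule("udp", 3478, "any", "av_vip"),                    # STUN/TURN candidates over UDP
    Rule("tcp", 443, "any", "av_vip"),                     # STUN/TURN candidates over TCP
}


def audit(configured):
    """Compare a configured rule list with REQUIRED.

    Returns (missing, extra): required rules absent from the configuration
    (remote access will break), and configured rules the table does not
    call for (candidates for removal under the least-privilege guidance)."""
    configured = set(configured)
    return sorted(REQUIRED - configured), sorted(configured - REQUIRED)


# Constructed sample: outbound XMPP was forgotten, and unencrypted SIP on
# TCP/5060 (not in the table) was opened by mistake.
SAMPLE = [r for r in REQUIRED if r != Rule("tcp", 5269, "access_vip", "any")]
SAMPLE.append(Rule("tcp", 5060, "any", "access_vip"))

if __name__ == "__main__":
    missing, extra = audit(SAMPLE)
    print("missing required rules:", *missing, sep="\n  ")
    print("rules not in the table:", *extra, sep="\n  ")
```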
Firewall Summary for Scaled Consolidated Edge, Hardware Load Balanced: Internal Interface Virtual IPs
Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes |
---|---|---|---|
Access/SIP(MTLS)/TCP/5061 | Any (can be defined as Director, Director pool virtual IP address, Front End Server or Front End pool virtual IP address) | Edge Server internal VIP interface | Outbound SIP traffic (from Director, Director pool virtual IP address, Front End Server or Front End pool virtual IP address) to internal Edge VIP |
Access/SIP(MTLS)/TCP/5061 | Edge Server internal VIP interface | Any (can be defined as Director, Director pool virtual IP address, Front End Server or Front End pool virtual IP address) | Inbound SIP traffic (to Director, Director pool virtual IP address, Front End Server or Front End pool virtual IP address) from Edge Server internal interface |
SIP/MTLS/TCP/5062 | Any (can be defined as Front End Server IP address, or Front End pool IP address or any Survivable Branch Appliance or Survivable Branch Server using this Edge Server) | Edge Server internal VIP interface | Authentication of A/V users (A/V authentication service) from Front End Server or Front End pool IP address or any Survivable Branch Appliance or Survivable Branch Server using this Edge Server |
STUN/MSTURN/UDP/3478 | Any | Edge Server internal VIP interface | Preferred path for A/V media transfer between internal and external users |
STUN/MSTURN/TCP/443 | Any | Edge Server internal VIP interface | Fallback path for A/V media transfer between internal and external users if UDP communication cannot be established; TCP is used for file transfer and desktop sharing |
STUN/MSTURN/TCP/443 | Edge Server internal VIP interface | Any | Fallback path for A/V media transfer between internal and external users if UDP communication cannot be established; TCP is used for file transfer and desktop sharing |