Topic Last Modified: 2012-12-04
The Lync Server 2013 Edge Server functionality described in this scenario architecture is very similar to what was implemented in Lync Server 2010. The most noticeable addition is the port 5269 over TCP entry for the Extensible Messaging and Presence Protocol (XMPP). Lync Server 2013 optionally deploys an XMPP proxy on the Edge Server or Edge pool and the XMPP gateway server on the Front End Server or Front End pool.
In addition to IPv4, the Edge Server now supports IPv6. For clarity, only IPv4 is used in the scenarios.
Enterprise perimeter network for scaled consolidated edge with private IP addresses using NAT
Port and Protocol Details
It is recommended that you open only the ports required to support the functionality for which you are providing external access.
For remote access to work for any edge service, SIP traffic must be allowed to flow bi-directionally, as shown in the Inbound/Outbound edge traffic figure. Stated another way, SIP messaging to and from the Access Edge service is involved in instant messaging (IM), presence, web conferencing, audio/video (A/V) and federation.
Firewall Summary for Scaled Consolidated Edge, DNS Load Balancing with Private IP Addresses Using NAT: External Interface – Node 1 and Node 2 (Example)
Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes |
---|---|---|---|
XMPP/TCP/5269 | Any | XMPP Proxy service (shares IP address with Access Edge service) | XMPP Proxy service accepts traffic from XMPP contacts in defined XMPP federations |
XMPP/TCP/5269 | XMPP Proxy service (shares IP address with Access Edge service) | Any | XMPP Proxy service sends traffic to XMPP contacts in defined XMPP federations |
Access/HTTP/TCP/80 | Edge Server Access Edge service | Any | Certificate revocation/CRL check and retrieval |
Access/DNS/TCP/53 | Edge Server Access Edge service | Any | DNS query over TCP |
Access/DNS/UDP/53 | Edge Server Access Edge service | Any | DNS query over UDP |
Access/SIP(TLS)/TCP/443 | Any | Edge Server Access Edge service | Client-to-server SIP traffic for external user access |
Access/SIP(MTLS)/TCP/5061 | Any | Edge Server Access Edge service | For federated and public IM connectivity using SIP |
Access/SIP(MTLS)/TCP/5061 | Edge Server Access Edge service | Any | For federated and public IM connectivity using SIP |
Web Conferencing/PSOM(TLS)/TCP/443 | Any | Edge Server Web Conferencing Edge service | Web Conferencing media |
A/V/RTP/TCP/50,000-59,999 | Edge Server A/V Edge service | Any | Required for federating with partners running Office Communications Server 2007, Office Communications Server 2007 R2, Lync Server 2010 and Lync Server 2013. |
A/V/RTP/UDP/50,000-59,999 | Edge Server A/V Edge service | Any | Required only for federation with partners running Office Communications Server 2007. |
A/V/RTP/TCP/50,000-59,999 | Any | Edge Server A/V Edge service | Required only for federation with partners running Office Communications Server 2007. |
A/V/RTP/UDP/50,000-59,999 | Any | Edge Server A/V Edge service | Required only for federation with partners running Office Communications Server 2007. |
A/V/STUN,MSTURN/UDP/3478 | Edge Server A/V Edge service | Any | 3478 outbound is used to determine the version of Edge Server that Lync Server is communicating with and also for media traffic from Edge Server-to-Edge Server. Required for federation with Lync Server 2010, Windows Live Messenger, and Office Communications Server 2007 R2, and also if multiple Edge pools are deployed within a company. |
A/V/STUN,MSTURN/UDP/3478 | Any | Edge Server A/V Edge service | STUN/TURN negotiation of candidates over UDP/3478 |
A/V/STUN,MSTURN/TCP/443 | Any | Edge Server A/V Edge service | STUN/TURN negotiation of candidates over TCP/443 |
A/V/STUN,MSTURN/TCP/443 | Edge Server A/V Edge service | Any | STUN/TURN negotiation of candidates over TCP/443 |
Firewall Summary for Scaled Consolidated Edge, DNS Load Balancing with Private IP Addresses Using NAT: Internal Interface – Node 1 and Node 2 (Example)
Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Comments |
---|---|---|---|
XMPP/MTLS/TCP/23456 | Any (can be defined as Front End Server address, or Front End pool IP address running the XMPP Gateway service) | Edge Server internal interface IP address | Outbound XMPP traffic from XMPP Gateway service running on Front End Server or Front End pool |
SIP/MTLS/TCP/5061 | Any (can be defined as Director, Director pool IP address, Front End Server or Front End pool IP address) | Edge Server internal interface | Outbound SIP traffic (from Director, Director pool IP address, Front End Server or Front End pool IP address) to Edge Server internal interface |
SIP/MTLS/TCP/5061 | Edge Server internal interface | Any (can be defined as Director, Director pool IP address, Front End Server or Front End pool IP address) | Inbound SIP traffic (to Director, Director pool IP address, Front End Server or Front End pool IP address) from Edge Server internal interface |
PSOM/MTLS/TCP/8057 | Any (can be defined as Front End Server IP address, or each Front End Server IP address in a Front End pool) | Edge Server internal interface | Web conferencing traffic from Front End Server, or each Front End Server if in a pool, to Edge Server internal interface |
SIP/MTLS/TCP/5062 | Any (can be defined as Front End Server IP address, or Front End pool IP address or any Survivable Branch Appliance or Survivable Branch Server using this Edge Server) | Edge Server internal interface | Authentication of A/V users (A/V authentication service) from Front End Server or Front End pool IP address or any Survivable Branch Appliance or Survivable Branch Server using this Edge Server |
STUN/MSTURN/UDP/3478 | Any | Edge Server internal interface | Preferred path for A/V media transfer between internal and external users, Survivable Branch Appliance or Survivable Branch Server |
STUN/MSTURN/TCP/443 | Any | Edge Server internal interface | Fallback path for A/V media transfer between internal and external users, Survivable Branch Appliance or Survivable Branch Server if UDP communication cannot be established; TCP is used for file transfer and desktop sharing |
HTTPS/TCP/4443 | Any (can be defined as the Front End Server IP address, or pool that holds the Central Management store) | Edge Server internal interface | Replication of changes from the Central Management store to the Edge Server |
MTLS/TCP/50001 | Any | Edge Server internal interface | Centralized Logging Service controller using Lync Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection |
MTLS/TCP/50002 | Any | Edge Server internal interface | Centralized Logging Service controller using Lync Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection |
MTLS/TCP/50003 | Any | Edge Server internal interface | Centralized Logging Service controller using Lync Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection |
Firewall Summary for Federation
Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes |
---|---|---|---|
Access/SIP(MTLS)/TCP/5061 | Access Edge service public IP address | Any | For federated and public IM connectivity using SIP |
Firewall Summary – Public Instant Messaging Connectivity
Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes |
---|---|---|---|
Access/SIP(MTLS)/TCP/5061 | Public IM connectivity partners | Edge Server Access Edge service | For federated and public IM connectivity using SIP |
Access/SIP(MTLS)/TCP/5061 | Edge Server Access Edge service | Public IM connectivity partners | For federated and public IM connectivity using SIP |
Access/SIP(TLS)/TCP/443 | Clients | Edge Server Access Edge service | Client-to-server SIP traffic for external user access |
A/V/RTP/TCP/50,000-59,999 | Edge Server A/V Edge service | Live Messenger clients | Used for A/V sessions with Windows Live Messenger if public IM connectivity is configured. |
A/V/STUN,MSTURN/UDP/3478 | Edge Server A/V Edge service | Live Messenger clients | Required for public IM connectivity with Windows Live Messenger |
A/V/STUN,MSTURN/UDP/3478 | Live Messenger clients | Edge Server A/V Edge service | Required for public IM connectivity with Windows Live Messenger |
Firewall Summary for Extensible Messaging and Presence Protocol
Protocol/TCP or UDP/Port | Source (IP address) | Destination (IP address) | Comments |
---|---|---|---|
XMPP/TCP/5269 | Any | Edge Server Access Edge service interface IP address | Standard server-to-server communication port for XMPP. Allows communication to the Edge Server XMPP proxy from federated XMPP partners |
XMPP/TCP/5269 | Edge Server Access Edge service interface IP address | Any | Standard server-to-server communication port for XMPP. Allows communication from the Edge Server XMPP proxy to federated XMPP partners |
XMPP/MTLS/TCP/23456 | Any | Each internal Edge Server interface IP | Internal XMPP traffic from the XMPP Gateway on the Front End Server or Front End pool to the Edge Server internal IP address or each Edge pool member's internal IP address |
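The tables above define the complete set of ports the Edge Server should accept, and the guidance earlier on this page is to open nothing beyond them. The following PowerShell is an added example, not part of the TechNet page or of Lync Server itself: run on the Edge Server, it reads every enabled inbound Allow rule from the Windows Firewall and reports any TCP/UDP port that the tables do not list. It assumes the NetSecurity module (Windows Server 2012 or later) and ignores whether a rule is bound to the external or internal interface.

```powershell
# Added example, not part of the TechNet page: audit the Windows Firewall on an Edge
# Server against the inbound ports the tables above list for the external and internal
# interfaces. Any enabled inbound Allow rule for a TCP/UDP port outside that list is
# reported for review, in line with the advice to open only the ports that are required.
# Assumes the NetSecurity module (Windows Server 2012 or later); run on the Edge Server.

# Inbound (destination = Edge Server) ports taken from the two interface tables above.
$ExpectedInbound = @(
    @{ Protocol = 'TCP'; Start = 443;   End = 443   }  # SIP(TLS), PSOM(TLS), STUN/TURN fallback
    @{ Protocol = 'TCP'; Start = 4443;  End = 4443  }  # Central Management store replication
    @{ Protocol = 'TCP'; Start = 5061;  End = 5061  }  # SIP(MTLS): federation and internal SIP
    @{ Protocol = 'TCP'; Start = 5062;  End = 5062  }  # A/V authentication service
    @{ Protocol = 'TCP'; Start = 5269;  End = 5269  }  # XMPP server-to-server (XMPP proxy)
    @{ Protocol = 'TCP'; Start = 8057;  End = 8057  }  # PSOM from Front End Servers
    @{ Protocol = 'TCP'; Start = 23456; End = 23456 }  # XMPP Gateway to XMPP proxy
    @{ Protocol = 'TCP'; Start = 50000; End = 59999 }  # A/V RTP (also covers CLS 50001-50003)
    @{ Protocol = 'UDP'; Start = 50000; End = 59999 }  # A/V RTP, OCS 2007 federation only
    @{ Protocol = 'UDP'; Start = 3478;  End = 3478  }  # STUN/MSTURN candidate negotiation
)

function Test-PortRangeExpected {
    param([string]$Protocol, [int]$Start, [int]$End)
    # A rule's port range is acceptable only when a single expected range fully covers it.
    foreach ($e in $ExpectedInbound) {
        if ($e.Protocol -eq $Protocol -and $Start -ge $e.Start -and $End -le $e.End) { return $true }
    }
    return $false
}

$findings = @()
foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    $pf = $rule | Get-NetFirewallPortFilter
    if ($pf.Protocol -notin 'TCP', 'UDP') { continue }   # ICMP, GRE and so on are out of scope
    foreach ($entry in @($pf.LocalPort)) {
        # LocalPort entries are strings: '5061', '50000-59999', or a keyword such as 'Any'.
        if ($entry -match '^(\d+)(?:-(\d+))?$') {
            $lo = [int]$Matches[1]
            $hi = if ($Matches[2]) { [int]$Matches[2] } else { $lo }
            if (Test-PortRangeExpected -Protocol $pf.Protocol -Start $lo -End $hi) { continue }
            $reason = 'Port not in the Edge Server port list'
        } else {
            $reason = "Port keyword '$entry' is broader than any listed port"
        }
        $findings += [pscustomobject]@{
            Rule = $rule.DisplayName; Protocol = $pf.Protocol; LocalPort = $entry; Reason = $reason
        }
    }
}
$findings | Sort-Object Protocol, LocalPort | Format-Table -AutoSize
```

Rules flagged here are candidates for review rather than proof of a problem: Windows built-in rules (for example remote management) will appear and need a deliberate decision, and the perimeter firewall in front of the Edge Server must be checked separately against the same tables.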