Topic Last Modified: 2012-12-04

The Lync Server 2013, Edge Server functionality described in this scenario architecture is very similar to what was implemented in Lync Server 2010. The most noticeable addition is the port 5269 over TCP entry for the extensible messaging and presence protocol (XMPP). Lync Server 2013 optionally deploys an XMPP proxy on the Edge Server or Edge pool and the XMPP gateway server on the Front End Server or Front End pool.

In addition to IPv4, the Edge Server now supports IPv6. For clarity, only IPv4 is used in the scenarios.

Enterprise perimeter network for scaled consolidated edge with private IP addresses using NAT

Port and Protocol Details

It is recommended that you open only the ports required to support the functionality for which you are providing external access.

For remote access to work for any edge service, it is mandatory that SIP traffic is allowed to flow bi-directionally as shown in the Inbound/Outbound edge traffic figure. Stated another way, the SIP messaging to and from the Access Edge service is involved in instant messaging (IM), presence, web conferencing, audio/video (A/V) and federation.

Firewall Summary for Scaled Consolidated Edge, DNS Load Balancing with Private IP Addresses Using NAT: External Interface – Node 1 and Node 2 (Example)

Role/Protocol/TCP or UDP/Port Source IP address Destination IP address Notes

XMPP/TCP/5269

Any

XMPP Proxy service (shares IP address with Access Edge service)

XMPP Proxy service accepts traffic from XMPP contacts in defined XMPP federations

XMPP/TCP/5269

XMPP Proxy service (shares IP address with Access Edge service)

Any

XMPP Proxy service sends traffic to XMPP contacts in defined XMPP federations

Access/HTTP/TCP/80

Edge Server Access Edge service

Any

Certificate revocation/CRL check and retrieval

Access/DNS/TCP/53

Edge Server Access Edge service

Any

DNS query over TCP

Access/DNS/UDP/53

Edge Server Access Edge service

Any

DNS query over UDP

Access/SIP(TLS)/TCP/443

Any

Edge Server Access Edge service

Client-to-server SIP traffic for external user access

Access/SIP(MTLS)/TCP/5061

Any

Edge Server Access Edge service

For federated and public IM connectivity using SIP

Access/SIP(MTLS)/TCP/5061

Edge Server Access Edge service

Any

For federated and public IM connectivity using SIP

Web Conferencing/PSOM(TLS)/TCP/443

Any

Edge Server Web Conferencing Edge service

Web Conferencing media

A/V/RTP/TCP/50,000-59,999

Edge Server A/V Edge service

Any

Required for federating with partners running Office Communications Server 2007, Office Communications Server 2007 R2, Lync Server 2010 and Lync Server 2013.

A/V/RTP/UDP/50,000-59,999

Edge Server A/V Edge service

Any

Required only for federation with partners running Office Communications Server 2007.

A/V/RTP/TCP/50,000-59,999

Any

Edge Server A/V Edge service

Required only for federation with partners running Office Communications Server 2007

A/V/RTP/UDP/50,000-59,999

Any

Edge Server A/V Edge service

Required only for federation with partners running Office Communications Server 2007

A/V/STUN,MSTURN/UDP/3478

Edge Server A/V Edge service

Any

3478 outbound is used to determine the version of Edge Server that Lync Server is communicating with and also for media traffic from Edge Server-to-Edge Server. Required for federation with Lync Server 2010, Windows Live Messenger, and Office Communications Server 2007 R2, and also if multiple Edge pools are deployed within a company.

A/V/STUN,MSTURN/UDP/3478

Any

Edge Server A/V Edge service

STUN/TURN negotiation of candidates over UDP/3478

A/V/STUN,MSTURN/TCP/443

Any

Edge Server A/V Edge service

STUN/TURN negotiation of candidates over TCP/443

A/V/STUN,MSTURN/TCP/443

Edge Server A/V Edge service

Any

STUN/TURN negotiation of candidates over TCP/443

Firewall Summary for Scaled Consolidated Edge, DNS Load Balancing with Private IP Addresses Using NAT: Internal Interface – Node 1 and Node 2 (Example)

Protocol/TCP or UDP/Port Source IP address Destination IP address Comments

XMPP/MTLS/TCP/23456

Any (can be defined as Front End Server address, or Front End pool IP address running the XMPP Gateway service)

Edge Server internal interface IP address

Outbound XMPP traffic from XMPP Gateway service running on Front End Server or Front End pool

SIP/MTLS/TCP/5061

Any (can be defined as Director, Director pool IP address, Front End Server or Front End pool IP address)

Edge Server internal interface

Outbound SIP traffic (from Director, Director pool IP address, Front End Server or Front End pool IP address) to Edge Server internal interface

SIP/MTLS/TCP/5061

Edge Server internal interface

Any (can be defined as Director, Director pool IP address, Front End Server or Front End pool IP address)

Inbound SIP traffic (to Director, Director pool IP address, Front End Server or Front End pool IP address) from Edge Server internal interface

PSOM/MTLS/TCP/8057

Any (can be defined as Front End Server IP address, or each Front End Server IP address in a Front End pool)

Edge Server internal interface

Web conferencing traffic from Front End Server or each Front End Server if in a pool, to Edge Server internal interface

SIP/MTLS/TCP/5062

Any (can be defined as Front End Server IP address, or Front End pool IP address or any Survivable Branch Appliance or Survivable Branch Server using this Edge Server)

Edge Server internal interface

Authentication of A/V users (A/V authentication service) from Front End Server or Front End pool IP address or any Survivable Branch Appliance or Survivable Branch Server using this Edge Server

STUN/MSTURN/UDP/3478

Any

Edge Server internal interface

Preferred path for A/V media transfer between internal and external users, Survivable Branch Appliance or Survivable Branch Server

STUN/MSTURN/TCP/443

Any

Edge Server internal interface

Fallback path for A/V media transfer between internal and external users, Survivable Branch Appliance or Survivable Branch Server if UDP communication cannot be established, TCP is used for file transfer and desktop sharing

HTTPS/TCP/4443

Any (can be defined as the Front End Server IP address, or pool that holds the Central Management store)

Edge Server internal interface

Replication of changes from the Central Management store to the Edge Server

MTLS/TCP/50001

Any

Edge Server internal interface

Centralized Logging Service controller using Lync Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection

MTLS/TCP/50002

Any

Edge Server internal interface

Centralized Logging Service controller using Lync Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection

MTLS/TCP/50003

Any

Edge Server internal interface

Centralized Logging Service controller using Lync Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection

Firewall Summary for Federation

Role/Protocol/TCP or UDP/Port Source IP address Destination IP address Notes

Access/SIP(MTLS)/TCP/5061

Access Edge service public IP address

Any

For federated and public IM connectivity using SIP

Firewall Summary – Public Instant Messaging Connectivity

Role/Protocol/TCP or UDP/Port Source IP address Destination IP address Notes

Access/SIP(MTLS)/TCP/5061

Public IM connectivity partners

Edge Server Access Edge service

For federated and public IM connectivity using SIP

Access/SIP(MTLS)/TCP/5061

Edge Server Access Edge service

Public IM connectivity partners

For federated and public IM connectivity using SIP

Access/SIP(TLS)/TCP/443

Clients

Edge Server Access Edge service

Client-to-server SIP traffic for external user access

A/V/RTP/TCP/50,000-59,999

Edge Server A/V Edge service

Live Messenger clients

Used for A/V sessions with Windows Live Messenger if public IM connectivity is configured.

A/V/STUN,MSTURN/UDP/3478

Edge Server A/V Edge service

Live Messenger clients

Required for public IM connectivity with Windows Live Messenger

A/V/STUN,MSTURN/UDP/3478

Live Messenger clients

Edge Server A/V Edge service

Required for public IM connectivity with Windows Live Messenger

Firewall Summary for Extensible Messaging and Presence Protocol

Protocol/TCP or UDP/Port Source (IP address) Destination (IP address) Comments

XMPP/TCP/5269

Any

Edge Server Access Edge service interface IP address

Standard server-to-server communication port for XMPP. Allows communication to the Edge Server XMPP proxy from federated XMPP partners

XMPP/TCP/5269

Edge Server Access Edge service interface IP address

Any

Standard server-to-server communication port for XMPP. Allows communication from the Edge Server XMPP proxy to federated XMPP partners

XMPP/MTLS/TCP/23456

Any

Each internal Edge Server interface IP

Internal XMPP traffic from the XMPP Gateway on the Front End Server or Front End pool to the Edge Server internal IP address or each Edge pool member’s internal IP address