Topic Last Modified: 2014-03-18

You should consider the following requirements for users and your network infrastructure while planning for a hybrid deployment.


You must have the following available in your environment in order to implement and configure a Lync Server 2013 hybrid deployment.

  • An Office 365 tenant running Lync Online 2013. If you created your online tenant prior to March, 2013, you can request that your tenant be migrated to Lync Online 2013.

  • An Active Directory Federation Services (AD FS) Server running Windows 2008 R2 SP1 or the latest service pack. For additional system requirements for AD FS, see Active Directory Federation Services 2.0.

  • An on-premises deployment of Lync Server 2013 or Lync Server 2010 with Cumulative Updates for Lync Server 2010: February 2013.

  • Lync Server 2013 administrative tools.

  • A Directory Synchronization server. For details about Directory Synchronization, see Directory Synchronization Tool.

Lync Client Support

There are some differences in the features supported in Lync clients, as well as the features available in on-premises and online environments. Before you decide where you want to home users in your organization, you can view the client support for the various configurations of Lync Server. The following clients are supported with Lync Online in a Lync hybrid deployment:

  • Lync 2013

  • Lync Windows Store app

  • Lync Web App

  • Lync Mobile

  • Lync for Mac 2011

  • Lync Room System

  • Lync Basic 2013

For details about client support, see the following topics:

Topology Requirements

To configure your Lync Server 2013 deployment for hybrid with Lync Online, you need to have one of the following supported topologies:

  • Microsoft Office Communications Server 2007 R2 with Lync Server 2013 on-premises. The Lync Server 2013 federation Edge Server and the next hop server from the federation Edge Server must be running Lync Server 2013, and there must be a Central Management Store deployed. The Edge Server and pool must be deployed on-premises.

  • Microsoft Lync Server 2010 with Cumulative Updates for Lync Server 2010: February 2013 applied, and the Lync Server 2013 administrative tools installed on-premises. The federation Edge Server and next hop server from the federation Edge Server must be running either Microsoft Lync Server 2010 with the latest cumulative updates.

    The Lync Server 2013 administrative tools should be installed on a separate server that has access to connect to the existing Lync Server 2010 deployment. The Move-CsUser cmdlet to move users from your on-premises deployment to Lync Online must be run from the Lync Server 2013 administrative tools connected to your on-premises deployment.
  • A Lync Server 2013 deployment with all servers running Lync Server 2013.

For more information about supported topologies, see Supported Lync Server 2013 topologies. For troubleshooting information about hybrid deployments and connecting PowerShell to Lync Online, see Lync Online: Lync PowerShell and Hybrid Troubleshooting.

Requirements for Federation Allowed/Blocked Lists

The Allowed domains list includes domains that have a partner Edge fully qualified domain name (FQDN) configured. These are sometimes referred to as allowed partner servers or direct federation partners. You should be familiar with the difference between Open Federation and Closed Federation, referred to as partner discovery and allowed partner domain list, respectively, in on-premises deployments.

The following requirements must be met to successfully configure a hybrid deployment:

  • Domain matching must be configured the same for your on-premises deployment and your Office 365 tenant. If partner discovery is enabled on the on-premises deployment, then open federation must be configured for your online tenant. If partner discovery is not enabled, then closed federation must be configured for your online tenant.

  • The Blocked domains list in the on-premises deployment must exactly match the Blocked domains list for your online tenant.

  • The Allowed domains list in the on-premises deployment must exactly match the Allowed domains list for your online tenant.

  • Federation must be enabled for the external communications for the online tenant, which is configured by using the Lync Online Control Panel.

DNS Settings

When creating DNS SRV records for hybrid deployments, the records, _sipfederationtls._tcp.<domain> and _sip._tls.<domain>, should point to the on-premises Access Proxy.

Firewall Considerations

Computers on your network must be able to perform standard Internet DNS lookups. If these computers can reach standard Internet sites, your network meets this requirement.

Depending on the location of your Microsoft Online Services data center, you must also configure your network firewall devices to accept connections based on wildcard domain names (for example, all traffic from * If your organization’s firewalls do not support wildcard name configurations, you will have to manually determine the IP address ranges that you would like to allow and the specified ports.

Refer to the Help topic Office 365 URLs and IP address ranges.

Port and Protocol Requirements

In addition to the port requirements for internal Lync Server 2013 communication, you must also configure the following ports.

Protocol / Port Applications

TCP 443

Open inbound

  • Active Directory Federation Services (federation server role)

    For more information, see Understanding AD FS Role Services.

  • Active Directory Federation Services (proxy server role)

  • Microsoft Online Services Portal

  • My Company Portal

  • Outlook Web App

  • Lync client (communication to Lync Online from on-premises Lync Server)

TCP 80 and 443

Open inbound

  • Microsoft Online Services Directory Synchronization Tool

TCP 5061

Open inbound/outbound on the Edge Server


Open inbound/outbound for data sharing sessions


Open inbound/outbound for audio, video, application sharing sessions


Open inbound/outbound for audio and video sessions

RTP/TCP 50000-59999

Open outbound for audio and video sessions

If you need to federate with partners running Office Communications Server 2007, you will need to open inbound/outbound RTP/UDP and RTP/TCP ports 50000-59999. For more information about A/V firewall requirements see, Determine External A/V Firewall and Port Requirements. For more information on ports and protocols, see Port summary - Scaled consolidated edge with hardware load balancers.

User Accounts and Data

In a Lync Server 2013 hybrid deployment, any user that you want to home in Lync Online must first be created in the on-premises deployment, so that the user account is created in Active Directory Domain Services. You can then move the user to Lync Online, which will move the user’s contact list.

If the user is created by using the online portal for Office 365, the user account will not be synchronized with on-premises Active Directory, and the user will not exist in the on-premises Active Directory.

You should also consider the following user-related issues when planning for a hybrid deployment.

  • User contacts   The limit for contacts for Lync Online users is 250. Any contacts beyond that number will be removed from the user’s contact list.

  • Instant Messaging and Presence   User contact lists, groups, and access control lists (ACLs) are migrated with the user account.

  • Conferencing data, meeting content, and scheduled meetings   This content is not migrated with the user account. Users must reschedule meetings after their accounts are migrated to Lync Online.

User Policies and Features

  • In a Lync Server 2013 hybrid environment, users can be enabled for Instant Messaging, voice, and meetings either on-premises or online, but not both simultaneously.

  • Lync Client    Some users may require a new client version when they are moved to Lync Online. For Office Communications Server 2007 R2, users must be moved to a Lync Server 2013 pool prior to migration to Lync Online.

    For more information about client support, see Clients for Lync Online and Supported Lync clients and network port configurations .

  • On-premises policies and configuration (non-user)   Online and on-premises policies require separate configuration. You cannot set global policies that apply to both.