Topic Last Modified: 2014-01-13

The Lync Server 2013 Edge Server functionality described in this scenario architecture is very similar to what was implemented in Lync Server 2010. The most noticeable addition is the port 5269 over TCP entry for the Extensible Messaging and Presence Protocol (XMPP). Lync Server 2013 optionally deploys an XMPP proxy on the Edge Server or Edge pool and the XMPP gateway server on the Front End Server or Front End pool.

In addition to IPv4, the Edge Server now supports IPv6. For clarity, only IPv4 is used in the scenarios.

Scaled Consolidated Edge using Hardware Load Balancing

Edge Server Perimeter Network ports and protocols

Port and Protocol Details

It is recommended that you open only the ports required to support the functionality for which you are providing external access.

For remote access to work for any edge service, it is mandatory that SIP traffic is allowed to flow bi-directionally as shown in the Inbound/Outbound edge traffic figure. To put it another way, SIP messaging to and from the Access Edge service underlies instant messaging (IM), presence, web conferencing, audio/video (A/V) and federation.

Firewall Summary for Scaled Consolidated Edge, Hardware Load Balanced: External Interface – Node 1 and Node 2 (Example)

Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes
Access/HTTP/TCP/80 | Edge Server Access Edge service public IP address | Any | Certificate revocation/CRL check and retrieval
Access/DNS/TCP/53 | Edge Server Access Edge service public IP address | Any | DNS query over TCP
Access/DNS/UDP/53 | Edge Server Access Edge service public IP address | Any | DNS query over UDP
A/V/RTP/TCP/50,000-59,999 | Edge Server A/V Edge service public IP address | Any | Required for federating with partners running Office Communications Server 2007, Office Communications Server 2007 R2, Lync Server 2010 and Lync Server 2013.
A/V/RTP/UDP/50,000-59,999 | Edge Server A/V Edge service public IP address | Any | Required only for federation with partners running Office Communications Server 2007.
A/V/RTP/TCP/50,000-59,999 | Any | Edge Server A/V Edge service public IP address | Required only for federation with partners running Office Communications Server 2007.
A/V/RTP/UDP/50,000-59,999 | Any | Edge Server A/V Edge service public IP address | Required only for federation with partners running Office Communications Server 2007.
A/V/STUN,MSTURN/UDP/3478 | Edge Server A/V Edge service public IP address | Any | 3478 outbound is used to determine the version of Edge Server that Lync Server is communicating with and also for media traffic from Edge Server to Edge Server. Required for federation with Lync Server 2010, Windows Live Messenger, and Office Communications Server 2007 R2, and also if multiple Edge pools are deployed within a company.
A/V/STUN,MSTURN/UDP/3478 | Any | Edge Server A/V Edge service public IP address | STUN/TURN negotiation of candidates over UDP/3478
A/V/STUN,MSTURN/TCP/443 | Any | Edge Server A/V Edge service public IP address | STUN/TURN negotiation of candidates over TCP/443
A/V/STUN,MSTURN/TCP/443 | Edge Server A/V Edge service public IP address | Any | STUN/TURN negotiation of candidates over TCP/443

Firewall Summary for Scaled Consolidated Edge, Hardware Load Balanced: Internal Interface Node 1 and Node 2

Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes
XMPP/MTLS/TCP/23456 | Any (can be defined as Front End Server address, or Front End pool virtual IP address running the XMPP Gateway service) | Edge Server internal interface | Outbound XMPP traffic from the XMPP Gateway service running on the Front End Server or Front End pool
HTTPS/TCP/4443 | Any (can be defined as the Front End Server IP or pool that holds the Central Management store) | Edge Server internal interface | Replication of changes from the Central Management store to the Edge Server
PSOM/MTLS/TCP/8057 | Any (can be defined as Director IP, Front End Server IP or pool virtual IP) | Edge Server internal interface | Web conferencing traffic from the internal deployment to the internal Edge Server interface
STUN/MSTURN/UDP/3478 | Any (can be defined as Director IP, Front End Server IP or pool virtual IP) | Edge Server internal interface | Preferred path for A/V media transfer between internal and external users, Survivable Branch Appliance or Survivable Branch Server
STUN/MSTURN/TCP/443 | Any (can be defined as Director IP, Front End Server IP or pool virtual IP) | Edge Server internal interface | Fallback path for A/V media transfer between internal and external users, Survivable Branch Appliance or Survivable Branch Server if UDP communication cannot be established; TCP is used for file transfer and desktop sharing
MTLS/TCP/50001 | Any | Edge Server internal interface | Centralized Logging Service controller using Lync Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection
MTLS/TCP/50002 | Any | Edge Server internal interface | Centralized Logging Service controller using Lync Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection
MTLS/TCP/50003 | Any | Edge Server internal interface | Centralized Logging Service controller using Lync Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection

Hardware load balancers have specific requirements when deployed to provide availability and load balancing for Lync Server. The requirements are defined in the following figure and tables. Third-party vendors may use different terminology for the requirements defined here, so you will need to map the Lync Server requirements to the features and configuration options that your hardware load balancer vendor provides.

When configuring hardware load balancers, consider the following requirements:

  • Source Network Address Translation (SNAT) can be configured on the hardware load balancer (HLB) for the Access Edge service and the Web Conferencing Edge service.

  • SNAT cannot be configured for the A/V Edge service: the A/V Edge service must respond with the real server address, not the HLB virtual IP (VIP), for simple traversal of UDP over NAT (STUN), traversal using relay NAT (TURN) and federation TURN (FTURN) to work properly.

  • Public IP addresses are used on each server interface and on the VIPs of the HLB, so your public IP address requirement is N+1: one public IP address for each real server interface and one for each HLB VIP. With 2 Edge Servers in the pool, this results in 9 public IP addresses, where 3 are used for the HLB VIPs and one for each Edge Server interface (a total of six for the servers).

  • For the Access Edge service and Web Conferencing Edge service (using NAT on the HLB), the client contacts the VIP, and the VIP changes the source IP address from the client's address to its own. The server interface addresses its reply to the VIP; the VIP changes the source address from the server interface IP address and sends the packet to the client.

  • For the A/V Edge service, the VIP must NOT change the source IP address, and the real server address is returned to the client directly; you cannot configure NAT on the HLB for A/V traffic.

  • For A/V, the external firewall retains the real server public IP address for all packets.

  • Once established, client to A/V Edge service communication is to the real server, not the HLB.

  • Internal edge to internal servers and clients must be routed, and persistent routes are set for all internal networks that host servers or clients.

  • The HLB Access Edge service VIP acts as the default gateway for each Edge Server interface.

Edge Server ports and protocols details

External Port Settings Required for Scaled Consolidated Edge, Hardware Load Balanced: External Interface Virtual IPs

Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes
XMPP/TCP/5269 | Any | XMPP Proxy service (shares IP address with Access Edge service) | XMPP Proxy service accepts traffic from XMPP contacts in defined XMPP federations
XMPP/TCP/5269 | XMPP Proxy service (shares IP address with Access Edge service) | Any | XMPP Proxy service sends traffic to XMPP contacts in defined XMPP federations
Access/SIP(TLS)/TCP/443 | Any | Access Edge service public VIP address | Client-to-server SIP traffic for external user access
Access/SIP(MTLS)/TCP/5061 | Any | Access Edge service public VIP address | SIP signaling, federated and public IM connectivity using SIP
Access/SIP(MTLS)/TCP/5061 | Access Edge service public VIP address | Federated partner | SIP signaling, federated and public IM connectivity using SIP
Web Conferencing/PSOM(TLS)/TCP/443 | Any | Edge Server Web Conferencing Edge service public VIP address | Web Conferencing media
A/V/STUN,MSTURN/UDP/3478 | Any | Edge Server A/V Edge service public VIP address | STUN/TURN negotiation of candidates over UDP/3478
A/V/STUN,MSTURN/TCP/443 | Any | Edge Server A/V Edge service public VIP address | STUN/TURN negotiation of candidates over TCP/443
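The following Python is an added example, not Microsoft documentation or tooling. It transcribes the inbound rules from the External Interface Virtual IPs table above into a required set, audits a constructed candidate rule set against it in the spirit of opening only the ports that are required, and applies the N+1 public address rule from the hardware load balancer requirements; the address labels (access-edge-vip and so on) and the rule line format are assumptions, not real IPs or a real firewall syntax.

```python
"""Audit a perimeter rule set for a hardware-load-balanced Edge pool.
Added example, not Microsoft tooling: REQUIRED_VIP_RULES transcribes this
page's external VIP table; SAMPLE_RULES and the address labels are made up."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    proto: str   # "TCP" or "UDP"
    port: int
    src: str     # "any" or an address label
    dst: str

# Inbound rules to the external VIPs, as listed on the page.
REQUIRED_VIP_RULES = frozenset({
    Rule("TCP", 5269, "any", "xmpp-proxy-vip"),   # XMPP federation
    Rule("TCP", 443, "any", "access-edge-vip"),   # client SIP over TLS
    Rule("TCP", 5061, "any", "access-edge-vip"),  # federated SIP over MTLS
    Rule("TCP", 443, "any", "webconf-edge-vip"),  # PSOM over TLS
    Rule("UDP", 3478, "any", "av-edge-vip"),      # STUN/TURN candidates
    Rule("TCP", 443, "any", "av-edge-vip"),       # STUN/TURN TCP fallback
})

# Constructed candidate set: UDP/3478 is missing, and TCP/80 inbound is open
# although the page only needs port 80 outbound for CRL retrieval.
SAMPLE_RULES = [
    "allow tcp 5269 from any to xmpp-proxy-vip",
    "allow tcp 443 from any to access-edge-vip",
    "allow tcp 5061 from any to access-edge-vip",
    "allow tcp 443 from any to webconf-edge-vip",
    "allow tcp 443 from any to av-edge-vip",
    "allow tcp 80 from any to access-edge-vip",
]

def public_ip_count(edge_servers: int) -> int:
    """N+1 addressing: one public IP per HLB VIP (three Edge services)
    plus one per service interface on every real server (three each)."""
    return 3 + 3 * edge_servers

def parse_rule(line: str) -> Rule:
    """Parse a constructed line: 'allow tcp 443 from any to access-edge-vip'."""
    _action, proto, port, _from, src, _to, dst = line.split()
    return Rule(proto.upper(), int(port), src, dst)

def audit_rules(lines):
    """Return (missing, extra): required rules absent from the candidate set,
    and allowed rules the page does not list, which should be closed."""
    candidate = {parse_rule(l) for l in lines if l.strip()}
    return (sorted(REQUIRED_VIP_RULES - candidate, key=str),
            sorted(candidate - REQUIRED_VIP_RULES, key=str))
```

Running audit_rules(SAMPLE_RULES) reports the missing UDP/3478 rule (which would break the preferred A/V media path) and the extra inbound TCP/80 rule.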

Firewall Summary for Scaled Consolidated Edge, Hardware Load Balanced: Internal Interface Virtual IPs

Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes
Access/SIP(MTLS)/TCP/5061 | Any (can be defined as Director, Director pool virtual IP address, Front End Server or Front End pool virtual IP address) | Edge Server internal VIP interface | Outbound SIP traffic (from Director, Director pool virtual IP address, Front End Server or Front End pool virtual IP address) to the internal Edge VIP
Access/SIP(MTLS)/TCP/5061 | Edge Server internal VIP interface | Any (can be defined as Director, Director pool virtual IP address, Front End Server or Front End pool virtual IP address) | Inbound SIP traffic (to Director, Director pool virtual IP address, Front End Server or Front End pool virtual IP address) from the Edge Server internal interface
SIP/MTLS/TCP/5062 | Any (can be defined as Front End Server IP address, Front End pool IP address, or any Survivable Branch Appliance or Survivable Branch Server using this Edge Server) | Edge Server internal VIP interface | Authentication of A/V users (A/V authentication service) from the Front End Server or Front End pool IP address, or any Survivable Branch Appliance or Survivable Branch Server using this Edge Server
STUN/MSTURN/UDP/3478 | Any | Edge Server internal VIP interface | Preferred path for A/V media transfer between internal and external users
STUN/MSTURN/TCP/443 | Any | Edge Server internal VIP interface | Fallback path for A/V media transfer between internal and external users if UDP communication cannot be established; TCP is used for file transfer and desktop sharing
STUN/MSTURN/TCP/443 | Edge Server internal VIP interface | Any | Fallback path for A/V media transfer between internal and external users if UDP communication cannot be established; TCP is used for file transfer and desktop sharing