IM and Presence

Legend:
• SIP traffic: signaling and IM
• XMPP traffic
• HTTPS traffic
• MSMQ traffic
• CLS traffic
Arrow direction indicates which server initiates the connection. Actual traffic is bi-directional.

Components shown, from the external network through the External Firewall and Internal Firewall to the internal network:
• Skype for Business users (external and internal)
• Skype for Business federation and Public IM; XMPP federation
• Edge Pool
• Reverse proxy
• Directors
• Front end pool
• Active Directory Domain Services
• Address book & Persistent Chat file share (File Share Server)
• Certificate Authority
• Skype for Business DirSync
• Centralized Logging Service
• Persistent Chat Compliance Server; Persistent Chat Server
• Office 365; ADFS Proxy; ADFS Server; Skype Directory Search; Single sign-on (SSO)
• Back-end SQL

Protocols and ports labelled on the diagram:
• Access Edge – SIP/TLS: 443 (external users); Access Edge – SIP/MTLS: 5061 (Skype for Business federation and Public IM)
• XMPP/TCP: 5269 (XMPP federation, external side); XMPP/MTLS: 23456 (internal side)
• Reverse proxy: HTTPS: 443 on the external side to HTTPS: 4443 on the internal side
• SIP/TLS: 5061 (internal users to Directors and Front end pool)
• SIP/MTLS: 5061 (between Edge Pool, Directors and Front end pool)
• HTTPS: 443 and HTTP: 80 (Web Services); LPE devices also require port 80
• TCP: 443
• CLS/MTLS: 50001-50003 (Centralized Logging Service)
• C3P/HTTPS: 444
• SIP/MTLS: 5041 (Persistent Chat)
• MSMQ (Persistent Chat Compliance)
• DSML/HTTPS: 443 (DirSync)
• SAML/HTTPS: 443 (ADFS)

Notes:
• Director proxies Web traffic to the destination pool's Web service.
• Publish rule for port 4443 on the reverse proxy: set "forward host header" to true. This ensures the original URL is forwarded.

A. This port (HTTPS: 443) is used to connect to Web Services:
• download the Address Book
• connect to Address Book Web query URL
• provide distribution list expansion
• download meeting content
• connect to the Mobility Service
• connect to the AutoDiscover Service
• connect to Dial-in URL
• connect to Lync Web App
• connect to CertProvisioningService

B. External user sign-in process:
1. Client discovers Edge Server:
a. lyncdiscoverinternal.<sip-domain>
b. lyncdiscover.<sip-domain>
c. _sipinternaltls._tcp.<sip-domain>
d. _sipinternal._tcp.<sip-domain>
e. _sip._tls.<sip-domain>
f. sipinternal.<sip-domain>
g. sip.<sip-domain>
h. sipexternal.<sip-domain>
2. Client connects to Edge Server.
3. Edge Server proxies connection to Director.
4. Director authenticates user and proxies connection to user's home pool.

C. Internal user sign-in process:
1. Client discovers Enterprise Pool:
a. lyncdiscoverinternal.<sip-domain>
b. lyncdiscover.<sip-domain>
c. _sipinternaltls._tcp.<sip-domain>
d. _sipinternal._tcp.<sip-domain>
e. sipinternal.<sip-domain>
f. sip.<sip-domain>
2. Client connects to Enterprise Pool server.
3. Enterprise pool server authenticates user and redirects connection to user's home server.

Ports to load balance by HLB:
- 80
- 8080
- 443
- 4443
- 5061 [can use DNS load balancing]

Port number to service traffic assignment:
5062 – IM Conferencing Service
5086 – Internal Mobility Service
5087 – External Mobility Service
Version date 7/6/2018

© 2018 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at SfBdoc2015@microsoft.com.
A/V and Web Conferencing

Legend:
• SIP traffic: signaling
• HTTP(S) traffic
• RTP/SRTP traffic: A/V Conferencing
• PSOM traffic: Web Conferencing
• ICE traffic
Arrow direction indicates which server initiates the connection. Actual traffic is bi-directional.

Components shown, from the external network through the External Firewall and Internal Firewall to the internal network: Skype for Business users (external and internal), Skype for Business federation, Edge Pool, Reverse proxy, Directors, Front end pool, File Share Server (meeting content + metadata + compliance file share), Office Web Apps Server, Active Directory Domain Services, VIS, VTC, SIP Trunk, CUCM.

Protocols and ports labelled on the diagram:
• Peer-to-peer A/V session: SRTP/UDP:1024-65535 (external users) and SRTP/UDP:49152-65535 (internal users)
• Access Edge – SIP/TLS:443 (external users) and SIP/TLS:5061 (federation); SIP/MTLS/TCP:5061 on the internal side
• Web Conf Edge – PSOM/TLS:443 (external side); PSOM/MTLS/TCP:8057 (internal side); PSOM/TLS:8057 (internal users)
• A/V Edge – STUN/TCP:443, UDP:3478; ICE: STUN/TCP:443, UDP:3478; SRTP: STUN/TCP:443, UDP:3478
• SIP/MTLS/TCP:5062
• SIP/TLS:5061 (internal users)
• HTTPS:443 (internal users, Directors, Front end pool); reverse proxy HTTPS:443 (external side) to HTTPS:4443 (internal side)
• SMB:445 (File Share Server)
• MRAS traffic (Edge Pool to Front end pool)
• TCP:5060 and TLS:5061 (SIP Trunk, VTC, CUCM)

Notes:
• Traffic goes directly to the A/V Conferencing Service WITHOUT going through the pool's hardware load balancer.
• Director proxies Web traffic to the destination pool's Web Service.
• If client connects on port 80 during sign-in, it gets redirected to port 443 (reverse proxy).

A. A/V Edge firewall rules (Source IP, Destination IP, Source Port, Destination Port):
• A/V Edge to Any: source TCP 50,000-59,999, destination TCP 443
• A/V Edge to Any: source UDP 3478, destination UDP 3478
• Any to A/V Edge: source Any, destination TCP 443
• Any to A/V Edge: source Any, destination UDP 3478

B. Codec varies per workload:
• G.722 for audio
• H264SVC for video

C. Codec varies per workload:
• G.722, Siren or SILK for audio
• H264SVC for video [RTVideo for downlevel clients]

D. Codec varies per workload:
• G.722 for audio
• H264AVC for video

E. HTTPS: 443 is used to download conferencing content, including PowerPoint files and sharing (Office Web Apps Server).
Application Sharing

Legend:
• SIP traffic: signaling
• HTTP(S) traffic
• RTP/SRTP traffic: A/V Conferencing
• ICE traffic
Arrow direction indicates which server initiates the connection. Actual traffic is bi-directional.

Components shown, from the external network through the External Firewall and Internal Firewall to the internal network: Skype for Business users (external and internal), Skype for Business federation, Edge Pool, Reverse proxy, Directors, Front end pool, Active Directory Domain Services.

Protocols and ports labelled on the diagram:
• Peer-to-peer application sharing session: RDP/SRTP/TCP:1024-65535 (external users) and RDP/SRTP/TCP:49152-65535 (internal users)
• A/V Edge: SRTP: STUN/TCP:443; ICE: STUN/TCP:443
• Access Edge - SIP/TLS:5061 (federation) to SIP/MTLS:5061; Access Edge - SIP/TLS:443 (external users) to SIP/MTLS:5062
• SIP/TLS:5061 (internal users)
• SIP/MTLS (Directors to Front end pool)
• Reverse proxy HTTPS:443 (external side) to HTTPS:4443 (internal side); if client connects on port 80 during sign-in, it gets redirected to port 443
• MRAS traffic (Edge Pool to Front end pool)

Port number to service traffic assignment:
5065 - Application Sharing Conferencing Service

A. A/V Edge firewall rules (Source IP, Destination IP, Source Port, Destination Port):
• A/V Edge to Any: source TCP 50,000-59,999, destination TCP 443
• Any to A/V Edge: source Any, destination TCP 443
Enterprise Voice (Internal and Branch Office)

Legend:
• SIP traffic
• Call Admission Control (CAC) traffic
• RTP/SRTP traffic: A/V Conferencing
• ICE traffic
Arrow direction indicates which server initiates the connection. Actual traffic is bi-directional.

Components shown, from the internal network through the External Firewall and Internal Firewall to the branch office: Skype for Business users (internal and branch), Active Directory Domain Services, Directors, Edge Pool, Front end pool, Branch Appliance, Mediation Pool (optional), Exchange UM, Enterprise Voice applications.

Protocols and ports labelled on the diagram:
• SRTP: STUN/TCP:443, UDP:3478; ICE: STUN/TCP:443, UDP:3478
• A/V Edge – ICE: STUN/TCP:443, STUN/UDP:3478
• SRTP/UDP:30,000-39,999
• SRTP/RTCP:60,000-64,000
• SRTP/RTCP:49,152-57,500
• STUN/TCP:448; TURN/TCP:448
• SIP/TLS:5061 (users to Front end pool, Directors and Branch Appliance)
• SIP/MTLS:5061; SIP/MTLS:5061, 5071 (Front end pool to Branch Appliance)
• Access Edge - SIP/TLS:443 to SIP/MTLS:5062
• HTTPS:444
• Exchange UM: SIP/TLS:5061,5070
• Mediation Pool (optional): SIP/TCP:5060,5061
• MRAS traffic

Notes:
• If no Edge Server is defined in the topology, the callee checks the Front End Server's Bandwidth Policy Service.
• Media codec varies per workload: RTAudio, G.711, SILK.
• Media bypass: audio is routed directly to the gateway, bypassing the Mediation Server.
• For federation, the SBA connects directly with the Director. If no Director is available, federation traffic goes directly to the Edge Server.
• The Lync client automatically registers with the WAN pool if the Branch Appliance becomes unavailable.

Port number to service traffic assignment:
5064 - Telephony Conferencing Service
5067 – Mediation Server Service
5071 - Response Group Service
5072 - Conferencing Attendant Service
5073 - Conferencing Announcement Service
5075 - Call Park Service

Enterprise Voice applications. Connectivity to:
• IP-PSTN gateway
• IP/PBX
• Direct SIP
• SIP trunk
Certificate Requirements

Core elements

Front End Pool (Front End Server 1, Front End Server 2)
FQDN: pool.<ad-domain>
Certificate SN: pool.<ad-domain>
Certificate SAN: pool.<ad-domain>, fe.<ad-domain>, sip.<sip-domain>, lyncdiscoverinternal.<sip-domain>, lyncdiscover.<sip-domain>, admin URL, meet URL, dial-in URL
EKU: server
Root certificate: private CA

Edge Servers (Edge Server 1, Edge Server 2; the Internal edge faces the internal network, the Access edge, A/V edge and Conf edge face the external network)
Internal FQDN: internal.<ad-domain>
Certificate SN: internal.<ad-domain>
Certificate SAN: (none listed)
EKU: server
Root certificate: private CA
External FQDN: access.<sip-domain>
Certificate SN: access.<sip-domain>
Certificate SAN: access.<sip-domain>, sip.<sip-domain>, conf.<sip-domain>
EKU: server
Root certificate: public CA

Persistent Chat Server
FQDN: chatsrv.<ad-domain>
Certificate SN: chatsrv.<ad-domain>
Certificate SAN: N/A
EKU: server, client
Root certificate: private CA

Directors (Director 1, Director 2)
FQDN: dir.<ad-domain>
Certificate SN: dir.<ad-domain>
Certificate SAN: dir.<ad-domain>, sipinternal.<sip-domain>, sip.<sip-domain>, lyncdiscoverinternal.<sip-domain>, lyncdiscover.<sip-domain>, admin URL, meet URL, dial-in URL
EKU: server
Root certificate: private CA

Additional elements

Reverse proxy
FQDN: external Web Service FQDN
Certificate SN: external Web Service FQDN
Certificate SAN: external Web Service FQDN, lyncdiscover.<sip-domain>, meet URL, dial-in URL, OwaExtWeb.<sip-domain>
EKU: server
Root certificate: public CA

Branch Appliance
FQDN: sba.<ad-domain>
Certificate SN: sba.<ad-domain>
Certificate SAN: sba.<ad-domain>
EKU: server
Root certificate: private CA

Exchange UM Server
FQDN: umsrv.<ad-domain>
Certificate SN: umsrv.<ad-domain>
Certificate SAN: N/A
EKU: server
Root certificate: private CA

Office Web Apps Server
FQDN: OwaExtWeb.<sip-domain>
Certificate SN: OwaExtWeb.<sip-domain>
Certificate SAN: wacsrv1.<ad-domain>, wacsrv2.<ad-domain>
EKU: server
Root certificate: private CA
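The certificate page above is a checklist, and the failure mode that bites in practice is a certificate that is valid but incomplete (a SAN name missing, the wrong EKU, an external edge certificate issued by the private CA). The following is an added example, not a Microsoft tool: it encodes the subject name, SAN, EKU and root-CA requirements the page lists for three of the roles and reports every deviation for a given certificate description. The placeholder tokens <ad-domain> and <sip-domain> are expanded at check time; the URL mapping, the contoso.example names and the two sample certificate descriptions are constructed inputs, and the function check_certificate is this example's own.

```python
"""Check a server certificate against the Skype for Business role requirements.

Added example. ROLE_REQUIREMENTS copies the Certificate Requirements page for
three roles; everything under "constructed" below is sample data, not values
from the page.
"""

# Requirements as listed on the page; "admin URL", "meet URL", "dial-in URL"
# are resolved through a caller-supplied mapping.
ROLE_REQUIREMENTS = {
    "front_end_pool": {
        "sn": "pool.<ad-domain>",
        "san": ["pool.<ad-domain>", "fe.<ad-domain>", "sip.<sip-domain>",
                "lyncdiscoverinternal.<sip-domain>", "lyncdiscover.<sip-domain>",
                "admin URL", "meet URL", "dial-in URL"],
        "eku": {"server"},
        "root": "private CA",
    },
    "edge_external": {
        "sn": "access.<sip-domain>",
        "san": ["access.<sip-domain>", "sip.<sip-domain>", "conf.<sip-domain>"],
        "eku": {"server"},
        "root": "public CA",
    },
    "persistent_chat": {
        "sn": "chatsrv.<ad-domain>",
        "san": [],  # page lists SAN: N/A
        "eku": {"server", "client"},
        "root": "private CA",
    },
}


def expand(name, ad_domain, sip_domain, urls):
    """Turn a page placeholder into the concrete DNS name for this deployment."""
    if name in urls:
        return urls[name]
    return name.replace("<ad-domain>", ad_domain).replace("<sip-domain>", sip_domain)


def check_certificate(role, cert, ad_domain, sip_domain, urls):
    """Return a list of findings; an empty list means the certificate meets the page's requirements.

    `cert` is a plain description: subject_cn (str), san (list of str),
    eku (list of str), root ("private CA" or "public CA"). Name comparison is
    case-insensitive and exact: a wildcard entry does not satisfy a required SAN.
    """
    req = ROLE_REQUIREMENTS[role]
    findings = []
    want_sn = expand(req["sn"], ad_domain, sip_domain, urls).lower()
    if cert["subject_cn"].lower() != want_sn:
        findings.append(f"subject name is {cert['subject_cn']}, expected {want_sn}")
    have_san = {s.lower() for s in cert["san"]}
    for name in req["san"]:
        full = expand(name, ad_domain, sip_domain, urls).lower()
        if full not in have_san:
            findings.append(f"missing SAN {full}")
    missing_eku = req["eku"] - set(cert["eku"])
    if missing_eku:
        findings.append("missing EKU: " + ", ".join(sorted(missing_eku)))
    if cert["root"] != req["root"]:
        findings.append(f"issued by {cert['root']}, page requires {req['root']}")
    return findings


# Constructed sample deployment values.
SAMPLE_URLS = {"admin URL": "admin.contoso.example",
               "meet URL": "meet.contoso.example",
               "dial-in URL": "dialin.contoso.example"}

# Constructed: a Front End certificate that satisfies every listed name.
GOOD_FE_CERT = {
    "subject_cn": "pool.corp.contoso.example",
    "san": ["pool.corp.contoso.example", "fe.corp.contoso.example", "sip.contoso.example",
            "lyncdiscoverinternal.contoso.example", "lyncdiscover.contoso.example",
            "admin.contoso.example", "meet.contoso.example", "dialin.contoso.example"],
    "eku": ["server"],
    "root": "private CA",
}

# Constructed: an external edge certificate missing the Conf edge name and
# issued by the private CA instead of a public one.
BAD_EDGE_CERT = {
    "subject_cn": "access.contoso.example",
    "san": ["access.contoso.example", "sip.contoso.example"],
    "eku": ["server"],
    "root": "private CA",
}

if __name__ == "__main__":
    for role, cert in (("front_end_pool", GOOD_FE_CERT), ("edge_external", BAD_EDGE_CERT)):
        result = check_certificate(role, cert, "corp.contoso.example", "contoso.example", SAMPLE_URLS)
        print(role, "OK" if not result else result)
```

To run this against a real certificate, build the `cert` dictionary from the parsed X.509 object (subject CN, SAN extension, EKU OIDs mapped to "server"/"client", and the issuing CA category) and call check_certificate once per role before assigning the certificate in the Deployment Wizard.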

CMS (Central Management Store)

Legend:
• SMB traffic
• HTTPS traffic
Arrow direction indicates which server initiates the connection. Subsequent traffic is bi-directional.

Components shown, from the External Firewall through the Internal Firewall to the internal network:
• Edge Pool (CMS replica), replicated over HTTPS:4443
• Enterprise Pool (CMS master)
• Back-end SQL Server: install on Enterprise Edition to provide high availability; default (1433) or SQL named instance; TCP:1433
• Front-end Pool (CMS replica)
• Director (CMS replica)
• Mediation Pool (CMS replica)
• Standard Edition Server (CMS replica)
• Branch Appliance (CMS replica)
• Active Directory Domain Services
Internal replicas receive the data over SMB:445.

The Central Management Store provides a robust, schematized storage of the data needed to define, set up, maintain, administer, describe, and operate a Skype for Business Server deployment. It also validates the data to ensure configuration consistency. All changes to this configuration data happen at the Central Management store, eliminating "out-of-sync" issues. Read-only copies of the data are replicated to all servers in the topology, including Edge Servers and Survivable Branch Appliances.

The Active Directory Domain Services (AD DS) are still used to store basic user information, such as the user's SIP URI and phone number. User policy information is stored in the Central Management store. The use of Active Directory Domain Services (AD DS) also provides backward compatibility with earlier releases of Lync Server.

To administer servers and services, you use Skype for Business Server Management Shell or the Skype for Business Server Control Panel, which then configure the settings in the Central Management store. The Central Management Server, which runs on one Front End pool or one Standard Edition server in your deployment, replicates the configuration changes to all of the servers in your deployment.
DNS Configuration

Internal DNS Configuration

DNS Type | Value | Enterprise Edition Resolution | Standard Edition Resolution | Purpose
SRV | _sipinternaltls._tcp.<sip-domain> | pool FQDN | pool FQDN | internal user access
A/CNAME | lyncdiscoverinternal.<sip-domain> | HLB FE Pool VIP | pool IP address | internal AutoDiscover Service
A | Pool FQDN | individual FE IPs | pool IP address | internal pool name
A | admin URL | HLB FE Pool VIP | pool IP address | Lync Server Control Panel (LSCP)
A | meet URL | HLB FE Pool VIP | pool IP address | Lync Server Web Service
A | dial-in URL | HLB FE Pool VIP | pool IP address | Lync Server Web Service
A | internal Web Services FQDN | HLB FE Pool VIP | pool IP address | Lync Server Web Service
A | external Web Services FQDN | Reverse proxy public IP address | Reverse proxy public IP address | proxied to Lync Server Web Service

External DNS Configuration

DNS Type | Value | Resolution | Purpose
SRV | _sipfederationtls._tcp.<sip-domain> | Access Edge FQDN: access.<sip-domain> | federation and public IM connectivity
SRV | _sip._tls.<sip-domain> | Access Edge FQDN: access.<sip-domain> | external user access
SRV | _xmpp-server._tcp.<sip-domain> | Access Edge FQDN: access.<sip-domain> | XMPP federation
A | sip.<sip-domain> | Access Edge FQDN: access.<sip-domain> | locate Edge Server
A | Access Edge FQDN: access.<sip-domain> | Access Edge IP address | Edge Server Access edge
A | A/V Edge FQDN: av.<sip-domain> | A/V Edge IP address | Edge Server A/V edge
A | Conf Edge FQDN: conf.<sip-domain> | Conf Edge IP address | Edge Server Conf edge
A/CNAME | lyncdiscover.<sip-domain> | reverse proxy public IP address | external AutoDiscover Service
A | meet URL | reverse proxy public IP address | proxied to Lync Server Web Service
A | dial-in URL | reverse proxy public IP address | proxied to Lync Server Web Service
A | external Web Services FQDN | reverse proxy public IP address | proxied to Lync Server Web Service

OWA

DNS Type | Value | Office Web Apps Farm Resolution | Office Web Apps Server Resolution | Purpose
A | OWA internal URL | HLB OWA VIP | OWA server IP | internal user access to PowerPoint presentations
A | OWA external URL | Reverse proxy public IP address | Reverse proxy public IP address | external user access to PowerPoint presentations
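The sign-in discovery sequences on the IM and Presence page and the External DNS Configuration table above describe the same thing from two sides: which names a client tries, in which order, and which of them must exist in public DNS and point where. The following added example (not Microsoft code) models both. The discovery lists reproduce the external and internal sign-in order from the page, EXTERNAL_REQUIRED reproduces the external records that must resolve to the Access Edge or the reverse proxy, and internal_names_leaked flags internal-only discovery names that a public resolver answers, which a split-DNS setup should not do. The resolver is injected as a function so the code runs offline; SAMPLE_EXTERNAL_ZONE, contoso.example and the IP addresses are constructed sample data.

```python
"""Sign-in discovery order and external DNS audit for a Skype for Business SIP domain.

Added example. The name lists follow the page's sign-in discovery sequences and
External DNS Configuration table; the sample zone below is constructed data.
"""

# Discovery order for external users (IM and Presence page, callout B, step 1).
EXTERNAL_DISCOVERY = [
    "lyncdiscoverinternal.{d}",
    "lyncdiscover.{d}",
    "_sipinternaltls._tcp.{d}",
    "_sipinternal._tcp.{d}",
    "_sip._tls.{d}",
    "sipinternal.{d}",
    "sip.{d}",
    "sipexternal.{d}",
]

# Discovery order for internal users (IM and Presence page, callout C, step 1).
INTERNAL_DISCOVERY = [
    "lyncdiscoverinternal.{d}",
    "lyncdiscover.{d}",
    "_sipinternaltls._tcp.{d}",
    "_sipinternal._tcp.{d}",
    "sipinternal.{d}",
    "sip.{d}",
]

# Names the page lists only for internal discovery / internal DNS.
INTERNAL_ONLY = [
    "lyncdiscoverinternal.{d}",
    "_sipinternaltls._tcp.{d}",
    "_sipinternal._tcp.{d}",
    "sipinternal.{d}",
]

# (record type, name template, kind of target) from the External DNS Configuration table.
EXTERNAL_REQUIRED = [
    ("SRV", "_sipfederationtls._tcp.{d}", "access edge"),
    ("SRV", "_sip._tls.{d}", "access edge"),
    ("SRV", "_xmpp-server._tcp.{d}", "access edge"),
    ("A", "sip.{d}", "access edge"),
    ("A/CNAME", "lyncdiscover.{d}", "reverse proxy"),
]


def discovery_candidates(sip_domain, external=True):
    """Ordered list of names a client tries while locating its sign-in server."""
    templates = EXTERNAL_DISCOVERY if external else INTERNAL_DISCOVERY
    return [t.format(d=sip_domain) for t in templates]


def resolve_first(candidates, lookup):
    """Return (name, target) for the first candidate the resolver answers, else None."""
    for name in candidates:
        target = lookup(name)
        if target is not None:
            return name, target
    return None


def audit_external_dns(sip_domain, lookup, access_edge_fqdn, reverse_proxy_ip):
    """Map each required external record that is missing or mis-targeted to a description."""
    expected = {"access edge": access_edge_fqdn, "reverse proxy": reverse_proxy_ip}
    problems = {}
    for rtype, template, kind in EXTERNAL_REQUIRED:
        name = template.format(d=sip_domain)
        target = lookup(name)
        if target is None:
            problems[name] = f"{rtype} record missing"
        elif target != expected[kind]:
            problems[name] = f"{rtype} record points to {target}, expected {expected[kind]}"
    return problems


def internal_names_leaked(sip_domain, lookup):
    """Internal-only discovery names that the given (public) resolver answers."""
    names = [t.format(d=sip_domain) for t in INTERNAL_ONLY]
    return [n for n in names if lookup(n) is not None]


# Constructed sample zone standing in for public DNS answers (SRV answers are
# reduced to their target host name).
SAMPLE_EXTERNAL_ZONE = {
    "_sipfederationtls._tcp.contoso.example": "access.contoso.example",
    "_sip._tls.contoso.example": "access.contoso.example",
    "sip.contoso.example": "access.contoso.example",
    "lyncdiscover.contoso.example": "203.0.113.10",
    "sipinternal.contoso.example": "10.0.0.5",  # internal name published by mistake
}


def sample_lookup(name):
    """Offline stand-in for a DNS query; replace with a real resolver call."""
    return SAMPLE_EXTERNAL_ZONE.get(name)


if __name__ == "__main__":
    print(resolve_first(discovery_candidates("contoso.example"), sample_lookup))
    print(audit_external_dns("contoso.example", sample_lookup, "access.contoso.example", "203.0.113.10"))
    print(internal_names_leaked("contoso.example", sample_lookup))
```

With the sample zone, the external client settles on lyncdiscover.contoso.example (the first name that answers), the audit reports the missing _xmpp-server SRV record, and sipinternal.contoso.example is flagged because it answers from the public resolver although the page lists it only in the internal configuration.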

Broadcast Conferencing (Microsoft Broadcast Solution)

Legend:
• HTTPS traffic
Arrow direction indicates which server initiates the connection. Actual traffic is bi-directional. Every connection on the diagram is HTTPS:443.

Attendee flow:
1. Join meeting using link (Attendee Browser to the Join Page).
2a. Authentication (if closed meeting): authentication request to Azure Active Directory (closed meeting only).
2b. Authentication.
3. Streaming starts; technology depends on client: MPEG-DASH + AES, HLS + AES, or Smooth Streaming + AES, delivered from Azure Media Services + CDN.
3. Get AES Key: Request Key with Token to Key Services; Token Verification; Return Key (AES Key).

Azure Services: Join Service (UCWA), Broadcast Pool (connection to UCWA with meeting settings), Azure Media Services + CDN, Azure Active Directory, Key Services.

On Premises Hybrid Environment: Producer (calling join service / authentication, getting conference link), Online User Pool, DirSync, User Pool, ADFS Proxy, Front End Server pool, Active Directory Domain Services.
