Determining Your Infrastructure Requirements for Microsoft Lync Server 2010

Published: September 2010

This document is provided “as-is”. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. This document is confidential and proprietary to Microsoft. It is disclosed and can be used only pursuant to a non-disclosure agreement. Copyright © 2010 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, ActiveSync, ActiveX, Excel, Forefront, Groove, Hyper-V, Internet Explorer, Lync, MSDN, MSN, OneNote, Outlook, PowerPoint, RoundTable, SharePoint, Silverlight, SQL Server, Visio, Visual C++, Windows, Windows Media, Windows PowerShell, Windows Server, and Windows Vista are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

Contents
Determining Your Infrastructure Requirements............................................................................1 Determining Your System Requirements..................................................................................1 Hardware and Software Platform Requirements...................................................................1 Additional Software Requirements........................................................................................2 Network Infrastructure Requirements.......................................................................................4 Active Directory Domain Services Requirements, Support, and Topologies.............................6 Active Directory Domain Services Support...........................................................................6 Supported Active Directory Topologies..................................................................................7 Active Directory Infrastructure Requirements......................................................................12 Domain Name System (DNS) Requirements.........................................................................13 Determining DNS Requirements.........................................................................................14 DNS Requirements for Front End Pools.............................................................................17 DNS Requirements for Standard Edition Servers...............................................................20 DNS Requirements for Simple URLs..................................................................................21 DNS Requirements for Automatic Client Sign-In.................................................................23 Certificate Infrastructure Requirements..................................................................................25 Certificate Requirements for Internal Servers.....................................................................26 Certificate Requirements for External User Access............................................................31 Port Requirements.................................................................................................................33 Ports and Protocols.............................................................................................................33 IPsec Exceptions................................................................................................................44 Internet Information Services (IIS) Requirements...................................................................46 IIS Requirements for Front End Pools and Standard Edition Servers.................................47

Determining Your Infrastructure Requirements
You need to identify and understand the infrastructure requirements for your deployment, so you can plan how to meet those requirements before you deploy Microsoft Lync Server 2010 communications software. • • • • • • Network Infrastructure Requirements Active Directory Infrastructure Requirements Domain Name System (DNS) Requirements Certificate Infrastructure Requirements Port Requirements Internet Information Services (IIS) Requirements

Determining Your System Requirements
All servers running Microsoft Lync Server 2010 communications software must meet certain minimum system requirements. System requirements for Lync Server 2010 include the server hardware, the operating system to be installed on each server, and related software requirements, such as the Windows updates and other software that must be installed on the servers. Important: Lync Server 2010 is available only in a 64-bit edition, which requires 64-bit hardware and a 64-bit edition of Windows Server. A 32-bit edition of Lync Server 2010 is not available with this release. The exception is the Microsoft Lync Server 2010, Planning Tool, which is available in a 32-bit edition. • • Hardware and Software Platform Requirements Additional Software Requirements

Hardware and Software Platform Requirements
Platform requirements for Microsoft Lync Server 2010 communications software include the server hardware and the operating systems to be installed on the servers. These server requirements apply to each server on which you plan to deploy Lync Server 2010, including each Front End Server, each Edge Server, and each add additional Lync Server role. Server requirements also include the hardware and software for the database servers in your deployment, such as the Back End Server. For details about the supported platforms for servers in a physical topology and clients, see the Supported Hardware and Server and Tools Operating System Support sections in the Supportability documentation. For details about supported hardware for virtualized topologies, see Running in a Virtualized Environment in the Planning for Other Features documentation.

Determining Your Infrastructure Requirements for Microsoft Lync Server 2010

Note: For details about other system requirements for client computers and devices, see Client Software and Infrastructure Support in the Supportability documentation.

Additional Software Requirements
In addition to the hardware and operating system requirements for server platforms, Microsoft Lync Server 2010 communications software requires the installation of additional software on the servers you deploy. Note: For details about the platform requirements for Lync Server 2010 servers, see Hardware and Software Platform Requirements. For details about system requirements for client computers and devices, see the Planning for Clients and Devices documentation. Windows Update Requirements Before deploying Microsoft Lync Server 2010 communications software, you must install the following operating system updates: • Knowledge Base article 968929, "Windows Management Framework (Windows PowerShell 2.0, WinRM 2.0, and BITS 4.0)," at http://go.microsoft.com/fwlink/?linkid=197390 • For each server that has Internet Information Services (IIS) installed, you must install the following updates: • IIS URL Rewrite module at http://go.microsoft.com/fwlink/?linkid=197391 • IIS Application Request Routing module at http://go.microsoft.com/fwlink/? linkid=197392 Message Queuing Microsoft Lync Server 2010 communications software uses the Message Queuing (also known as MSMQ) technology with the following server roles: • • • • • Front End Server Mediation Server Archiving Server Monitoring Server A/V Conferencing Server

The Message Queuing service must be enabled on all servers prior to deploying any of the above listed server roles. Message Queuing can be installed as an optional feature in Windows Server 2008. Microsoft .NET Framework Requirements Microsoft .NET Framework 3.5 with SP1 is required for Microsoft Lync Server 2010. Setup prompts you to install this prerequisite, and it automatically installs it if it is not already installed on the computer. .NET Framework 4.0 can be installed on the same computer as well, but does not take the place of .NET Framework 3.5 with SP1, which is the required version for Lync Server 2010.

2

The Windows Media Format Runtime is required to run the Windows Media Audio (WMA) files that these applications play for announcements and music. and it automatically installs it if it is not already installed on the computer. you need to manually install this prerequisite on the server where you plan to install. Microsoft Visual C++ 2008 Redistributable Package Requirements The Microsoft Visual C++ 2008 redistributable is required to run Microsoft Lync Server 2010 communications software.5 Service Pack 1 (Full Package) at http://go.microsoft. see the Topology Builder Requirements for Installation. Publishing. Setup terminates.Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 Note: If you install Lync Server 2010 by using the command line.NET Framework 3.mum /ignorecheck 3 .NET Framework 3.NET 3. We recommend that you install Windows Media Format Runtime before you install Microsoft Lync Server 2010 communications software. Lync Server 2010 only supports the 64-bit edition of the . as well as the appropriate updates. Download the Microsoft .5 with SP1. If Lync Server 2010 does not find this software on the server. Note: If you install Lync Server 2010 by using the command line. To install the Windows Media Format Runtime on servers running Windows Server 2008 R2. and Administration and Requirements for the Planning Tool sections. installation of the administrative tools and the Planning Tool requires installation of Microsoft . If you choose not to install it. you must install Windows Media Format Runtime on Front End Servers.16385. Download the Microsoft Visual C++ 2008 Redistributable Package (x64) at http://go.5 SP1 package.NET Framework. Notes: • After installing the .7600.com/fwlink/?linkid=197399. it will prompt you to install it and then you must restart the server to complete installation. Announcement. Windows Media Format Runtime Requirements To use the Call Park.com/fwlink/?linkid=197398. use the following command: %systemroot%\system32\dism.exe /online /add-package /packagepath: %windir%\servicing\Packages\Microsoft-Windows-Media-FormatPackage~31bf3856ad364e35~amd64~~6. you need to manually install this prerequisite on the server.microsoft. you should immediately install the following updates: Additionally.1. Setup prompts you to install this prerequisite. For details. and Response Group applications. If you install Lync Server 2010 by using the Lync Server Deployment Wizard.

especially when supporting audio/video (A/V) conferencing and application sharing.com/fwlink/?linkid=197390. 4 . as well as the server operating system. whether the site has only a single Edge Server deployed or has multiple Edge Servers deployed). Network Infrastructure Requirements The network adapter card of each server in the Microsoft Lync Server 2010 communications software topology must support at least 1 gigabit per second (Gbps).microsoft.microsoft. use the following command: %systemroot%\system32\pkgmgr.5 from the Microsoft Download Center at http://go.mum Windows PowerShell Version 2. The size of the LAN is dependent on the size of the topology: • In Standard Edition topologies. For details about downloading Windows PowerShell version 2.18000. You must remove previous versions of Windows PowerShell prior to installing Windows PowerShell version 2. Download Windows Installer 4.0. and BITS 4. you should connect all server roles within the Lync Server 2010 topology using a low latency and high bandwidth local area network (LAN). uninstall.com/fwlink/?linkid=197395.0.0. For details about this requirement.0). "Windows Management Framework (Windows PowerShell 2. Windows Installer version 4. In general. most servers should be in a network that supports more than 1 Gbps. you can integrate by using either T1/E1 lines or SIP trunking.0. used to automate the administration of Lync Server 2010. Audio/Video Network Requirements Network requirements for audio/video in a Lync Server 2010 deployment include the following: • The external firewall can be configured as a NAT (that is. For PSTN integration.6001.Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 To install the Windows Media Format Runtime on servers running Windows Server 2008.5 is available as a redistributable component for the Windows Server operating system.0 Lync Server 2010 Management Shell is a management interface of Microsoft Lync Server 2010. see Firewall and Port Requirements for External User Access in the Planning for External User Access documentation. see Knowledge Base article 968929.0. • In Front End pool topologies. Windows Installer Version 4. WinRM 2. It requires Windows PowerShell command-line interface version 2. and maintain various server roles.exe /quiet /ip /m:%windir %\servicing\Packages\Microsoft-Windows-Media-FormatPackage~31bf3856ad364e35~amd64~~6." at http://go.5 Microsoft Lync Server 2010 communications software uses Windows Installer technology to install. a scripting language and command-shell environment.0. servers should be in a network that supports 1 Gbps Ethernet or equivalent.

you let the elasticity of the Lync Server media endpoints absorb the difference between that traffic volume and the peak traffic level. In an under-provisioned network. Also. For details. if enabled. and it is important to find and eliminate the weak points. • To cope with unexpected spikes in traffic above this level and increased usage over time. do the following: • Provision your network links to support throughput of 45 kilobits per second (Kbps) per audio stream and 300 Kbps per video stream. see IPsec Exceptions. do not assume that this adaptability will support an underprovisioned network. In this scenario. To ensure optimal media quality. A bidirectional audio or video session consists of two streams. Lync Server media endpoints can adapt to varying network conditions and support loads of three times the throughput (see previous paragraph) for audio and video while still retaining acceptable quality. However. the media subsystem is designed to work within this existing infrastructure. • Provision your network to ensure a maximum end-to-end delay (latency) of 150 milliseconds (ms) under peak load. • If you use IPsec. at the cost of some reduction in the voice quality.Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 • If your organization uses a Quality of Service (QoS) infrastructure. 5 . Conferencing Network Requirements The bandwidth that is used to download conference content from the IIS server depends on the size of the content that is uploaded. there is a decrease in the headroom otherwise available to absorb sudden peaks in traffic. you may need to consider provisioning for a lower volume of traffic. consider disabling video for certain users. Latency is the one network impairment that Lync Server media components cannot reduce. we recommend disabling IPsec over the port ranges used for A/V traffic. during peak usage periods. temporary high packet loss) is reduced. • For network links where provisioning is extremely costly and difficult. • For links that cannot be correctly provisioned in the short term (for example a site with very poor WAN links). the ability of the Lync Server media endpoints to dynamically deal with varying network conditions (for example.

instead of relying on Active Directory Domain Services (AD DS) for this information as in previous versions. In Lync Server 2010. the Response Group application and the Conferencing Attendant application) • • • Data published for backward compatibility A service connection point (SCP) for the Central Management store Kerberos Authentication Account (an optional computer object) This section describes the AD DS support requirements for Lync Server 2010. much of this information is stored in the Central Management store instead of AD DS. are still stored in AD DS. Lync Server 2010 still stores the following in AD DS: • Schema extensions • User object extensions • Extensions for Office Communications Server 2007 and Office Communications Server 2007 R2 classes to maintain backwards compatibility with previous supported versions • Data (stored in Lync Server extended schema and in existing classes) • User SIP URI and other user settings • Contact objects for applications (for example. For details about topology support. Support.Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 Active Directory Domain Services Requirements. In This Section • • • Active Directory Domain Services Support Supported Active Directory Topologies Active Directory Infrastructure Requirements Active Directory Domain Services Support Microsoft Lync Server 2010 communications software uses the Central Management store to store configuration data for servers and services. Supported Domain Controller Operating Systems Lync Server 2010 supports domain controllers running the following operating systems: • • • Windows Server 2008 R2 operating system Windows Server 2008 operating system Windows Server 2008 Enterprise 32-Bit 6 . as well as Office Communications Server 2007 and Office Communications Server 2007 R2 schema extensions. and Topologies Previous versions of Office Communications Server relied on Active Directory Domain Services (AD DS) to store all global settings and groups necessary for the deployment and management of Office Communications Server. see Supported Active Directory Topologies. but User object schema extensions.

For example. Lync Server 2010 can be deployed in a locked-down Active Directory environment. For details about what is required to deploy Lync Server in a locked-down environment. Support for Read-Only Domain Controllers Lync Server 2010 supports Active Directory Domain Services (AD DS) deployments that include read-only domain controllers or read-only global catalog servers. Users and Computer objects are often placed in specific organizational units (OUs) with permissions inheritance disabled to help secure administrative delegation and to enable use of Group Policy objects (GPOs) to enforce security policies. but a root domain named local is not supported.microsoft. see "Preparing a Locked Down Active Directory Domain Services" in the Deployment documentation. as long as there are writable domain controllers available. or at least Windows Server 2003. For details. Windows Server 2008. All forests in which you deploy Lync Server 2010 must be raised to a forest functional level of Windows Server 2008 R2. Locked Down AD DS Environments In a locked-down AD DS environment. The following topologies are supported: • • • • • Single forest with single domain Single forest with a single tree and multiple domains Single forest with multiple trees and disjoint namespaces Multiple forests in a central forest topology Multiple forests in a resource forest topology The following figure identifies the icons used in the illustrations in this section. at http://go. a forest with a root domain named contoso. or at least Windows Server 2003. Domain Names Lync Server does not support single-labeled domains.local is supported.com/fwlink/?LinkId=143752. see the Knowledge Based article. Supported Active Directory Topologies Microsoft Lync Server 2010 communications software supports the same Active Directory Domain Services (AD DS) topologies as Microsoft Office Communications Server 2007 R2 and Microsoft Office Communications Server 2007. 7 .Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 • • The 32-bit or 64-bit versions of the Windows Server 2003 R2 operating system The 32-bit or 64-bit versions of the Windows Server 2003 Forest and Domain Functional Level You must raise all domains in which you deploy Lync Server 2010 to a domain functional level of Windows Server 2008 R2. Windows Server 2008. “Information about configuring Windows for domains with single-label DNS names”.

you must deploy all the Front End Servers in the pool within a single domain. Multiple Domains Another Active Directory topology supported by Lync Server is a single forest that consists of a root domain and one or more child domains. In this type of Active Directory topology. User accounts include the following: • • User accounts within the same domain as the Lync Server pool User accounts in a different domain from the Lync Server pool 8 . Single Domain The simplest Active Directory topology supported by Lync Server 2010. a single domain forest. the domain where you create users can be different from the domain where you deploy Lync Server. and the arrow points to the domain where the Lync Server pool resides. In this figure. is a common topology. Single domain topology Single Forest. if you deploy a Front End pool. Lync Server support for Windows universal administrator groups enables cross-domain administration. The following figure illustrates a Lync Server deployment in a single domain Active Directory topology.Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 Key to topology illustrations Single Forest. a user icon shows the domain where the user account is homed. However. The following figure illustrates a deployment in a single forest with multiple domains.

a user icon shows the domain where the user account is homed. In this figure. User accounts include the following: • • • User accounts within the same domain as the Lync Server pool User accounts in a different domain from (but the same tree as) the Lync Server pool User accounts in a different tree from the Lync Server pool 9 . Multiple Trees A multiple-tree forest topology consists of two or more domains that define independent tree structures and separate Active Directory namespaces. a solid line points to a Lync Server pool that resides in the same or a different domain.Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 • User accounts in a child domain of the domain with the Lync Server pool Single forest with multiple domains Single Forest. and a dashed line points to Lync Server pool that resides in a different tree. The following figure illustrates a single forest with multiple trees.

Users can view presence of other users in any forest. A central forest has the following advantages: • • • Lync Server servers are centralized within a single forest.Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 Single forest with multiple trees Multiple Forests. In this figure. Central forest topologies use contact objects in the central forest to represent users in the other forests. The following figure illustrates a central forest topology. such as Microsoft Identity Integration Server (MIIS). The schema in the separate user forests does not need to be extended. or Microsoft Identity Lifecycle Manager (ILM) 2007 Feature Pack 1 (FP1). Microsoft Forefront Identity Manager (FIM) 2010. 10 . Users can search for and communicate with other users in any forest. Central Forest Lync Server 2010 supports multiple forests that are configured in a central forest topology. and each user-only domain. which is in the central forest. which is in a separate forest. there are two-way trust relationships between the domain that hosts Lync Server. • The directory synchronization product automates the addition and deletion of contact objects in the central forest as user accounts are created or removed. manages the life cycle of user accounts within the organization: When a new user account is created in one of the forests or a user account is deleted from a forest. A directory synchronization product. The central forest also hosts user accounts for any users in this forest. the directory synchronization product synchronizes the corresponding contact in the central forest.

Resource Forest In a resource forest topology. one forest is dedicated to running server applications. the disabled user accounts might already exist. manages the life cycle of user accounts. such as Microsoft Exchange Server and Lync Server. The resource forest acts as a shared services environment for the other forests where user objsects reside. such as MIIS. This topology provides the benefit of limiting the need to extend the Active Directory schema to a single forest (that is. or Microsoft Identity Lifecycle Manager (ILM) 2007 Feature Pack 1 (FP1). A directory synchronization product. The resource forest hosts the server applications and a synchronized representation of the active user object. This topology can be used to provide a shared infrastructure for services in organizations that manage multiple forests or to separate the administration of Active Directory objects from other administration. you create one disabled user object in the resource forest for every user account in the user forests. 11 .Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 Central forest topology Multiple Forests. The user forests have a forest-level trust relationship with the resource forest. When you deploy Lync Server in this type of topology. the directory synchronization product synchronizes the corresponding user representation in the resource forest. the resource forest). The following diagram illustrates a resource forest topology. Microsoft Forefront Identity Manager (FIM) 2010. When a new user account is created in one of the user forests or a user account is deleted from a forest. Companies that need to isolate Active Directory administration for security reasons often choose this topology. but it does not contain logon-enabled user accounts. If Microsoft Exchange is already deployed in the resource forest.

• All domains in which you deploy Lync Server 2010 are raised to a domain functional level of Windows Server 2008 R2. Windows Server 2008 Enterprise 32-Bit. or Windows Server 2003. see "Raising domain and forest functional levels" at http://go. Note: To change your domain or forest functional level. Windows Server 2008. Lync Server 2010 supports the universal groups in the Windows Server 2008 and Windows Server 2003 operating systems. • The forest in which you deploy Lync Server 2010 is raised to a forest functional level of Windows Server 2008 R2.microsoft. or the 32-bit or 64-bit versions of the Windows Server 2003 operating system. Members of universal groups can include other groups and accounts from any domain in the domain tree or forest and can be assigned permissions in any 12 .Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 Resource forest topology Active Directory Infrastructure Requirements Before you start the process of preparing Active Directory Domain Services (AD DS) for Microsoft Lync Server 2010 communications software. Windows Server 2008.com/fwlink/?LinkId=125762. Windows Server 2008 operating system. the 32-bit or 64-bit versions of the Windows Server 2003 R2 operating system. ensure that your Active Directory infrastructure meets the following prerequisites: • All domain controllers (which includes all global catalog servers) in the forest where you deploy Lync Server 2010 run Windows Server 2008 R2 operating system. or Windows Server 2003.

if your organization wants to support it). • To allow external UC devices to connect to Device Update Service through Edge Servers or the HTTP reverse proxy and obtain updates. you must create Domain Name System (DNS) records that enable the discovery of clients and servers. simplifies the management of a Lync Server deployment. • To allow unified communications (UC) devices that are not logged on to discover the Front End pool or Standard Edition server running Device Update Service. For example. combined with administrator delegation. and support for automatic client sign-in (that is. it is not necessary to add one domain to another to enable an administrator to manage both. Microsoft Lync Server 2010 communications software uses Domain Name System (DNS) in the following ways: • To discover internal servers or pools for server-to-server communications. • To allow external servers and clients to connect to Edge Servers or the HTTP reverse proxy for instant messaging (IM) or conferencing. • To allow clients to discover the Front End pool or Standard Edition server used for various SIP transactions.Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 domain in the domain tree or forest. Universal group support. Domain Name System (DNS) Requirements To deploy Microsoft Lync Server 2010 communications software. and send logs. • • • • • Determining DNS Requirements DNS Requirements for Front End Pools DNS Requirements for Standard Edition Servers DNS Requirements for Simple URLs DNS Requirements for Automatic Client Sign-In 13 . obtain updates.

Determining DNS Requirements Flow Chart 14 .Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 Determining DNS Requirements Use the following flow chart to determine Domain Name System (DNS) requirements.

com However. 86400 IN SRV 0 0 5061 sip.contoso. then automatic configuration of the Lync 2010 client will work fine as long as the _sipinternaltls.com.com the first SRV record will work for automatic configuration as follows: _sipinternaltls.com for which it is authoritative The internal contoso.com zone contains: • DNS A and SRV records for Lync 2010 client auto configuration (optional) • DNS A and SRV records for the Edge external interface of each Lync Server 2010.com._tcp. select one of the following options: • Put host records on each client machine. This was also the case with earlier versions of Communicator.litwareinc. _sipinternaltls.com. this record will not be used by Lync for automatic configuration even though it is a valid SRV record because the client’s SIP domain is contoso.com as an example): Internal DNS: • • Contains a DNS zone called contoso._tcp SRV record is created in the external DNS contoso.com zone contains: • DNS A and SRV records for all servers running Microsoft Lync Server 2010 communications software in the corporate network • DNS A and SRV records for the Edge internal interface of each Lync Server 2010. Edge Server in the perimeter network • DNS A records for the reverse proxy internal interface of each reverse proxy server in the perimeter network • All Lync Server 2010 servers in the perimeter network point to the internal DNS servers for resolving queries to contoso.contoso.com External DNS: • • Contains a DNS zone called contoso. if a user signs in as cstest01@contoso. Edge Server in the perimeter network • DNS A records for the reverse proxy external interface of each reverse proxy server in the perimeter network Automatic Configuration without Split-Brain DNS If split-brain DNS is used.com. the term split-brain DNS means the following (using contoso.Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 Split-Brain DNS Like network address translation (NAT).com. If automatic configuration is required for Lync clients.com zone. not litwareinc. This is because Lync 2010 requires that the domain of the target host match the domain of the user’s SIP URI. For example. However. the term split-brain DNS is defined several different ways. 86400 IN SRV 0 0 5061 sip. if split-brain DNS is not in use then client automatic configuration will not work unless one of the workarounds described below is implemented.com for which it is authoritative The external contoso. For this document. 15 ._tcp.contoso.com • All Lync Server 2010 servers and clients running Microsoft Lync 2010 in the corporate network point to the internal DNS servers for resolving queries to contoso.

microsoft. if there are three front end servers in a pool named pool01. The application. • If it gets to the end without a successful connection. the client tries the next IP address in its cache.91 192. the SRV records associated with automatic configuration are not required. /recordadd access.com. but it does automate the process of manual configuration. For example.contoso.contoso. create a DNS A record for pool01.contoso.168. /recordadd _sipinternaltls.com and get back three IP addresses (not necessarily in this order). tries to connect to a server in a pool by connecting to one of the IP addresses resulting from the DNS A query for the pool fully qualified domain name (FQDN). so if this approach is used. /recordadd access. see http://go. the user is notified that no Lync Server 2010 servers are available at the moment. @ A 192. create an internal DNS zone called contoso. • Create a .contoso. /dsprimary dnscmd . if a user is homed on pool01.contoso. the following will happen: • The Lync 2010 client will query DNS for pool01. dnscmd .91 For details.com. @ A 192. Note: This option does not enable automatic configuration.com 192. a Lync 2010 client or SIP server).10.90 192. @ SRV 0 0 5061 access.10. (for example.contoso. DNS Load Balancing DNS load balancing is typically implemented at the application level.168.com/fwlink/?LinkId=200707.168. the client has intelligence built in to try each subsequent IP address in its cache.168.Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 • Use Group Policy objects (GPOs) to populate the correct server values.10.10. • If the TCP SYN request succeeds.contoso.exe as follows: dnscmd . If that fails._tcp.com zone in the internal DNS that matches the external DNS zone and create DNS A records corresponding to the Lync Server 2010 pool used for automatic configuration. and populate those zones using dnscmd. For example.contoso. /zoneadd access. the client attempts to connect to the front end server a SIP REGISTER.contoso.168.com. a SIP XXX error is returned).contoso. /dsprimary dnscmd .com. you can create dedicated zones that correspond to the SRV records that are required for automatic configuration.com pool01.com.net but signs into Lync as cstest01@contoso.contoso.com. 16 .com.10.90 dnscmd .com. the client attempts to establish a Transmission Control Protocol (TCP) connection to one of the IP addresses in its cache using a TCP SYN request.com._tcp. and cache them as follows: pool01. • If you are creating an entire zone in the internal DNS is not an option.contoso. • If the SIP REGISTER attempt fails (for example.92 • Then.com and inside it.com pool01. /zoneadd _sipinternaltls.contoso.

but does not enable failover. Therefore. DNS load balancing is used for the following: • Load balancing Lync Server SIP servers (for example. Lync Server Registrar. DNS round robin is less reliable than DNS-based load balancing. DNS Requirements for a Front End Pool Deployment scenario DNS requirement Front End pool with multiple Front End Servers and a hardware load balancer (whether or not DNS load balancing is also deployed on that pool) An internal A record that resolves the fully qualified domain name (FQDN) of the Front End pool to the virtual IP (VIP) address of the load balancer. the Access Edge service will pick the SRV record that came back first from the DNS server. For example. if the connection to the one IP address returned by the DNS A query fails. Typically DNS RR only enables load balancing. Response Group application. the Access Edge service always picks the DNS SRV record with the lowest numerical priority and highest numerical weight. the connection fails. with a different IP being returned every time a DNS A record query is resolved by the DNS Server. Microsoft Lync 2010 Attendant. and Call Park application) • • • Draining of UCAS applications Load balancing server-to-server (as well as client-to-server) connections for SIP traffic Load balancing client to Web Conferencing Edge traffic • Load balancing other HTTP(s) traffic between server running Lync Server (for example. Director and Access Edge) • Load balancing Unified Communications Application Services (UCAS) applications (for example.Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 Note: DNS-based load balancing is different from DNS round robin (DNS RR) which typically refers to load balancing by relying on DNS to provide one IP address corresponding to one of the servers in a pool. DNS Requirements for Front End Pools This section describes the Domain Name System (DNS) records that are required for deployment of Front End pools. If multiple DNS SRV records with equal priority and weight are returned. 17 . DNS Records for Front End Pools The following table specifies DNS requirements for a Microsoft Lync Server 2010 Front End pool deployment. Focus) DNS load balancing cannot be used for the following: • • DCOM traffic Client-to-server web traffic If multiple DNS records are returned to a DNS SRV query.

There must one A record for each server in the pool.<domain> over port 5061 that maps to the FQDN of the Front End pool that authenticates and redirects client requests for sign-in._tcp. For each supported SIP domain. an SRV record for _sipinternaltls. For details. devices obtain this information though in-band provisioning the first time a user logs in. An internal A record that resolves the FQDN of the Front End pool to the IP address of the single Enterprise Edition Front End server. For details. the A record allows the device to discover the Front End pool hosting Device Update Service and obtain updates. In the situation where an UC device is turned on.<SIP domain> that resolves to the IP address of the Front End pool that hosts the Device Update Service. Front End pool with DNS load balancing deployed Front End pool with a single Front End Server and a dedicated Back-End Database but no load balancer An internal URL for conferencing that is different from the default pool FQDN An internal A record that resolves the host name portion of the URL to the virtual IP of the conferencing load balancer (or single Front End Server if appropriate). An internal A record with the name ucupdatesr2. see DNS Requirements for Automatic Client Sign-In. A set of internal A records that resolve the FQDN of each server in the pool to the IP address of that server. you Automatic client sign-in Device Update Service discovery by unified communications (UC) devices 18 . Otherwise. Important: If you have an existing deployment of Windows Server Update Services (WSUS) in Microsoft Office Communications Server 2007. see DNS Load Balancing in the Planning for Other Features documentation. see Updating Devices in the Planning for Clients and Devices documentation.Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 Deployment scenario DNS requirement Front End pool with DNS load balancing deployed A set of internal A records that resolve the FQDN of the pool to the IP address of each server in the pool. For details. but a user has never logged into the device.

Example DNS Records for Internal Web Farm FQDN Internal Web farm FQDN Pool FQDN DNS A record(s) ee-pool. For details. Clients and UC devices use this record to connect to the reverse proxy.com that resolves to the VIP address of the load balancer used by the Web Components Servers. For Microsoft Office Communications Server 2007 R2.contoso.com ee-pool.contoso. the load balancer distributes SIP traffic to the Front End Servers and HTTP(S) traffic to the Web Components Servers.contoso. see Determining DNS Requirements.contoso.Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 Deployment scenario DNS requirement have already created an internal A record with the name ucupdates.<SIP domain>. A reverse proxy to support HTTP traffic An external A record that resolves the external Web farm FQDN to the external IP address of the reverse proxy. webcon.contoso. In this case. 19 .com DNS A record for the eepool.contoso. you must create an additional DNS A record with the name ucupdates-r2.contoso.com DNS A record for eepool.com that resolves to the VIP address of the load balancer used by the Front End Servers. The following table shows an example of the DNS records required for the internal Web farm FQDN.com ee-pool. DNS A record for webcon.com that resolves to the virtual IP (VIP) address of the load balancer used by the Enterprise Edition Front End Servers in the Front End pool.<SIP domain>.

you must create an additional DNS A record with the name ucupdates-r2. DNS Records for Standard Edition Servers The following table specifies DNS requirements for Microsoft Lync Server 2010 Standard Edition server deployment. For each supported SIP domain. an SRV record for _sipinternaltls.<domain> over port 5061 that maps to the FQDN of the Standard Edition server that authenticates and redirects client requests for sign-in.<SIP domain>. the A record allows the device to discover the server hosting Device Update Service and obtain updates. you have already created an internal A record with the name ucupdates. In the situation where an UC device is turned on. For details.Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 DNS Requirements for Standard Edition Servers This section describes the Domain Name System (DNS) records that are required for deployment of Standard Edition servers. For Office Communications Server 2007 R2. For details. Automatic client sign-in Device Update Service discovery by unified communications (UC) devices 20 . DNS Requirements for a Standard Edition Server Deployment scenario DNS requirement Standard Edition server An internal A record that resolves the fully qualified domain name (FQDN) of the server to its IP address. see Updating Devices in the Planning for Clients and Devices documentation. An internal A record with the name ucupdatesr2._tcp.<SIP domain>. Otherwise. but a user has never logged into the device. Important: If you have an existing deployment of Windows Server Update Services (WSUS) in Office Communications Server 2007. see DNS Requirements for Automatic Client Sign-In. devices obtain the server information though in-band provisioning the first time a user logs in.<SIP domain> that resolves to the IP address of the Standard Edition server hosting Device Update Service.

you create a new SIP domain name for each simple URL. users are directed to the appropriate server for meeting content no matter which server or pool the simple URL DNS A records resolve to. see Determining DNS Requirements. For details. DNS Requirements for Simple URLs Microsoft Lync Server 2010 communications software supports the following three simple URLs for conferencing: Meet. the server that the DNS A record resolves to determines the correct client software to start. 21 . Dial-In. Simple URL Option 1 In Option 1. and Admin. There are three different ways you can define the URLs. You are required to set up simple URLs for Meet and Dial-In. Note: When a user clicks a simple URL meeting link. Clients and UC devices use this record to connect to the reverse proxy. and the Admin simple URL is optional. After the client software is started. This way. it automatically communicates with the pool where the conference is hosted.Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 Deployment scenario DNS requirement A reverse proxy to support HTTP traffic An external A record that resolves the external Web farm FQDN to the external IP address of the reverse proxy. The Domain Name System (DNS) records that you need to support simple URLs depend on how you have defined these simple URLs.

com Dial-in Admin If you use Option 1. Simple URL Option 2 With Option 2. it should resolve to the IP address of the load balancer of a Front End pool. all simple URLs are based on the domain name lync. 22 . For example. you must define the following: • For each Meet simple URL. you will create DNS A records for both https://meet. If you have more than one SIP domain in your organization and you use this option. https://meet.fabrikam. If you have not deployed a pool and are using a Standard Edition server deployment. If you have not deployed a pool and are using a Standard Edition server deployment.Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 Simple URL Option 1 Simple URL Meet Example https://meet.com. • For the Dial-in simple URL.com https://admin. the DNS A record must resolve to the IP address of one Standard Edition server in your organization.contoso. if you have both contoso.com. you must create Meet simple URLs for each SIP domain and you need a DNS A record for each Meet simple URL. • The Admin-in simple URL is internal only. the DNS A record must resolve to the IP address of one Standard Edition server in your organization.com.com to the IP address of the load balancer of a Front End pool. you need only one DNS A record.com. and so on (one for each SIP domain in your organization) https://dialin.contoso.contoso.contoso. the DNS A record must resolve to the IP address of one Standard Edition server in your organization. Alternatively.com and fabrikam. Otherwise. use Option 3 as described later in this topic.fabrikam. which resolves lync.contoso. If you have not deployed a pool and are using a Standard Edition server deployment. if you have one deployed. it should resolve to the IP address of the load balancer of a Front End pool. Otherwise. you need a DNS A record that resolves the URL to the IP address of the Director. if you have multiple SIP domains and you want to minimize the DNS record and certificate requirements for these simple URLs.com and https://meet.contoso. It requires a DNS A record that resolves the URL to the virtual IP (VIP) address of a Front End pool. the DNS A record must resolve to the IP address of one Standard Edition server in your organization. If you have not deployed a pool and are using a Standard Edition server deployment.com. Therefore. you need a DNS A record that resolves the URL to the IP address of the Director. if you have one deployed.

com/fabrikamSIPdomain/Admin DNS Requirements for Automatic Client Sign-In This section explains the Domain Name System (DNS) records that are required for automatic client sign-in.Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 Simple URL Option 2 Simple URL Meet Example https://lync. you must: • Designate a single server or pool to distribute and authenticate client sign-in requests. • Create an internal DNS SRV record to support automatic client sign-in for this server or pool.contoso.com/fabrikamSIPdomain/Meet Dial-in https://lync.com/Meet. For high availability.contoso. https://lync. To support automatic client sign-in. 23 . and so on (one for each SIP domain in your organization) https://lync. Simple URL Option 3 Simple URL Meet Example https://lync.contoso.contoso.contoso.com/Admin Dial-in Admin Simple URL Option 3 Option 3 is most useful if you have many SIP domains. we recommend that you designate a Front End pool for this function.contoso. When you deploy your Standard Edition servers or Front End pools.contoso. you can configure your clients to use automatic discovery to sign in to the appropriate Standard Edition server or Front End pool.com/Meet. If you plan to require your clients to connect manually to Microsoft Lync Server 2010 communications software. This can be an existing server or pool in your organization that hosts users. or you can designate a dedicated server or pool for this purpose that hosts no users.com/fabrikamSIPdomain/ Dialin Admin https://lync.com/contosoSIPdomain/Meet https://lync. you can skip this topic.com/contosoSIPdomain/Dialin https://lync.contoso.com/Dialin https://lync. and you want them to have separate simple URLs but want to minimize the DNS record and certificate requirements for these simple URLs.contoso.com/contosoSIPdomain/Admin https://lync.fabrikam.

queries for DNS records adhere to strict domain name matching between the domain in the user name and the SRV record.com domain over port 5061 that maps to pool01. 24 .com contoso.com pool01.com domain over port 5061 that maps to pool01. The following table shows some example records required for the fictitious company Contoso. SIP domain refers to the host portion of the SIP URIs assigned to users.com. which supports SIP domains of contoso.contoso. For example._tcp.contoso. Do not create this SRV record for additional internal servers or pools. you must create an internal DNS SRV record that maps one of the following records to the fully qualified domain name (FQDN) of the Front End pool or Standard Edition server that distributes sign-in requests from Lync clients: • _sipinternaltls. If you prefer that client DNS queries use suffix matching instead. An organization can also support multiple SIP domains. To enable automatic configuration for your clients.contoso.com An SRV record for _sipinternaltls. The SIP domain is often different from the internal Active Directory domain.com is the SIP domain. see Operations. Example of DNS Records Required for Automatic Client Sign-in with Multiple SIP Domains FQDN of Front End pool used to distribute sign-in requests SIP domain DNS SRV record pool01.com Note: By default. <domain> . if SIP URIs are of the form *@contoso.<domain> . contoso.retail. For details about configuring SIP domains.contoso.com An SRV record for _sipinternaltls._tcp.contoso._tcp.contoso.for internal TCP connections (performed only if TCP is allowed) You only need to create a single SRV record for the Front End pool or Standard Edition server or that will distribute sign-in requests._tcp. you can configure the DisableStrictDNSNaming Group Policy.contoso.com.com and retail. For details.for internal TLS connections • _sipinternal.Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 Note: In the following record requirements. Create only one SRV record for the designated server or pool. see the Planning for Clients and Devices documentation. Important: Only a single Front End pool or Standard Edition server can be designated to distribute sign-in requests.com retail.contoso.

_tcp.com domain over port 5061 that maps to pool01.contoso. and all of its users have a SIP URI in one of the following forms: • • <user>@retail.contoso. application sharing.contoso.com domain over port 5061 that maps to pool01.contoso. and conferencing For Lync Server 2010.contoso.retail. retail.contoso.contoso. All server certificates must contain a CRL Distribution Point (CDP)._tcp.com Certificate Infrastructure Requirements Microsoft Lync Server 2010 communications software requires a public key infrastructure (PKI) to support TLS and mutual TLS (MTLS) connections. Lync Server 2010 uses certificates for the following purposes: • • • • TLS connections between client and server MTLS connections between servers Federation using automatic DNS discovery of partners Remote user access for instant messaging (IM) • External user access to audio/video (A/V) sessions. The Contoso organization supports the SIP domains of contoso. Auto-enrollment is supported for internal servers running Lync Server. the following DNS records are required: • SRV record for _sipinternaltls.Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 Example of the Certificates and DNS Records Required for Automatic Client Sign-In This example uses the same example names in the preceding table.com as the pool that will distribute its sign-in requests.com • SRV record for _sipinternaltls.com Front End pool must include the following in its Subject Alternative Name: • • sip.contoso.contoso.com.com Example of Required Certificates In addition.com and retail. the following common requirements apply: • • • • All server certificates must support server authorization (Server EKU).com sip. Auto-enrollment is not supported for Lync Server Edge Servers. the certificate that is assigned to the Front End Servers in the pool01.contoso.com <user>@contoso. 25 .com Example of Required DNS Records If the administrator at Contoso configures pool01.

All these are standard web server certificates. Certificates for Standard Edition Server Subject name/ Common Certificate name Subject Alternative Name Example Comments Default FQDN of the pool FQDN of the pool and the FQDN of the server If you have multiple SIP domains and have enabled automatic client configuration.com detects any SIP domains you specified during setup and automatically adds them to the Subject Alternative Name.Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 Certificate Requirements for Internal Servers Internal servers that are running Microsoft Lync Server 2010 communications software and that require certificates include Standard Edition server.microsoft. and Director. Note that server enhanced key usage (EKU) is automatically configured when you use the certificate wizard to request certificates. SAN=se01.com. You can use the Microsoft Lync Server 2010 certificate wizard to request these certificates. policy. private key.contoso.contoso.com On Standard Edition server. If this pool is the auto-logon server for clients and strict DNS SN=se01. The wizard SAN=sip. The following table shows the certificate requirements for these servers. then you also need SAN=sip. see article Microsoft Knowledge Base 929395.fabrikam." at http://go. nonexportable.contoso.com.com/fwlink/?LinkId=140898. The following tables show certificate requirements by server role for Front End pools and Standard Edition servers. Mediation Server. the certificate wizard detects and adds each supported SIP domain FQDNs. Although an internal enterprise certification authority (CA) is recommended for internal servers. 26 . you can also use a public CA. Enterprise Edition Front End Server. A/V Conferencing Server. the server If this pool is the auto-logon server for clients and strict DNS FQDN is the same as the matching is required in group pool FQDN. "Unified Communications Certificate Partners for Exchange 2007 and for Communications Server 2007. For a list of public CAs that provide certificates that comply with specific requirements for unified communications (UC) certificates and have partnered with Microsoft to ensure they work with the Lync Server Certificate Wizard.

com.com. Web external FQDN of the server Each of the following: SN=se01. SAN=webcon01. • External SAN=meet.com.contoso.com. web FQDN SAN=meet.com.com FQDN of the server) • Meet simple URLs • Dial-in simple URL • Admin simple URL Internal web FQDN cannot be overwritten in Topology Builder.contoso.contoso.contoso.contoso. then you also need entries for sip.contoso. SAN=se01.com.fabrikam. you must include all of them as Subject Alternative Names. Web FQDN SAN=meet.contoso.contoso.fabrikam.Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 Subject name/ Common Certificate name Subject Alternative Name Example Comments matching is required in group policy. you must include all of them as Subject Alternative Names. If you have multiple Meet simple URLs. (which is the SAN=dialin.com.com • Dial-in simple URL • Admin simple URL If you have multiple Meet simple URLs.sipdomain (for each SIP domain you have).com. • Internal SAN=meet.com.contoso. same as the SAN=admin. 27 . Web internal FQDN of the server Each of the following: SN=se01. SAN=dialin.

If you have multiple SIP domains and have enabled automatic client configuration.contoso.sipdomain (for each SIP domain you have).Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 Certificates for Front End Server in a Front End Pool Subject name/ Common Certificate name Subject Alternative Name Example Comments Default FQDN of the pool FQDN of the pool and FQDN of the server. same as the SAN=admin. web FQDN SAN=meet.fabrikam.com. you must include all of them as Subject 28 .contoso.contoso.com. the certificate wizard detects and adds each supported SIP domain FQDNs.com. SN=eepool.contoso.com.fabrikam. • Internal SAN=meet. SAN=ee01. SAN=eepool. Web Internal FQDN of the server Each of the following: SN=ee01.contoso.com.contoso.contoso. If you have multiple Meet simple URLs. SAN=ee01.com. then you also need entries for sip.com Name. If this pool is the auto-logon server for clients and strict DNS matching is required in group policy.com The wizard detects any SIP domains you specified during If this pool is the auto-logon server for clients and strict DNS setup and automatically matching is required in group adds them to policy.contoso.com. (which is the SAN=dialin. Alternative SAN=sip.contoso.com. then you also need the Subject SAN=sip.com FQDN of the server) • Meet simple Internal web FQDN cannot be overwritten inTopology Builder.

contoso. FQDN (which is SAN=meet.sipdomain (for each SIP domain you have). Certificates for Director Subject name/ Certificate Common name Subject Alternative Name Example Default FQDN of the Director pool FQDN of the Director.com. Web external FQDN of the server Each of the following: SN=ee01.fabrikam.com. then you also need entries for sip.com.com.com. • Internal web SAN=dir01. the same as the SAN=dialin.contoso. then also SAN=sip.com.com.contoso.com Web Internal FQDN of the server Each of the following: SN=dir01.com • Dial-in simple URL • Admin simple URL If you have multiple Meet simple URLs.Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 Subject name/ Common Certificate name Subject Alternative Name Example Comments URLs • Dial-in simple URL • Admin simple URL Alternative Names.contoso.fabrikam.contoso.com. SAN=dir-pool.com.fabrikam. • External SAN=meet.contoso.contoso. SAN=dialin.com If this Director pool is the autologon server for clients and strict DNS matching is required in group policy.contoso.contoso. SAN=dir01. FQDN of the Director pool If this pool is the auto-logon server for clients and strict DNS matching is required in group policy.contoso.contoso.com.com.com. SAN=sip. SAN=meet. FQDN of the 29 . SN=dir-pool.contoso. Web FQDN SAN=meet. you must include all of them as Subject Alternative Names. SAN=webcon01.

SAN=webcon01.com simple URL • Admin simple URL If you have a standalone A/V Conferencing Server pool. the certificates listed in the “Certificates for Front End Server in Enterprise Pool” table earlier in this topic are sufficient. Web FQDN SAN=meet.com. Certificates for Standalone A/V Conferencing Server Subject name/ Certificate Common name Subject Alternative Name Example Default FQDN of the pool Not applicable SN=av-pool.contoso.com • External SAN=meet.fabrikam. the certificates listed in the “Certificates for Front End Server in Enterprise Pool” table earlier in this topic are sufficient.com Web external FQDN of the server Each of the following: SN=dir01. (If you collocate Mediation Server with the Front End Servers. • Dial-in SAN=dialin.contoso.contoso. the A/V Conferencing Servers in it each need the following certificates.com.contoso.contoso. the Mediation Servers in it each need the following certificates.Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 Subject name/ Certificate Common name Subject Alternative Name Example server) • Meet simple URLs • Dial-in simple URL • Admin simple URL SAN=admin. If you collocate A/V Conferencing Server with the Front End Servers.com.com If you have a stand-alone Mediation Server pool. 30 .contoso.

This leaves the Edge internal interface. with the same certificate used on each Edge server in the Edge pool. which can use either a private certificate issued by an internal certification authority (CA) or a public certificate. For details.contoso. the subject alternative name must also contain the access Edge FQDN because Transport Layer Security (TLS) ignores the subject name and uses the subject alternative name entries for validation. Requirements for the public certificate used for access and web conferencing Edge external interfaces.contoso.microsoft.fabrikam.com). • If the certificate will be used on an Edge pool. • The subject name of the certificate is the access Edge external interface fully qualified domain name (FQDN) or hardware load balancer VIP (for example.net." at http://go. are: • The certificate must be issued by an approved public CA that supports subject alternative name. plus the A/V Authentication Edge internal interface. SAN=sip.<sipdomain> (need one entry per SIP domain) SN=sba01. and the A/V authentication Edge internal interface.com/fwlink/?LinkId=140898.net. Note: Even though the certificate subject name is equal to the access Edge FQDN.net Certificates for Survivable Branch Appliance Subject name/ Certificate Common name Subject Alternate Name Example Default FQDN of the appliance SIP. it must be created as exportable.contoso. • The subject alternative name list contains the FQDNs of the following: • The access Edge external interface or hardware load balancer VIP (for example.contoso.com). 31 .contoso. access.contoso. SAN= medsvr-pool. SAN=sip. "Unified Communications Certificate Partners for Exchange Server and for Communications Server.com.com Certificate Requirements for External User Access Microsoft Lync Server 2010 communications software supports the use of a single public certificate for Access and Web Conferencing Edge external interfaces.Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 Certificates for Standalone Mediation Server Subject name/ Certificate Common Name Subject Alternate Name Example Default FQDN of the pool FQDN of the pool SN=medsvrpool. access. see Knowledge Base article 929395.

• No subject alternative name list is required. sip. if it is to be used on more than one Edge Server. 32 . Requirements for the private (or public) certificate used for the Edge internal interface are as follows: • The certificate can be issued by an internal CA or an approved public certificate CA.com. It must also be exportable if you request the certificate from any computer other than the Edge Server. csedge. • The subject name of the certificate is the Edge internal interface FQDN or hardware load balancer VIP (for example.com). with the same certificate used on each Edge Server in the Edge pool.com). This means that the certificate must be exportable. • If using client auto-configuration. load-balanced Edge Servers at a site. webcon. also include any SIP domain FQDNs used within your company (for example. the A/V authentication certificate that is installed on each Edge Server must be from the same CA and must use the same private key.com). it must be created as exportable.fabrikam. if it is to be used on more than one Edge Server.contoso. If you are deploying multiple. Note: The order of the FQDNs in the subject alternative names list does not matter.contoso. It must also be exportable if you request the certificate from any computer other than the Edge Server. load-balanced Edge Servers at a site. • If the certificate will be used on an Edge pool. If you are deploying multiple. the A/V authentication certificate that is installed on each Edge Server must be from the same CA and must use the same private key.contoso. This means that the certificate must be exportable.Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 • The web conferencing Edge external interface or hardware load balancer VIP (for example. sip.

IPsec must be disabled over the range of ports used for the delivery of audio. If you are using Domain Name System (DNS) load balancing for this pool. those with a value of Yes in this column) are open.Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 Port Requirements Microsoft Lync Server 2010 communications software requires that specific ports on the firewall be open. Note: Windows Firewall must be running before you start the Lync Server 2010 services on a server. Values of Yes (must be open on the hardware load balancer even if you are using DNS load balancing) indicate that load balancing for this port must occur on the pool’s hardware load balancer (that is. The following table lists the ports that need to be open on each server role. Additionally. Additionally. video. even if DNS load balancing is used for SIP traffic on this pool). if this server is part of a pool). the Does this port need to be open on the load balancer? column indicates whether this port must be open on the load balancer too (that is. For details about firewall configuration for edge components.) Required Ports (by Server Role) Does this port need to be open Component (server role or client) Service name Port Protocol on the load balancer? Notes Front End Servers Lync Server Front-End service 5060 TCP Yes Used by Standard Edition servers and Front End pools for listening to client connections from 33 . the DNS load balancing will automatically ensure that the ports (that is. see Firewall Requirements for External User Access in the Planning for External User Access documentation. and panorama video. because that is when Lync Server opens the required ports in the firewall. for each port. if Internet Protocol security (IPsec) is deployed in your organization. This section includes the following topics: • • Ports and Protocols IPsec Exceptions Ports and Protocols This section summarizes the ports and protocols used by servers and clients in a Microsoft Lync Server 2010 communications software deployment. all ports with a value of Yes must be open on the hardware load balancer. (If you are using only a hardware load balancer for a pool.

Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 Does this port need to be open Component (server role or client) Service name Port Protocol on the load balancer? Notes Microsoft Lync 2010 (TCP). for SIP communications between Server and Client (TLS) and for SIP communications between Front End Servers and Mediation Servers (MTLS). Used for DCOM based operations such as Moving Users. Used for communication between the Focus (the Lync Server component that manages conference state) and the individual servers. Front End Servers Lync Server Front-End service 5061 TCP (TLS) Yes Used by Standard Edition servers and Front End pools for all internal SIP communications between servers (MTLS). Used to listen for Front End Servers TCP No 34 . User Replicator Synchronization. Front End Servers Lync Server Front-End service 444 HTTPS Yes Front End Servers Lync Server Front-End service 135 DCOM and remote procedur e call (RPC) Yes (must be open on the hardware load balancer even if you are using DNS load balancing) No Front End Servers Lync Server IM 5062 Conferencing service Lync Server 8057 TCP Used for incoming SIP requests for instant messaging (IM) conferencing. and Address Book Synchronization.

Front End Servers Lync Server Web Compatibility service 8080 TCP Used for IIS Web components for external access. No Used for incoming SIP requests for audio/video (A/V) conferencing. Media port range used for video conferencing. Front End Servers Lync Server Web Compatibility service 443 HTTPS Used for communication from Front End Servers to the Web farm FQDNs (the URLs used by IIS Web components).Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 Does this port need to be open Component (server role or client) Service name Port Protocol on the load balancer? Notes Web Conferencing service Front End Servers Lync Server Audio/Video Conferencing service Lync Server Audio/Video Conferencing service Web Compatibility service 5063 (TLS) Persistent Shared Object Model (PSOM) connections from client. 35 . TCP Front End Servers 5750165335 TCP/UD P No Front End Servers 80 HTTP Yes (must be open on the hardware load balancer even if you are using DNS load balancing) Yes (must be open on the hardware load balancer even if you are using DNS load balancing) Yes (must be open on the hardware load balancer Used for communication from Front End Servers to the Web farm FQDNs (the URLs used by IIS Web components) when HTTPS is not used.

Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 Does this port need to be open Component (server role or client) Service name Port Protocol on the load balancer? Notes even if you are using DNS load balancing) Front End Servers Lync Server Conferencing Attendant service (dial-in conferencing) Lync Server Conferencing Attendant service (dial-in conferencing) Lync Server Mediation service 5064 TCP No Used for incoming SIP requests for dial-in conferencing. Media port range used for application sharing. Used by the Mediation Server for incoming requests from the Front End Server to the Mediation Server. Used for incoming SIP listening requests for application sharing. Used for incoming SIP requests from the PSTN gateway to the Mediation Server. Front End Servers that also run a Collocated Mediation Server Front End Servers that also run a Collocated Mediation Server Front End Servers that also run a Collocated Mediation Server Front End Servers 5070 TCP Yes Lync Server Mediation service Lync Server Mediation service Lync Server Application Sharing service Lync Server Application Sharing service 5067 TCP (TLS) Yes 5068 TCP Yes 5065 TCP No Front End Servers 4915265335 TCP No 36 . Used for incoming SIP requests from the PSTN gateway to the Mediation Server. Front End Servers 5072 TCP Yes Used for incoming SIP requests for Microsoft Lync 2010 Attendant (dial in conferencing).

Used for incoming SIP requests for the Audio Test service. Used for call admission control by the Lync Server Bandwidth Policy Service.Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 Does this port need to be open Component (server role or client) Service name Port Protocol on the load balancer? Notes Front End Servers Lync Server 5073 Conferencing Announcement service TCP Yes Used for incoming SIP requests for the Lync Server Conferencing Announcement service (that is. Used by Quality of Experience (QoE) agent on the Front End Server. Used for incoming SIP requests for the Response Group application. Used for incoming SIP requests for the Response Group application. Used for outbound Enhanced 9-1-1 (E9-11) gateway. for dial-in conferencing). Used for call admission control by the Bandwidth Policy service for A/V Edge TURN traffic. Front End Servers Lync Server Call Park service Audio Test service 5075 TCP Yes Front End Servers 5076 TCP Yes Front End Servers 5066 TCP No Front End Servers Lync Server QoE Monitoring Service Lync Server Response Group service Lync Server Response Group service Lync Server Bandwidth Policy Service Lync Server Bandwidth Policy Service 5069 TCP Yes Front End Servers 5071 TCP Yes Front End Servers 8404 TCP (MTLS) No Front End Servers 5080 TCP Yes Front End Servers 448 TCP Yes 37 . Used for incoming SIP requests for the Call Park application.

Used by the Mediation Server for incoming requests from the Front End Server. Used by all servers that terminate audio: Front End Servers (for Lync Server Conferencing Attendant service. Lync Server Conferencing Announcement service. All internal servers Various 4915257500 TCP/UD P N/A Directors Lync Server Front-End service 5060 TCP Yes Directors Lync Server Front-End service Lync Server Mediation service Lync Server Mediation service 5061 TCP Yes Mediation Servers 5070 TCP Yes Mediation Servers 5067 TCP (TLS) Yes 38 . Used by Standard Edition servers and Front End pools for listening to client connections from Lync 2010(TCP). Media port range used for audio conferencing on all internal servers. Used for incoming SIP requests from the PSTN gateway. Used for internal communications between servers and for client connections.Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 Does this port need to be open Component (server role or client) Service name Port Protocol on the load balancer? Notes Front End Servers where the Central Management store resides CMS Replication service 445 TCP No Used to push configuration data from the Central Management store to servers running Lync Server. and Lync Server Audio/Video Conferencing service). and Mediation Server.

Used by the reverse proxy to listen on the external interface for incoming requests from external users. Used by the reverse proxy to listen on the external interface for incoming requests from external users for Web components information and file downloads. Reverse proxy servers 80 Reverse proxy servers 443 TCP N/A Reverse proxy servers 8080 TCP N/A 39 . distribution group expansion as well as Address Book information. Used for message queuing and RPC operations. Used for SIP requests from the Front End Servers.Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 Does this port need to be open Component (server role or client) Service name Port Protocol on the load balancer? Notes Mediation Servers Lync Server Mediation service Lync Server Mediation service Lync Server Monitoring service 5068 TCP Yes Used for incoming SIP requests from the PSTN gateway. Used for SIP/TLS communication with the internal network to the Web services cluster. Mediation Servers 5070 TCP (MTLS) Yes Monitoring Servers 135 Message N/A Queuing and remote procedur e call (RPC) Message N/A Queuing and RPC TCP N/A Archiving Servers Lync Server Archiving service 135 Used for message queuing and RPC operations.

Reverse proxy servers 4443 TCP N/A Used by the reverse proxy to listen on the internal interface. Traffic from port 443 on the external interface is redirected to this port. Used to listen for PSOM/MTLS communications from the Web Conferencing Server on the internal interface of the Web Conferencing Edge Server.Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 Does this port need to be open Component (server role or client) Service name Port Protocol on the load balancer? Notes Traffic from port 80 on the external interface is redirected to this port. Communications flow outbound through Edge Servers All edge services (external interface) 443 TCP Yes Edge Servers Lync Server Access Edge service (internal and external interface) Lync Server Web Conferencing Edge service (internal interface) 5061 TCP Yes Edge Servers 8057 TCP No Edge Servers Lync Server Audio/Video Edge Authentication 5062 TCP Yes 40 . Used for SIP/TLS communication for external users accessing internal Web conferences. Used for SIP/MTLS authentication of A/V users. Used for SIP/MTLS communication for remote user access or federation and public Internet connectivity. and STUN/TCP inbound and outbound media communications for accessing internal media and A/V sessions.

Used to push configuration data from the Central Management store to the Edge Server. Used by Lync 2010 to find the Registrar FQDN Edge Servers All Edge services (internal interface) 4443 TCP No Clients 67/68 DHCP N/A 41 . Edge Servers 50. If you federate with an organization running Microsoft Office Communications Server 2007 R2 or Microsoft Office Communications Server 2007. not on the load balancer. Used for STUN/UDP inbound and outbound media exchange.Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 Does this port need to be open Component (server role or client) Service name Port Protocol on the load balancer? Notes service (internal interface) Edge Servers Lync Server Audio/Video Edge service (internal and external interfaces) Lync Server Audio/Video Edge service port range 3478 UDP Yes the internal firewall. and for both TCP and UDP. This port range always needs to be opened outbound for TCP. RTP/UD P No Used for inbound and outbound media transfer through the external firewall. you must open this range both outbound and inbound.999 RTP/TC P. This port must be opened on every individual Edge Server.00059.

Used by clients for video port range (minimum of 20 ports required). clients use PSOM). Clients 68916901 TCP N/A Used for file transfer between Lync 2010 clients and previous clients (clients of Office Communicator 2007 R2. and Registrar FQDN.Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 Does this port need to be open Component (server role or client) Service name Port Protocol on the load balancer? Notes (if DNS SRV fails and manual settings are not configured). Used by clients for peerto-peer file transfer (for conferencing file transfer. Used by clients for audio port range (minimum of 20 ports required). and Live Communications Server 2005). Office Communications Server 2007. Used by the devices listed to find the Lync Server 2010 certificate. provisioning FQDN. Used by clients for application sharing. Clients 102465535 102465535 102465535 TCP/UD P TCP/UD P TCP N/A Clients N/A Clients N/A Clients Microsoft Lync 2010 Phone Edition for Aastra 6721ip common area phone Microsoft Lync 2010 Phone Edition for Aastra 6725ip desk phone 102465535 67/68 TCP DHCP N/A N/A 42 .

Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 Does this port need to be open Component (server role or client) Service name Port Protocol on the load balancer? Notes Microsoft Lync 2010 Phone Edition for Polycom CX500 common area phone Microsoft Lync 2010 Phone Edition for Polycom CX600 desk phone 43 .

Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 IPsec Exceptions For enterprise networks where Internet Protocol security (IPsec) (see IETF RFC 4301-4309) has been deployed. and panorama video. IPsec must be disabled over the range of ports used for the delivery of audio. Recommended IPsec Exceptions Destination Rule name Source IP IP Protocol Source port Destination port Filter action A/V Edge Server Internal Inbound A/V Edge Server External Inbound A/V Edge Server Internal Outbound A/V Edge Server External Outbound Mediation Server Inbound Mediation Server Outbound Conferencing Attendant Inbound Conferencing Attendant Outbound A/V Conferencing Inbound A/V Conferencing Server Outbound Exchange Inbound Any A/V Edge Server Internal A/V Edge Server External Any UDP and Any TCP UDP and Any TCP UDP & TCP Any Any Permit Any Any Permit A/V Edge Server Internal A/V Edge Server External Any Any Permit Any UDP and Any TCP UDP and Any TCP UDP and Any TCP UDP and Any TCP UDP and Any TCP Any Permit Mediation Server(s) Any Permit Mediation Server(s) Any Any Any Any Any Permit Any Any Any Any Any Permit Permit Permit A/V UDP and Any Conferencing TCP Servers UDP and Any TCP UDP and Any A/V Any Conferencing Servers Any Exchange Unified Any Permit Any Permit 44 . The recommendation is motivated by the need to avoid any delay in the allocation of media ports due to IPsec negotiation. The following table explains the recommended IPsec exception settings. video.

Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 Destination Rule name Source IP IP Protocol Source port Destination port Filter action Messaging Application Sharing Servers Inbound Application Sharing Server Outbound Exchange Outbound Any Application Sharing Servers Any TCP TCP Any Any Permit Application Sharing Servers Exchange Unified Messaging Any TCP Any Any Permit Any UDP and Any TCP UDP Any Permit Clients Any Specified Any media port range Permit 45 .

Important: If you are running Windows Server 2008 R2. The topics in this section describe the requirements of specific components for IIS.com/fwlink/?linkid=197394.com/fwlink/?linkid=197392 Security Note If you are using IIS 7.com/fwlink/?linkid=197391. 46 .0 on a Windows Server 2008 operating system. you must install version 1. Lync Server 2010 Setup disables kernel mode authentication in IIS. The table below describes the additional role services that must be installed when the Web Server (IIS) role is enabled on Windows Server 2008. various role services are installed by default.Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 Internet Information Services (IIS) Requirements Several Microsoft Lync Server 2010 communications software components require Internet Information Services (IIS).microsoft. When the Web Server (IIS) role is enabled on Windows Server 2008. • IIS Application Request Routing module at http://go. Role service Feature Common HTTP Features Application Development Application Development Application Development Application Development Health and Diagnostics Health and Diagnostics Security Security Management Tools Management Tools HTTP Redirection ASP. available at http://go.NET Extensibility ISAPI Extensions ISAPI Filters Logging Tools Tracing Basic Authentication Windows Authentication IIS Management Scripts and Tools IIS 6 Management Compatibility You must install the following additional components to enable features in Lync Server: • IIS URL Rewrite module at http://go.1 of the URL Rewrite module.NET . This topic describes the specific IIS features required to support Lync Server 2010.microsoft.microsoft.

the Microsoft Lync Server 2010 installer creates virtual directories in IIS for the following purposes: • • • • To enable users to download files from the Address Book Service To enable clients to obtain updates (for example..NET Extensibility Internet Server API (ISAPI) Extensions ISAPI Filters HTTP Logging Logging Tools Tracing Windows Authentication Request Filtering Static Content Compression IIS Management Console IIS Management Scripts and Tools Tracing AnonymousAuthenticationModule ClientCertificateMappingAuthenticationModule Lync Server 2010 requires the following IIS modules to be installed: The following table lists the URIs for the virtual directories for internal access and the file system resources to which they refer. and Directors. Microsoft Lync 2010) To enable conferencing To enable users to download meeting content • To enable unified communications (UC) devices to connect to Device Update Service and obtain updates • • • • • • • • • • • • • • • • • • • • • To enable users to expand distribution groups To enable phone conferencing To enable response group features Static Content Default Document HTTP Errors ASP.NET . Virtual Directories for Internal Access Feature Virtual directory URI Refers to Address Book Server https://<Internal FQDN>/ABS/int/Handler Location of Address Book 47 .Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 IIS Requirements for Front End Pools and Standard Edition Servers For Standard Edition servers and Front End Servers.

Location of the Device Update Service Request Handler that enables internal UC devices to upload logs and check for updates. Location of Response Group ConfigurationTool. 48 .asmx Phone Conferencing http://<Internal FQDN>/PhoneConferencing/Int http://<Internal FQDN>/RequestHandler Device updates Response Group application Note: http://<Internal FQDN>/RgsConfig. Conf http://<Internal FQDN>/Conf/Int Device updates http://<Internal FQDN>/DeviceUpdateFiles_Int Meeting Group Expansion and Address Book Web Query service http://<Internal FQDN>/etc/place/null http://<Internal FQDN>/GroupExpansion/int/service. the location of the Address Book Web Query service that provides global address list information to internal Microsoft Lync 2010 Mobile clients. Location of the Web service that enables group expansion for internal users. Location of meeting content for internal users. Location of unified communications (UC) device update files for internal UC devices. Also.Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 Feature Virtual directory URI Refers to Server download files for internal users. Location of phone conferencing data for internal users. you must deploy IIS before you can add servers to the pool. Client updates http://<Internal FQDN>/AutoUpdate/Int Location of update files for internal computer-based clients. http://<Internal FQDN>/RgsClients For Front End pools in a consolidated configuration. Location of conferencing resources for internal users.

Determining Your Infrastructure Requirements for Microsoft Lync Server 2010 Security Note: You must use the IIS administrative snap-in to assign the certificate used by the IIS Web component server. 49 .

Sign up to vote on this title
UsefulNot useful