Академический Документы
Профессиональный Документы
Культура Документы
Requirements
Microsoft Lync Server 2010
Published: July 2011
This document is provided as-is. Information and views expressed in this document, including
URL and other Internet Web site references, may change without notice.
Some examples depicted herein are provided for illustration only and are fictitious. No real
association or connection is intended or should be inferred.
This document does not provide you with any legal rights to any intellectual property in any
Microsoft product. You may copy and use this document for your internal, reference purposes.
Copyright 2011 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, ActiveSync, ActiveX, DirectX, Excel, Forefront, Groove, Hyper-V,
Internet Explorer, Lync, MSDN, MSN, OneNote, Outlook, PowerPoint, RoundTable, SharePoint,
Silverlight, SQL Server, Visio, Visual C++, Visual Studio, Windows, Windows Live, Windows
Media, Windows PowerShell, Windows Server, and Windows Vista, are trademarks of the
Microsoft group of companies. All other trademarks are property of their respective owners.
Contents
Determining Your Infrastructure Requirements............................................................................1
Determining Your System Requirements.................................................................................1
Server Hardware Platforms................................................................................................... 2
Server and Tools Operating System Support........................................................................4
Database Software and Clustering Support..........................................................................6
Additional Software Requirements........................................................................................ 7
Network Infrastructure Requirements.....................................................................................11
Active Directory Domain Services Requirements, Support, and Topologies..........................13
Active Directory Domain Services Support.........................................................................13
Supported Active Directory Topologies...............................................................................14
Active Directory Infrastructure Requirements.....................................................................19
Load Balancing Requirements...............................................................................................20
Domain Name System (DNS) Requirements.........................................................................20
Determining DNS Requirements.........................................................................................21
DNS Requirements for Front End Pools.............................................................................27
DNS Requirements for Standard Edition Servers...............................................................29
DNS Requirements for Simple URLs..................................................................................30
DNS Requirements for Automatic Client Sign-In.................................................................33
DNS Load Balancing.......................................................................................................... 34
Certificate Infrastructure Requirements..................................................................................37
Certificate Requirements for Internal Servers.....................................................................38
Certificate Requirements for External User Access............................................................45
Certificate Requirements for Group Chat Server................................................................46
Port Requirements................................................................................................................. 47
Ports and Protocols for Internal Servers.............................................................................47
IPsec Exceptions................................................................................................................ 56
Internet Information Services (IIS) Requirements..................................................................59
IIS Requirements for Front End Pools and Standard Edition Servers.................................59
IIS Requirements for Group Chat Server............................................................................62
In This Section
Port Requirements
In This Section
See Also
Client and Device Hardware Support
Supportability
Recommended
CPU
16 GB
Disk
Network
Servers running the Director server role have lesser hardware requirements. These
recommendations are based on a maximum of 39,000 external users per Front End pool (which
follows the user model of 80,000 users per Front End pool, with 30% of users connecting
externally and 1.5 multiple points of presence (MPOP)
Hardware Recommendations for Directors
Hardware component
Recommended
CPU
Recommended
4 GB
Disk
Network
Hardware Support for Back End Servers and Other Database Servers
Back End Server requirements and requirements for other database servers are similar to those
of servers running Lync Server 2010, except that Back End Servers require additional memory.
The following table describes the recommended hardware for a Back End Server or other
database servers, based on a 80,000 user pool with eight Front End Servers and one Back End
Server with all databases required for your Lync Server deployment running on a single database
server.
Hardware Recommendations for Back End Servers and Other Database Servers
Hardware component
Recommended
CPU
Memory
Disk
Network
The Windows Server 2008 R2 Standard operating system (required) or latest service pack
(recommended)
The Windows Server 2008 R2 Enterprise operating system (required) or latest service pack
(recommended)
The Windows Server 2008 R2 Datacenter operating system (required) or latest service pack
(recommended)
The Windows Server 2008 Standard operating system with Service Pack 2 (SP2) (required)
or latest service pack (recommended)
The Windows Server 2008 Enterprise operating system with SP2 (required) or latest service
pack (recommended)
The Windows Server 2008 Datacenter operating system with SP2 (required) or latest service
pack (recommended)
Notes:
If you have an existing server running Windows Server 2008 with Service Pack 1 (SP1), you must
upgrade it to either Windows Server 2008 SP2 (or latest service pack), or Windows
Server 2008 R2 (or latest service pack) before deploying Lync Server 2010.
To deploy Lync Server 2010 on a computer that is running either the Windows Server 2008 R2
Datacenter operating system or the Windows Server 2008 Datacenter operating system with
Service Pack 2 (SP2) and that is configured for multiple processor groups (dynamic hardware
partitioning), you must upgrade Microsoft SQL Server 2008 Express database software, which is
installed by default when you install Lync Server 2010, to Microsoft SQL Server 2008 R2 Express.
The SQL instance name is RTC for a Standard Edition server back-end database and RTCLocal
for the local configuration store (on each server role). A server running Lync Server 2010
Standard Edition has both SQL instances, and each needs to be upgraded separately.
The Server Core installation option of Windows Server 2008 R2 or Windows Server 2008
The Windows Web Server2008 R2 operating system or the Windows Web Server2008
operating system
Windows Server 2008 R2 HPC Edition or Windows Server 2008 HPC Edition
The Windows Vista operating system with SP2 (required) or latest service pack
(recommended)
The 32-bit version of Windows 7 operating system (required) or latest service pack
(recommended)
The 64-bit version of Windows 7 operating system (required) or latest service pack
(recommended) using the WOW64 x86 emulator
The 32-bit edition of Windows Vista with SP2 operating system (required) or latest service
pack (recommended)
The 64-bit edition of Windows Vista with SP2 operating system (required) or latest service
pack (recommended) using the WOW64 x86 emulator
The 32-bit edition of Windows XP with SP3 operating system (required) or latest service pack
(recommended)
The 64-bit edition of Windows XP with SP3 operating system (required) or latest service pack
(recommended) using WOW64 x86
The 32-bit edition of Windows Server 2008 operating system (required) or latest service pack
(recommended)
Back-end database of a Front End pool, Archiving database, and Monitoring database
Microsoft SQL Server 2008 Enterprise (64-bit edition) with Service Pack 1 (SP1)
(required) or latest service pack (recommended)
Microsoft SQL Server 2008 Standard (64-bit edition) with SP1 (required) or latest service
pack (recommended)
Microsoft SQL Server 2005 Enterprise (64-bit edition) with Service Pack 3 (SP3)
(required) or latest service pack (recommended)
Microsoft SQL Server 2005 Standard (64-bit edition) with SP3 (required) or latest service
pack (recommended)
Microsoft SQL Server 2008 Express (64-bit edition) is automatically installed by Lync Server 2010
on each Standard Edition server and each Lync Server 2010 server on which the local
configuration store is deployed.
Lync Server 2010 supports manually upgrading each SQL Server 2008 Express database to SQL
Server 2008 R2 Express (64-bit edition), after the initial deployment of each Standard Edition
server and other Lync Server 2010 server on which the local configuration store is located.
Important
Lync Server 2010 does not support SQL Server 2008 32-bit edition, SQL Server 2008 R2 32-bit
edition, or SQL Server 2005 32-bit edition. You must use the 64-bit edition.
SQL Server Web edition and SQL Server Workgroup edition are not supported. You cannot use
them with Lync Server 2010.
Lync Server 2010 does not support native database mirroring.
To use the Monitoring Server role, you should install SQL Server Reporting Services.
In a Front End pool, the back-end database can be a single SQL Server computer. Alternatively,
two or more dedicated SQL Server computers can optionally be clustered in a multiple-node
active/passive configuration. A SQL Server cluster for the back-end database improves availability
by providing failover capabilities. In a multiple-node cluster, the Lync Server 2010 SQL instance
SQL Server 2008 Standard with SP1 (required) or latest service pack (recommended)
or SQL Server 2005 Standard with SP3 (required) or latest service pack (recommended)
SQL Server 2008 Enterprise with SP1 (required) or latest service pack (recommended)
or SQL Server 2005 Enterprise with SP3 (required) or latest service pack (recommended)
Static Content
Default Document
HTTP Errors
ASP.NET
.NET Extensibility
ISAPI Filters
HTTP Logging
Logging Tools
Tracing
Windows Authentication
Request Filtering
Static Content
Default Document
HTTP Errors
ASP.NET
.NET Extensibility
ISAPI Filters
HTTP Logging
Logging Tools
Tracing
Windows Authentication
Request Filtering
10
See Also
Administrative Tools Software Requirements
In Standard Edition topologies, servers should be in a network that supports 1 Gbps Ethernet
or equivalent.
In Front End pool topologies, most servers should be in a network that supports more than 1
Gbps, especially when supporting audio/video (A/V) conferencing and application sharing.
For public switched telephone network (PSTN) integration, you can integrate by using either
T1/E1 lines or SIP trunking.
11
The external firewall can be configured as a NAT (that is, whether the site has only a single
Edge Server deployed or has multiple Edge Servers deployed). The internal firewall cannot
be configured as a NAT. For details about these requirements, see Determining External A/V
Firewall and Port Requirements in the Planning documentation.
If your organization uses a Quality of Service (QoS) infrastructure, the media subsystem is
designed to work within this existing infrastructure.
If you use IPsec, we recommend disabling IPsec over the port ranges used for A/V traffic. For
details, see IPsec Exceptions in the Planning documentation.
Provision your network links to support throughput of 65 kilobits per second (Kbps) per audio
stream and 500 Kbps per video stream, if enabled, during peak usage periods. A bidirectional
audio or video session consists of two streams.
To cope with unexpected spikes in traffic above this level and increased usage over time,
Lync Server media endpoints can adapt to varying network conditions and support loads of
three times the throughput (see previous paragraph) for audio and video while still retaining
acceptable quality. However, do not assume that this adaptability will support an underprovisioned network. In an under-provisioned network, the ability of the Lync Server media
endpoints to dynamically deal with varying network conditions (for example, temporary high
packet loss) is reduced.
For network links where provisioning is extremely costly and difficult, you may need to
consider provisioning for a lower volume of traffic. In this scenario, you let the elasticity of the
Lync Server media endpoints absorb the difference between that traffic volume and the peak
traffic level, at the cost of some reduction in the voice quality. Also, there is a decrease in the
headroom otherwise available to absorb sudden peaks in traffic.
For links that cannot be correctly provisioned in the short term (for example, a site with very
poor WAN links), consider disabling video for certain users.
Provision your network to ensure a maximum end-to-end delay (latency) of 150 milliseconds
(ms) under peak load. Latency is the one network impairment that Lync Server media
components cannot reduce, and it is important to find and eliminate the weak points.
For servers running antivirus software, include all servers running Lync Server 2010 in the
exception list in order to provide optimal performance and audio quality. For details, see
Specifying Antivirus Scanning Exclusions in the Security documentation.
12
In This Section
Schema extensions
Extensions for Office Communications Server 2007 and Office Communications Server
2007 R2 classes to maintain backward compatibility with previous supported versions
Contact objects for applications (for example, the Response Group application and the
Conferencing Attendant application)
This section describes the AD DS support requirements for Lync Server 2010. For details about
topology support, see Supported Active Directory Topologies in the Supportability documentation.
Supported Domain Controller Operating Systems
Lync Server 2010 supports domain controllers running the following operating systems:
The 32-bit or 64-bit versions of the Window Server 2003 R2 operating system
13
The following figure identifies the icons used in the illustrations in this section.
14
User accounts within the same domain as the Lync Server pool
15
User accounts within the same domain as the Lync Server pool
User accounts in a different domain from (but the same tree as) the Lync Server pool
16
Users can search for and communicate with other users in any forest.
The directory synchronization product automates the addition and deletion of contact objects
in the central forest as user accounts are created or removed.
The following figure illustrates a central forest topology. In this figure, there are two-way trust
relationships between the domain that hosts Lync Server, which is in the central forest, and each
user-only domain, which is in a separate forest. The schema in the separate user forests does not
need to be extended.
17
18
All domain controllers (which include all global catalog servers) in the forest where you deploy
Lync Server 2010 run one of the following operating systems:
All domains in which you deploy Lync Server 2010 are raised to a domain functional level of
Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003 native mode.
Windows Server 2003 mixed mode is not supported.
The forest in which you deploy Lync Server 2010 is raised to a forest functional level of
Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003 native mode.
Windows Server 2003 mixed mode is not supported.
19
A global catalog is deployed in every domain where you deploy Lync Server computers or
users.
Lync Server 2010 supports the universal groups in the Windows Server 2008 R2, Windows
Server 2008, and Windows Server 2003 operating systems. Members of universal groups can
include other groups and accounts from any domain in the domain tree or forest and can be
assigned permissions in any domain in the domain tree or forest. Universal group support,
combined with administrator delegation, simplifies the management of a Lync Server deployment.
For example, it is not necessary to add one domain to another to enable an administrator to
manage both.
To allow clients to discover the Front End pool or Standard Edition server used for various
SIP transactions.
To allow unified communications (UC) devices that are not logged on to discover the Front
End pool or Standard Edition server running Device Update Web Service, obtain updates,
and send logs.
To allow external servers and clients to connect to Edge Servers or the HTTP reverse proxy
for instant messaging (IM) or conferencing.
20
In This Section
21
22
DNS A and SRV records for Microsoft Lync Server 2010 client auto configuration
(optional)
DNS A and SRV records for all internal servers running Microsoft Lync Server 2010 in the
corporate network
DNS A and SRV records for the Edge internal interface of each Lync Server 2010, Edge
Server in the perimeter network
DNS A records for the reverse proxy internal interface of each reverse proxy server in the
perimeter network
All Lync Server 2010 Edge Servers in the perimeter network point to the internal DNS
servers for resolving queries to contoso.com
All servers running Lync Server 2010 and clients running Lync 2010 in the corporate
network point to the internal DNS servers for resolving queries to contoso.com
External DNS:
DNS A and SRV records for Lync 2010 client auto configuration (optional)
23
If a user signs in as lstest01@contoso.com the following SRV record will work for automatic
configuration because the users SIP domain (contoso.com) matches the domain of
automatic configuration Front End pool):
_sipinternaltls._tcp.contoso.com. 86400 IN SRV 0 0 5061 pool01.contoso.com
24
For comparison, if a user signs in as lstest01@litwareinc.com the following DNS SRV record will
not work for automatic configuration, because the clients SIP domain (litwareinc.com) does not
match the domain that the pool is in (fabrikam.com):
_sipinternaltls._tcp.litwareinc.com. 86400 IN SRV 0 0 5061 pool01.fabrikam.com
If automatic configuration is required for Lync clients, select one of the following options:
Group Policy Objects Use Group Policy objects (GPOs) to populate the correct server
values.
Note:
This option does not enable automatic configuration, but it does automate the
process of manual configuration, so if this approach is used, the SRV records
associated with automatic configuration are not required.
Matching internal zone Create a zone in the internal DNS that matches the external DNS
zone (for example, contoso.com) and create DNS A records corresponding to the Lync Server
2010 pool used for automatic configuration. For example, if a user is homed on
pool01.contoso.net but signs into Lync as lstest01@contoso.com, create an internal DNS
zone called contoso.com and inside it, create a DNS A record for pool01.contoso.com.
Pin-point internal zone If creating an entire zone in the internal DNS is not an option, you
can create pin-point (that is, dedicated) zones that correspond to the SRV records that are
required for automatic configuration, and populate those zones using dnscmd.exe.
Dnscmd.exe is required because the DNS user interface does not support creation of pinpoint zones. For example, if the SIP domain is contoso.com and you have a Front End pool
called pool01 that contains two Front End Servers, you need the following pin-point zones
and A records in your internal DNS:
dnscmd . /zoneadd _sipinternaltls._tcp.contoso.com. /dsprimary
dnscmd . /recordadd _sipinternaltls._tcp.contoso.com. @ SRV 0 0 5061
pool01.contoso.com.
dnscmd . /zoneadd pool01.contoso.com. /dsprimary
dnscmd . /recordadd pool01.contoso.com. @ A 192.168.10.90
dnscmd . /recordadd pool01.contoso.com. @ A 192.168.10.91
If your environment contains a second SIP domain (for example, fabrikam.com), you need the
following pin-point zones and A records in your internal DNS:
dnscmd . /zoneadd _sipinternaltls._tcp.fabrikam.com. /dsprimary
dnscmd . /recordadd _sipinternaltls._tcp.fabrikam.com. @ SRV 0 0 5061
pool01.fabrikam.com.
dnscmd . /zoneadd pool01.fabrikam.com. /dsprimary
dnscmd . /recordadd pool01.fabrikam.com. @ A 192.168.10.90
dnscmd . /recordadd pool01.fabrikam.com. @ A 192.168.10.91
25
The Lync 2010 client will query DNS for pool01.contoso.com and get back three IP addresses
and cache them as follows (not necessarily in this order):
pool01.contoso.com
192.168.10.90
pool01.contoso.com
192.168.10.91
pool01.contoso.com
192.168.10.92
Then, the client attempts to establish a Transmission Control Protocol (TCP) connection to
one of the IP addresses. If that fails, the client tries the next IP address in the cache.
If the TCP connection succeeds, the client negotiates TLS to connect to the Front End Server.
If it gets to the end without a successful connection, the user is notified that no servers
running Lync Server 2010 are available at the moment.
Note:
DNS-based load balancing is different from DNS round robin (DNS RR) which typically
refers to load balancing by relying on DNS to provide a different order of IP addresses
corresponding to the servers in a pool. Typically DNS RR only enables load distribution,
but does not enable failover. For example, if the connection to the one IP address
returned by the DNS A query fails, the connection fails. Therefore, DNS round robin by
itself is less reliable than DNS-based load balancing. You can use DNS round robin in
conjunction with DNS load balancing.
26
Load balancing all client-to-server traffic between clients and Edge Servers
If multiple DNS records are returned to a DNS SRV query, the Access Edge service always
picks the DNS SRV record with the lowest numeric priority and highest numeric weight. If
multiple DNS SRV records with equal priority and weight are returned, the Access Edge
service will pick the SRV record that came back first from the DNS server.
DNS requirement
27
DNS requirement
An internal A record with the name ucupdatesr2.<SIP domain> that resolves to the IP address
of the Front End pool that hosts the Device
Update Web service. In the situation where a
UC device is turned on, but a user has never
logged into the device, the A record allows the
device to discover the Front End pool hosting
Device Update Web service and obtain
updates. Otherwise, devices obtain this
information though in-band provisioning the first
time a user logs in. For details, see Updating
Devices in the Planning documentation.
Important:
If you have an existing deployment of
Device Update Web service in Lync
Server 2010, you have already created
an internal A record with the name
ucupdates.<SIP domain>. For Microsoft
Office Communications Server 2007
R2, you must create an additional DNS
A record with the name ucupdatesr2.<SIP domain>.
The following table shows an example of the DNS records required for the internal web farm
FQDN.
28
Pool FQDN
DNS A record(s)
webcon.contoso.com
ee-pool.contoso.com
ee-pool.contoso.com
ee-pool.contoso.com
DNS requirement
29
DNS requirement
An internal A record with the name ucupdatesr2.<SIP domain> that resolves to the IP address
of the Standard Edition server hosting Device
Update Web service. In the situation where a
UC device is turned on, but a user has never
logged into the device, the A record allows the
device to discover the server hosting Device
Update Web service and obtain updates.
Otherwise, devices obtain the server
information though in-band provisioning the first
time a user logs in. For details, see Updating
Devices in the Planning documentation.
Important:
If you have an existing deployment of
Device Update Web service in Office
Communications Server 2007, you
have already created an internal A
record with the name ucupdates.<SIP
domain>. For Office Communications
Server 2007 R2, you must create an
additional DNS A record with the name
ucupdates-r2.<SIP domain>.
30
Example
Meet
https://meet.contoso.com,
https://meet.fabrikam.com, and so on (one for
each SIP domain in your organization)
Dial-in
https://dialin.contoso.com
Admin
https://admin.contoso.com
For each Meet simple URL, you need a DNS A record that resolves the URL to the IP address
of the Director, if you have one deployed. Otherwise, it should resolve to the IP address of the
load balancer of a Front End pool. If you have not deployed a pool and are using a Standard
Edition server deployment, the DNS A record must resolve to the IP address of one Standard
Edition server in your organization.
If you have more than one SIP domain in your organization and you use this option, you must
create Meet simple URLs for each SIP domain and you need a DNS A record for each Meet
simple URL. For example, if you have both contoso.com and fabrikam.com, you will create
DNS A records for both https://meet.contoso.com and https://meet.fabrikam.com.
Alternatively, if you have multiple SIP domains and you want to minimize the DNS record and
certificate requirements for these simple URLs, use Option 3 as described later in this topic.
For the Dial-in simple URL, you need a DNS A record that resolves the URL to the IP address
of the Director, if you have one deployed. Otherwise, it should resolve to the IP address of the
load balancer of a Front End pool. If you have not deployed a pool and are using a Standard
Edition server deployment, the DNS A record must resolve to the IP address of one Standard
Edition server in your organization.
The Admin simple URL is internal only. It requires a DNS A record that resolves the URL to
the IP address of the Director, if you have one deployed. Otherwise, it should resolve to the
IP address of the load balancer of a Front End pool. If you have not deployed a pool and are
using a Standard Edition server deployment, the DNS A record must resolve to the IP
address of one Standard Edition server in your organization.
31
Example
Meet
Dial-in
https://lync.contoso.com/Dialin
Admin
https://lync.contoso.com/Admin
Example
Meet
https://lync.contoso.com/contosoSIPdomain/Meet
https://lync.contoso.com/fabrikamSIPdomain/Meet
Dial-in
https://lync.contoso.com/contosoSIPdomain/Dialin
https://lync.contoso.com/fabrikamSIPdomain/Dialin
Admin
https://lync.contoso.com/contosoSIPdomain/Admin
https://lync.contoso.com/fabrikamSIPdomain/Admin
32
Designate a single server or pool to distribute and authenticate client sign-in requests. This
can be an existing server or pool in your organization that hosts users, or you can designate
a dedicated server or pool for this purpose that hosts no users. For high availability, we
recommend that you designate a Front End pool for this function.
Create an internal DNS SRV record to support automatic client sign-in for this server or pool.
Note:
In the following record requirements, SIP domain refers to the host portion of the SIP
URIs assigned to users. For example, if SIP URIs are of the form *@contoso.com,
contoso.com is the SIP domain. The SIP domain is often different from the internal
Active Directory domain. An organization can also support multiple SIP domains.
To enable automatic configuration for your clients, you must create an internal DNS SRV record
that maps one of the following records to the fully qualified domain name (FQDN) of the Front
End pool or Standard Edition server that distributes sign-in requests from Lync clients:
You only need to create a single SRV record for the Front End pool or Standard Edition server or
that will distribute sign-in requests.
The following table shows some example records required for the fictitious company Contoso,
which supports SIP domains of contoso.com and retail.contoso.com.
Example of DNS Records Required for Automatic Client Sign-in with Multiple SIP Domains
FQDN of Front End pool
SIP domain
pool01.contoso.com
contoso.com
pool01.contoso.com
retail.contoso.com
33
<user>@retail.contoso.com
<user>@contoso.com
34
DNS load
DNS load
Hardware load
balancing
balancing
balancer (only)
supported?
recommended?
recommended?
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
35
A pool that uses DNS load balancing must have two FQDNs: the regular pool FQDN that is
used by DNS load balancing (such as pool01.contoso.com), and resolves to the physical IPs
of the servers in the pool, and another FQDN for the pools Web services (such as
web01.contoso.com), which resolves to virtual IP address of the pool.
In Topology Builder, if you want to deploy DNS load balancing for a pool, to create this extra
FQDN for the pools Web services you must select the Override internal Web Services pool
FQDN check box and type the FQDN, in the Specify the Web Services URLs for this Pool
page.
To support the FQDN used by DNS load balancing, you must provision DNS to resolve the
pool FQDN (such as pool01.contoso.com) to the IP addresses of all the servers in the pool
(for example, 192.168.1.1, 192.168.1.2, and so on). You should include only the IP addresses
of servers that are currently deployed.
Federation with organizations that are running previous versions of Office Communications
Server.
Instant message exchange with users of public instant messaging (IM) services, such as
Windows Live, AOL, and Yahoo!, in addition to XMPP-based providers and servers, such as
Google Talk and Jabber.
Note:
To use XMPP, you must install the XMPP Gateway. You can download the XMPP
Gateway from the Microsoft Download Center at http://go.microsoft.com/fwlink/?
LinkId=204552. After you install the XMPP Gateway, you must install the hotfix, which
you can download from http://go.microsoft.com/fwlink/?LinkId=204561.
These scenarios will work as long as all Edge Servers in the pool are up and running, but if one
Edge Server is unavailable, any requests for these scenarios that are sent to it will fail, instead of
routing to another Edge Server.
Using DNS load balancing also causes a loss of failover ability for these Exchange UM scenarios
for remote Exchange UM users:
36
For the Lync Server Access Edge service, you need one entry for each server in the pool.
Each entry must resolve the FQDN of the Lync Server Access Edge service (for example,
sip.contoso.com) to the IP address of the Lync Server Access Edge service on one of the
Edge Servers in the pool.
For the Lync Server Web Conferencing Edge service, you need one entry for each server in
the pool. Each entry must resolve the FQDN of the Lync Server Web Conferencing Edge
service (for example, webconf.contoso.com) to the IP address of the Lync Server Web
Conferencing Edge service on one of the Edge Servers in the pool.
For the Lync Server Audio/Video Edge service, you need one entry for each server in the
pool. Each entry must resolve the FQDN of the Lync Server Audio/Video Edge service (for
example, av.contoso.com) to the IP address of the Lync Server A/V Edge service on one of
the Edge Servers in the pool.
To deploy DNS load balancing on the internal interface of your Edge Server pool, you must add
one DNS A record, which resolves the internal FQDN of the Edge Server pool to the IP address of
each server in the pool.
Using DNS Load Balancing on Mediation Server Pools
You can use DNS load balancing on stand-alone Mediation Server pools without need for a
hardware load balancer. All SIP and media traffic is balanced by DNS load balancing.
To deploy DNS load balancing on a Mediation Server pool, you must provision DNS to resolve the
pool FQDN (for example, mediationpool1.contoso.com) to the IP addresses of all the servers in
the pool (for example, 192.168.1.1, 192.168.1.2, and so on).
External user access to audio/video (A/V) sessions, application sharing, and conferencing
37
The default hash algorithm is RSA. The ECDH_P256, ECDH_P384, and ECDH_P521 hash
algorithms are also supported.
In This Section
38
Subject name/
Example
SN=se01.contoso.com;
SAN=se01.contoso.com
Comments
Common name
Default
Fully qualified
domain name
(FQDN) of the pool
Web internal
On Standard Edition
server, the server FQDN is
the same as the pool
If this pool is the auto-logon server
for clients and strict DNS matching is FQDN.
required in group policy, you also
The wizard detects any
need SAN=sip.contoso.com;
SIP domains you specified
SAN=sip.fabrikam.com
during setup and
automatically adds them
to the subject alternative
name.
SN=se01.contoso.com;
SAN=se01.contoso.com;
SAN=meet.contoso.com;
SAN=meet.fabrikam.com;
SAN=dialin.contoso.com;
SAN=admin.contoso.com
SN=se01.contoso.com;
SAN=se01.contoso.com;
SAN=*.contoso.com
39
Subject name/
Example
Comments
SN=se01.contoso.com;
SAN=webcon01.contoso.com;
SAN=meet.contoso.com;
SAN=meet.fabrikam.com;
SAN=dialin.contoso.com
Common name
Web external
Subject name/
Example
SN=eepool.contoso.com;
SAN=eepool.contoso.com;
SAN=ee01.contoso.com
Comments
Common name
Default
40
Subject name/
Example
Comments
Common name
Web external
FQDN of the
server
FQDN of the
server
SN=ee01.contoso.com;
SAN=ee01.contoso.com;
SAN=meet.contoso.com;
SAN=meet.fabrikam.com;
SAN=dialin.contoso.com;
SAN=admin.contoso.com
SN=ee01.contoso.com;
SAN=ee01.contoso.com;
SAN=*.contoso.com
SN=ee01.contoso.com;
SAN=webcon01.contoso.com;
SAN=meet.contoso.com;
SAN=meet.fabrikam.com;
SAN=dialin.contoso.com
41
Subject name/
Example
Common name
Default
Web Internal
Web external
42
Subject name/
Example
Common name
SN=dir01.contoso.com;
SAN=directorwebcon01.contoso.com
SAN=*.contoso.com
If you have a stand-alone A/V Conferencing Server pool, the A/V Conferencing Servers in it each need the certificates listed in the following table.
If you collocate an A/V Conferencing Server with the Front End Servers, the certificates listed in the Certificates for Front End Server in Front End
Pool table earlier in this topic are sufficient.
Certificates for Stand-alone A/V Conferencing Server
Certificate
Subject name/
Example
Not applicable
SN=av-pool.contoso.com
Common name
Default
If you have a stand-alone Mediation Server pool, the Mediation Servers in it each need the certificates listed in the following table. If you collocate
Mediation Server with the Front End Servers, the certificates listed in the Certificates for Front End Server in Front End Pool table earlier in this
topic are sufficient.
Certificates for Stand-alone Mediation Server
Certificate
Subject name/
Example
SN=medsvr-pool.contoso.net;
SAN=medsvr-pool.contoso.net;
SAN=medsvr01.contoso.net
Common name
Default
43
Subject name/
Example
SN=sba01.contoso.net;
SAN=sip.contoso.com;
SAN=sip.fabrikam.com
Common name
Default
44
The certificate must be issued by an approved public CA that supports subject alternative
name. For details, see Microsoft Knowledge Base article 929395, "Unified Communications
Certificate Partners for Exchange Server and for Communications Server," at
http://go.microsoft.com/fwlink/?LinkId=202834.
If the certificate will be used on an Edge pool, it must be created as exportable, with the same
certificate used on each Edge Server in the Edge pool. The exportable private key
requirement is for the purposes of the A/V Authentication service, which must use the same
private key across all Edge Servers in the pool.
The subject name of the certificate is the access Edge external interface fully qualified
domain name (FQDN) or hardware load balancer VIP (for example, access.contoso.com).
Note:
For Lync Server 2010, this is no longer a requirement, but it is still recommended for
compatibility with Office Communications Server.
The subject alternative name list contains the FQDNs of the following:
The access Edge external interface or hardware load balancer VIP (for example,
access.contoso.com).
Note:
Even though the certificate subject name is equal to the access Edge FQDN, the
subject alternative name must also contain the access Edge FQDN because
Transport Layer Security (TLS) ignores the subject name and uses the subject
alternative name entries for validation.
The web conferencing Edge external interface or hardware load balancer VIP (for
example, webcon.contoso.com).
If you are using client auto-configuration or federation, also include any SIP domain
FQDNs used within your company (for example, sip.contoso.com, sip.fabrikam.com).
The A/V authentication service does not use the subject name or the subject alternative
names entries.
Note:
The order of the FQDNs in the subject alternative names list does not matter.
45
The subject name of the certificate is typically the Edge internal interface FQDN or hardware
load balancer VIP (for example, lsedge.contoso.com). However, you can use a wildcard
certificate on the Edge internal.
External user access to downloadable files from the Address Book Service
External device access to the Device Update Service and obtain updates
The reverse proxy publishes the internal server Web Components URLs. The Web Components
URLs are defined on the Director, Front End Server or Front End pool as the External web
services in Topology Builder.
Wildcard entries are supported in the subject alternative name field of the certificate assigned to
the reverse proxy. For details about how to configure the certificate request for the reverse proxy,
see Request and Configure a Certificate for Your Reverse HTTP Proxy.
46
Port Requirements
Microsoft Lync Server 2010 requires that specific ports on the firewall be open. Additionally, if
Internet Protocol security (IPsec) is deployed in your organization, IPsec must be disabled over
the range of ports used for the delivery of audio, video, and panorama video.
For details about ports for Edge Servers and external firewalls, see Topologies for External User
Access in the Planning documentation.
In This Section
This section includes the following topics:
IPsec Exceptions
Note:
Windows Firewall must be running before you start the Lync Server 2010 services on a
server, because that is when Lync Server opens the required ports in the firewall.
For details about firewall configuration for edge components, see Determining External A/V
Firewall and Port Requirements.
The following table lists the ports that need to be open on each internal server role.
47
Service name
Port
Protocol
Notes
5060
TCP
5061
TCP (TLS)
444
HTTPS
TCP
135
DCOM and
remote
procedure call
(RPC)
TCP
TCP (TLS)
8057
48
Service name
Port
Protocol
Notes
8058
TCP (TLS)
5063
TCP
5750165335
TCP/UDP
80
HTTP
443
HTTPS
5064
TCP
5072
TCP
5070
TCP
49
Service name
Port
Protocol
Notes
5067
TCP (TLS)
5068
TCP
5081
TCP
5082
TCP (TLS)
5065
TCP
4915265335
TCP
5073
TCP
5075
TCP
5076
TCP
50
Service name
Port
Protocol
service
Notes
service.
Not applicable
5066
TCP
5071
TCP
8404
TCP (MTLS)
5080
TCP
448
TCP
445
TCP
All Servers
SQL Browser
1434
UDP
Various
4915257500
TCP/UDP
51
Service name
Port
Protocol
Notes
Directors
5060
TCP
Directors
444
HTTPS
Directors
80
TCP
Directors
443
HTTPS
Directors
5061
TCP
Mediation Servers
5070
TCP
Mediation Servers
5067
TCP (TLS)
Mediation Servers
5068
TCP
Mediation Servers
5070
TCP (MTLS)
TCP
52
Port
Protocol
5061
TCP (TLS)
444
HTTPS
135
80
HTTP
8080
443
HTTPS
4443
5072
TCP
5073
TCP
5075
TCP
5076
TCP
5071
TCP
5080
TCP
448
TCP
53
Port
Protocol
5067
TCP (TLS)
5068
TCP
5070
TCP
443
HTTPS
444
HTTPS
5061
TCP
4443
5067
TCP (TLS)
5068
TCP
5070
TCP
Your Front End pools and Director pools that use DNS load balancing also must have a hardware
load balancer deployed. The following table shows the ports that need to be open on these
hardware load balancers.
Hardware Load Balancer Ports if Using DNS Load Balancing
Load Balancer
Port
Protocol
80
HTTP
443
HTTPS
8080
4443
443
HTTPS
54
Port
Protocol
444
HTTPS
4443
Port
Protocol
Notes
Clients
67/68
DHCP
Clients
443
TCP (TLS)
Clients
443
TCP (PSOM/TLS)
Clients
443
TCP
(STUN/MSTURN)
Clients
3478
UDP
(STUN/MSTURN)
Clients
5061
TCP (MTLS)
Clients
6891-6901
TCP
Clients
1024-65535 TCP/UDP
*
Clients
1024-65535 TCP/UDP
*
Clients
1024-65535 TCP
*
Clients
1024-65535 TCP
*
Application sharing.
Microsoft Lync
2010 Phone
Edition for Aastra
67/68
DHCP
55
Port
Protocol
Notes
6721ip common
area
phoneMicrosoft
Lync 2010 Phone
Edition for
Aastra 6725ip
desk phone
Microsoft Lync
2010 Phone
Edition for
Polycom CX500
common area
phone
Microsoft Lync
2010 Phone
Edition for
Polycom CX600
desk phone
* To configure specific ports for these media types, use the CsConferencingConfiguration cmdlet
(ClientMediaPortRangeEnabled, ClientMediaPort, and ClientMediaPortRange parameters).
Note:
The set programs for Lync Server clients automatically create the required operatingsystem firewall exceptions on the client computer.
Note:
The ports that are used for external user access are required for any scenario in which
the client must traverse the organizations firewall (for example, any external
communications or meetings hosted by other organizations).
IPsec Exceptions
For enterprise networks where Internet Protocol security (IPsec) (see IETF RFC 4301-4309) has
been deployed, IPsec must be disabled over the range of ports used for the delivery of audio,
video, and panorama video. The recommendation is motivated by the need to avoid any delay in
the allocation of media ports due to IPsec negotiation.
The following table explains the recommended IPsec exception settings.
56
Source IP
Destination IP
Protocol
Source port
Destination port
Filter action
Any
Any
Any
Permit
Any
Any
Any
Permit
Any
Any
Any
Permit
Any
Any
Any
Permit
Mediation Server
Inbound
Any
Mediation
Any
Any
Permit
Mediation Server
Outbound
Mediation
Any
Any
Any
Permit
Conferencing Attendant
Inbound
Any
Any
Any
Any
Permit
Conferencing Attendant
Outbound
Any
Any
Any
Any
Permit
A/V Conferencing
Inbound
Any
A/V Conferencing
Servers
Any
Any
Permit
A/V Conferencing
Servers
Any
Any
Any
Permit
Exchange Inbound
Any
Exchange Unified
Any
Any
Permit
Server(s)
Server(s)
57
Source IP
Destination IP
Protocol
Source port
Destination port
Filter action
Messaging
Application Sharing
Servers Inbound
Any
Application Sharing
Servers
TCP
Any
Any
Permit
Application Sharing
Server Outbound
Application Sharing
Servers
Any
TCP
Any
Any
Permit
Exchange Outbound
Exchange Unified
Messaging
Any
Any
Any
Permit
Clients
Any
Any
UDP
Specified
media port
range
Any
Permit
58
Feature
HTTP Redirection
Application Development
ASP.NET
Application Development
.NET Extensibility
Application Development
ISAPI Extensions
Application Development
ISAPI Filters
Logging Tools
Tracing
Security
Basic Authentication
Security
Windows Authentication
Management Tools
Management Tools
Security Note
If you are using IIS 7.0 on a Windows Server 2008 operating system, Lync Server 2010
Setup disables kernel mode authentication in IIS.
In This Section
IIS Requirements for Front End Pools and Standard Edition Servers
IIS Requirements for Front End Pools and Standard Edition Servers
For Standard Edition servers and Front End Servers, and Directors, the Microsoft Lync Server
2010 installer creates virtual directories in Internet Information Services (IIS) for the following
purposes:
59
To enable conferencing
To enable unified communications (UC) devices to connect to Device Update Web service
and obtain updates (for details, see Updating Devices in the Planning documentation)
Static Content
Default Document
HTTP Errors
ASP.NET
.NET Extensibility
ISAPI Filters
HTTP Logging
Logging Tools
Tracing
Windows Authentication
Request Filtering
The following table lists the URIs for the virtual directories for internal access and the file system
resources to which they refer.
Virtual Directories for Internal Access
Feature
Refers to
https://<Internal FQDN>/ABS/int/Handler
60
Refers to
http://<Internal FQDN>/AutoUpdate/Int
Conf
http://<Internal FQDN>/Conf/Int
Location of conferencing
resources for internal
users.
Device updates
http://<Internal
FQDN>/DeviceUpdateFiles_Int
Location of unified
communications (UC)
device update files for
internal UC devices.
Meeting
http://<Internal FQDN>/etc/place/null
Location of meeting
content for internal users.
http://<Internal
FQDN>/GroupExpansion/int/service.asmx
Phone Conferencing
http://<Internal
FQDN>/PhoneConferencing/Int
Location of phone
conferencing data for
internal users.
Device updates
http://<Internal FQDN>/RequestHandler
Response Group
application
http://<Internal FQDN>/RgsConfig
Location of Response
Group Configuration Tool.
http://<Internal FQDN>/RgsClients
61
ASP.NET 2.0
62