Workload Architecture

CERTIFICATE REQUIREMENTS

Front End Server 1, Front End Server 2 (Pool)
FQDN: pool.<ad-domain>
Certificate SN: pool.<ad-domain>
Certificate SAN: pool.<ad-domain>,
EKU: server
Root certificate: private CA

Director 1, Director 2
FQDN: dir.<ad-domain>
Certificate SN: dir.<ad-domain>
Certificate SAN: dir.<ad-domain>,
EKU: server
Root certificate: private CA

SAN list continues with: sipinternal.<sip-domain>

Group Chat Server
FQDN: chatsrv.<ad-domain>
Certificate SN: chatsrv.<ad-domain>
Certificate SAN: N/A
EKU: server, client
Root certificate: private CA

Exchange UM Server
FQDN: umsrv.<ad-domain>
Certificate SN: umsrv.<ad-domain>
Certificate SAN: N/A
EKU: server
Root certificate: private CA

Monitoring Server
FQDN: monsrv.<ad-domain>
Certificate SN: monsrv.<ad-domain>
Certificate SAN: N/A
EKU: server
Root certificate: private CA

Mediation Server
FQDN: medsrv.<ad-domain>
Certificate SN: medsrv.<ad-domain>
Certificate SAN: N/A
EKU: server
Root certificate: private CA

Communicator Web Access Server
FQDN: cwasrv.<ad-domain>
Certificate SN: cwasrv.<ad-domain>
Certificate SAN: cwasrv.<ad-domain>, cwa.<sip-domain>, as.cwa.<sip-domain>, download.cwa.<sip-domain>
EKU: server
Root certificate: private CA

XMPP Gateway
(1) FQDN: xmppsrv.<sip-domain> (this FQDN is for connectivity to internal Edge Servers)
Certificate SN: xmppsrv.<sip-domain>
Certificate SAN: N/A
EKU: server
Root certificate: private CA
(2) FQDN: xmpp.<sip-domain> (this FQDN is for connectivity to external XMPP gateways)
Certificate SN: xmpp.<sip-domain>
Certificate SAN: N/A
EKU: server
Root certificate: public CA

Edge Server 1, Edge Server 2
Internal FQDN: intsrv.<ad-domain>
Certificate SN: intsrv.<ad-domain>
Certificate SAN:
EKU: server
Root certificate: private CA

Access FQDN: accesssrv.<sip-domain>
Certificate SN: accesssrv.<sip-domain>
Certificate SAN: accesssrv.<sip-domain>, sip.<sip-domain>
EKU: server, client*
Root certificate: public CA
*Required only for public IM connectivity with AIM

Conference FQDN: N/A
Certificate SN: conf.<sip-domain>
Certificate SAN: N/A
EKU: server
Root certificate: public CA

A/V FQDN: av.<sip-domain>
Certificate SN: av.<sip-domain>
Certificate SAN: N/A
EKU: server
Root certificate: private CA

IM and Presence Workload

Internal user sign-in process:
1. Client resolves DNS SRV record _sipinternaltls._tcp.<sip-domain> to Director.
2. Client connects to Director.
3. Director redirects client to user’s home pool.

External user sign-in process:
1. Client resolves DNS SRV record _sip._tls.<sip-domain> to Edge Server.
2. Client connects to Edge Server.
3. Edge Server proxies connection to Director.
4. Director authenticates user and proxies connection to user’s home pool.

Components shown: Communicator, Communicator Web Access Server, Directors, Pools (Front End Servers), Edge Servers, Group Chat Server, Group Chat Compliance Server, Exchange UM Server, Monitoring Server, Archiving Server, XMPP Gateway, Reverse proxy, Address book file share, Group Chat file share; public IM providers Yahoo!, AOL and MSN (SIP/MTLS); XMPP federation partners Gmail and Jabber (XMPP/TCP:5269).

Traffic:
· SIP traffic: signaling and IM. Clients connect over SIP/TLS:5061; servers connect to each other over SIP/MTLS:5061.
· HTTPS traffic: HTTPS:443 is used to download address book and updates; external users reach these through the reverse proxy (HTTPS:443).
· Kerberos used for user authentication; LDAP used to access Active Directory (Kerberos:88, LDAP:389).
· MSMQ traffic is sent to the Monitoring Server and the Archiving Server, and from the Group Chat Server to the Group Chat Compliance Server.
· XMPP traffic: the XMPP Gateway uses xmppsrv.<sip-domain> towards the internal Edge Servers and xmpp.<sip-domain> towards external XMPP gateways.
· Direction of arrow indicates which server initiates the connection. Subsequent traffic is bi-directional.

Edge Server 1, Edge Server 2 (multi-NIC support)
External side: Access Edge - SIP/TLS:443; Federated Access Edge - SIP/MTLS:5061; Web Conf Edge - PSOM/TLS:443; A/V Edge - STUN/TCP:443, STUN/UDP:3478; A/V Edge – SRTP:443,3478,50,000-59,999; XMPP/TCP:5269.
Internal side: SIP/MTLS:5061 from Directors and Pools; SIP/MTLS:5062 (MRAS traffic); PSOM/MTLS:8057; C3P/HTTPS:444; STUN/TCP:443, STUN/UDP:3478.
The A/V Edge must have publicly routable IP addresses. If using a single Edge Server, the public Edge IP addresses can be NAT-ed by your external firewall.

Port number to service traffic assignment:
5062 - IM Conferencing Service
5069 - Monitoring (QoE) Agent

Application Sharing Workload

Peer-to-peer application sharing session between Communicator clients.
· RDP/SRTP traffic: RDP/SRTP/TCP:49152-65535 between peers (also shown as 1024-65535); range of ports is configurable.
· 2 inbound and 2 outbound unidirectional streams.
· SIP traffic: signaling over SIP/TLS:5061 from clients and SIP/MTLS:5061 between Directors, Pools and Edge Servers.
· MRAS traffic: SIP/MTLS:5062.
· For external users this media traffic goes directly to the A/V Edge (STUN/TCP:443, STUN/UDP:3478; A/V Edge – SRTP:443,3478,50,000-59,999). The A/V Edge must have publicly routable IP addresses. If using a single Edge Server, the public Edge IP addresses can be NAT-ed by your external firewall.

Port number to service traffic assignment:
5062 - Media Relay Authentication Service
5065 - Application Sharing Conferencing Service
5069 - Monitoring (QoE) Agent
DNS Configuration
· Publish SRV record for _sipfederationtls._tcp.<sip-domain>, which resolves to the Access Edge FQDN, accesssrv.<sip-domain>.
· Publish SRV record for _sip._tls.<sip-domain>, which resolves to the Access Edge FQDN. This is required for federated and anonymous connections to Live Meetings.
· Publish SRV record for _xmpp-server._tcp.<sip-domain>, which resolves to the gateway NIC of the XMPP gateway.
· Publish A record for Access Edge FQDN, accesssrv.<sip-domain>, which resolves to the Access Edge public IP address.
· Publish A record for A/V Edge FQDN, av.<sip-domain>, which resolves to the A/V Edge public IP address.
· Publish A record for Conferencing Edge FQDN, conf.<sip-domain>, which resolves to the Conferencing Edge public IP address.
· Publish A record for Communicator Web Access to the reverse proxy FQDN, which resolves to the public IP address of the reverse proxy.
Reference: http://technet.microsoft.com/en-us/library/dd425238(office.13).aspx
http://technet.microsoft.com/en-us/library/dd425257(office.13).aspx
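
Added example (not part of the poster): a Python audit that compares a snapshot of external DNS against the SRV and A records listed above, flagging missing records, wrong SRV targets or ports, SRV targets with no A record, and Edge or proxy names that resolve to non-routable addresses. The SRV ports are an assumption taken from the edge labels on this poster (SIP/TLS:443, SIP/MTLS:5061, XMPP/TCP:5269); the sip-domain contoso.example, the reverse proxy name and the snapshot itself are constructed.

```python
import ipaddress

# Blocks that must not appear in an external A record for an Edge or proxy name (RFC 1918,
# loopback, link-local, CGNAT). Documentation ranges are left out so the sample can use 203.0.113.x.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]

def expected_external_records(sip_domain, reverse_proxy_fqdn):
    """SRV {name: (target, port)} and A names the poster says to publish externally.
    Ports are an assumption taken from the edge labels (SIP/TLS:443, SIP/MTLS:5061, XMPP 5269)."""
    access = f"accesssrv.{sip_domain}"
    srv = {
        f"_sip._tls.{sip_domain}": (access, 443),
        f"_sipfederationtls._tcp.{sip_domain}": (access, 5061),
        f"_xmpp-server._tcp.{sip_domain}": (f"xmpp.{sip_domain}", 5269),
    }
    return srv, [access, f"av.{sip_domain}", f"conf.{sip_domain}", reverse_proxy_fqdn]

def audit_external_dns(sip_domain, reverse_proxy_fqdn, srv_records, a_records):
    """srv_records: {srv name: (target, port)}; a_records: {name: ipv4 string}.
    Returns sorted findings; an empty list means the zone matches the poster."""
    want_srv, want_a = expected_external_records(sip_domain, reverse_proxy_fqdn)
    findings = set()
    for name, (target, port) in want_srv.items():
        got = srv_records.get(name)
        if got is None:
            findings.add(f"missing SRV {name}")
        elif (got[0].rstrip("."), got[1]) != (target, port):
            findings.add(f"SRV {name} -> {got[0]}:{got[1]}, expected {target}:{port}")
        if target not in a_records:  # a correct SRV is useless without its A record
            findings.add(f"SRV target {target} has no A record")
    for name in want_a:
        ip = a_records.get(name)
        if ip is None:
            findings.add(f"missing A {name}")
        elif any(ipaddress.ip_address(ip) in net for net in NON_ROUTABLE):
            findings.add(f"A {name} -> {ip} is not publicly routable")
    return sorted(findings)

# Constructed snapshot for the hypothetical sip-domain contoso.example: the _xmpp-server
# SRV record is absent and the A/V Edge name resolves to a private address.
SNAPSHOT_SRV = {
    "_sip._tls.contoso.example": ("accesssrv.contoso.example.", 443),
    "_sipfederationtls._tcp.contoso.example": ("accesssrv.contoso.example.", 5061),
}
SNAPSHOT_A = {
    "accesssrv.contoso.example": "203.0.113.10", "av.contoso.example": "192.168.1.20",
    "conf.contoso.example": "203.0.113.12", "proxy.contoso.example": "203.0.113.13",
}
```

Running audit_external_dns("contoso.example", "proxy.contoso.example", SNAPSHOT_SRV, SNAPSHOT_A) on the constructed snapshot reports the missing XMPP SRV record, its missing A record, and the private A/V Edge address.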

Firewall Configuration

Ports to open on external firewall:
accesssrv.<sip-domain>: TCP 443, TCP 5061
conf.<sip-domain>: TCP 443
av.<sip-domain>: TCP 443, UDP 3478, TCP 50,000-59,999
xmpp.<sip-domain>: TCP 5269

Ports to open on internal firewall:
accesssrv.<sip-domain>: TCP 5061, TCP 5062, TCP 5063, TCP 5064, TCP 5071, TCP 5072, TCP 5073, TCP 5074
conf.<sip-domain>: TCP 8057
av.<sip-domain>: TCP 443, UDP 3478, TCP 50,000-59,999

Reference: http://technet.microsoft.com/en-us/library/dd425238(office.13).aspx

A/V and Web Conferencing Workload

· SIP traffic: signaling. Clients connect to Directors and Pools over SIP/TLS:5061; servers connect over SIP/MTLS:5061.
· RTP/SRTP traffic: A/V conferencing. Clients reach the A/V Conferencing Service over SRTP/UDP:49152-65535. Traffic goes directly to the A/V Conferencing Service WITHOUT going through the pool’s hardware load balancer.
· PSOM traffic: Web Conferencing content + metadata. Clients reach the Web Conferencing Service over PSOM/TLS:8057 (PSOM/MTLS:8057 between servers). Traffic goes directly to the Web Conferencing Service WITHOUT going through the pool’s hardware load balancer.
· HTTPS traffic: HTTPS:443 is used to download meeting content + metadata + compliance file share; external users go through the reverse proxy.
· MRAS traffic: SIP/MTLS:5062.
· Edge Servers (multi-NIC support), external side: Access Edge - SIP/TLS:443; Web Conf Edge - PSOM/TLS:443; A/V Edge - STUN/TCP:443, STUN/UDP:3478; A/V Edge – SRTP:443,3478,50,000-59,999. Internal side: SIP/MTLS:5061, SIP/MTLS:5062, PSOM/MTLS:8057, STUN/TCP:443, STUN/UDP:3478.
· SRTP consists of two unidirectional streams. RTCP traffic piggy backs on the SRTP stream. Range of ports is configurable.
· This media traffic goes directly to the A/V Edge. The A/V Edge must have publicly routable IP addresses. If using a single Edge Server, the public Edge IP addresses can be NAT-ed by your external firewall.
· Media codec varies on workload:
  - RTAudio or SIREN for audio
  - RTVideo for video

Port number to service traffic assignment:
5062 - Media Relay Authentication Service
5063 - A/V Conferencing Service
5069 - Monitoring (QoE) Agent

Enterprise Voice Workload

· SIP traffic: Communicator to Pools over SIP/TLS:5061; Pools to Mediation Server over SIP/MTLS:5061; Mediation Server to the gateway side over SIP/TCP:5060,5061.
· Mediation Server connectivity to: IP-PSTN gateway, IP/PBX, Direct SIP, SIP trunk.
· RTP/SRTP traffic: SRTP/RTCP:60,000-64,000 on the Mediation Server; range of ports is configurable.
· Media codec varies on workload:
  - RTAudio
  - G.711
· MSMQ traffic to the Monitoring Server.
· For external users this media traffic goes directly to the A/V Edge (STUN/TCP:443, STUN/UDP:3478; A/V Edge – SRTP:443,3478,50,000-59,999). The A/V Edge must have publicly routable IP addresses. If using a single Edge Server, the public Edge IP addresses can be NAT-ed by your external firewall.

Port number to service traffic assignment:
5062 - Media Relay Authentication Service
5064 - Telephony Conferencing Service
5069 - Monitoring (QoE) Agent
5071 - Response Group Service
5072 - Conferencing Attendant Service
5073 - Conferencing Announcement Service
5074 - Outside Voice Control Service

Other servers shown in the topology: SQL back-end server, Update Server, Exchange UM Server, Group Chat Server, Archiving Server, Reverse proxy, XMPP gateway, Hardware load balancer.

Reference: http://technet.microsoft.com/en-us/library/dd425238(office.13).aspx

LEGEND
SIP traffic: signaling and IM
SIP traffic: signaling
HTTPS traffic
RDP/SRTP traffic
RTP/SRTP traffic
PSOM traffic
XMPP traffic
MSMQ traffic
MRAS traffic
SRV query
Hardware load balancer
External firewall / Internal firewall
Direction of arrow indicates which server initiates the connection. Subsequent traffic is bi-directional.

CLIENTS
Communicator, Communicator Phone Edition, Communicator Mobile, Communicator Web Access, Communicator For Mac, Office Communicator, Office Live Meeting, Attendant Console, Group Chat

http://TechNet.microsoft.com/office/OCS
http://twitter.com/DrRez
http://go.microsoft.com/fwlink/?LinkId=181907

Author: Rui Maximo — Designer: Ken Circeo
Reviewers: Rick Kingslan, Benoit Boudeville, Paul Brombley, Nick Smith, Brandon Taylor, Stefan Plizga, Greg Anthony

© 2009 Microsoft Corporation. Active Directory, Office, MSN, and any associated logos are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All rights reserved. Other trademarks or trade names mentioned herein are the property of their respective owners.
