Configuring Lync 2010 on a Single Public IP for External Access (Port Summary)

This article documents the deviations from the guidelines on Microsoft Lync TechNet and in the Microsoft Lync Planning Tool, in regard to port numbers and DNS names, that are needed when you configure your Lync environment on a single public IP address.

At my current employer we have several small to medium sized customers who want to enjoy the benefits of a Microsoft Lync environment, but who cannot obtain three public IP addresses for it. Microsoft supports the use of one single public IP address with your Lync system; however, I found that this process is rarely documented on TechNet.

Overview

In this article I use one standard Lync Server on the LAN and one standard Edge Server placed in a DMZ. There is a firewall between the DMZ and the internal LAN, and of course there is a firewall between the public internet and the DMZ. The firewall uses NAT to translate public IP addresses to private ones. The configuration is shown in the picture below:

Initial Setup

During the setup of the Edge Server in the Lync Topology Builder wizard, make sure you configure the environment to use only one public IP address (clear the checkbox shown below):

Note that only one FQDN and one DMZ IP address can be entered; I advise naming the FQDN sip.yourdomain.com. The IP address you have to enter is that of the outside NIC of your Lync Edge Server. Because every service now gets its own port number instead of all services listening on port 443, a single public IP address suffices. I recommend keeping the default ports: 5061 (SIP Access Edge), 444 (Web Conferencing Edge) and 443 (A/V Edge).

Firewall Configuration

Take a look at the picture below showing the various ports that need to be opened on your firewalls. This is where the TechNet documentation and the Lync Planning Tool are not really up to par: the extra ports that result from using only one public IP address with separate ports are not included in the port summary of the Planning Tool. The picture and tables below summarize all ports that should be opened. 0.0.0.0 means any address.

Internet <-> DMZ (external firewall)

  Source                   Destination              Port                Protocol
  0.0.0.0 (any)            Outside NIC Forefront    80, 443             TCP
  Outside NIC Forefront    0.0.0.0 (any)            80, 443             TCP
  0.0.0.0 (any)            Outside NIC Lync Edge    443, 444, 5061      TCP
  0.0.0.0 (any)            Outside NIC Lync Edge    3478                UDP
  Outside NIC Lync Edge    0.0.0.0 (any)            53, 80, 443, 5061   TCP
  Outside NIC Lync Edge    0.0.0.0 (any)            53, 3478            UDP

DMZ <-> LAN (internal firewall)

  Source                   Destination              Port                          Protocol
  Inside NIC Forefront     Lync Server              8080, 4443                    TCP
  Inside NIC Forefront     Lync Server              443, 5061                     TCP
  Lync Server              Inside NIC Lync Edge     5061, 8057, 5062, 443, 4443   TCP
  Lync Server              Inside NIC Lync Edge     3478                          UDP

Note that when you do not allow all traffic from your internal LAN to your DMZ, you must also explicitly open ports 5061, 8057, 5062, 443 and 4443 (TCP) and 3478 (UDP) from your internal Lync Server towards the inside NIC of the Edge Server.

DNS Configuration

Configure your external DNS configuration as follows:

  Record name              Contents                                                              Type
  lync.company.nl          3.3.3.3 (public IP of the website published on the Forefront server)  A
  dialin.company.nl        3.3.3.3 (public IP of the website published on the Forefront server)  A
  meet.company.nl          3.3.3.3 (public IP of the website published on the Forefront server)  A
  sip.company.nl           2.2.2.2 (public IP of the Lync Edge Server)                           A
  _sip._tls.company.nl     sip.company.nl, port 5061                                             SRV

The A records speak for themselves: they correspond to the names configured for the websites and services in your Lync environment. The catch is the SRV record. Where you would normally point _sip._tls.company.nl to sip.company.nl on port 443, you now point it to port 5061. Yes, this is the port normally used for federation, but when all services share one IP address, both client SIP access and federation are handled on port 5061.
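The following PowerShell script is an added example and is not part of the original article; it checks, from a machine on the public internet, that the external firewall rules and the DNS records above are in place. The domain names, the public resolver address (8.8.8.8) and the 3-second UDP timeout are assumptions; replace them with your own values.

```powershell
# Added example (not from the original article): verify the single-IP Edge publication
# from the outside. Assumptions: names below, a public resolver, a 3 s UDP timeout.
$ExternalDns = '8.8.8.8'            # assumption: any resolver that sees your public zone
$SipDomain   = 'company.nl'         # assumption: the SIP domain used in the article's tables
$EdgeFqdn    = "sip.$SipDomain"     # Access Edge FQDN (single FQDN / single IP)
$ProxyNames  = "lync.$SipDomain", "dialin.$SipDomain", "meet.$SipDomain"

# --- A records: the three reverse-proxy names share one public IP, the Edge uses another ---
$addr = @{}
foreach ($n in $ProxyNames + $EdgeFqdn) {
    $rec = Resolve-DnsName -Name $n -Type A -Server $ExternalDns -ErrorAction Stop |
           Where-Object Type -eq 'A' | Select-Object -First 1
    $addr[$n] = $rec.IPAddress
    '{0,-22} A    {1}' -f $n, $addr[$n]
}
$proxyIps = @($ProxyNames | ForEach-Object { $addr[$_] } | Sort-Object -Unique)
if ($proxyIps.Count -ne 1 -or $addr[$EdgeFqdn] -eq $proxyIps[0]) {
    Write-Warning 'Proxy names must share one public IP and the Edge FQDN must resolve to a different one'
}

# --- SRV record: must target the Access Edge on 5061, not 443, in the single-IP layout ---
$srv = Resolve-DnsName -Name "_sip._tls.$SipDomain" -Type SRV -Server $ExternalDns -ErrorAction Stop |
       Where-Object Type -eq 'SRV'
foreach ($rec in $srv) {
    $ok = ($rec.NameTarget -eq $EdgeFqdn) -and ($rec.Port -eq 5061)
    '{0,-22} SRV  {1}:{2}  {3}' -f "_sip._tls.$SipDomain", $rec.NameTarget, $rec.Port,
        $(if ($ok) { 'OK' } else { 'WRONG TARGET/PORT' })
}

# --- External TCP exposure, straight from the article's Internet <-> DMZ table ---
$Expected = @(
    @{ Host = $EdgeFqdn;      Port = 5061; Role = 'SIP Access Edge'       },
    @{ Host = $EdgeFqdn;      Port = 444;  Role = 'Web Conferencing Edge' },
    @{ Host = $EdgeFqdn;      Port = 443;  Role = 'A/V Edge (TCP)'        },
    @{ Host = $ProxyNames[0]; Port = 443;  Role = 'Reverse proxy HTTPS'   },
    @{ Host = $ProxyNames[0]; Port = 80;   Role = 'Reverse proxy HTTP'    }
)
foreach ($e in $Expected) {
    $r = Test-NetConnection -ComputerName $e.Host -Port $e.Port -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'OPEN' } else { 'CLOSED/FILTERED' }
    '{0,-22} {1,-18} {2,5}/tcp  {3}' -f $e.Role, $e.Host, $e.Port, $state
}

# --- UDP 3478 (STUN/TURN) cannot be tested with Test-NetConnection; send one STUN Binding
# Request (type 0x0001, length 0, magic cookie 0x2112A442, 12-byte transaction ID).
# Any datagram back proves the firewall path is open; silence is inconclusive, as always with UDP.
$txid = [byte[]](1..12 | ForEach-Object { Get-Random -Maximum 256 })
$req  = [byte[]]((0x00,0x01, 0x00,0x00, 0x21,0x12,0xA4,0x42) + $txid)
$udp  = New-Object System.Net.Sockets.UdpClient
$udp.Client.ReceiveTimeout = 3000   # assumption: 3 s is enough on a normal internet path
try {
    [void]$udp.Send($req, $req.Length, $EdgeFqdn, 3478)
    $ep   = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
    $resp = $udp.Receive([ref]$ep)
    'STUN/TURN 3478/udp      reply of {0} bytes from {1}' -f $resp.Length, $ep.Address
} catch {
    'STUN/TURN 3478/udp      no reply within 3 s (path blocked or server silent): {0}' -f $_.Exception.Message
} finally {
    $udp.Close()
}
```

Run the TCP loop a second time from the Lync Server itself, with the hosts and ports of the DMZ <-> LAN table, to check the inside firewall. A CLOSED/FILTERED result for any port in the expected list, or an SRV record still pointing at port 443, is exactly the misconfiguration the planning tool's port summary does not warn you about.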

Federation

If you need to support federation / desktop sharing with federated partners that are still on Office Communications Server (OCS) 2007, or application sharing and file transfer with federated users on Windows Live Messenger, you also need to open the following ports on your firewalls. Port 5061 is still used for SIP access and federation, as described in the previous chapter.

  Source                   Destination              Port              Protocol
  0.0.0.0 (any)            Outside NIC Lync Edge    50,000 - 59,999   TCP & UDP
  Outside NIC Lync Edge    0.0.0.0 (any)            50,000 - 59,999   TCP & UDP

Dominique is an IT enthusiast who currently works as a consultant in the south of the Netherlands. He has a strong focus on Microsoft collaboration products (Microsoft Exchange, Lync) and Cisco wireless networking. He blogs about these technologies at www.techdom.nl

  • Diegoriera82

    Hi Dominique, I have one IP and a reverse proxy, and I must publish Lync Server and Edge Server using the reverse proxy. Is this possible?

    • http://www.techdom.nl Dominique Hermans

      Hi,

      I assume you mean you'll want to use only a single public IP address for both Forefront and Lync? I think it's possible when you are able to NAT stuff, but you'll have to configure the Lync services on ports other than 443, as you'll need this port for your Forefront address.

      Also, I don’t think this is a supported configuration.

  • Noor Khaldi

    Thanks for the information. I'm setting up my network with a single Edge Server and a single IP address. You mentioned that I need to change the port for the federation service to function; if I change the port using the SRV record, don't I need to change it on the Edge Server too?

    For example, I made the setup as you mentioned and created an SRV record for _sipfederationtls with port 5063 TLS, but I don't see an option anywhere on the Edge Server to change the port from 5061 to 5063.

    What do you think?

    • http://www.techdom.nl Dominique Hermans

      Hi Noor,

      It is also possible to change the SIP port to a value other than 5061 and leave the federation port at its default. I think this is a better solution.

  • Lynctech

    Nice article, I am wondering what the record name lync.company.nl is?

  • Pingback: Configuring Lync 2010 on a Single Public IP for External Access (Port Summary) | Techdom.nl « JC’s Blog-O-Gibberish

  • Pingback: Error 141: Cannot connect to the sharing server | Marius Ene

  • Ravi

    Hi Dominique,

    Very nice article, but I have one question: "Is it possible to configure the Edge Server with a single network adapter card?" If it is possible, please share the steps.

    Thanks
    Ravi

    • http://www.techdom.nl Dominique Hermans

      Hi Ravi,

      Unfortunately it's not possible to use only one NIC, since the Lync interface is built to use one external and one internal NIC.

  • Pingback: Lync Edge and TMG server firewall requirements – Rune's blog about things I see and UC

  • Richard Hart

    Hi Dominique,

    In the first diagram it seems to suggest two DMZ VLANs, as a lot of Microsoft documentation seems to advocate, but in the third diagram you are clearly only using one DMZ VLAN.

    Is it your experience that the Microsoft two-DMZ-VLAN "requirement" is seldom implemented in favour of the configuration you have described above? I realise this is slightly off topic, but I'm hoping you have some real-world experience of this, as your article suggests.

    Kind Regards

    Richard

    • http://www.techdom.nl Dominique Hermans

      Hi Richard,

      I use one DMZ VLAN and one internal VLAN, while the Forefront server only works when it has one internal NIC and one DMZ NIC (because it needs to authenticate against AD, and having it sit in the DMZ would require opening quite a bunch of ports).

      This same approach is recommended for the Lync Edge Server by Microsoft; however, here only the above-mentioned ports are used. This is why I keep both NICs in the DMZ and configure the firewall to only allow the above ports in the case of the Lync Edge, to add an additional layer of security.

      Kind regards,
      Dominique