This article documents the deviations that should be made to the guidelines described at Microsoft Lync Technet and the Microsoft Lync planning tool in regard to port numbers and DNS names when using a single public IP address to configure your Lync environment.
At my current employer we have several small to medium sized customers who want to enjoy the benefits of a Microsoft Lync environment, but don’t have the ability to obtain 3 public IP addresses for it. Microsoft supports the use of one single public IP address with your Lync system, however I found that this process is rarely documented on Technet.
In this article I will use 1 standard Lync Server on the LAN and 1 standard Edge Server that is placed in a DMZ. There is a firewall between the DMZ and the internal LAN, and ofcourse there is a firewall between the public internet and the DMZ. The firewall uses NAT to translate public IP addresses to private ones. The configuration is shown in the picture below:
During the setup phase of the Enterprise Edge server in the Lync Topology Wizard, make sure you configure the environment to use only 1 public IP address (disable the tick):
Note that only one FQDN / DMZ IP can be entered, I advise to call the FQDN sip.yourdomain.com. The IP Address that you’ll have to enter is the outside NIC of your Lync Edge Server. Note that all services receive a different portnumber instead of using port 443 on all services, which enables us to use only 1 public IP address. I recommend using the default ports 5061 (SIP Access), 443 (Audio / Video) and 444 (Web Conferencing Edge).
Take a look at the picture below stating the various ports that need to be opened on your firewall. This is where the technet documentation and the Lync Planning tool aren’t really up to par, as the ports that are added because we are using only 1 public IP address with seperate ports aren’t added to to port summary of the planning tool. The picture and tables below summarize all ports that should be opened.
|0.0.0.0||Outside NIC Forefront||80, 443||TCP|
|Outside NIC Forefront||0.0.0.0||80, 443||TCP|
|0.0.0.0||Outside NIC Lync Edge||443, 444, 5061||TCP|
|0.0.0.0||Outside NIC Lync Edge||3478||UDP|
|Outside NIC Lync Edge||0.0.0.0||53, 80, 443, 5061||TCP|
|Outside NIC Lync Edge||0.0.0.0||53, 3478||UDP|
|Inside NIC Forefront||Lync Server||8080, 4443||TCP|
|Inside NIC Forefront||Lync Server||443, 5061||TCP|
|Lync Server||Inside NIC Lync Edge||5061, 8057, 5062, 443, 4443||TCP|
|Lync Server||Inside NIC Lync Edge||3478||UDP|
Note that when you do not allow all traffic from your internal LAN to your DMZ, you should also open ports 5061, 8057, 5062, 443, 4443 (TCP) and 3478 (UDP) from your internal Lync server towards your edge server.
Configure your external DNS configuration as follows:
|lync.company.nl||220.127.116.11 (Public IP of the published website on the forefront server)||A|
|dialin.company.nl||18.104.22.168 (Public IP of the published website on the forefront server)||A|
|meet.company.nl||22.214.171.124 (Public IP of the published website on the forefront server)||A|
|sip.company.nl||126.96.36.199 (Public IP of the Lync Edge Server)||A|
|_sip._tls.company.nl||sip.company.nl, port 5061||SRV|
A records speak for themselves and will correspond to the configured name of the websites and services within your Lync environment. But the catch is in the SRV record. Where you would normally configure the SRV record to point to sip.company.nl at port 443, you should now configure it to use port 5061. And yes, it’s true that this port is normally used to enable federation, but when configuring all services on 1 IP, both sip and federation access will be handled over port 5061.
If you need to support federation / desktop sharing with federated partners that are still on Office Communication Server (OCS) 2007 or application sharing and file transfer with federated users on Windows Live Messenger, you need to open the following ports as well on your firewalls. Port 5061 should still be used for sip access and federation, as described in the previous chapter.
|0.0.0.0||Outside NIC Lync Edge||50.000 - 59.999||TCP & UDP|
|Outside NIC Lync Edge||0.0.0.0||50.000 - 59.999||TCP & UDP|