This article describes the system requirements of Lync Server 2010 and the steps necessary to create a Lync 2010 topology in a production environment with a single-forest, single-domain topology.
Lync 2010 Server Roles: Lync 2010 is delivered through the following server roles.
- Front End Server and Back End SQL Server
- A/V Conferencing Server
- Edge Server
- Mediation Server
- Monitoring Server
- Archiving Server
- Director
Lync 2010 Features:
- Instant messaging (IM) and presence are always enabled
- Audio Video Conferencing
- Enterprise Voice is the voice over IP (VoIP) solution
- Exchange UM features include enabling users to receive voice mail notices and listen to voice mail from Outlook or OWA, to access their Microsoft Exchange mailboxes using a telephone and to receive faxes in their Microsoft Exchange mailboxes.
- Federated partner/supplier users can easily send and receive IM messages, invite each other to meetings and see each other’s presence.
- IM and Enterprise Voice support for branch offices over the WAN link
Reference Topology with High Availability
How Lync 2010 communication works
Hardware Requirements:
| Hardware | Lync Front End | Director | DB, Archive, Monitor server |
| --- | --- | --- | --- |
| CPU | 64-bit processor | 64-bit processor | 64-bit processor |
| RAM | 16 GB | 4 GB | Min 16 GB for Archiving or Monitoring |
| System partition | 72 GB free disk space | 72 GB free disk space | 72 GB free disk space |
| Additional partition | Separate page file partition | Separate page file partition | Separate page file partition + other partition for DB & data |
| No. of NICs | 2 | 2 | 2 |
Operating Systems for Standard Front End, Director, Edge Server and Proxy Server:
- Windows Server 2008 R2 Standard/Enterprise/Datacenter with SP
- Windows Server 2008 Standard/Enterprise/Datacenter with SP
Clients OS:
- Windows 7 Pro, Enterprise with all patches installed via WSUS
- Windows Mobile
- IP phones such as Aastra/Cisco desk phone sets
Database Server:
- Microsoft SQL Server 2008 R2 Standard/Enterprise with SP x64
- Microsoft SQL Server 2005 Standard/Enterprise with SP3 x64
Additional Software:
- Microsoft .NET Framework 3.5 with SP1
- Silverlight 4.0
- Windows PowerShell 2.0
- Active Directory Administrative tools feature installed on Front End Server and Director
- Microsoft Forefront Threat Management Gateway (TMG) 2010 software.
Internet Information Services (IIS): Front End Servers and Standard Edition servers must run Internet Information Services (IIS), with the following modules:
- Static Content
- Default Document
- HTTP Errors
- ASP.NET
- .NET Extensibility
- Internet Server API (ISAPI) Extensions
- ISAPI Filters
- HTTP Logging
- Logging Tools
- Tracing
- Windows Authentication
- Request Filtering
- Static Content Compression
- IIS Management Console
- IIS Management Scripts and Tools
- Anonymous Authentication (This is installed by default when IIS is installed.)
- Client Certificate Mapping Authentication
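The prerequisite list above can be applied in one pass with the ServerManager module on Windows Server 2008 R2. The following script is an added example and is not part of the original article; the feature IDs are the Server 2008 R2 ServerManager names for the .NET Framework, the AD administrative tools and the IIS role services listed above (Anonymous Authentication ships with the base Web-Server role, so it has no separate entry). Silverlight and TMG are separate downloads and are not covered here.

```powershell
# Added example, not from the original article: install the Front End /
# Standard Edition prerequisites listed above on Windows Server 2008 R2 with
# the ServerManager module. Run from an elevated PowerShell 2.0 console.
Import-Module ServerManager

# .NET Framework 3.5 SP1 and the Active Directory administrative tools
$coreFeatures = @('NET-Framework-Core', 'RSAT-ADDS')

# IIS role services in the order of the module list above. Anonymous
# Authentication is part of the base Web-Server role, so it has no entry.
$iisFeatures = @(
    'Web-Server',
    'Web-Static-Content',    # Static Content
    'Web-Default-Doc',       # Default Document
    'Web-Http-Errors',       # HTTP Errors
    'Web-Asp-Net',           # ASP.NET
    'Web-Net-Ext',           # .NET Extensibility
    'Web-ISAPI-Ext',         # ISAPI Extensions
    'Web-ISAPI-Filter',      # ISAPI Filters
    'Web-Http-Logging',      # HTTP Logging
    'Web-Log-Libraries',     # Logging Tools
    'Web-Http-Tracing',      # Tracing
    'Web-Windows-Auth',      # Windows Authentication
    'Web-Filtering',         # Request Filtering
    'Web-Stat-Compression',  # Static Content Compression
    'Web-Mgmt-Console',      # IIS Management Console
    'Web-Scripting-Tools',   # IIS Management Scripts and Tools
    'Web-Client-Auth'        # Client Certificate Mapping Authentication
)

$features = $coreFeatures + $iisFeatures
$result = Add-WindowsFeature -Name $features

# Re-read the feature state instead of trusting the exit code alone
$missing = Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed }
if ($missing) {
    Write-Warning ("Not installed: " + (($missing | ForEach-Object { $_.Name }) -join ', '))
} else {
    Write-Host "All listed prerequisites are installed."
}
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning "A restart is required before running Lync Server setup."
}
```

Running the verification step after installation matters because Lync Server setup checks each role service individually; a single missing module (Client Certificate Mapping Authentication is the one most often forgotten) stops the Front End deployment wizard.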
Software installed automatically by Lync Server setup:
- Microsoft Visual C++ 2008 Redistributable
- Microsoft Visual J# version 2.0 Redistributable
- URL Rewrite Module version 2.0 Redistributable
- SQL Server 2008 Native Client
Network Requirements:
- For public switched telephone network (PSTN) integration, you can integrate by using either T1/E1 lines or SIP trunking
- Provision your network links to support throughput of 65 kilobits per second (Kbps) per audio stream and 500 Kbps per video stream, if enabled, during peak usage periods. A bidirectional audio or video session consists of two streams.
- WAN links for branch office servers
- Reverse proxy server in the Edge network
Supported configuration:
- Forest functional level of Windows Server 2008 R2, Windows Server 2008, or at least Windows Server 2003 native mode
- Single/Multiple Forests
- Single/Multiple Domains
- Federated Lync Server
- DNS Load balancing
Unsupported configuration:
- x86 Windows Server 2008
- x86 SQL server database
- RODC (read-only) domain controllers
Virtualizing Lync 2010 Server: Microsoft Lync Server 2010 supports all workloads and server roles in both physical and virtualized topologies. User capacity in a virtualized topology is roughly 50 percent of the capacity in a physical topology. For details, see Running in a Virtualized Environment in the Planning for Other Features documentation.
Examples of SIP and Domain Name System (DNS) Requirements
| Item | FQDN |
| --- | --- |
| SIP domain | Microsoftguru.com.au |
| Front End pool | mypool.Microsoftguru.com.au |
| Director pool | dir-pool.microsoftguru.com.au |
| Edge pool | myedge.microsoftguru.com.au |
Examples of DNS Records and IPs
| FQDN | Internal IP Address | Routable Public IP |
| --- | --- | --- |
| FrontEnd.Microsoftguru.com.au | 192.168.1.6 | x |
| Mediation.Microsoftguru.com.au | 192.168.1.7 | x |
| Director.Microsoftguru.com.au | 192.168.1.8 | x |
| Archiving.Microsoftguru.com.au | 192.168.1.9 | x |
| Monitor.Microsoftguru.com.au | 192.168.1.10 | x |
| Edge.microsoftguru.com.au | 192.168.1.11 | 203.9.x.1, 203.9.x.5, 203.9.x.3 |
| Proxy.microsoftguru.com.au | 192.168.1.12 | 203.9.x.4 |
Important: the Edge and reverse proxy servers are in a workgroup (not domain-joined) and use the microsoftguru.com.au DNS suffix.
Requirements of DNS SRV record for client auto login
| DNS SRV record for automatic login | Port |
| --- | --- |
| Service: _sipinternaltls; Protocol: _TCP; FQDN: Lync.Microsoftguru.com.au | 5061 |
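The SRV record in the table can be created with dnscmd.exe, which is present on Windows Server 2008 R2 DNS servers (the DnsServer PowerShell module only arrived with Server 2012), and then queried the same way a Lync client queries it during auto-login. This script is an added example and not part of the original article; the DNS server name is an assumption, while the zone, record name, target and port are the values from the table above.

```powershell
# Added example, not from the original article: create the client auto-login
# SRV record from the table above with dnscmd.exe and then query it the way a
# Lync client does. $dnsServer is an assumed name; the rest is the table's data.
$dnsServer = 'dc1.microsoftguru.com.au'   # assumed: the AD-integrated DNS server
$zone      = 'microsoftguru.com.au'
$node      = '_sipinternaltls._tcp'
$target    = 'Lync.Microsoftguru.com.au'
$port      = 5061

# dnscmd SRV record data is: Priority Weight Port TargetHost
& dnscmd $dnsServer /RecordAdd $zone $node SRV 0 0 $port $target
if ($LASTEXITCODE -ne 0) {
    throw "dnscmd /RecordAdd failed with exit code $LASTEXITCODE"
}

function Test-LyncAutoLoginSrv {
    # Returns $true when the SRV record resolves to the expected target and
    # port and the target host itself resolves to an address.
    param(
        [string]$SipDomain,
        [string]$ExpectedTarget,
        [int]$ExpectedPort
    )
    $name   = "_sipinternaltls._tcp.$SipDomain"
    $answer = (& nslookup -type=SRV $name 2>&1) | Out-String
    # Windows nslookup prints the answer as, for example:
    #   port           = 5061
    #   svr hostname   = lync.microsoftguru.com.au
    $targetOk = $answer -match ("svr hostname\s*=\s*" + [regex]::Escape($ExpectedTarget))
    $portOk   = $answer -match ("port\s*=\s*" + $ExpectedPort + "\b")
    if (-not ($targetOk -and $portOk)) {
        Write-Warning "SRV record $name is missing or does not point to ${ExpectedTarget}:$ExpectedPort"
        return $false
    }
    # A correct SRV record is useless if its target has no A record
    try {
        [void][System.Net.Dns]::GetHostAddresses($ExpectedTarget)
    } catch {
        Write-Warning "SRV target $ExpectedTarget does not resolve to an address"
        return $false
    }
    return $true
}

Test-LyncAutoLoginSrv -SipDomain $zone -ExpectedTarget $target -ExpectedPort $port
```

The target name of the SRV record must also appear in the Front End certificate (the sip SAN entry in the certificate table below), otherwise clients find the server but reject the TLS handshake.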
Necessary URLs and Ports
| Name | URL | Port |
| --- | --- | --- |
| Administrative Access | | 443 |
| Meeting | | 443 |
| Phone Dial-in | | 443 |
| Edge Access | https://internal.microsoftguru.com.au (internal) | 4443, 4061 |
| Director | | 443, 5060, 5061 |
Certificate Requirements for Internal Servers
| Certificate | Subject name / Common name | Example |
| --- | --- | --- |
| Default | FQDN of the pool | SN=FrontEnd.microsoftguru.com.au; SAN=mypool.microsoftguru.com.au; SAN=sip.microsoftguru.com.au (required if this pool is the auto-logon server for clients and strict DNS matching is required in the SAN) |
| Web Internal | FQDN of the server | SN=FrontEnd.microsoftguru.com.au; SAN=internal.microsoftguru.com.au; SAN=meet.microsoftguru.com.au; SAN=dialin.microsoftguru.com.au; SAN=admin.microsoftguru.com.au. Using a wildcard certificate: SN=FrontEnd.microsoftguru.com.au; SAN=internal.microsoftguru.com.au; SAN=*.microsoftguru.com.au |
| Web External | FQDN of the server | SN=FrontEnd.microsoftguru.com.au; SAN=external.microsoftguru.com.au; SAN=meet.microsoftguru.com.au; SAN=meet.fabrikam.com; SAN=dialin.microsoftguru.com.au. Using a wildcard certificate: SN=FrontEnd.microsoftguru.com.au; SAN=external.microsoftguru.com.au; SAN=*.microsoftguru.com.au |
Certificates for Director
| Certificate | Subject name / Common name | Example |
| --- | --- | --- |
| Default | FQDN of the Director pool | SN=dir-pool.microsoftguru.com.au; SAN=dir-pool.microsoftguru.com.au (required if this Director pool is the auto-logon server for clients and strict DNS matching is required in the SAN) |
| Web Internal | FQDN of the server | SN=Director.microsoftguru.com.au; SAN=Director.microsoftguru.com.au; SAN=meet.microsoftguru.com.au; SAN=dialin.microsoftguru.com.au; SAN=admin.microsoftguru.com.au. Using a wildcard certificate: SN=Director.microsoftguru.com.au; SAN=Director.microsoftguru.com.au; SAN=*.microsoftguru.com.au |
| Web External | FQDN of the server | The Director external web FQDN must be different from the Front End pool or Front End Server. SN=Director.microsoftguru.com.au; SAN=external1.microsoftguru.com.au; SAN=meet.microsoftguru.com.au; SAN=dialin.microsoftguru.com.au. Using a wildcard certificate: SN=Director.microsoftguru.com.au; SAN=external1.microsoftguru.com.au; SAN=*.microsoftguru.com.au |
Ports Requirements:
| Server role | Service name | Port | Protocol |
| --- | --- | --- | --- |
| Front End Servers | Lync Server Front-End service | 5060 | TCP |
| Front End Servers | Front-End service | 5061 | TCP (TLS) |
| Front End Servers | Front-End service | 444 | HTTPS TCP |
| Front End Servers | Lync Server Front-End service | 135 | DCOM and remote procedure call (RPC) |
| Front End Servers | Lync Server IM Conferencing service | 5062 | TCP |
| Front End Servers | Lync Server Web Conferencing service | 8057 | TCP (TLS) |
| Front End Servers | Web Conferencing Compatibility Service | 8058 | TCP (TLS) |
| Front End Servers | Lync Server Audio/Video Conferencing service | 5063 | TCP |
| Front End Servers | Lync Server Audio/Video Conferencing service | 57501-65335 | TCP/UDP |
| Front End Servers | Web Compatibility service | 80 | HTTP |
| Front End Servers | Lync Server Web Compatibility service | 443 | HTTPS |
| Front End Servers | Lync Server Conferencing Attendant service (dial-in conferencing) | 5064 | TCP |
| Front End Servers | Lync Server Conferencing Attendant service (dial-in conferencing) | 5072 | TCP |
| Front End Servers that also run a collocated Mediation Server | Lync Server Mediation service | 5070 | TCP |
| Front End Servers that also run a collocated Mediation Server | Lync Server Mediation service | 5067 | TCP (TLS) |
| Front End Servers that also run a collocated Mediation Server | Lync Server Mediation service | 5068 | TCP |
| Front End Servers that also run a collocated Mediation Server | Lync Server Mediation service | 5081 | TCP |
| Front End Servers that also run a collocated Mediation Server | Lync Server Mediation service | 5082 | TCP (TLS) |
| Front End Servers | Lync Server Application Sharing service | 5065 | TCP |
| Front End Servers | Lync Server Application Sharing service | 49152-65335 | TCP |
| Front End Servers | Lync Server Conferencing Announcement service | 5073 | TCP |
| Front End Servers | Lync Server Call Park service | 5075 | TCP |
| Front End Servers | Audio Test service | 5076 | TCP |
| Front End Servers | Not applicable | 5066 | TCP |
| Front End Servers | Lync Server Response Group service | 5071 | TCP |
| Front End Servers | Lync Server Response Group service | 8404 | TCP (MTLS) |
| Front End Servers | Lync Server Bandwidth Policy Service | 5080 | TCP |
| Front End Servers | Lync Server Bandwidth Policy Service | 448 | TCP |
| Front End Servers where the Central Management store resides | CMS Replication service | 445 | TCP |
| All internal servers | Various | 49152-57500 | TCP/UDP |
| Directors | Lync Server Front-End service | 5060 | TCP |
| Directors | Lync Server Front-End service | 5061 | TCP |
| Mediation Servers | Lync Server Mediation service | 5070 | TCP |
| Mediation Servers | Lync Server Mediation service | 5067 | TCP (TLS) |
| Mediation Servers | Lync Server Mediation service | 5068 | TCP |
| Mediation Servers | Lync Server Mediation service | 5070 | TCP (MTLS) |
Required Client Ports
| Component | Port | Protocol |
| --- | --- | --- |
| Clients | 67/68 | DHCP |
| Clients | 443 | TCP (TLS) |
| Clients | 443 | TCP (PSOM/TLS) |
| Clients | 443 | TCP (STUN/MSTURN) |
| Clients | 3478 | UDP (STUN/MSTURN) |
| Clients | 5061 | TCP (MTLS) |
| Clients | 6891-6901 | TCP |
| Clients | 1024-65535 * | TCP/UDP |
| Clients | 1024-65535 * | TCP/UDP |
| Clients | 1024-65535 * | TCP |
| Clients | 1024-65535 * | TCP |
| Aastra 6721ip common area phone, Aastra 6725ip desk phone, Polycom CX500 common area phone, Polycom CX600 desk phone | 67/68 | DHCP |
FF TMG 2010 Reverse Proxy Firewall Rule Configuration:
Edge External Interface

| Protocol | Port | Firewall Direction | Description |
| --- | --- | --- | --- |
| HTTP | 80 | Out | Checking certificate revocation lists |
| DNS | 53 | Out | External DNS queries |
| SIP / TLS | 443 | In | Client to server SIP traffic for remote user access |
| SIP / MTLS | 5061 | In / Out | Federation and connectivity with a hosted service |
| PSOM / TLS | 443 | In | Remote user access to conferences for anonymous and federated users |
| RTP / TCP | 50,000 – 59,999 | Out | Media exchange |
| RTP / TCP | 50,000 – 59,999 | In | Media exchange required for Office Communications Server 2007 R2 interoperability |
| RTP / UDP | 50,000 – 59,999 | In / Out | Media exchange required for Office Communications Server 2007 interoperability |
| STUN / MSTURN / UDP | 3478 | In / Out | External user access to A/V sessions (UDP) |

Edge Internal Interface

| Protocol | Port | Firewall Direction | Description |
| --- | --- | --- | --- |
| SIP / MTLS | 5061 | In / Out | SIP traffic |
| PSOM / MTLS | 8057 | Out | Web conferencing traffic from pool to Edge Server |
| SIP / MTLS | 5062 | Out | Authentication of A/V users (A/V authentication service) |
| STUN / MSTURN / UDP | 3478 | Out | Preferred path for media transfer between internal and external users (UDP) |
| STUN / MSTURN / TCP | 443 | Out | Alternate path for media transfer between internal and external users (TCP) |
| HTTPS | 4443 | Out | Pushing Central Management store updates to Edge Servers |
| HTTP | 80 | Out | Checking certificate revocation lists from the YVW certificate authority |

Reverse Proxy External Interface

| Protocol | Port | Firewall Direction | Description |
| --- | --- | --- | --- |
| HTTP | 80 | In | (Optional) Redirection to HTTPS if a user accidentally enters http://<publishedSiteFQDN> |
| HTTPS | 443 | In | Address book downloads, Address Book Web Query service, client updates, meeting content, device updates, group expansion, dial-in conferencing, and meetings |

Reverse Proxy Internal Interface

| Protocol | Port | Firewall Direction | Description |
| --- | --- | --- | --- |
| HTTPS | 4443 | In | Traffic sent to 443 on the reverse proxy external interface is redirected to a pool on port 4443 from the reverse proxy internal interface so that the pool web services can distinguish it from internal web traffic |
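Once the server port table and the TMG rules above are in place, the quickest way to find a rule that was mis-typed or a service that never started is a table-driven TCP connect test run from where the traffic actually originates (an internal management host for the server ports, a host outside the perimeter for the Edge external rules). The script below is an added example and not part of the original article; host names and ports are the article's sample values, and only TCP ports are tested, since UDP 3478 and the RTP ranges need a real media session rather than a socket connect to prove anything.

```powershell
# Added example, not from the original article: check TCP reachability of the
# ports in the server port table and the Edge external firewall table above.
# Host names are the article's sample values; UDP ports are not covered.
function Test-TcpPort {
    # Returns $true if a TCP handshake to $ComputerName:$Port completes in time.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-PortList {
    # $Checks is a list of hashtables with Host, Port and Purpose; emits one
    # result object per check so the output can be filtered or exported.
    param([hashtable[]]$Checks)
    foreach ($c in $Checks) {
        New-Object PSObject -Property @{
            Host    = $c.Host
            Port    = $c.Port
            Purpose = $c.Purpose
            Open    = Test-TcpPort -ComputerName $c.Host -Port $c.Port
        }
    }
}

# From the server port table: run from an internal management host
$internalChecks = @(
    @{ Host = 'FrontEnd.microsoftguru.com.au';  Port = 5061; Purpose = 'Front-End service (TLS)' },
    @{ Host = 'FrontEnd.microsoftguru.com.au';  Port = 444;  Purpose = 'Front-End service (HTTPS)' },
    @{ Host = 'FrontEnd.microsoftguru.com.au';  Port = 443;  Purpose = 'Web services' },
    @{ Host = 'FrontEnd.microsoftguru.com.au';  Port = 8057; Purpose = 'Web Conferencing service' },
    @{ Host = 'Director.microsoftguru.com.au';  Port = 5061; Purpose = 'Director Front-End service' },
    @{ Host = 'Mediation.microsoftguru.com.au'; Port = 5067; Purpose = 'Mediation service (TLS)' }
)

# From the Edge external interface table: run from outside the perimeter
$edgeChecks = @(
    @{ Host = 'edge.microsoftguru.com.au'; Port = 443;  Purpose = 'SIP/TLS and PSOM for remote users' },
    @{ Host = 'edge.microsoftguru.com.au'; Port = 5061; Purpose = 'SIP/MTLS federation' }
)

$results = Test-PortList -Checks ($internalChecks + $edgeChecks)
$results | Format-Table Host, Port, Open, Purpose -AutoSize

# Anything expected but closed is a firewall rule or a stopped service to chase down
$closed = @($results | Where-Object { -not $_.Open })
if ($closed.Count -gt 0) { Write-Warning ("{0} expected port(s) not reachable" -f $closed.Count) }
```

Keep the check lists next to the firewall change record: a port that later turns up open but is not in either table is as worth a question as one that is expected and closed.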
Install Lync Planning Tool: Microsoft Lync Server 2010 Planning Tool is a wizard that interactively asks you a series of questions about your organization, the Lync Server features you want to enable, and your capacity planning needs. It then creates a recommended deployment topology based on your answers, and produces several forms of output to aid your planning and installation.
Create a Topology: Topology Builder is an installation component of Lync Server 2010. You use Topology Builder to create, adjust and publish your planned topology. It also validates your topology before you begin server installations. When you install Lync Server on individual servers, the servers read the published topology as part of the installation process, and the installation program deploys the server as directed in the topology.
1. Enter a descriptive name for Site Name, for example MyCompany or your company name.
2. Enter the number of users in your organization, for example 1000.
3. Under Online Collaboration, ensure that Dial-in Conferencing is unchecked.
4. Under Server Applications, uncheck Call Admission Control.
5. Click Next to continue.

If you would like to create a design document, you can export the topology to Microsoft Visio or Microsoft Excel: from the File menu, select Export, then Export to Visio or Export to Excel.
View the site topology you just created using Topology Builder:
1. From the Planning Tool Actions pane, view the hardware resources required in this global topology.
2. Double-click the MyCompany site.
3. Notice the three tabbed pages at the bottom of the page: Site Topology, Edge Network Diagram and Edge Admin Report.
4. On the Site Topology page, move the mouse pointer over the icons for a description of each role.
5. Click an icon to see server and port requirements.
Modify Edge Network Diagram: Click on the Edge Network diagram, update the FQDN and IP addresses of each server role in the network diagram by double-clicking the sample data in red.
| Role | FQDN | IP Address |
| --- | --- | --- |
| FrontEnd Lync Server | FrontEnd.microsoftguru.com.au | 192.168.1.6 |
| Director | director.microsoftguru.com.au | 192.168.1.8 |
| Reverse Proxy Server | proxy.microsoftguru.com.au | 192.168.1.12, 203.9.x.4 |
| Edge Server | edge.microsoftguru.com.au | 192.168.1.11, 203.9.x.1 (access), 203.9.x.5 (web), 203.9.x.3 (av) |
| Reverse Proxy External FQDN | proxy.microsoftguru.com.au | 203.9.x.4 |
| External Access Edge service URL | external.microsoftguru.com.au | 203.9.x.1 |
| External Web Conferencing Edge service URL | external.microsoftguru.com.au | 203.9.x.5 |
| External A/V Edge service URL | External1.microsoftguru.com.au | 203.9.x.3 |
Export Topology to Topology Builder
Modify the Topology Using Topology Builder: Now import the topology from the Planning Tool and modify it in Topology Builder, in preparation for publishing the topology. Install Topology Builder and import the topology from the Planning Tool.
Edit Topology: After importing the topology file from the Planning Tool into Topology Builder, you must make some edits to the topology before you can publish it. In the left-hand pane of Topology Builder you will see a few small red X icons, indicating errors in the topology. To begin resolving these topology issues, follow the guidance below.
Modify Topology in Topology Builder
Configure Administration URL
Review and Save Topology: The topology file should now be ready to be published. Let's validate the topology settings before publishing:
- Default SIP domain: microsoftguru.com.au
- Phone access URLs: https://dialin.microsoftguru.com.au
- Meeting URLs: https://meet.microsoftguru.com.au
- Administrative access URL: https://admin.contos.net
- Central Management Server: FrontEnd.microsoftguru.com.au
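After the topology has been published, the values listed above can be read back from the Central Management store rather than from the Topology Builder screen, which catches a publish that silently used an older file. The script below is an added example and not part of the original article; it uses Lync Server 2010 Management Shell cmdlets (Test-CsTopology, Get-CsSipDomain, Get-CsSimpleUrlConfiguration, Get-CsService) and the expected values are the ones from this article.

```powershell
# Added example, not from the original article: after publishing, confirm from
# the Lync Server Management Shell that the published topology carries the
# values listed above. Expected values are the article's; run on a Front End.
$expected = @{
    SipDomain = 'microsoftguru.com.au'
    Dialin    = 'https://dialin.microsoftguru.com.au'
    Meet      = 'https://meet.microsoftguru.com.au'
    Admin     = 'https://admin.contos.net'
    Cms       = 'FrontEnd.microsoftguru.com.au'
}

function Get-PublishedTopologyValues {
    # Reads the default SIP domain, the active simple URLs and the CMS pool
    # from the published topology.
    $defaultDomain = (Get-CsSipDomain | Where-Object { $_.IsDefault }).Name
    $urls = Get-CsSimpleUrlConfiguration -Identity Global | Select-Object -ExpandProperty SimpleUrl
    $byComponent = @{}
    foreach ($u in $urls) {
        # Component is Meet, Dialin or Cscp (the Control Panel / admin URL).
        # With several SIP domains there is one Meet entry per domain; the
        # single-domain topology in this article has exactly one.
        $byComponent[$u.Component] = $u.ActiveUrl
    }
    New-Object PSObject -Property @{
        SipDomain = $defaultDomain
        Dialin    = $byComponent['Dialin']
        Meet      = $byComponent['Meet']
        Admin     = $byComponent['Cscp']
        Cms       = (Get-CsService -CentralManagement).PoolFqdn
    }
}

function Compare-TopologyValues {
    # Returns one line per setting whose published value differs from $Expected.
    param([hashtable]$Expected, $Actual)
    $mismatches = @()
    foreach ($key in $Expected.Keys) {
        $actualValue = $Actual.$key
        if ([string]$actualValue -ne [string]$Expected[$key]) {
            $mismatches += ("{0}: expected '{1}', published '{2}'" -f $key, $Expected[$key], $actualValue)
        }
    }
    return $mismatches
}

# Validate the published topology itself; the report is written to the temp folder
Test-CsTopology -Report "$env:TEMP\lync-topology-report.xml"

$actual = Get-PublishedTopologyValues
$diff = @(Compare-TopologyValues -Expected $expected -Actual $actual)
if ($diff.Count -eq 0) { Write-Host "Published topology matches the planned values." }
else { $diff | ForEach-Object { Write-Warning $_ } }
```

String comparison in PowerShell is case-insensitive by default, which is the right behaviour for FQDNs here; if a URL mismatch is reported, it is the scheme or host that differs, not the letter case.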
Prepare first Standard Edition Server
The following URLs will be handy once you have built your topology:
- Install and Configure Lync Front End Server
- Download Microsoft Lync Server 2010 180-Day Trial
- Microsoft Lync Server 2010 Mobility Service and Microsoft Lync Server 2010 Autodiscover Service
Hi,
I have seen you've some knowledge about MS products ;-).
I have one thing to solve: set up QoS in a network where I can't use GPO on the clients to mark packets. So I have to do the marking on switches. What is the best way to recognize voice and video packets from Lync? As I can see from sniffing, it uses a wide range of ports, and this port range seems to be undefined (from >1024 to 65535). Do you have any suggestion?
Thank you
Pavel
Hello Pavel,
Thanks for visiting my site. You have to clarify a few things. What are you trying to achieve by sniffing packets? Can you please tell me to and from where you will be sniffing?
Regards,
Raihan
Hi,
I have been sniffing the NIC of a client during the conversation.
Thanks
Pavel
Hi Raihan,
I've some issues with Lync 2010 Standard Edition:
I installed Lync 2010 Std Ed. for 600 users (single server); it was working fine (IM/voice/video) on my default site, but my other sites can't start video/voice conferences. Those sites are connected by site-to-site VPN over PPTP and we're using FF TMG 2010 on both sides.
Do you have any idea about this? Now I'm uninstalling and I'd like to make a new environment setup.
I can send the design infrastructure to you.
Thanks.
Edu – Reayit/Br
More information:
I don't have any restrictions in the rules for the site-to-site VPN; all protocols are permitted.
Lync Deployment Guide http://microsoftguru.com.au/category/windows-2008-server/
If your sites are in similar VLANs and use your head office proxy, then a single Standard Edition Lync should work. However, for a proper Lync deployment and external access you must configure Lync Edge in the DMZ, a VoIP gateway and a reverse proxy. You can find all the guides on my site; just browse the categories.
Thanks Raihan, I'll try with these instructions and I'll comment on my results.
This site is really helpful. Wondering if I can get some comments about the issue we are having.
We have Lync deployed in a virtual environment. We noticed video calls are choppy when we add more than two people to a video conference.
We also have a physical deployment of Lync Server in a different pool. If we move the meeting host user to the physical box, video conferencing works fine.
It's the same network, so I don't think it's a bandwidth, QoS or network connectivity issue.
Any ideas? Recommendations will be appreciated.
Thanks for visiting my site. I am not certain how your virtual environment is configured with vSwitch/vDS and Cisco infrastructure. Have you checked the vSwitch properties for any security or firewall configuration? Upgrade VM Tools to the latest version. Use the VMXNET3 NIC. Check ESXi Host > Configuration > Network Adapter: is it full-duplex Gigabit? Do you manage bandwidth? Do you manage bandwidth on the Cisco side?