{"id":818,"date":"2014-02-05T14:20:59","date_gmt":"2014-02-05T12:20:59","guid":{"rendered":"http:\/\/blog.lync2013.org\/?p=818"},"modified":"2014-05-07T13:10:23","modified_gmt":"2014-05-07T13:10:23","slug":"part-2-draft-chapter-6-dns-certificate-firewall-requirements-lync-server-2013","status":"publish","type":"post","link":"https:\/\/modern-workplace.uk\/?p=818","title":{"rendered":"Part 2 of the draft: Chapter 6 DNS, Certificate and Firewall Requirements for Lync Server 2013"},"content":{"rendered":"<h4><span style=\"font-family: Georgia, Palatino;\">Infrastructure requirements<\/span><\/h4>\n<p>&nbsp;<\/p>\n<p><span style=\"font-family: Georgia, Palatino; font-size: 12pt;\">Now that I have outlined the building blocks of a Lync infrastructure, there are three more topics to understand if we want a working infrastructure:<\/span><\/p>\n<ul>\n<li><span style=\"font-family: Georgia, Palatino; font-size: 12pt;\">Firewall rules required to allow communication between Lync clients, Lync servers and the aforementioned non-Lync servers that provide the additional services we need<\/span><\/li>\n<li><span style=\"font-family: Georgia, Palatino; font-size: 12pt;\">DNS settings to make Lync services available both on the internal network and from the Internet<\/span><\/li>\n<li><span style=\"font-family: Georgia, Palatino; font-size: 12pt;\"><span style=\"font-family: Georgia, Palatino; font-size: 12pt;\">Structure of the certificates. 
Lync is secure by design, and digital certificates are mandatory for every Lync 2013 infrastructure<\/span><\/span><\/li>\n<\/ul>\n<hr \/>\n<h4><span style=\"font-family: Georgia, Palatino;\">Firewall Rules Required for Lync Server 2013<\/span><\/h4>\n<p>&nbsp;<\/p>\n<p><span style=\"font-family: Georgia, Palatino;\">A deep dive into firewall rules for Lync Server 2013 should include the TechNet article <i>Port Requirements<\/i> <a href=\"http:\/\/technet.microsoft.com\/en-us\/library\/gg398798.aspx\">http:\/\/technet.microsoft.com\/en-us\/library\/gg398798.aspx<\/a> and the <i>Lync 2013 Protocol Workloads poster<\/i> <a href=\"http:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=39968\">http:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=39968<\/a> (to check the requirements for the different scenarios). However, to make the topic easier to understand, I have tried to build an explanation based on a few assumptions.<\/span><\/p>\n<ul>\n<li><span style=\"font-family: Georgia, Palatino;\">The first assumption I will make here is that your network has a segregated DMZ to make services available to the Internet in a secure manner. Two of the possible solutions for such a deployment are:<\/span><\/li>\n<li>Using two firewalls. <strong style=\"font-family: sans-serif; font-size: medium; font-style: normal; font-variant: normal; line-height: normal;\">Note<\/strong>: usually the technology used for the firewalls is not important. 
However, if a SIP trunk is required in our scenario, it is important to have a <strong style=\"font-family: sans-serif; font-size: medium; font-style: normal; font-variant: normal; line-height: normal;\">SIP Application-level gateway<\/strong> (<strong style=\"font-family: sans-serif; font-size: medium; font-style: normal; font-variant: normal; line-height: normal;\">ALG<\/strong>).<\/li>\n<li>A three-legged firewall that creates a logical demilitarized zone<\/li>\n<\/ul>\n<p><span style=\"font-family: Georgia, Palatino;\">From a functionality point of view, there is no difference in the result between the first option and the second one. A single firewall implies a single point of failure and a higher security risk, because a single Internet-connected device is exposed both on the DMZ and on the internal network. Having two different firewalls, a front firewall (<b>FW2<\/b>) and a back firewall (<b>FW1<\/b>), as shown in figure 6.7, is more secure, especially if we use two different platforms or security solutions. 
In that scenario, an exploitable security vulnerability in one firewall technology will not affect the second firewall.<\/span><\/p>\n<figure id=\"attachment_1009\" aria-describedby=\"caption-attachment-1009\" style=\"width: 808px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/modern-workplace.uk\/\/wp-content\/uploads\/2014\/05\/6_7.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-1009\" src=\"https:\/\/modern-workplace.uk\/\/wp-content\/uploads\/2014\/05\/6_7.png\" alt=\"A layout including only firewalls and networks that will have an impact on our Lync deployment\" width=\"808\" height=\"180\" srcset=\"https:\/\/modern-workplace.uk\/wp-content\/uploads\/2014\/05\/6_7.png 808w, https:\/\/modern-workplace.uk\/wp-content\/uploads\/2014\/05\/6_7-300x66.png 300w, https:\/\/modern-workplace.uk\/wp-content\/uploads\/2014\/05\/6_7-200x44.png 200w, https:\/\/modern-workplace.uk\/wp-content\/uploads\/2014\/05\/6_7-580x129.png 580w\" sizes=\"auto, (max-width: 808px) 100vw, 808px\" \/><\/a><figcaption id=\"caption-attachment-1009\" class=\"wp-caption-text\">A layout including only firewalls and networks that will have an impact on our Lync deployment<\/figcaption><\/figure>\n<p style=\"text-align: left;\" align=\"center\"><span style=\"font-family: Georgia, Palatino;\"><em>Figure 6.7: layout including only firewalls and networks that will have an impact on our Lync deployment<\/em><\/span><\/p>\n<ul>\n<li><span style=\"font-family: Georgia, Palatino;\">The second assumption is that we will not deploy High Availability or load balancing systems (including Enterprise Edition pools of Lync Front Ends). 
Although you may require them in a real-world design, they add a configuration overhead that does not help in understanding the fundamentals of Lync Server 2013 network traffic requirements<\/span><\/li>\n<li><span style=\"font-family: Georgia, Palatino;\">The third assumption is that we will use NAT every time a public IP is required. Exposing a server directly to the Internet is usually not the best security option available<\/span><\/li>\n<li><span style=\"font-family: Georgia, Palatino;\">The fourth assumption is that the Edge Server will use three addresses on the &#8220;external&#8221; network interface card to expose services to the Internet. The addresses are the ones we have already seen:<\/span><\/li>\n<\/ul>\n<figure id=\"attachment_1010\" aria-describedby=\"caption-attachment-1010\" style=\"width: 196px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/modern-workplace.uk\/\/wp-content\/uploads\/2014\/05\/6_8.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-1010\" src=\"https:\/\/modern-workplace.uk\/\/wp-content\/uploads\/2014\/05\/6_8.png\" alt=\"Edge_IPs\" width=\"196\" height=\"106\" \/><\/a><figcaption id=\"caption-attachment-1010\" class=\"wp-caption-text\">Edge_IPs<\/figcaption><\/figure>\n<ul>\n<li><span style=\"font-family: Georgia, Palatino;\">The last assumption is that no integration or connection with Office Communications Server 2007 deployments or clients is required<\/span><\/li>\n<\/ul>\n<p><span style=\"font-family: Georgia, Palatino;\">We will have to allow the following types of network traffic:<\/span><\/p>\n<p><span style=\"font-family: Georgia, Palatino;\">6.1 From servers in the DMZ to servers in the internal network<\/span><\/p>\n<p><span style=\"font-family: Georgia, Palatino;\">6.2 From servers in the DMZ to the external network<\/span><\/p>\n<p><span style=\"font-family: Georgia, Palatino;\">6.3 From the external network 
to servers in the DMZ<\/span><\/p>\n<p><span style=\"font-family: Georgia, Palatino;\">6.4 From servers in the internal network to servers in the DMZ<\/span><\/p>\n<p><span style=\"font-family: Georgia, Palatino;\">6.5 Network traffic related to Lync clients in the internal network<\/span><\/p>\n<p><span style=\"font-family: Georgia, Palatino;\"><b>Note<\/b>: point 6.5 of the list is relevant only if you have firewalls (or end-point firewalls) separating the networks containing the Lync clients from the networks containing the Lync servers.<\/span><\/p>\n<hr \/>\n<h4><span style=\"font-family: Georgia, Palatino;\">6.1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Network Traffic from Servers in the DMZ to Servers in the Internal Network<\/span><\/h4>\n<p>&nbsp;<\/p>\n<p><span style=\"font-family: Georgia, Palatino;\">On the Back-End firewall, FW1, for traffic starting from the <b>reverse proxy<\/b>, the following ports will be required.<\/span><\/p>\n<table border=\"0\" width=\"690\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td colspan=\"6\" valign=\"top\" width=\"690\">\n<p align=\"center\"><span style=\"font-family: Georgia, Palatino;\"><b>Reverse proxy Rules on Back-End firewall (FW1)<\/b><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Source Interface<\/b><\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Protocol<\/b><\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Source Port<\/b><\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Destination Port<\/b><\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Destination<\/b><\/span><\/td>\n<td valign=\"top\" width=\"129\"><span style=\"font-family: Georgia, Palatino;\"><b>Service<\/b><\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Internal NIC of the reverse 
proxy<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">TCP (HTTPS)<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Any<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">4443<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Lync Front End<\/span><\/td>\n<td valign=\"top\" width=\"129\"><span style=\"font-family: Georgia, Palatino;\">Web Services on the Lync Front End<\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Internal NIC of the reverse proxy<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">TCP (HTTPS)<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Any<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">443<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Office Web Apps Server<\/span><\/td>\n<td valign=\"top\" width=\"129\"><span style=\"font-family: Georgia, Palatino;\">PowerPoint presentation sharing<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span style=\"font-family: Georgia, Palatino;\">\u00a0<\/span><\/p>\n<p><span style=\"font-family: Georgia, Palatino;\">On the Back-End firewall, FW1, for traffic starting from the <b>Edge Server<\/b>, the following ports will be required.<\/span><\/p>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td colspan=\"6\" valign=\"top\">\n<p align=\"center\"><span style=\"font-family: Georgia, Palatino;\"><b>Lync Edge Server Rules on Back-End firewall (FW1)<\/b><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\">\n<p align=\"center\"><span style=\"font-family: Georgia, Palatino;\"><b>Source Interface<\/b><\/span><\/p>\n<\/td>\n<td valign=\"top\">\n<p align=\"center\"><span style=\"font-family: Georgia, Palatino;\"><b>Protocol<\/b><\/span><\/p>\n<\/td>\n<td valign=\"top\">\n<p 
align=\"center\"><span style=\"font-family: Georgia, Palatino;\"><b>Source Port<\/b><\/span><\/p>\n<\/td>\n<td valign=\"top\">\n<p align=\"center\"><span style=\"font-family: Georgia, Palatino;\"><b>Destination Port<\/b><\/span><\/p>\n<\/td>\n<td valign=\"top\">\n<p align=\"center\"><span style=\"font-family: Georgia, Palatino;\"><b>Destination<\/b><\/span><\/p>\n<\/td>\n<td valign=\"top\">\n<p align=\"center\"><span style=\"font-family: Georgia, Palatino;\"><b>Service<\/b><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Internal NIC of the Edge<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">TCP (SIP\/MTLS)<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Any<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">5061<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Lync Front End<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Inbound SIP traffic<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h4><span style=\"font-family: Georgia, Palatino;\"><strong>6.2\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Network Traffic from Servers in the DMZ to the External Network<\/strong><\/span><\/h4>\n<p>&nbsp;<\/p>\n<p><span style=\"font-family: Georgia, Palatino;\">On the Front firewall, FW2, for traffic starting from the <b>Edge Server<\/b>, the following ports will be required. It is helpful to recall the fourth assumption: we have three different IPs on the external network interface of the Lync Edge Server: Access, Webconf and AV. 
Each firewall rule for network traffic between the Edge and the external network refers to one of these three IPs, as shown in the following table.<\/span><\/p>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td colspan=\"6\" valign=\"top\">\n<p align=\"center\"><span style=\"font-family: Georgia, Palatino;\"><b>Lync Edge Server Rules on Front-End firewall (FW2)<\/b><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Source Interface<\/b><\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Protocol<\/b><\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Source Port<\/b><\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Destination Port<\/b><\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Destination<\/b><\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Service<\/b><\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">External NIC of the Edge (Access IP)<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">TCP (XMPP)<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Any<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">5269<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">To federated XMPP partners<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Standard server-to-server communication port for XMPP<\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">External NIC of the Edge (Access IP)<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">TCP (SIP\/MTLS)<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, 
Palatino;\">Any<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">5061<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Federation Services and Partners<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Lync and Skype Federation using SIP<\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">External NIC of the Edge (AV IP)<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">UDP (Stun\/Turn)<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Any<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">3478<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Any<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Stun\/Turn negotiation for candidates<\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">External NIC of the Edge (AV IP)<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">TCP (Stun\/Turn)<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Any<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">443<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Any<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Stun\/Turn negotiation for candidates<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span style=\"font-family: Georgia, Palatino;\">\u00a0<\/span><\/p>\n<hr \/>\n<h4><span style=\"font-family: Georgia, Palatino;\">6.3\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Network Traffic from the External Network to Servers in the DMZ<\/span><\/h4>\n<p>&nbsp;<\/p>\n<p><span style=\"font-family: Georgia, Palatino;\">On the Front firewall, FW2, for traffic from the external network to the <b>reverse proxy<\/b>, the following ports will be required.<\/span><\/p>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td colspan=\"6\" valign=\"top\">\n<p align=\"center\"><span style=\"font-family: Georgia, Palatino;\"><b>To the reverse proxy from the external network on Front-End firewall (FW2)<\/b><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Source Interface<\/b><\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Protocol<\/b><\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Source Port<\/b><\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Destination Port<\/b><\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Destination<\/b><\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Service<\/b><\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Any<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">TCP (HTTPS)<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Any<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">443<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: 
Georgia, Palatino;\">Reverse proxy external network interface<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Access to the web services on the Lync Front End<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span style=\"font-family: Georgia, Palatino;\">\u00a0<\/span><\/p>\n<p><span style=\"font-family: Georgia, Palatino;\">On the Front firewall, FW2, for traffic from the external network to the <b>Edge Server<\/b>, the following ports will be required.<\/span><\/p>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td colspan=\"6\" valign=\"top\">\n<p align=\"center\"><span style=\"font-family: Georgia, Palatino;\"><b>To the Lync Edge from the external network on Front-End firewall (FW2)<\/b><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Source Interface<\/b><\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Protocol<\/b><\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Source Port<\/b><\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Destination Port<\/b><\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Destination<\/b><\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Service<\/b><\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Any<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">TCP (SIP\/TLS)<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Any<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">443<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">External NIC of the Edge (Webconf IP)<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Web Conferencing 
Media<\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Any<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">TCP (SIP\/TLS)<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Any<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">443<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">External NIC of the Edge (Access IP)<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Client-to-server SIP traffic for external user access<\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Federated XMPP partners<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">TCP (XMPP)<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Any<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">5269<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">External NIC of the Edge (Access IP)<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Standard server-to-server communication port for XMPP<\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Federation Services and Partners<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">TCP (SIP\/MTLS)<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Any<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">5061<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">External NIC of the Edge (Access IP)<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Lync and Skype Federation using SIP<\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, 
Palatino;\">Any<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">UDP (Stun\/Turn)<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Any<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">3478<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">External NIC of the Edge (AV IP)<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Stun\/Turn negotiation for candidates<\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Any<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">TCP (Stun\/Turn)<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Any<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">443<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">External NIC of the Edge (AV IP)<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Stun\/Turn negotiation for candidates<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span style=\"font-family: Georgia, Palatino;\">\u00a0<\/span><\/p>\n<hr \/>\n<h4><span style=\"font-family: Georgia, Palatino;\"><strong>6.4\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Network Traffic from Servers in the Internal Network to Servers in the DMZ<\/strong><\/span><\/h4>\n<p>&nbsp;<\/p>\n<p><span style=\"font-family: Georgia, Palatino;\">On the Back-End firewall, FW1, for traffic starting from the <b>internal network<\/b>, the following ports will be required.<\/span><\/p>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td colspan=\"6\" valign=\"top\">\n<p align=\"center\"><span style=\"font-family: Georgia, Palatino;\"><b>To the Lync Edge from the internal network on Back-End firewall (FW1)<\/b><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span 
style=\"font-family: Georgia, Palatino;\"><b>Source Interface<\/b><\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Protocol<\/b><\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Source Port<\/b><\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Destination Port<\/b><\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Destination<\/b><\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Service<\/b><\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Lync Front End<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">TCP (XMPP\/MTLS)<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Any<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">23456<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Internal NIC of the Edge<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Outbound XMPP traffic<\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Lync Front End<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">TCP (SIP\/MTLS)<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Any<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">5061<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Internal NIC of the Edge<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Outbound SIP traffic<\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Lync Front End<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">TCP (PSOM\/MTLS)<\/span><\/td>\n<td 
valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Any<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">8057<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Internal NIC of the Edge<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Web conferencing traffic<\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Lync Front End<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">TCP (SIP\/MTLS)<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Any<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">5062<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Internal NIC of the Edge<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Authentication of A\/V users<\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Lync Front End<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">TCP (HTTPS)<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Any<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">4443<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Internal NIC of the Edge<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Replication of CMS on the Lync Edge<\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Lync Front End<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">TCP (Stun\/Turn)<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Any<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">443<\/span><\/td>\n<td valign=\"top\"><span 
style=\"font-family: Georgia, Palatino;\">Internal NIC of the Edge<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Stun\/Turn negotiation for candidates<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span style=\"font-family: Georgia, Palatino;\">\u00a0<\/span><\/p>\n<hr \/>\n<h4><span style=\"font-family: Georgia, Palatino;\"><strong>6.5\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Network Traffic Related to Lync Clients in the Internal Network<\/strong><\/span><\/h4>\n<p>&nbsp;<\/p>\n<p><span style=\"font-family: Georgia, Palatino;\">The following rules are required on any end-point firewall and on any internal firewall that controls traffic coming from the Lync clients on the internal network.<\/span><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>From<\/b><\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>To<\/b><\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Feature<\/b><\/span><\/td>\n<td valign=\"top\">\n<p align=\"center\"><span style=\"font-family: Georgia, Palatino;\"><b>Protocol<\/b><\/span><\/p>\n<\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Port<\/b><\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Bidirectional<\/b><\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Note<\/b><\/span><\/td>\n<\/tr>\n<tr>\n<td rowspan=\"7\" valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Internal Client<\/span><\/td>\n<td rowspan=\"7\" valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Lync Front End<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Presence and IM<br \/>AV and Web Conferencing<br \/>Application Sharing<br \/>Enterprise Voice<\/span><\/td>\n<td valign=\"top\">\n<p align=\"center\"><span 
style=\"font-family: Georgia, Palatino;\">SIP\/TLS<\/span><\/p>\n<\/td>\n<td valign=\"top\">\n<p align=\"right\"><span style=\"font-family: Georgia, Palatino;\">5061<\/span><\/p>\n<\/td>\n<td rowspan=\"3\" valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">\u00a0<\/span><\/td>\n<td rowspan=\"3\" valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">\u00a0<\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Presence and IM<br \/>AV and Web Conferencing<\/span><\/td>\n<td valign=\"top\">\n<p align=\"center\"><span style=\"font-family: Georgia, Palatino;\">HTTPS<\/span><\/p>\n<\/td>\n<td rowspan=\"2\" valign=\"top\">\n<p align=\"right\"><span style=\"font-family: Georgia, Palatino;\">443<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Enterprise Voice<\/span><\/td>\n<td valign=\"top\">\n<p align=\"center\"><span style=\"font-family: Georgia, Palatino;\">STUN\/TCP<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">AV and Web Conferencing<br \/>Application Sharing<\/span><\/td>\n<td valign=\"top\">\n<p align=\"center\"><span style=\"font-family: Georgia, Palatino;\">SRTP\/UDP<\/span><\/p>\n<\/td>\n<td valign=\"top\">\n<p align=\"right\"><span style=\"font-family: Georgia, Palatino;\">49152-65535<\/span><\/p>\n<\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">\u00a0<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">\u00a0<\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">AV and Web Conferencing<\/span><\/td>\n<td valign=\"top\">\n<p align=\"center\"><span style=\"font-family: Georgia, Palatino;\">PSOM\/TLS<\/span><\/p>\n<\/td>\n<td valign=\"top\">\n<p align=\"right\"><span style=\"font-family: Georgia, Palatino;\">8057<\/span><\/p>\n<\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, 
Palatino;\">\u00a0<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">\u00a0<\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Enterprise Voice<\/span><\/td>\n<td valign=\"top\">\n<p align=\"center\"><span style=\"font-family: Georgia, Palatino;\">TURN\/TCP<\/span><\/p>\n<\/td>\n<td valign=\"top\">\n<p align=\"right\"><span style=\"font-family: Georgia, Palatino;\">448<\/span><\/p>\n<\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">\u00a0<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">\u00a0<\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Enterprise Voice<\/span><\/td>\n<td valign=\"top\">\n<p align=\"center\"><span style=\"font-family: Georgia, Palatino;\">UDP<\/span><\/p>\n<\/td>\n<td valign=\"top\">\n<p align=\"right\"><span style=\"font-family: Georgia, Palatino;\">3478<\/span><\/p>\n<\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">\u00a0<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">\u00a0<\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Internal Client A<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Internal Client B<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">AV and Web Conferencing, Application Sharing<\/span><\/td>\n<td valign=\"top\">\n<p align=\"center\"><span style=\"font-family: Georgia, Palatino;\">SRTP\/UDP<\/span><\/p>\n<\/td>\n<td valign=\"top\">\n<p align=\"right\"><span style=\"font-family: Georgia, Palatino;\">1024-65535<\/span><\/p>\n<\/td>\n<td valign=\"top\">\n<p align=\"right\"><span style=\"font-family: Georgia, Palatino;\">Yes<\/span><\/p>\n<\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Peer-to-Peer Sessions<\/span><\/td>\n<\/tr>\n<tr>\n<td 
rowspan=\"3\" valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Internal Client<\/span><\/td>\n<td rowspan=\"3\" valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Lync Edge<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">AV and Web Conferencing, Application Sharing<\/span><\/td>\n<td valign=\"top\">\n<p align=\"center\"><span style=\"font-family: Georgia, Palatino;\">STUN\/TCP<\/span><\/p>\n<\/td>\n<td rowspan=\"2\" valign=\"top\">\n<p align=\"right\"><span style=\"font-family: Georgia, Palatino;\">443<\/span><\/p>\n<\/td>\n<td colspan=\"2\" rowspan=\"2\" valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">\u00a0<\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Enterprise Voice<\/span><\/td>\n<td valign=\"top\">\n<p align=\"center\"><span style=\"font-family: Georgia, Palatino;\">TURN\/TCP<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">AV and Web Conferencing<\/span><\/td>\n<td valign=\"top\">\n<p align=\"center\"><span style=\"font-family: Georgia, Palatino;\">UDP<\/span><\/p>\n<\/td>\n<td valign=\"top\">\n<p align=\"right\"><span style=\"font-family: Georgia, Palatino;\">3478<\/span><\/p>\n<\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">\u00a0<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">\u00a0<\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Internal Client<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Exchange UM<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Enterprise Voice<\/span><\/td>\n<td valign=\"top\">\n<p align=\"center\"><span style=\"font-family: Georgia, Palatino;\">SRTP\/RTCP<\/span><\/p>\n<\/td>\n<td valign=\"top\">\n<p align=\"right\"><span style=\"font-family: Georgia, 
Palatino;\">60000-64000<\/span><\/p>\n<\/td>\n<td valign=\"top\">\n<p align=\"right\"><span style=\"font-family: Georgia, Palatino;\">Yes<\/span><\/p>\n<\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">\u00a0<\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Internal Client<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Voice Gateway<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Enterprise Voice<\/span><\/td>\n<td valign=\"top\">\n<p align=\"center\"><span style=\"font-family: Georgia, Palatino;\">SRTP\/RTCP<\/span><\/p>\n<\/td>\n<td valign=\"top\">\n<p align=\"right\"><span style=\"font-family: Georgia, Palatino;\">30000-39999<\/span><\/p>\n<\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">\u00a0<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">With Media Bypass<\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Internal Client<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Director<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Presence and IM<\/span><\/td>\n<td valign=\"top\">\n<p align=\"center\"><span style=\"font-family: Georgia, Palatino;\">SIP\/TLS<\/span><\/p>\n<\/td>\n<td valign=\"top\">\n<p align=\"right\"><span style=\"font-family: Georgia, Palatino;\">5061<\/span><\/p>\n<\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">\u00a0<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">\u00a0<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span style=\"font-family: Georgia, Palatino;\">\u00a0<\/span><\/p>\n<h4><\/h4>\n<hr \/>\n<h4><span style=\"font-family: Georgia, Palatino;\">Notes Related to the Firewall Rules Required for Lync Server 2013<\/span><\/h4>\n<p>&nbsp;<\/p>\n<p><span 
style=\"font-family: Georgia, Palatino;\">The Lync Server 2013 Edge Server requires DNS resolution and HTTP access to certificate revocation lists (CRLs). Depending on your network design, these services could be on the Internet or could be reached through services on the internal network (such as a proxy). The following rules are to be adapted to your network layout.<\/span><\/p>\n<p><span style=\"font-family: Georgia, Palatino;\">\u00a0<\/span><\/p>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td colspan=\"6\" valign=\"top\">\n<p style=\"text-align: left;\" align=\"center\"><span style=\"font-family: Georgia, Palatino;\"><strong>Additional Lync Edge Server Rules on Front-End firewall (FW2) or on Back-End firewall (FW1)<\/strong><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Source Interface<\/b><\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Protocol<\/b><\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Source Port<\/b><\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Destination Port<\/b><\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Destination<\/b><\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Service<\/b><\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">External NIC of the Edge (Access IP)<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">TCP<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Any<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">53<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">DNS servers for DMZ<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">DNS 
resolution<\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">External NIC of the Edge (Access IP)<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">UDP<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Any<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">53<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">DNS servers for DMZ<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">DNS resolution<\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">External NIC of the Edge (Access IP)<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">TCP (HTTP)<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Any<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">80<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Depends on the HTTP egress path available (direct or via proxy)<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">CRL checks<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span style=\"font-family: Georgia, Palatino;\">\u00a0<\/span><\/p>\n<p><span style=\"font-family: Georgia, Palatino;\"><b>Centralized Logging Service<\/b> (a new feature in Lync Server 2013) requires additional ports on the back-end firewall (for more details see the TechNet article <i>Using the Centralized Logging Service<\/i> <a href=\"http:\/\/technet.microsoft.com\/en-us\/library\/jj688101.aspx\">http:\/\/technet.microsoft.com\/en-us\/library\/jj688101.aspx<\/a>).<\/span><\/p>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td colspan=\"6\" valign=\"top\">\n<p align=\"center\"><span style=\"font-family: Georgia, Palatino;\"><b>Lync Edge Server Rules on Back-End firewall (FW1) for 
centralized logging<\/b><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Source Interface<\/b><\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Protocol<\/b><\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Source Port<\/b><\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Destination Port<\/b><\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Destination<\/b><\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\"><b>Service<\/b><\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Centralized Logging Service<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">TCP (MTLS)<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Any<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">50001<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Internal NIC of the Edge<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Centralized Logging Service<\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Centralized Logging Service<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">TCP (MTLS)<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Any<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">50002<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Internal NIC of the Edge<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Centralized Logging Service<\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Centralized Logging 
Service<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">TCP (MTLS)<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Any<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">50003<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Internal NIC of the Edge<\/span><\/td>\n<td valign=\"top\"><span style=\"font-family: Georgia, Palatino;\">Centralized Logging Service<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span style=\"font-family: Georgia, Palatino;\"><a title=\"Part 1 of the draft: Chapter 6 DNS, Certificate and Firewall Requirements for Lync Server 2013\" href=\"https:\/\/modern-workplace.uk\/\/english\/part-1-draft-chapter-6-dns-certificate-firewall-requirements-lync-server-2013\/\">\u00a0Part 1 of the draft is available here<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Part 2 of the draft: Chapter 6 DNS, Certificate and Firewall Requirements for Lync Server 
2013<\/p>\n","protected":false},"author":1,"featured_media":1216,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","twitterCardType":"","cardImageID":0,"cardImage":"","cardTitle":"","cardDesc":"","cardImageAlt":"","cardPlayer":"","cardPlayerWidth":0,"cardPlayerHeight":0,"cardPlayerStream":"","cardPlayerCodec":"","footnotes":""},"categories":[18,19],"tags":[309,310,311,312,313,314,32,315,316,317,33,35,318,319,320,121,122,36,321,322,323,324,26,44,131],"class_list":["post-818","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-english","category-lync","tag-allow-lync-2013-traffic","tag-configure-firewall-for-lync","tag-firewall-rules-cms","tag-firewall-rules-lync-2013","tag-firewall-rules-lync-edge","tag-firewall-rules-lync-reverse-proxy","tag-lync-2013-client","tag-lync-2013-edge-ports","tag-lync-2013-firewall-rules","tag-lync-2013-required-ports","tag-lync-2013-server","tag-lync-client","tag-lync-edge-ports","tag-lync-firew","tag-lync-firewall","tag-lync-firewall-ports","tag-lync-firewall-requirements","tag-lync-microsoft","tag-lync-network-traffic","tag-lync-reverse-proxy-firewall","tag-lync-reverse-proxy-firewall-rules","tag-lync-reverse-proxy-ports","tag-lync-server","tag-microsoft-lync-2013","tag-microsoft-lync-firewall-rules"],"_links":{"self":[{"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/posts\/818","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=818"}],"version-history":[{"co
unt":8,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/posts\/818\/revisions"}],"predecessor-version":[{"id":1201,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/posts\/818\/revisions\/1201"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=\/wp\/v2\/media\/1216"}],"wp:attachment":[{"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=818"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=818"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/modern-workplace.uk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=818"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}