This document provides a summary of the Microsoft Lync network architecture and protocols. It includes diagrams showing the typical placement of internal and external firewalls, edge servers, directors, pools, and additional workload-specific servers. The document also lists common ports, protocols, and DNS records used across the Lync infrastructure.
Microsoft Lync Server 2010 Protocol Workloads poster
© 2010 Microsoft Corporation. All rights reserved. Active Directory, Lync, MSN, and any associated logos are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other trademarks or trade names mentioned herein are the property of their respective owners.
IM AND PRESENCE WORKLOAD

Topology, from the Internet inwards: external firewall; Edge Pool (Access Edge service and XMPP Gateway) with a reverse proxy alongside it; internal firewall; Directors; Enterprise Pool; and behind the pool the Group Chat Server, Group Chat Compliance Server, Archiving Server, Monitoring Server, the Address Book and Group Chat file share, and the Central Management Service.

Connections labelled on the poster:
- Remote Lync clients -> Access Edge: SIP/TLS:443
- Remote Lync clients -> reverse proxy: HTTPS:443, proxied to the pool's Web Services
- Federated companies and public IM providers (Yahoo!, MSN, AOL) <-> Access Edge: SIP/MTLS:5061
- XMPP federation partners (Jabber, Gmail) <-> XMPP Gateway: XMPP/TCP:5269
- Edge Pool (internal interface) <-> Directors and Enterprise Pool: SIP/MTLS:5061
- Enterprise Pool -> Archiving Server and Monitoring Server: MSMQ
- Inside the pool: C3P/HTTPS:444 (the Focus talking to the conferencing servers) and SIP/MTLS:5061
- Other ports labelled in this panel without a clear endpoint pairing: SIP/MTLS:5041 (beside the Group Chat Server); HTTPS:443 and SIP/TLS:5061 (beside the Group Chat Compliance Server)

External user sign-in process:
1. Client resolves DNS SRV record _sip._tls.<sip-domain> to the Edge Server.
2. Client connects to the Edge Server.
3. Edge Server proxies the connection to a Director.
4. Director authenticates the user and proxies the connection to the user's home pool.

A/V AND WEB CONFERENCING WORKLOAD

Topology: external firewall; Edge Pool (Access Edge, Web Conferencing Edge and A/V Edge services) with the reverse proxy; internal firewall; Directors; Enterprise Pool; Monitoring Server.

Connections labelled on the poster:
- Remote clients -> Access Edge: SIP/TLS:443
- Remote clients -> Web Conferencing Edge: PSOM/TLS:443
- Remote clients -> A/V Edge: ICE using STUN/TCP:443 and UDP:3478; media SRTP on 443, 3478 and [TCP:50,000-59,999]
- Remote clients -> reverse proxy: HTTPS:443, used to download conferencing content
- Internal clients -> Enterprise Pool: SIP/TLS:5061 and HTTPS:443
- Edge Pool (internal interface) -> Enterprise Pool: SIP/MTLS:5061; PSOM/TLS:8057 (Web Conferencing Edge to the Web Conferencing service); SRTP/UDP:49152-65535 (A/V Edge to the A/V Conferencing service)
- Enterprise Pool -> Monitoring Server: MSMQ

Notes:
- Media consists of two inbound and two outbound unidirectional streams.
- On the external firewall, TCP:443 must be open inbound and UDP:3478 must be open both inbound and outbound.
- Traffic from the Edge goes directly to the Web Conferencing service and to the A/V Conferencing service WITHOUT going through the pool's hardware load balancer.
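The A/V Edge firewall notes above (TCP:443 inbound, UDP:3478 in both directions, and, stated elsewhere on the poster, TCP 50,000-59,999 outbound only unless federating with Office Communications Server 2007 partners) are easy to over-provision by copying older guidance. The following is an added example, not part of the poster, that encodes those external-interface requirements and audits an allow list against them, reporting both ports that are missing and ports that no requirement justifies. The Rule model, the deployment flags and the sample allow list are constructed for this example.

```python
# Added example (not from the poster): audit an external-firewall allow list against
# the Edge Server port requirements the poster states. The Rule model, the deployment
# flags and SAMPLE_ALLOW_LIST are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str       # "tcp" or "udp"
    lo: int          # first port of the range (inclusive)
    hi: int          # last port of the range (inclusive)
    direction: str   # "in" = Internet -> Edge, "out" = Edge -> Internet


def required_rules(ocs2007_federation: bool = False, xmpp: bool = False) -> list[Rule]:
    """External-interface requirements taken from the poster's notes."""
    rules = [
        Rule("tcp", 443, 443, "in"),       # Access Edge SIP/TLS, Web Conf Edge PSOM/TLS, A/V Edge STUN
        Rule("tcp", 5061, 5061, "in"),     # Access Edge SIP/MTLS (federation, public IM)
        Rule("tcp", 5061, 5061, "out"),    # federated partners are also contacted outbound on 5061
        Rule("udp", 3478, 3478, "in"),     # A/V Edge STUN/UDP: "open both inbound and outbound"
        Rule("udp", 3478, 3478, "out"),
        Rule("tcp", 50000, 59999, "out"),  # A/V Edge media: "only needs to be open outbound"
    ]
    if ocs2007_federation:                 # legacy partners need the media range both ways, TCP and UDP
        rules += [Rule("tcp", 50000, 59999, "in"),
                  Rule("udp", 50000, 59999, "in"), Rule("udp", 50000, 59999, "out")]
    if xmpp:                               # XMPP Gateway server-to-server traffic
        rules += [Rule("tcp", 5269, 5269, "in"), Rule("tcp", 5269, 5269, "out")]
    return rules


def _uncovered(lo, hi, covers):
    """Parts of [lo, hi] that lie inside none of the (a, b) intervals in covers."""
    gaps = [(lo, hi)]
    for a, b in covers:
        nxt = []
        for g_lo, g_hi in gaps:
            if b < g_lo or a > g_hi:       # no overlap: the gap survives unchanged
                nxt.append((g_lo, g_hi))
                continue
            if a > g_lo:
                nxt.append((g_lo, a - 1))
            if b < g_hi:
                nxt.append((b + 1, g_hi))
        gaps = nxt
    return gaps


def audit(observed, **deployment):
    """Return (missing, excess): required ports the allow list does not open, and
    opened ports that no requirement justifies (candidates for removal)."""
    required = required_rules(**deployment)
    missing, excess = [], []
    for req in required:
        covers = [(r.lo, r.hi) for r in observed
                  if r.proto == req.proto and r.direction == req.direction]
        missing += [Rule(req.proto, lo, hi, req.direction)
                    for lo, hi in _uncovered(req.lo, req.hi, covers)]
    for obs in observed:
        needs = [(r.lo, r.hi) for r in required
                 if r.proto == obs.proto and r.direction == obs.direction]
        excess += [Rule(obs.proto, lo, hi, obs.direction)
                   for lo, hi in _uncovered(obs.lo, obs.hi, needs)]
    return missing, excess


# Constructed sample: a rule set that copied the OCS 2007 media-range guidance
# and forgot UDP 3478 outbound.
SAMPLE_ALLOW_LIST = [
    Rule("tcp", 443, 443, "in"),
    Rule("tcp", 5061, 5061, "in"), Rule("tcp", 5061, 5061, "out"),
    Rule("udp", 3478, 3478, "in"),
    Rule("tcp", 50000, 59999, "in"), Rule("tcp", 50000, 59999, "out"),
    Rule("udp", 50000, 59999, "in"),
]

if __name__ == "__main__":
    missing, excess = audit(SAMPLE_ALLOW_LIST)
    for r in missing:
        print(f"MISSING {r.proto}/{r.lo}-{r.hi} {r.direction}")
    for r in excess:
        print(f"EXCESS  {r.proto}/{r.lo}-{r.hi} {r.direction}")
```

Run against the sample, the audit flags UDP 3478 outbound as missing (ICE connectivity checks fail silently without it) and the inbound 50,000-59,999 ranges as unjustified; pass ocs2007_federation=True and the same inbound ranges become required.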
DNS CONFIGURATION

- Publish SRV for _sipfederationtls._tcp.<sip-domain> that resolves to the Access Edge FQDN, accesssrv.<sip-domain>.
- Publish SRV for _sip._tls.<sip-domain> that resolves to the Access Edge FQDN. This is required for federated and anonymous connections to Web conferences.
- Publish SRV for _xmpp-server._tcp.<sip-domain> that resolves to the gateway NIC of the XMPP gateway.
- Publish CNAME or A record for lyncdiscoverinternal.<sip-domain> that resolves to the IP address of the Director, if one is deployed, or of the pool.
- Publish CNAME for lyncdiscover.<sip-domain> that resolves to the IP address of the reverse proxy. The HTTPS connection is proxied to the internal pool's Web Service.
- Publish A record for the Meet simple URL that resolves to the IP address of the Director, if one is deployed, or of the pool.
- Publish A record for the Dial-in simple URL that resolves to the IP address of the Director, if one is deployed, or of the pool.
- Publish A record for the Access Edge FQDN, accesssrv.<sip-domain> | sip.<sip-domain>, that resolves to the Access Edge public IP address.
- Publish A record for the A/V Edge FQDN, av.<sip-domain>, that resolves to the A/V Edge public IP address.
- Publish A record for the Conferencing Edge FQDN, conf.<sip-domain>, that resolves to the Conferencing Edge public IP address.
- Publish A record for the internal pool's reverse proxy FQDN that resolves to the public IP address of the reverse proxy.
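Both sign-in processes on this poster start with an SRV lookup, and an SRV target must be a name that owns an A record rather than a CNAME (RFC 2782), which is why the list above pairs each SRV with an A record for the Edge FQDN. The following is an added example, not part of the poster, that models a DNS zone offline, checks an external zone against the list, and walks the SRV lookup that step 1 of the external sign-in process (_sip._tls) and of the internal sign-in process described later on the page (_sipinternaltls._tcp) performs. The Zone class, the contoso.com records and the 203.0.113.x / 10.0.0.x addresses are constructed for this example.

```python
# Added example (not from the poster): validate a zone against the poster's DNS list
# and resolve the first hop of the sign-in process. Zone data below is constructed.
from collections import defaultdict


class Zone:
    """Minimal in-memory zone. Values: A -> "ip"; CNAME -> "target";
    SRV -> (priority, weight, port, target)."""

    def __init__(self, records):
        self.records = defaultdict(list)
        for name, rtype, value in records:
            self.records[(name.lower(), rtype)].append(value)

    def get(self, name, rtype):
        return self.records.get((name.lower(), rtype), [])

    def resolve_a(self, name, _depth=0):
        """IP addresses for name, following a bounded CNAME chain."""
        if _depth > 8:
            return []
        if self.get(name, "A"):
            return self.get(name, "A")
        for target in self.get(name, "CNAME"):
            return self.resolve_a(target, _depth + 1)
        return []


def srv_lookup(zone, service_name):
    """(target, port, ips) of the lowest-priority SRV record, as a client would pick it
    (weight-based selection among equal priorities is omitted)."""
    rrs = sorted(zone.get(service_name, "SRV"))
    if not rrs:
        return None
    _priority, _weight, port, target = rrs[0]
    return target, port, zone.resolve_a(target)


def sign_in_target(zone, sip_domain, external):
    """First hop of sign-in: the Edge Server (external) or the Director (internal)."""
    service = f"_sip._tls.{sip_domain}" if external else f"_sipinternaltls._tcp.{sip_domain}"
    return srv_lookup(zone, service)


def check_external_zone(zone, sip_domain, xmpp=False):
    """Findings (empty list = pass) for the external zone per the poster's DNS list."""
    d = sip_domain
    findings = []
    srvs = [(f"_sip._tls.{d}", 443), (f"_sipfederationtls._tcp.{d}", 5061)]
    if xmpp:
        srvs.append((f"_xmpp-server._tcp.{d}", 5269))
    for service, port in srvs:
        hit = srv_lookup(zone, service)
        if hit is None:
            findings.append(f"missing SRV {service}")
            continue
        target, got_port, ips = hit
        if got_port != port:
            findings.append(f"{service}: port {got_port}, expected {port}")
        if zone.get(target, "CNAME"):            # RFC 2782: the SRV target must not be an alias
            findings.append(f"{service}: target {target} is a CNAME")
        if not ips:
            findings.append(f"{service}: target {target} has no A record")
    for host in (f"sip.{d}", f"av.{d}", f"conf.{d}", f"lyncdiscover.{d}"):
        if not zone.resolve_a(host):
            findings.append(f"{host} does not resolve")
    return findings


# Constructed external zone: the _sip._tls SRV points at sip.contoso.com, which is a CNAME.
EXTERNAL_ZONE = Zone([
    ("accesssrv.contoso.com", "A", "203.0.113.10"),
    ("sip.contoso.com", "CNAME", "accesssrv.contoso.com"),
    ("av.contoso.com", "A", "203.0.113.11"),
    ("conf.contoso.com", "A", "203.0.113.12"),
    ("rp.contoso.com", "A", "203.0.113.20"),
    ("lyncdiscover.contoso.com", "CNAME", "rp.contoso.com"),
    ("_sip._tls.contoso.com", "SRV", (0, 0, 443, "sip.contoso.com")),
    ("_sipfederationtls._tcp.contoso.com", "SRV", (0, 0, 5061, "accesssrv.contoso.com")),
])

# Constructed internal zone (AD domain corp.contoso.com, SIP domain contoso.com).
INTERNAL_ZONE = Zone([
    ("dir.corp.contoso.com", "A", "10.0.0.5"),
    ("_sipinternaltls._tcp.contoso.com", "SRV", (0, 0, 5061, "dir.corp.contoso.com")),
])

if __name__ == "__main__":
    print(check_external_zone(EXTERNAL_ZONE, "contoso.com"))
    print(sign_in_target(EXTERNAL_ZONE, "contoso.com", external=True))
    print(sign_in_target(INTERNAL_ZONE, "contoso.com", external=False))
```

The sample zone resolves end to end, so a client would still reach the Edge on 443, but the checker reports the CNAME target because resolvers that follow RFC 2782 strictly, and some federated partners, will not.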
CENTRAL MANAGEMENT SERVICE

The Enterprise Pool that holds the CMS master replicates the topology to every other role: Directors, Standard Edition Server, other Enterprise Pools, the Mediation Pool and the Edge Pool each hold a CMS replica. Replication to internal servers crosses the internal firewall as SMB traffic on SMB:445; replication to the Edge Pool in the perimeter network crosses the internal firewall as HTTPS traffic on HTTPS:4443. The direction of the arrow on the poster indicates which server initiates the connection; subsequent traffic is bi-directional.

Diagram v5.15 Author: Rui Maximo Editor: Kelly Fuller Blue Designer: Ken Circeo
Reviewers: Jens Trier Rasmussen, Paul Brombley, Doug Lawty, Stefan Plizga, Jeff Colvin, Kaushal Mehta, Richard Pasztor, Thomas Binder, Subbu Chandrasekaran, Randy Wintle, Rob L., Stefan Heidl, Fabian Kunz, Jeff Schertz

LEARN MORE
http://twitter.com/DrRez
ENTERPRISE VOICE WORKLOAD

Topology: external firewall; Edge Pool; internal firewall; Directors; Enterprise Pool (Front End Servers running the Enterprise Voice applications); Mediation Pool (optional); Monitoring Server; Exchange UM Server; a Branch Appliance (SBA) at a branch site across the WAN connection; and PSTN connectivity to an IP-PSTN gateway, an IP-PBX (Direct SIP) or a SIP trunk.

Connections labelled on the poster:
- Remote clients -> Access Edge: SIP/TLS:443
- Remote clients -> A/V Edge: ICE using STUN/TCP:443 and STUN/UDP:3478; media SRTP on 443, 3478 and [TCP:50,000-59,999]
- Internal clients -> Enterprise Pool: SIP/TLS:5061
- Enterprise Pool -> Edge Pool: SIP/MTLS:5061 and MRAS traffic (Media Relay Authentication Service: the pool obtains A/V Edge credentials on behalf of clients)
- Enterprise Pool -> Mediation Pool: SIP/TLS:5067 (Mediation Server service)
- Mediation Pool -> IP-PSTN gateway, IP-PBX or SIP trunk: SIP/TCP:5060, SIP/TLS:5061. If the gateway does not support TLS, connect to the gateway on SIP/TCP:5068.
- Mediation Pool media: SRTP/RTCP:60,000-64,000; the Mediation Pool also uses STUN/TCP:443 and STUN/UDP:3478 towards the A/V Edge
- Media bypass: audio is routed directly to the gateway, bypassing the Mediation Server
- Enterprise Pool -> Monitoring Server: MSMQ
- Other ports labelled in this panel without a clear endpoint pairing: SIP/MTLS:5062 (beside the Exchange UM Server and beside the Branch Appliance); SRTP/RTCP:30,000-39,999 (beside the Enterprise Pool and beside the Branch Appliance)

Media notes:
- SRTP consists of two unidirectional streams. RTCP traffic piggybacks on the SRTP stream.
- The media codec varies per workload: RTAudio, G.711, Siren and G.722 for audio (the poster lists RTAudio and G.711 on the gateway leg, and G.722 or Siren for conference audio) and RTVideo for video.
- TCP:443 must be open inbound. UDP:3478 must be open both inbound and outbound.
- The TCP port range 50,000-59,999 only needs to be open outbound. The TCP/UDP port range 50,000-59,999 needs to be open inbound and outbound to the Internet for federation with partners running Office Communications Server 2007.

Branch Appliance and Call Admission Control:
- The Lync client automatically registers with the pool if the Branch Appliance becomes unavailable.
- For federation, the SBA connects directly with the Director. If no Director is available, federation traffic goes directly to the Edge Server.
- Call Admission Control (CAC) traffic crosses the WAN connection. If no Edge Server is defined in the topology, the callee checks the Front End Server's Bandwidth Policy Service.

CERTIFICATE REQUIREMENTS

Edge Servers (Edge Server 1, Edge Server 2)
  Internal interface
    FQDN:             intsrv.<ad-domain>
    Certificate SN:   intsrv.<ad-domain>
    Certificate SAN:  N/A
    EKU:              server
    Root certificate: private CA
  External interface
    FQDN:             edge.<sip-domain>
    Certificate SN:   edge.<sip-domain>
    Certificate SAN:  sip.<sip-domain>, conf.<sip-domain>
    EKU:              server, client*
    Root certificate: public CA
  * client EKU required only for public IM connectivity with AOL.

Directors (Director 1, Director 2)
    FQDN:             dir.<ad-domain>
    Certificate SN:   dir.<ad-domain>
    Certificate SAN:  dir.<ad-domain>, sipinternal.<sip-domain>, sip.<sip-domain>, meet.<sip-domain>, dialin.<sip-domain>
    EKU:              server
    Root certificate: private CA

Enterprise pool (Front End Server 1, Front End Server 2)
    FQDN:             pool.<ad-domain>
    Certificate SN:   pool.<ad-domain>
    Certificate SAN:  pool.<ad-domain>, fe.<sip-domain>, sip.<sip-domain>, meet.<sip-domain>, dialin.<sip-domain>
    EKU:              server
    Root certificate: private CA

Mediation Server
    FQDN:             medsrv.<ad-domain>
    Certificate SN:   medsrv.<ad-domain>
    Certificate SAN:  N/A
    EKU:              server
    Root certificate: private CA

Branch Appliance
    FQDN:             sba.<ad-domain>
    Certificate SN:   sba.<ad-domain>
    Certificate SAN:  sba.<ad-domain>
    EKU:              server
    Root certificate: private CA

Group Chat Server
    FQDN:             chatsrv.<ad-domain>
    Certificate SN:   chatsrv.<ad-domain>
    Certificate SAN:  N/A
    EKU:              server, client
    Root certificate: private CA

Exchange UM Server
    FQDN:             umsrv.<ad-domain>
    Certificate SN:   umsrv.<ad-domain>
    Certificate SAN:  N/A
    EKU:              server
    Root certificate: private CA

XMPP Gateway
  Internal interface (1)
    FQDN:             xmppsrv.<sip-domain>
    Certificate SN:   xmppsrv.<sip-domain>
    Certificate SAN:  N/A
    EKU:              server
    Root certificate: private CA
  External interface (2)
    FQDN:             xmpp.<sip-domain>
    Certificate SN:   xmpp.<sip-domain>
    Certificate SAN:  N/A
    EKU:              server
    Root certificate: public CA
  (1) This FQDN is for connectivity to the internal Edge Servers.
  (2) This FQDN is for connectivity to external XMPP gateways.

APPLICATION SHARING WORKLOAD

Topology: external firewall; Edge Pool; internal firewall; Directors; Enterprise Pool; Monitoring Server.

Connections labelled on the poster:
- Remote clients -> Access Edge: SIP/TLS:443
- Remote clients -> A/V Edge: SRTP on 443, 3478 and 50,000-59,999 (the range of ports is configurable); two inbound and two outbound unidirectional streams
- Remote clients -> reverse proxy: HTTPS:443; reverse proxy -> Director or pool: HTTPS:4443
- Internal clients -> Enterprise Pool: SIP/TLS:5061 and HTTPS:443
- Peer-to-peer application sharing session between clients: RDP/SRTP traffic on RDP/SRTP/TCP:1024-65535
- Application Sharing Conferencing Service (port 5065): RDP/SRTP/TCP:49152-65535
- Edge Pool (internal interface) <-> Directors and Enterprise Pool: SIP/MTLS:5061
- Enterprise Pool -> Monitoring Server: MSMQ

Internal user sign-in process:
1. Client resolves DNS SRV record _sipinternaltls._tcp.<sip-domain> to the Director.
2. Client connects to the Director.
3. Director redirects the client to the user's home pool.

Peer-to-peer A/V session: ICE traffic between each client and the A/V Edge (STUN/TCP:443, UDP:3478; also labelled TURN/TCP:443, UDP:3478 and TURN/TCP:448), SRTP between the endpoints. Internal clients talk to the A/V Conferencing Server on SIP/MTLS:5063 with media on SRTP/RTCP:49,152-57,500 (audio) and SRTP/UDP:57,501-65,535 (video).

FRONT END SERVER PORTS AND WEB SERVICES

Port number to service traffic assignment:
  5062  IM Conferencing Service
  5064  Telephony Conferencing Service
  5065  Application Sharing Conferencing Service
  5067  Mediation Server Service
  5071  Response Group Service
  5072  Conferencing Attendant Service
  5073  Conferencing Announcement Service
  5075  Call Park Service
  5086  Internal Mobility Service
  5087  External Mobility Service

Port 443 is used to connect to Lync Web Services:
- download the Address Book
- provide distribution list expansion
- download meeting content
- connect to the Mobility Service
- connect to the AutoDiscovery Service
If a client connects on port 80, it gets redirected to port 443.

Ports to be load balanced by the HLB:
- 443
- 4443
- 5061
- 135 only if SIP traffic is load balanced by the HLB

Reverse proxy: publish a rule for port 4443 with "forward host header" set to true. This ensures the original URL is forwarded. The Director redirects Web traffic to the destination pool's Web Service.

Inside the pool: PSOM/MTLS:8057 (Web Conferencing Edge to the Web Conferencing service); C3P/HTTPS:444 and SIP/MTLS:5061 between Front End Servers; TCP:1433 to the Back-end SQL Server (install on Enterprise Edition to provide high availability); meeting content, metadata and compliance file share over SMB.

ACTIVE DIRECTORY DOMAIN SERVICES (AD DS)

AD DS sync (user replication) from the Enterprise Pool: LDAP/TCP:389 to a Domain Controller (DC) and LDAP/TCP:3268 to a Global Catalog (GC), shown for the domains A.contoso.com, B.contoso.com and C.contoso.com.

CLIENTS AND LEGEND

Clients shown: Attendant Console, Lync Phone Edition, Lync Group Chat, Lync Web App.

Traffic types drawn on the poster: HTTPS; SIP (signaling and IM); RTP/SRTP (A/V conferencing); PSOM (Web conferencing); XMPP; MSMQ; LDAP; ICE; RDP/SRTP (application sharing); SMB; Call Admission Control (CAC). The direction of an arrow indicates which server initiates the connection; subsequent traffic is bi-directional.

LEARN MORE
http://technet.microsoft.com/lync
http://go.microsoft.com/fwlink/?LinkId=204593
http://nexthop.info
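A certificate that does not carry every name the DNS plan points at its role (sip, meet, dialin, conf) fails TLS name matching for some clients or, worse, trains users to click through warnings; the EKU and issuer rows matter as much as the names. The following is an added example, not part of the poster, that compares a certificate's fields with the per-role requirements listed above. Certificates are modelled as plain dicts holding the subject CN, SAN list, EKU list and issuer kind (the values one would read from openssl x509 -text or the Windows certificate snap-in); the role table is transcribed from the poster and the sample certificates are constructed. The warning that the CN should also appear in the SAN is this example's addition (RFC 6125 clients ignore the CN once a SAN is present), not a poster requirement.

```python
# Added example (not from the poster): check a certificate against the poster's
# per-role requirements. ROLE_REQUIREMENTS is transcribed from the poster; the
# certificate dict format and the sample certificates are constructed.

# role: (subject CN template, required SAN templates, required EKUs, issuer kind)
ROLE_REQUIREMENTS = {
    "edge-internal":    ("intsrv.{ad}", [], {"serverAuth"}, "private"),
    "edge-external":    ("edge.{sip}", ["sip.{sip}", "conf.{sip}"], {"serverAuth"}, "public"),
    "director":         ("dir.{ad}", ["dir.{ad}", "sipinternal.{sip}", "sip.{sip}",
                                      "meet.{sip}", "dialin.{sip}"], {"serverAuth"}, "private"),
    "front-end":        ("pool.{ad}", ["pool.{ad}", "fe.{sip}", "sip.{sip}",
                                       "meet.{sip}", "dialin.{sip}"], {"serverAuth"}, "private"),
    "mediation":        ("medsrv.{ad}", [], {"serverAuth"}, "private"),
    "branch-appliance": ("sba.{ad}", ["sba.{ad}"], {"serverAuth"}, "private"),
    "group-chat":       ("chatsrv.{ad}", [], {"serverAuth", "clientAuth"}, "private"),
    "exchange-um":      ("umsrv.{ad}", [], {"serverAuth"}, "private"),
    "xmpp-internal":    ("xmppsrv.{sip}", [], {"serverAuth"}, "private"),
    "xmpp-external":    ("xmpp.{sip}", [], {"serverAuth"}, "public"),
}


def check_certificate(role, cert, ad_domain, sip_domain, aol_public_im=False):
    """Findings (empty list = pass) for cert deployed in the given role."""
    cn_tpl, san_tpls, ekus, issuer = ROLE_REQUIREMENTS[role]

    def fill(tpl):
        return tpl.format(ad=ad_domain, sip=sip_domain).lower()

    want_cn = fill(cn_tpl)
    want_san = {fill(s) for s in san_tpls}
    want_eku = set(ekus)
    if role == "edge-external" and aol_public_im:   # poster: client EKU only for AOL public IM
        want_eku.add("clientAuth")

    have_cn = cert["subject_cn"].lower()
    have_san = {s.lower() for s in cert.get("san", [])}
    have_eku = set(cert.get("eku", []))

    findings = []
    if have_cn != want_cn:
        findings.append(f"subject CN is {have_cn}, expected {want_cn}")
    for name in sorted(want_san - have_san):
        findings.append(f"SAN missing {name}")
    if have_san and have_cn not in have_san:         # example's addition, see RFC 6125
        findings.append(f"warning: CN {have_cn} is not repeated in the SAN")
    for eku in sorted(want_eku - have_eku):
        findings.append(f"EKU missing {eku}")
    if cert["issuer_kind"] != issuer:
        findings.append(f"issued by a {cert['issuer_kind']} CA, role needs a {issuer} CA")
    return findings


# Constructed sample: an Edge external certificate that forgot conf.<sip-domain>.
SAMPLE_EDGE_EXTERNAL = {
    "subject_cn": "edge.contoso.com",
    "san": ["edge.contoso.com", "sip.contoso.com"],
    "eku": ["serverAuth"],
    "issuer_kind": "public",
}

# Constructed sample: a Director certificate matching the poster's row.
SAMPLE_DIRECTOR = {
    "subject_cn": "dir.corp.contoso.com",
    "san": ["dir.corp.contoso.com", "sipinternal.contoso.com", "sip.contoso.com",
            "meet.contoso.com", "dialin.contoso.com"],
    "eku": ["serverAuth"],
    "issuer_kind": "private",
}

if __name__ == "__main__":
    print(check_certificate("edge-external", SAMPLE_EDGE_EXTERNAL, "corp.contoso.com", "contoso.com"))
    print(check_certificate("edge-external", SAMPLE_EDGE_EXTERNAL, "corp.contoso.com",
                            "contoso.com", aol_public_im=True))
    print(check_certificate("director", SAMPLE_DIRECTOR, "corp.contoso.com", "contoso.com"))
```

The same role table can be reused to generate certificate requests: the SAN set the checker expects is exactly the set the request should carry, which avoids reissuing a public CA certificate after discovering a missing conferencing name in production.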