Lync Edge

The Lync Edge Server role is deployed in a [[DMZ]] and provides access to the Lync system from the Internet for:

  • Remote Users
  • Webconference Guests
  • Federated Partners
  • Public Internet Connection

Remote Users

Remote Users are the organization's own Lync users, authenticated against the corporate Active Directory (AD). Remote users can use the full functionality of the internal Lync deployment while on a public Internet connection.

Webconference Guests

Webconference Guests are unauthenticated users invited to a web conference by an authenticated user. These users access limited Lync functionality from the Internet.

Federated Partners

Federated partners are users on another SIP-enabled communications platform who can interact with Lync users through chat, audio or video. The federated partner could be running (but is not limited to) Cisco Presence, OCS 2007, OCS 2007 R2 or Lync.

Federation can be established through automatic discovery or configured manually.

Public Internet Connection

PIC allows limited interoperability with public IM services such as MSN, Yahoo, AOL and Google.

Access Edge

The Access Edge provides federation, public IM connectivity, and remote user access. It handles only SIP and SIP for Instant Messaging and Presence Leveraging Extensions (SIMPLE) traffic; SIMPLE piggybacks on SIP to provide IM communications. The Access Edge does not authenticate users itself: only internal Standard Edition servers and Front End pools authenticate users.

The network security administrator must open port 443 on the external NIC assigned to the Access Edge so that users can sign in to their Lync home server and take part in IM conversations. Port 5061 should be opened on the external Access Edge interface for federation and for public IM connectivity with AOL, MSN and Yahoo!. On the internal-facing network adapter of the Edge Server, SIP/SIMPLE traffic is transported over port 5061, so port 5061 must be opened to every internal Lync Standard Edition server and Front End pool.

Web Conferencing Edge

The Web Conferencing Edge proxies Web conferencing traffic (PSOM protocol) across the firewall between the Internet and the internal Lync Server deployment. The network security administrator must open port 443 on the external network adapter so that users can connect from the Internet to the Web Conferencing Edge, and port 8057 on the internal network adapter so that PSOM traffic can flow between the Web Conferencing Edge and the internal Lync Servers. Connections between the Web Conferencing Edge and the Web Conferencing service hosted on the Front End Server are always initiated by the internal Web Conferencing service. This design reduces the number of connection vectors into the corporate network and reduces the attack surface.
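The port requirements in the Access Edge and Web Conferencing Edge sections above amount to a small firewall matrix, and the direction of each flow matters as much as the port. The following Python script is an added example, not code from the original page or from the Lync product: it encodes that matrix (443 and 5061 on the external Access Edge interface, 5061 from the internal interface to the Standard Edition and Front End servers, 443 on the external Web Conferencing Edge interface, and 8057 on its internal interface, initiated by the internal service) and audits a rule set against it, reporting required openings that are absent and allow rules that none of the documented flows needs. The rule syntax, the zone names (`internet`, `front-end`, `access-edge-external` and so on) and the sample rules are constructed for illustration.

```python
"""Audit a perimeter firewall rule set against the Edge port requirements
described above (Access Edge and Web Conferencing Edge).

Added example: the rule syntax, the zone names and the sample rules are
constructed for illustration; they are not a real firewall format.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str    # zone or Edge interface that initiates the connection
    dst: str    # zone or Edge interface that accepts it
    port: int
    proto: str


# Openings the page requires, keyed by the rule that satisfies each one.
# Direction follows the page: Internet clients initiate to the external
# interfaces; the Access Edge internal interface talks to the Standard
# Edition / Front End servers on 5061; PSOM on 8057 is always initiated
# by the internal Web Conferencing service toward the Edge.
REQUIRED = {
    Rule("internet", "access-edge-external", 443, "tcp"):
        "Access Edge 443/tcp: remote user sign-in and IM",
    Rule("internet", "access-edge-external", 5061, "tcp"):
        "Access Edge 5061/tcp: federation and public IM connectivity",
    Rule("access-edge-internal", "front-end", 5061, "tcp"):
        "Access Edge internal 5061/tcp: SIP/SIMPLE to Standard Edition and Front End servers",
    Rule("internet", "webconf-edge-external", 443, "tcp"):
        "Web Conferencing Edge 443/tcp: PSOM from Internet clients",
    Rule("front-end", "webconf-edge-internal", 8057, "tcp"):
        "Web Conferencing Edge internal 8057/tcp: PSOM initiated by the Web Conferencing service",
}

# Constructed rule set with two typical mistakes: plaintext SIP (5060)
# exposed to the Internet, and the 8057 rule written in the wrong direction.
SAMPLE_RULES = """
allow tcp internet -> access-edge-external:443
allow tcp internet -> access-edge-external:5061
allow tcp internet -> access-edge-external:5060   # not required by the Edge
allow tcp access-edge-internal -> front-end:5061
allow tcp internet -> webconf-edge-external:443
allow tcp webconf-edge-internal -> front-end:8057  # reversed: the Front End initiates
"""


def parse_rules(text):
    """Parse lines of the form 'allow <proto> <src> -> <dst>:<port>'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        action, proto, src, arrow, target = line.split()
        if action != "allow" or arrow != "->":
            raise ValueError(f"unsupported rule: {raw!r}")
        dst, port = target.rsplit(":", 1)
        rules.append(Rule(src, dst, int(port), proto.lower()))
    return rules


def audit(rules):
    """Return (missing, unexpected): required openings absent from the rule
    set, and allow rules that none of the documented Edge flows needs."""
    present = set(rules)
    missing = [purpose for rule, purpose in REQUIRED.items() if rule not in present]
    unexpected = [rule for rule in rules if rule not in REQUIRED]
    return missing, unexpected


if __name__ == "__main__":
    missing, unexpected = audit(parse_rules(SAMPLE_RULES))
    for purpose in missing:
        print("MISSING   ", purpose)
    for rule in unexpected:
        print("UNEXPECTED", f"{rule.proto} {rule.src} -> {rule.dst}:{rule.port}")
```

Run as a script it prints the findings for the constructed rule set: because the 8057 rule is written with the Edge as initiator, the audit reports the Front-End-initiated opening as missing and flags the reversed rule, together with the 5060 exposure, as unexpected. In a real deployment the zone names would map to the actual Edge interface addresses and the Front End pool subnets.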

Audio/Video Edge

The A/V Edge enables audio and video traffic to traverse the corporate perimeter network. It serves as the meeting point for bridging users who connect from the Internet into an A/V conference hosted on the organizer's Front End Server or Standard Edition server. Participants and the Front End Server hosting the A/V Conferencing service connect to the A/V Edge to establish a media path, and the A/V Edge relays the SRTP traffic between the participants and the A/V Conferencing service. Because the Front End Server hosting the A/V conference initiates the connection to the A/V Edge, the firewall rules on the internal side of the perimeter do not need to allow SRTP traffic initiated from the Edge Server.

The A/V Edge uses the Interactive Connectivity Establishment (ICE) and Simple Traversal Underneath NAT (STUN) protocols (ICE/STUN) to enable media traffic to traverse firewalls and network address translation (NAT) devices that might lie between the end user's client and the A/V Edge.
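To make the ICE/STUN step concrete, the following Python code is an added example, not code from the original page or from the Lync product. It implements the STUN Binding Request/Response exchange from RFC 5389 that lets a client behind NAT learn the public address and port a STUN server (here standing in for the A/V Edge) sees it from, which is the server-reflexive candidate ICE then offers for the media path. The exchange is simulated in-process; the private and public addresses and the NAT binding table are constructed.

```python
"""STUN Binding exchange of the kind ICE/STUN uses so a client behind NAT
can learn the public (server-reflexive) address the A/V Edge sees.

Added example: the private and public addresses are constructed (RFC 1918
and RFC 5737 documentation ranges); the wire format follows RFC 5389.
This code is not part of the Lync product.
"""
import ipaddress
import os
import struct

MAGIC_COOKIE = 0x2112A442          # fixed value in every RFC 5389 STUN header
BINDING_REQUEST = 0x0001
BINDING_SUCCESS_RESPONSE = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020
FAMILY_IPV4 = 0x01
HEADER = struct.Struct("!HHI12s")  # type, length, magic cookie, transaction id

# Constructed NAT binding table: private socket -> public socket.
NAT_TABLE = {("10.0.0.5", 5000): ("203.0.113.10", 40001)}


def build_binding_request(transaction_id=None):
    """Client side: a Binding Request with no attributes."""
    transaction_id = transaction_id or os.urandom(12)
    return HEADER.pack(BINDING_REQUEST, 0, MAGIC_COOKIE, transaction_id), transaction_id


def build_binding_response(transaction_id, seen_ip, seen_port):
    """Server side: answer with XOR-MAPPED-ADDRESS carrying the source
    address the request arrived from (the NAT's public mapping). XOR-ing
    with the magic cookie stops NATs that rewrite embedded IP addresses
    from silently altering the value."""
    x_port = seen_port ^ (MAGIC_COOKIE >> 16)
    x_addr = int(ipaddress.IPv4Address(seen_ip)) ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, FAMILY_IPV4, x_port, x_addr)
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return HEADER.pack(BINDING_SUCCESS_RESPONSE, len(attr), MAGIC_COOKIE, transaction_id) + attr


def parse_binding_response(message, expected_transaction_id):
    """Client side: validate the header and recover the reflexive address."""
    msg_type, length, cookie, transaction_id = HEADER.unpack_from(message, 0)
    if cookie != MAGIC_COOKIE:
        raise ValueError("not an RFC 5389 STUN message")
    if transaction_id != expected_transaction_id:
        raise ValueError("transaction id mismatch: response is not for our request")
    if msg_type != BINDING_SUCCESS_RESPONSE:
        raise ValueError(f"unexpected message type 0x{msg_type:04x}")
    body = message[HEADER.size:HEADER.size + length]
    offset = 0
    while offset + 4 <= len(body):
        attr_type, attr_len = struct.unpack_from("!HH", body, offset)
        offset += 4
        value = body[offset:offset + attr_len]
        offset += (attr_len + 3) & ~3    # attribute values are padded to 4 bytes
        if attr_type == ATTR_XOR_MAPPED_ADDRESS and len(value) >= 8:
            _, family, x_port, x_addr = struct.unpack("!BBHI", value[:8])
            if family == FAMILY_IPV4:
                port = x_port ^ (MAGIC_COOKIE >> 16)
                ip = str(ipaddress.IPv4Address(x_addr ^ MAGIC_COOKIE))
                return ip, port
    raise ValueError("no IPv4 XOR-MAPPED-ADDRESS in response")


def simulate_nat_traversal(private_socket=("10.0.0.5", 5000)):
    """Run the exchange in-process: the NAT rewrites the client's source
    socket, the STUN server reports what it saw, the client decodes it."""
    request, txid = build_binding_request()
    assert len(request) == HEADER.size            # a bare request is just the header
    public_socket = NAT_TABLE[private_socket]     # the NAT's translation of our source
    response = build_binding_response(txid, *public_socket)
    return parse_binding_response(response, txid)


if __name__ == "__main__":
    print("reflexive address:", simulate_nat_traversal())
```

The client only trusts a response whose transaction id matches its own request, which is what keeps an unrelated or stale response from being taken as the reflexive address; the real A/V Edge exchange adds authentication and relay allocation on top of this basic binding, which the example does not model.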