Lync 2010 Federation/Edge Server

I am looking to get a good explanation of all the communication that takes place between federated partners; a diagram would be nice. I would like to focus on all communication that would need to pass the firewall, where it originates and where it is going to. I need a complete listing of what needs to be allowed on the firewall: the minimum firewall configuration required to use Lync with a federated partner. One reason I am trying to understand this communication is that we are having an issue. I am able to see my federated partner and send a chat message, but they cannot respond. I think we need to configure the firewall. I need to know what servers on their side need access through our firewall, and do they just need access to our Edge servers? Thanks!
jbyrd1981 asked:
Cliff Galiher commented:
Microsoft has a poster for that with Lync 2010. There is also a port summary on TechNet.

http://blogs.technet.com/b/nexthop/archive/2012/06/06/microsoft-lync-server-2010-protocol-workloads-poster.aspx
Jakob Digranes (Senior Consultant) commented:
That link is dead; here's a live one: http://www.microsoft.com/en-us/download/details.aspx?id=6797
For chat/IM you need TCP5061 opened inbound and outbound.
jbyrd1981 (Author) commented:
Thanks Cliff, I am already aware of this poster. It does not go into enough detail on all the necessary communications channels that need to be established between federated partners. If you are doing edge to edge federation do you just open up certain IPs between the organizations between the edge servers or do you have to allow their FE, A/V servers, etc? What about access to our F5 Reverse proxy. It would be nice to have details of this and that is what I am lacking.
Cliff Galiher commented:
The poster shows all of that. Federated partners is one of the listed items in the cloud icon for the various communications channels. I'm not sure it could be any more clear.
Jakob Digranes (Senior Consultant) commented:
As Cliff says, it's all in that poster, but to sum up:

To keep it easy, you should go with these firewall rules:

to SIP EDGE:
Inbound: TCP5061 and TCP443. Source any (as this is used by remote clients and federated partners)
Outbound: TCP5061

to WEBCONF EDGE:
Inbound: HTTPS443

to AV EDGE:
Inbound: TCP443, UDP3478
Outbound: UDP3478, TCP50000 - TCP59999

(if you federate with OCS 2007R2 you need UDP50000 - UDP59999 both in- and outbound as well)

For Reverse Proxy, only TCP443

If you decide to allow only certain IPs from partners, you have to get their IP addresses for Lync services and match AV Edge, SIP and Webconf to the ports mentioned above. But don't, as remote clients in your organization would not be able to log in unless their IP were registered.

jbyrd1981 (Author) commented:
Jakob, in addition to the ports we also need to limit to specific servers, particularly on inbound traffic. If we get more specific than just the ports inbound, we could also add the IPs of their Lync system. So for what you provide above, we can include these inbound ports and further restrict to their Edge server IPs? Do we need to include any other IPs of their Lync system? In a federated scenario all traffic goes through the Edge server, right? I am also wondering more particularly about firewall rules for our load balancer/reverse proxy situation. I don't think outbound is the issue with our configuration.

The biggest unresolved issue we are currently having is Live Meetings with the federated partner. We both have Lync 2010 and OCS in our environments. OCS never had Edge deployed in both organizations, but we are leveraging the Lync Edge for OCS. I can join their Live Meeting, but they only see my name show up for a few seconds. I just get an error message on my end and never join. I am not sure if it is just not supported in this configuration or could be our firewall. Maybe your statement below has something to do with this? Thoughts? We do not use that wide a port range for OCS, as we have restricted the ports via Group Policy.

(if you federate with OCS 2007R2 you need UDP50000 - UDP59999 both in- and outbound aswell)

The last issue is our meet link not working on the reverse proxy; we are using an F5. Internal and external parties cannot access it when pointed to the reverse proxy IP. Currently I am pointing it to the internal FE VIP until I can figure that one out.

All in all, I can look at the standard diagrams all day; I am missing something. The result is these issues I list here that I cannot figure out. Any help you all could provide would be greatly appreciated! Thanks!
Cliff Galiher commented:
To be honest, it sounds like you need some more implementation-specific information and perhaps some more product knowledge. You'll find most server product experts here are also high-level IT personnel or consultants and as such get paid for detailed planning and rollout. It is one thing to enjoy contributing to a community and helping each other out. It is another to give away a valuable service that should usually be paid for. I believe you'll find most experts won't get into the level of detail you are asking for. You'll probably want to bring in a Lync specialist for this project to get trustworthy and reliable results.
jbyrd1981 (Author) commented:
Totally understand, Cliff. I am not asking for a detailed rollout here. I have been rolling out Lync on my own with limited contractor support, so I have product knowledge. We have received Lync-specific support from MS and have most things deployed, and things are working well other than the few things I state above. During the consultations I suspect that two things happened: the consultant was not clear/complete on these issues, and we did not press for a solution at the time, mainly because getting the environment stood up was the priority. We are supposedly going to be getting some load balancing support soon, so that may help with some of this. I am trying to get some additional knowledge and experience from some other experts on these specific issues. Other than the specialists we have used and EE, that is all I've got to help me. I really want to understand the posters posted earlier, but I am not a network guy, so things like that can be a little bit of a challenge at times. The Live Meeting issue was confirmed by our consultant as being an unsupported configuration, but I am seeking a second opinion. I know we have strict inbound rules, and I was showing in the meetings very briefly but then dropped, maybe because we are blocking traffic (but what?). Something does not make sense. Posting some specific questions amongst other experts for resolution is what I thought EE was all about. Thanks!
Jakob Digranes (Senior Consultant) commented:
"We do not use that wide a port range for OCS as we have restricted the ports via Group Policy."
When joining the federated partner's meeting, your ports don't come into action; only in your hosted meetings.
You cannot join, or even IM with the federated partner? Then 50000 - 59999 isn't the issue; they're used for audio/video.
What firewall do you have? Application filtering?
Can they access your meetings?
Some tips here, maybe: http://blogs.technet.com/b/nexthop/archive/2011/12/07/useful-tips-for-testing-your-lync-edge-server.aspx

"Jakob, in addition to the ports we also need to limit to the servers particularly on inbound traffic. If we get more specific than just the ports inbound we could also add the IPs of their Lync system. So for what you provide above we can include these inbound ports and further restrict to their edge server IPs? Do we need to include any other IPs of their Lync system?"
You need IPs for sip.otherdomain.com, webconf.otherdomain.com, av.otherdomain.com, meet.otherdomain.com.
Those four are definitely different public IPs.
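The port summary in Jakob's earlier reply and the four partner host names he lists just above can be turned into a quick check to run before touching firewall rules. The PowerShell below is an added example for this thread, not code from any of the posters or from Microsoft. It assumes a placeholder partner SIP domain (partner.example) and the conventional sip/webconf/av/meet names; it uses Resolve-DnsName and Test-NetConnection, which need Windows 8 / Server 2012 or later, and should be run from a host on the same network path as your Edge server's external interface.

```powershell
# Added example (not from the thread). Resolves a federated partner's published
# Lync Edge names and probes the TCP ports from the port summary above.
# Assumption: the partner's SIP domain is the placeholder 'partner.example' and
# they use the common sip/webconf/av/meet host names.
$PartnerDomain = 'partner.example'   # assumption: replace with the real federated domain

# 1. Federation discovery. A Lync Edge finds the partner's Access Edge through
#    the _sipfederationtls._tcp.<domain> SRV record (normally pointing at 5061).
$srv = Resolve-DnsName -Name "_sipfederationtls._tcp.$PartnerDomain" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) {
    Write-Warning "No _sipfederationtls._tcp SRV record for ${PartnerDomain}: your Edge cannot discover theirs."
    $srvTarget = "sip.$PartnerDomain"; $srvPort = 5061   # fall back to the conventional name/port
} else {
    $srv | ForEach-Object { "SRV: {0} -> {1}:{2}" -f $_.Name, $_.NameTarget, $_.Port }
    $srvTarget = $srv[0].NameTarget; $srvPort = $srv[0].Port
}

# 2. The partner-side names the rules refer to, with the TCP ports from the
#    port summary. UDP 3478 and the 50000-59999 A/V ranges cannot be probed
#    with Test-NetConnection (TCP only); the A/V entry is kept for the IP lookup.
$edgeRoles = @(
    @{ Role = 'SIP/Access Edge (from SRV)'; Host = $srvTarget;               TcpPorts = @($srvPort, 443) }
    @{ Role = 'Web Conferencing Edge';      Host = "webconf.$PartnerDomain"; TcpPorts = @(443) }
    @{ Role = 'A/V Edge';                   Host = "av.$PartnerDomain";      TcpPorts = @(443) }
    @{ Role = 'Reverse proxy (meet)';       Host = "meet.$PartnerDomain";    TcpPorts = @(443) }
)

$results = foreach ($r in $edgeRoles) {
    # A records: these are the addresses you would put in a source-restricted
    # inbound rule on your own firewall if you choose to restrict by partner IP.
    $ips = (Resolve-DnsName -Name $r.Host -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' }).IPAddress
    foreach ($port in $r.TcpPorts) {
        # TCP connect from here to the partner: shows whether THEIR firewall
        # admits you, not whether yours admits them.
        $open = Test-NetConnection -ComputerName $r.Host -Port $port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            Role    = $r.Role
            Host    = $r.Host
            IPs     = ($ips -join ', ')
            TcpPort = $port
            Open    = [bool]$open
        }
    }
}
$results | Format-Table -AutoSize
```

This only verifies the outbound direction from your side. The inbound direction that the rule table also requires (the partner's Edge reaching your Access Edge on TCP 5061, and their clients reaching your meet name on 443) can only be confirmed by the partner running the same checks against your own sip/webconf/av/meet names, or by watching your external firewall log for their Edge IPs being dropped on those ports.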