Lync 2010 deep dive edge


Published on

Lync Server 2010 Deep Dive - Edge Services (delivered by Byron Spurlock)

Published in: Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Slide Objective:Notes:
  • Slides Objective:Give an overview over the sessionNotes:This session will include the most important topics around changes for Edge Server in Lync Server 2010:Edge Scenarios – what Edge enables your users to doInterop Federation – Federations with non OCS/Lync Server 2010 environments: PIC, XMPP, Sametime, CiscoPlan for Edge –FQDNs/Simple URLs, Certificates, Firewall, Load BalancingManage Edge – Install, BigFin, FederationsEdge Architecture with Multiple sites
  • Slides Objective:Give an overview of ArchitectureNotes:Edge Server enables a Lync Server 2010 deployment to communicate with external participants – Remote users, Federated users (including PIC) and anonymous users. On the left side we have the public network/internet, then we have a perimeter network between an internal and external firewall. On the right side we have the internal network.In the perimeter the Edge Server runs three services: Access Edge, Web Conferencing Edge und AV Edge. Additionally there is a Reverse Proxy, publishing meeting content, address book, and group expansion.The director in the internal network is an optional role, that acts as a next hop server. It adds additional security and – in a deployment with multiple internal pools – offloads the distribution of users to their home pools.The internal deployment here is simplified, of course there can be additional components such as AV conferencing pool, Exchange UM, Monitoring Server,…Also the symbols for Edge and Front End show a pool, also single servers can be used.
  • Slide Objective: Discuss the planning for Edge Server locationsNotes: This is the same as in OCS 2007 R2. The only way to install Edge is as a consolidated Edge with all three server roles (Access Edge, Web Conferencing Edge, AV Edge). While multiple Edge Server (pools) can be used as SIP ingress points for remote user, only a single Edge Server (pool) can be used for Federation traffic (including PIC). However, the SRV record will point only to one Edge Server (pool) that is used for client sign in. To use localized Edge Servers (pools) for SIP traffic, GPOs can be used to specify connection settings.However, it is important to know, which Edge Server and also which Edge Server role is used when by a user. Remote users for SIP traffic always use the Access Edge Server they used for sign in (located either through automatic login or via “manual” configuration/GPO). Independently they will always use the AV Edge Server that is assigned to their home pool.For Federation/PIC traffic, the Access Edge server used for outgoing route is configured for the whole deployment. However, the AV Edge Server used for media sessions will always be the one, assigned to the home pool of a user.Because media traffic is very dependent on network quality such as latency, it makes complete sense to use localized Edge servers in all locations where you have also a pool.For conferences, the Web Conferencing Edge server and the AV Edge Server used for the conference will be the one assigned to the home pool of the user organizing the conference.
  • Slides Objective:Explain Edge Server ScenariosNotes:Edge Server is useful in a number of scenarios. Depending of the type of communication partner, different features are available. This is a description of the features:PresenceIM 1:1 – two party instant messagesIM conferencing – IM sessions with more than two usersCollaboration– Share the desktop, one or more applications, whiteboard and filesA/V 1:1 – two party Audio-/VideoA/V conferencing: Audio-/Video sessions with more than two peopleFile Transfer: Sending files over Lync 2010, two party only; in Lync Server 2010 File Transfer uses the ICE protocol to establish a media path between two endpoints. That means that in contrast to earlier versions of Lync 2010, we can now transfer files trough NATs and firewalls. In conferences, files are not sent directly to other users, they are uploaded to the meeting on Lync Server 2010 and participants can download it from there.In general there are four different kind of users that interact with an Edge environment:Remote Users: These are users of the same company, with an Active Directory account, however these users are not connected to the internal enterprise network and are also not using any VPN connection.Remote users will have the full feature set and the same user experience as internal users.Federated Users: Federated users are users from a different company with an Active directory account at that different company. They are configured for OCS at the other company and between your company and the other company, a Federation is established: a trust relationship to allow users from both companies to communicate with each others.Federated users will have the full features set except for address book. There is no address book sharing over the Edge Server, but contacts can be added to Active Directory Domain Services (AD DS) so that Federated users can be found. In Lync 2010, Federated users are marked with a planet icon to distinguish them from internal users. If the federation partner has an older version of Lync Server 2010, the user experience will be the same as in Migration/co-existence scenarios and the feature set will be limited. However, same as for co-existence, Federated users can use the Lync Attendee to join meetings with the full feature set.Anonymous users are users without an AD account in your OCS environment nor in a Federated one. These users can use the AOC to join meetings. However, the AOC does not offer presence or 1:1 capabilities – from a technical perspective this is a conference and hence hosted on a conference server, without peer-to-peer traffic in the client. Of course, you can have a conference with only two participants.Non Lync Server 2010 Federation partners such as PIC (MSN, Yahoo!, AOL) or XMPP partners support only basic presence (a reduced set of presence status) and 1:1 IM. The only exception is MSN, that will offer AV capabilities with the Windows Live Messenger client from Windows Live Essentials 2011.
  • Slides Objective:Discuss Federations with non-OCS/Lync Server 2010 environmentsNotes:Lync Server 2010 offers a number of interoperability scenarios with non OCS/Lync Server 2010 environments. Goal of this and the following slides is to give an overview over the solutions and create awareness of the possibilities, not to give deep dive configuration information. Detailed information is provided in the links sections.PIC (Public Internet Connectivity) is the integration of public Instant Messaging providers into Lync Server 2010. PIC can be activated also only for a subset of PIC partners.IBM Lotus Sametime and Cisco Presence allow integration for IM and Presence, on the Lync Server 2010 side this is configured as Federation.For XMPP an additional server in the perimeter network is required with the XMPP gateway installed on it. The XMPP gateway is provided by Microsoft and does not require an additional license.
  • Slides Objective:Provide a brief overview on how to set up interop FederationsNotes:Federation with Windows Live and AOL do not need additional licenses, Federation with Yahoo! requires the LyncServer 2010 Public IM Connectivity (PIC) per user subscription license. The LyncServer 2010 PIC license is sold separately on a per-user, per-month basis as a Microsoft service. PIC service licenses are available for Microsoft Volume License customers only. with Google Talk and Jabber can be enabled through the Microsoft Office Communications Server 2007 R2 XMPP Gateway, available at no additional licensing cost. This Gateway provides presence sharing and instant messaging (IM) with XMPP networks like Google Talk.IBM Lotus Sametime requires version 8.0.2 with Hot-Fix One (HF1) or above of Sametime – Sametime is SIP/SIMPLE based – required Sametime Gateway. Unified Presence requires at least Unified Presence Server 7.0 and Adaptive Security Appliance 8.0.4.X. A guide for Federating Cisco Unified Presence with OCS can be found here:
  • Slide Objective: Discuss Certificate requirementsNotes: Lync Server 2010 requires less public certificates (certificates that are signed by a public certification authority). A single public certificate can be used for Access Edge, Web Conferencing Edge, AV Edge and even Reverse Proxy if the SANs are manually added in the request. Consider the various SANs that might be required (Simple URLs, multiple domains)The wizard can automatically add all required Subject Names/Subject Alternate NameFor the internal interface, an internal certificate can be used.
  • Slide Objective: Explain port changes for Reverse Proxy from OCS 2007 R2.Notes:First explain the setup: this first diagram is about reverse proxy. On the left side is the external network, the internet. On the right side is the internal network, the corp net. In between, there is the perimeter network with an internal and external firewall. For the external interface, port 80 was added on Reverse Proxy. This port was not required in previous version.On the internal interface port 8080 was added to forward all requests send to port 80. Another change is, that request to port 443 are now mapped to port 4443 for web components. This enables us to use on the internal server port 443 for all internal queries and port 4443 for all external queries.
  • Slide Objective: Explain port changes for Edge Server from OCS 2007 R2.Notes:Again we have from left to right the external network, perimeter network and internal network. There is one Edge Server with all roles installed (Access Edge, Web Conferencing Edge and AV Edge). On the left side, the blue arrows at the top connect to the Access Edge IP. The single arrow in the middle connects to the Web Conferencing Edge and the green arrows at the bottom connect to the AV Edge.On the internal firewall, all connections point to the internal Edge IP address.For replicating the configuration, the central management store (CMS), running on one of the Front End Servers, uses port 4443 to push the configuration file to the internal interface of the Edge Server. The configuration data is stored on a SQL Express database on the Edge Server.
  • Slide Objective: Explain requirements for the 50,000-59,999 port rangeNotes: This has not changed from OCS 2007 R2.The port range is required for federated media traffic. If Federating with OCS 2007, the port range has to be opened for UDP and TCP in/ and outbound. For Federation with OCS 2007 R2 or Lync Server 2010 only TCP outbound is required.If you don’t open the port range, media to Federated contacts will not work at all (OCS 2007) respectively Desktop Sharing and File Transfer (OCS 2007 R2 and Lync Server 2010) – please note that File Transfer over firewalls will work only Lync Server 2010 to Lync Server 2010.
  • Slides Objective:Give an overview over the sessionNotes:This session will include the most important topics around changes for Edge Server in Lync Server 2010:Edge Scenarios – what Edge enables your users to doInterop Federation – Federations with non OCS/Lync Server 2010 environments: PIC, XMPP, Sametime, CiscoPlan for Edge –FQDNs/Simple URLs, Certificates, Firewall, Load BalancingManage Edge – Install, BigFin, FederationsEdge Architecture with Multiple sites
  • Lync 2010 deep dive edge

    1. 1. Microsoft® Lync ™ Server 2010Edge Deep Dive<br />Byron SpurlockFounder Architect - Quadrantechnologies<br /><br /><br />
    2. 2. Agenda<br /><ul><li>Architecture
    3. 3. Edge Scenarios – Users point of view
    4. 4. Interoperability Federation
    5. 5. Certificates
    6. 6. Edge Scenario – DNS Load Balancing
    7. 7. Authentication
    8. 8. Discovery
    9. 9. Federation</li></ul>2<br />
    10. 10. Architecture Overview<br />3<br />
    11. 11. Architecture Considerations<br /><ul><li>(Scaled) consolidated Edge only
    12. 12. Multiple Access Edge (pools) for remote users
    13. 13. SRV record points to only one Edge Server (pool)
    14. 14. Single Access Edge Server (pool) for Federation
    15. 15. Used Edge Server
    16. 16. SIP traffic
    17. 17. Federation traffic: Federation Route
    18. 18. Remote users: Edge server used for sign in
    19. 19. AV traffic
    20. 20. AV Edge assigned to pool
    21. 21. Use localized Edge Servers to optimize media path</li></ul>4<br />
    22. 22. Edge Scenarios<br />5<br />
    23. 23. Interoperability Federation Partners<br /><ul><li>PIC
    24. 24. MSN
    25. 25. AOL
    26. 26. Yahoo!
    27. 27. IBM Lotus Sametime
    28. 28. Cisco Presence
    29. 29. Extensible Messaging and Presence Protocol (XMPP)
    30. 30. Jabber
    31. 31. Google Talk</li></ul>6<br />
    32. 32. Interoperability: How to<br /><ul><li>All scenarios require Edge Server
    33. 33. PIC
    34. 34. Licenses
    35. 35. AOL certificate
    36. 36. XMPP
    37. 37. XMPP Gateway
    38. 38. Cisco Unified Presence
    39. 39. Unified Presence Server 7.0 and Adaptive Security Appliance 8.0.4.X
    40. 40. IBM Lotus Sametime
    41. 41. Sametime 8.0.2 with Hot-Fix One (HF1)
    42. 42. Sametime Gateway</li></ul>7<br />
    43. 43. Certificates Simplified<br /><ul><li>Single public certificate
    44. 44. Access Edge Server
    45. 45. Web Conferencing Edge Server
    46. 46. AV Edge Server
    47. 47. Private certificates
    48. 48. Internal Edge Interface</li></ul>8<br />
    49. 49. 9<br />9<br />
    50. 50. 10<br />10<br />
    51. 51. Ports 50,000-59,999<br /><ul><li>Required for federated media traffic
    52. 52. Federation with OCS 2007
    53. 53. Open UDP and TCP in- and out-bound
    54. 54. Federation with OCS 2007 R2/Lync Server 2010
    55. 55. Open TCP outbound</li></ul>11<br />
    56. 56. Lync Server Edge scenarios<br />External User Access<br />Lync clients can transparently connect to the Lync Server deployment over the public Internet<br />PIC<br />Connecting with public IM providers<br />Federation<br />Federation with other Enterprises<br />IM&P only, or<br />All modalities A/V and Application Sharing<br />
    57. 57. NAT Traversal <br />
    58. 58. Terms & Acronyms<br />Candidate<br />Possiblecombinationof IP addressandportformediachannel<br />NAT<br />Network Address Translation<br />TURN<br />TraversalUsing Relay NAT<br />STUN<br />Simple Traversal of UDP through NAT<br />Session Traversal Utilities for NAT<br />
    59. 59. Home NATs<br />General NAT/Firewall behavior<br />Allow connections from the private network<br />Blocks connection from the Internet<br />Security/usability tradeoff<br />Blocks attackers from harming your system<br />PROBLEM: Also blocks incoming signaling and media<br />Home<br />Internet<br />Home NAT<br />
    60. 60. Corporate Firewalls<br />Though more scrutinized, goals are similar<br />Sharing of IP addresses<br />Controlling data traffic from the internet<br />Two firewalls isolate via perimeter network<br />Work<br />Perimeter<br />Network<br />Internet<br />Inner FW<br />Outer FW<br />
    61. 61. Why is NAT Traversal a problem?<br />SIP signaling over TCP uses Access Edge<br />UDP media flows over separate channel<br />Pre-ICE endpoints uses local IPs & ports<br />No media can be sent between (a) and (w)<br />UDP<br />TCP<br />INVITE<br />m/c = a<br />200 OK<br />m/c = w<br />Access<br />Edge<br />Home<br />Work<br />a<br />w<br />Outer FW<br />Inner FW<br />Home NAT<br />
    62. 62. Solution – STUN, TURN, ICE <br />Add a Media Relay (aka A/V Edge Server)<br />STUN reflects NAT addresses (b) and (e)<br />TURN relays media packets (c) (d) (x) (y)<br />ICE exchanges candidates (cand) and determines optimal media path<br />All three protocols based IETF standards<br />UDP<br />TCP<br />INVITE<br />m/c = a<br />200 OK<br />m/c = w<br />Access<br />Edge<br />Home<br />Work<br />cand=a,b,c,d,e<br />cand=w,x,y<br />c<br />b<br />a<br />STUN<br />TURN Server<br />(AV Edge)<br />w<br />d<br />e<br />x<br />y<br />Inner FW<br />Outer FW<br />Home NAT<br />
    63. 63. Edge Topologies<br />
    64. 64. Single IP address Edge<br />Edge Server<br /><br /><br />SIP: 5061 <br />Web Conf: 8057<br />A/V Conf: 443, 3478<br /><br /><br />SIP: 5061 <br />Web Conf: 444<br />A/V Conf: 443, 3478<br />Internal<br />External<br />
    65. 65. Multiple IP address Edge<br />Edge Server<br /><br /> 443, 5061<br />External SIP<br /><br /><br />SIP: 5061 <br />Web Conf: 8057<br />A/V Conf: 443, 3478<br /><br /> 443<br />Internal<br />External Web Conf<br /><br /> 443, 3478<br />External AV<br />
    66. 66. Edge using NAT IP addresses<br />Public IP space<br />NAT<br />Edge Server<br />IP1<br />IP1’<br />External SIP<br />Lync Server does not need<br />to know translated SIP and<br />Web Conf IP<br />IP2’<br />IP2<br />Client<br />Int<br />External Web Conf<br />Clients connect to <br />IP for A/V traffic<br />Translated AV IP must<br />be configured in Lync<br />Server<br />IP3’<br />IP3<br />External AV<br />
    67. 67. What Load Balancing options are available?<br /><ul><li>DNS Load Balancing using NAT
    68. 68. Hardware Load Balancing (HLB)</li></li></ul><li>DNS Load Balanced Edge<br />Public IP space<br />Edge Server 1<br />IP1<br />DNS A records <br /> IP1 and IP4<br /> IP2 and IP5<br /> IP3 and IP6<br />Int<br />IP2<br />IP3<br />Edge Server 2<br />IP4<br />Client<br />Int<br />IP5<br />Client can retrieve and handle multiple IP<br />addresses and can fail over<br />DNS server returns randomized IP address<br />IP6<br />
    69. 69. DNS Load Balanced Edge using NAT <br />NAT<br />Public IP space<br />Edge Server 1<br />IP1<br />IP1’<br />DNS A records <br /> IP1’ and IP4’<br /> IP2’ and IP5’<br /> IP3’ and IP6’<br />Int<br />IP2<br />IP2’<br />IP3<br />IP3’<br />Translated AV IP addresses must<br />be configured in Lync Server individually<br />IP3 to IP3’<br />IP6 to IP6’<br />Edge Server 2<br />IP4<br />IP4’<br />Int<br />IP5<br />IP5’<br />IP6<br />IP6’<br />
    70. 70. Hardware Load Balanced Edge<br />HLB<br />Public IP space<br />Edge Server 1<br />IP1<br />DNS A records <br /> VIP1<br /> VIP2<br /> VIP3<br />Int<br />IP2<br />IP3<br />VIP1<br />VIP2<br />AV client connections are initiated over the VIP. <br />Subsequent client AV traffic (UDP) connect directly to Edge.<br />TCP traffic continues to use VIP.<br />NAT and HLB is not possible <br />Edge Server 2<br />VIP3<br />IP4<br />Int<br />IP5<br />IP6<br />
    71. 71. DNS Load Balancing and Interop/Migraion<br />Co-existence/Side-by-Side<br />OCS 2007 OR OCS 2007 R2 pool and Edge Server can co-exist with Lync Server pool and Lync Edge Server<br />Only a single Edge (server/pool) for Federation is possible<br />DNS Load Balancing <br />Legacy components do not support DNS LB<br />If co-existence time is short: DNS LB<br />If co-existence time is long: Hardware LB<br />
    72. 72. Reverse Proxy<br />
    73. 73. Reverse Proxy and external access<br />Forwards External HTTPS and HTTP traffic to Front End and Director Pool<br />HTTPS<br />Simple URLs (Join Launcher URL)<br />Address Book (download and/or web service) ABS<br />Distribution List Expansion DLX<br />Web Ticket (Web Auth)<br />HTTP<br />Device Updates (Firmware)<br />Device Update logs upload<br />
    74. 74. Reverse Proxy and external access<br />Simple URL forward to Director (recommended)<br />Forwarding rule for Simple URL to a single Director (or Pool); port 443<br />Reverse Proxy certificate’s SAN to contain base FQDN of each Simple URL <br />Web External Pool traffic forwarded to pools by Reverse Proxy<br />Reverse Proxy requires a forwarding rule each Web External FQDN (Front End Pool and Director); port 443<br />If external Phone Devices are implemented, Reverse Proxy rule for port 80 is required <br />Reverse Proxy certificate’s SAN to contain base FQDN of all configured Web external Pools (Front End Pool and Director)<br />
    75. 75. Reverse Proxy<br />Front End Pool1<br />Reverse Proxy<br />Front End Pool2<br />Client<br />Director<br /> to Director<br /> to Director<br /> to Pool 1<br /> to Pool 2<br />DNS LB not supported for HTTP/S traffic<br />SAN in Reverse Proxy Certificate<br />
    76. 76. Authentication<br />
    77. 77. Credentials for remote client<br />MTLS<br />MRAS<br />A/V<br />Edge<br />SIP Subscribe<br />200 OK<br />Access<br />Edge<br />ms-user-logon-data: RemoteUser<br /><mrasUri><br />OCS FE<br />Server<br />SIP Service<br /><location>internet</location><br />200 OK<br /><hostName><br /><udpPort>3478<br /><tcpPort>443<br /><username> 77qq8yXccBc2lwOmFy<br /><password> Wnujl0eo00YkV/5dg=<br /><duration>480<br />Service<br />200 OK<br />Inner<br />Firewall<br />Outer<br />Firewall<br />Endpoint<br />
    78. 78. Credentials for remote client<br />02/09/2011|10:00:41.608 1B9C:A24 INFO :: Sending Packet - 208.115.110.XXX:443 (From Local Address: 1334 bytes:<br />02/09/2011|10:00:41.608 1B9C:A24 INFO :: SERVICE;gruu;opaque=srvr:MRAS:v6H_I-uZa1irVldx3Z_CdgAA SIP/2.0<br />ms-user-logon-data: RemoteUser<br />Via: SIP/2.0/TLS<br />Max-Forwards: 70<br />From: <sip:<userName>>;tag=6adfd24c1b;epid=92a17ee2ce<br />To: <;gruu;opaque=srvr:MRAS:v6H_I-uZa1irVldx3Z_CdgAA><br />Call-ID: 0ba8a0c30bf74534a7d94a182b4d72f8<br />CSeq: 1 SERVICE<br />Contact: <sip: <userName>;opaque=user:epid:1dRPOJppUlG-Qszig4EXYgAA;gruu><br />User-Agent: UCCAPI/4.0.7577.108 OC/4.0.7577.108 (Microsoft Lync 2010)<br />Proxy-Authorization: TLS-DSK qop="auth", realm="SIP Communications Service", opaque="6436AC83", targetname="", crand="eee9b681", cnum="7", response="63d56f98d452b3e25266ba340e88dfb47e96c7de"<br />Content-Type: application/msrtc-media-relay-auth+xml<br />Content-Length: 478<br /><request requestID="128326152" version="2.0" to="sip:;gruu;opaque=srvr:MRAS:v6H_I-uZa1irVldx3Z_CdgAA" from="sip: " xmlns="" xmlns:xsi=""><credentialsRequest credentialsRequestID="128326152"><identity>sip: <userName> </identity><location>internet</location><duration>480</duration></credentialsRequest></request><br />
    79. 79. Credentials for remote client<br /><?xml version="1.0"?><br /><response xmlns:xsi="" xmlns:xsd="" requestID="128326152" version="2.0" serverVersion="2.0" to=";gruu;opaque=srvr:MRAS:v6H_I-uZa1irVldx3Z_CdgAA" from="sip:<userName>" reasonPhrase="OK" xmlns=""><br /> <credentialsResponsecredentialsRequestID="128326152"><br /> <credentials><br /> <userName>AgAAJEqlo9QBy8itWiOmR2d4zw8ZJqfwTPDagP7i95AAAAAAbdyNu23CueVPKAjFdxLksF0ihSk=</userName><br /> <password>eulmSPLxOMZZAYZvkq78HBo2uSk=</password><br /> <duration>480</duration><br /> </credentials><br /> <mediaRelayList><br /> <mediaRelay><br /> <location>internet</location><br /><hostName></hostName><br /> <udpPort>3478</udpPort><br /> <tcpPort>443</tcpPort><br /> </mediaRelay><br /> </mediaRelayList><br /> </credentialsResponse><br /></response><br />02/09/2011|10:00:41.873 1B9C:A24 INFO :: End of Data Received - (To Local Address: 1727 bytes<br />
    80. 80. Credentials for Conferencing<br />SIP Invite<br />OCS FE<br />Server<br />200 OK<br />Access<br />Edge<br /><hostName><br /><udpPort>3478<br /><tcpPort>443<br /><username> 77qq8yXccBc2lwOmFy<br /><password> Wnujl0eo00YkV/5dg=<br /><duration>480<br />3CP: Add User<br />200 OK<br />{MRAS Credentials}<br />Service<br />MTLS<br />A/V<br />MCU<br />200 OK<br />A/V Auth<br />A/V<br />Edge<br />Outer<br />Firewall<br />Inner<br />Firewall<br />Endpoint<br />
    81. 81. Credentials for remote client<br />Direction: incoming;source="external edge";destination="internal edge"<br />Peer:<br />Message-Type: request<br />Start-Line: INVITE;gruu;opaque=app:conf:audio-video:id:FZG8SYVR SIP/2.0<br />From: <>;tag=75336413c0;epid=3821b40476<br />To: <;gruu;opaque=app:conf:audio-video:id:FZG8SYVR>;tag=a4f2e92356;epid=0B08BA10A9<br />CSeq: 3 INVITE<br />m=audio 50743 RTP/SAVP 9 111 0 8 97 13 118 101<br />a=ice-ufrag:cGUT<br />a=ice-pwd:eUrBEAMFNrwFGgroXuUMaLtS<br />a=candidate:4 1 UDP 16648703 50743 typ relay raddr rport 31602 <br />a=candidate:4 2 UDP 16648702 55309 typ relay raddr rport 31603 <br />a=cryptoscale:1 client AES_CM_128_HMAC_SHA1_80 inline:FU4Gl7hGYS894KJYhEvNq72Jo7ADq2e0gkLUzPV1|2^31|1:1<br />a=remote-candidates:1 53622 2 53623<br />a=maxptime:200<br />a=rtcp:55309<br />a=rtpmap:9 G722/8000<br />a=rtpmap:111 SIREN/16000<br />a=fmtp:111 bitrate=16000<br />a=rtpmap:0 PCMU/8000<br />a=rtpmap:8 PCMA/8000<br />a=rtpmap:97 RED/8000<br />a=rtpmap:13 CN/8000<br />a=rtpmap:118 CN/16000<br />a=rtpmap:101 telephone-event/8000<br />a=fmtp:101 0-16<br />a=encryption:required<br />m=video 56786 RTP/SAVP 121 34<br />a=ice-ufrag:eQIo<br />
    82. 82. Security<br />
    83. 83. Secure Communications in LyncCan someone sniff the packets and access my IM/audio/video/data?<br />
    84. 84. Edge Validation <br />Public Web Service Tool available for Edge Validation<br />Supports OCS 2007 R2 and Lync Server 2010<br /><br />
    85. 85. Auto Discovery<br />
    86. 86. More Terms<br />Internal IP address<br />The IP address assigned to the network interface of the client computer.<br />Reflexive IP address<br />IP address of the public address assigned to the home router.<br />Media relay address<br />The public IP address of the Audio/Video Edge service that is associated with the internal Lync 2010 user’s pool.<br />
    87. 87. nic<br />a<br />c<br />default<br />MRAS<br />a<br />b<br />b<br />c<br />Allocate UDP<br /> candidate list<br />c<br />Media<br />Relay<br />Allocate TCP<br />d<br />e<br />d<br />e<br />UDP<br />TCP<br /> local<br />remote<br />Endpoint<br />NAT/Firewall<br />AddressDiscovery (AV) <br />
    88. 88. c<br />Address Discovery (Desktop Sharing)<br />nic<br />a<br />default<br />a<br />MRAS<br />b<br />c<br /> candidate list<br />Media<br />Relay<br />Allocate TCP<br />c<br />b<br />UDP<br />TCP<br /> local<br />remote<br />Endpoint<br />NAT/Firewall<br />
    89. 89. Address Exchange<br />TURN<br />TURN<br />nic<br />nic<br />a<br />b<br />w<br />x<br /> SIP INVITE<br /> c :: a,b,c,d<br /> local<br />remote<br /> local<br />remote<br />y<br />y<br />c<br />c<br />default<br />default<br /> 183 Session Progress<br /> y :: w,x,y,z<br />w<br />a<br />a<br />w<br /> 200 OK<br /> y :: w,x,y,z<br />x<br />b<br />b<br />x<br /> candidate list<br /> candidate list<br />y<br />c<br />c<br />y<br />z<br />d<br />d<br />z<br />c<br />y<br />d<br />z<br />SIP<br />NAT/Firewall<br />Endpoint<br />NAT/Firewall<br />Endpoint<br />45<br />
    90. 90. Address Exchange (Caller-Invite)<br />05/31/2011|16:55:25.856 2D7C:1FF8 INFO :: Sending Packet - (From Local Address: 7439 bytes:<br />05/31/2011|16:55:25.856 2D7C:1FF8 INFO :: INVITE SIP/2.0<br />Via: SIP/2.0/TLS<br />Max-Forwards: 70<br />From: <>;tag=c4a189acf6;epid=92a17ee2ce<br />To: <><br />Call-ID: eb472e8ebc384c68a07b1e5beb70be38<br />CSeq: 1 INVITE<br />m=audio 55336 RTP/AVP 114 9 112 111 0 8 116 115 4 97 13 118 101<br />a=ice-ufrag:6QrA<br />a=ice-pwd:LColjpNYVTQVn6KK6Bg7D9k1<br />a=candidate:5 2 UDP 2130703870 25743 typ host <br />a=candidate:6 1 TCP-PASS 6556159 50162 typ relay raddr rport 30907 <br />a=candidate:6 2 TCP-PASS 6556158 50162 typ relay raddr rport 30907 <br />a=candidate:7 1 UDP 16648703 55336 typ relay raddr rport 52259 <br />a=candidate:7 2 UDP 16648702 54267 typ relay raddr rport 52282 <br />a=candidate:8 1 UDP 1694233599 52259 typsrflxraddr rport 11252 <br />a=candidate:8 2 UDP 1694232062 52282 typsrflxraddr rport 11253 <br />a=candidate:9 1 TCP-ACT 7074303 50162 typ relay raddr rport 30907 <br />a=candidate:9 2 TCP-ACT 7073790 50162 typ relay raddr rport 30907 <br />a=candidate:10 1 TCP-ACT 1684795391 30907 typsrflxraddr rport 15645 <br />a=candidate:10 2 TCP-ACT 1684794878 30907 typsrflxraddr rport 15645 <br />
    91. 91. Address Exchange (Callee-Response)<br />05/31/2011|16:55:28.485 2D7C:1FF8 INFO :: Data Received - (To Local Address: 3093 bytes:<br />05/31/2011|16:55:28.485 2D7C:1FF8 INFO :: SIP/2.0 183 Session Progress<br />ms-user-logon-data: RemoteUser<br />From: "bob"<>;tag=c4a189acf6;epid=92a17ee2ce<br />To: <>;epid=73f1df72ee;tag=ed247c795f<br />Call-ID: eb472e8ebc384c68a07b1e5beb70be38<br />CSeq: 1 INVITE<br />Record-Route: <;transport=tls;opaque=state:T:F;lr;received=;ms-received-cid=73BB7E00><br />Contact: <;opaque=user:epid:bEfyhOYmMVynmDXlgp2D6gAA;gruu><br />User-Agent: UCCAPI/4.0.7577.256 OC/4.0.7577.280 (Microsoft Lync 2010)<br />m=audio 57501 RTP/SAVP 114 9 112 111 0 8 116 115 4 97 13 118 101<br />a=candidate:2 1 TCP-PASS 6556159 55275 typ relay raddr rport 4523 <br />a=candidate:2 2 TCP-PASS 6556158 55275 typ relay raddr rport 4523 <br />a=candidate:3 1 UDP 16648703 57501 typ relay raddr rport 32250 <br />a=candidate:3 2 UDP 16648702 56075 typ relay raddr rport 32251 <br />a=candidate:4 1 UDP 1694235647 32250 typsrflxraddr rport 32250 <br />a=candidate:4 2 UDP 1694234110 32251 typsrflxraddr rport 32251 <br />a=candidate:5 1 TCP-ACT 7076351 55275 typ relay raddr rport 4523 <br />a=candidate:5 2 TCP-ACT 7075838 55275 typ relay raddr rport 4523 <br />a=candidate:6 1 TCP-ACT 1684797439 4523 typsrflxraddr rport 4523 <br />a=candidate:6 2 TCP-ACT 1684796926 4523 typsrflxraddr rport 4523<br />
    92. 92. Federation<br />
    93. 93. Port Requirements for Audio/Video<br />Lync 2010<br />UDP 3478, TCP 443<br />UDP/TCP 50,000-59,999 inbound/outbound<br />Enables federation with OCS 2007 Edges<br />OCS 2007 R2<br />UDP 3478, TCP 443<br />No additional ports needed for remote access only<br />TCP 50,000-59,999 outbound<br />Enables federation with R2 Edges<br />UDP/TCP 50,000-59,999 inbound/outbound<br />Enables federation with OCS 2007 Edges<br />OCS 2007<br />UDP 3478, TCP 443<br />UDP/TCP 50,000-59,999 inbound/outbound<br />
    94. 94. A/V Federation 2007-2007<br />Access<br />Proxy<br />Access<br />Proxy<br />Work2<br />OC/Console<br />A/V MCU<br />w2<br />w1<br />Work1<br />OC/Console<br />A/V MCU<br />UDP<br />3478<br />TCP<br />443<br />UDP<br />3478<br />TCP<br />443<br />UDP/TCP<br />50000<br />.<br />.<br />.<br />.<br />.<br />.<br />.<br />.<br />.<br />UDP/TCP<br />59999<br />UDP/TCP<br />50000<br />.<br />.<br />.<br />.<br />.<br />.<br />.<br />.<br />.<br />UDP/TCP<br />59999<br />w2<br />w1<br />w2<br />w1<br />2007<br />Edge<br />2007<br />Edge<br />Outer FWs<br />(no NAT)<br />Inner FW<br />Inner FW<br />
    95. 95. A/V Federation R2 Tunnel Mode<br />Access<br />Proxy<br />Access<br />Proxy<br />Work2<br />OC/Console<br />A/V MCU<br />w2<br />Work1<br />OC/Console<br />A/V MCU<br />w1<br />UDP<br />3478<br />TCP<br />443<br />UDP<br />3478<br />TCP<br />443<br />UDP/TCP<br />50000<br />.<br />.<br />.<br />.<br />.<br />.<br />.<br />.<br />.<br />UDP/TCP<br />59999<br />UDP/TCP<br />50000<br />.<br />.<br />.<br />.<br />.<br />.<br />.<br />.<br />.<br />UDP/TCP<br />59999<br />w2<br />w1<br />w2<br />w1<br />R2<br />Edge<br />R2<br />Edge<br />Outer FWs<br />(no NAT)<br />Inner FW<br />Inner FW<br />
    96. 96. A/V Federation R2-2007 Interop<br />Access<br />Proxy<br />Access<br />Proxy<br />Work2<br />OC/Console<br />A/V MCU<br />w2<br />Work1<br />OC/Console<br />A/V MCU<br />w1<br />UDP<br />3478<br />TCP<br />443<br />UDP<br />3478<br />TCP<br />443<br />UDP/TCP<br />50000<br />.<br />.<br />.<br />.<br />.<br />.<br />.<br />.<br />.<br />UDP/TCP<br />59999<br />UDP/TCP<br />50000<br />.<br />.<br />.<br />.<br />.<br />.<br />.<br />.<br />.<br />UDP/TCP<br />59999<br />w2<br />w1<br />w2<br />w1<br />2007<br />Edge<br />R2<br />Edge<br />Outer FWs<br />(no NAT)<br />Inner FW<br />Inner FW<br />
    97. 97. A/V Federation Lync<br />Access<br />Proxy<br />Access<br />Proxy<br />Work2<br />OC/Console<br />A/V MCU<br />w2<br />Work1<br />OC/Console<br />A/V MCU<br />w1<br />UDP<br />3478<br />TCP<br />443<br />UDP<br />3478<br />TCP<br />443<br />UDP/TCP<br />50000<br />.<br />.<br />.<br />.<br />.<br />.<br />.<br />.<br />.<br />UDP/TCP<br />59999<br />UDP/TCP<br />50000<br />.<br />.<br />.<br />.<br />.<br />.<br />.<br />.<br />.<br />UDP/TCP<br />59999<br />Lync<br />Edge<br />Lync<br />Edge<br />Outer FWs<br />(no NAT)<br />Inner FW<br />Inner FW<br />
    98. 98. Summary<br /><ul><li>Architecture
    99. 99. Edge Scenarios – Users point of view
    100. 100. Interoperability Federation
    101. 101. Certificates
    102. 102. Edge Scenario – DNS Load Balancing
    103. 103. Authentication
    104. 104. Discovery
    105. 105. Federation</li></ul>54<br />
    106. 106. 55<br />