Edge Server environmental requirements in Skype for Business Server 2015

Skype for Business Server 2015
 

Topic Last Modified: 2016-07-11

Summary: Learn about the environmental requirements for Edge Server in Skype for Business Server 2015.

A lot of planning and preparation needs to take place outside of the Skype for Business Server 2015 Edge Server environment itself. In this article, we'll review what preparations need to be made in the organizational environment, as per our list below:

Skype for Business Server 2015 Edge Server topologies are able to use:

  • Routable public IP addresses.

  • Non-routable private IP addresses, if symmetric network address translation (NAT) is used.

Tip:
Your Edge Server can be configured to use a single IP address with distinct ports for each service, or it can use distinct IP addresses for each service, but use the same default port (which by default will be TCP 443). We have more information in the IP Address requirements section, below.

If you choose non-routable private IP addresses with NAT, remember these points:

  • You need to use routable private IP addresses on all three external interfaces.

  • You need to configure symmetric NAT for incoming and outgoing traffic. Symmetric NAT is the only supported NAT you can use with Skype for Business Server 2015 Edge Server.

  • Configure your NAT to not change incoming source addresses. The A/V Edge service needs to be able to receive the incoming source address to find the optimal media path.

  • Your Edge Servers need to be able to communicate with one another from their public A/V Edge IP addresses. Your firewall needs to allow this traffic.

  • NAT can only be used for scaled consolidated Edge Servers if you use DNS load balancing. If you use hardware load balancing (HLB), you need to use publicly routable IP addresses without NAT.

You'll have no problems having your Access, Web Conferencing and A/V Edge interfaces behind a router or firewall performing symmetric NAT for both single and scaled consolidated Edge Server topologies (as long as you're not using hardware load balancing).

We have several topology options available for Skype for Business Server 2015 Edge Server deployments:

  • Single consolidated Edge with private IP addresses and NAT

  • Single consolidated Edge with public IP addresses

  • Scaled consolidated Edge with private IP addresses and NAT

  • Scaled consolidated Edge with public IP addresses

  • Scaled consolidated Edge with hardware load balancers

To help you choose one, we have the following table which gives a summary of what options you have for each topology:

 

| Topology | High availability | Additional DNS records required for external Edge Server in the Edge pool? | Edge failover for Skype for Business Server sessions | Edge failover for Skype for Business Server federation sessions |
|---|---|---|---|---|
| Single consolidated Edge with private IP addresses and NAT | No | No | No | No |
| Single consolidated Edge with public IP addresses | No | No | No | No |
| Scaled consolidated Edge with private IP addresses and NAT (DNS load balanced) | Yes | Yes | Yes | Yes* |
| Scaled consolidated Edge with public IP addresses (DNS load balanced) | Yes | Yes | Yes | Yes* |
| Scaled consolidated Edge with hardware load balancers | Yes | No (one DNS A record per VIP) | Yes | Yes |

*Exchange Unified Messaging (UM) remote user failover using DNS load balancing requires Exchange 2013 or newer.

On a fundamental level, three services need IP addresses: Access Edge service, Web Conferencing Edge service, and A/V Edge service. You have the option of either using three IP addresses, one for each of the services, or you can use one and opt to put each service on a different port (you can check out the Port and firewall planning section for more information on some of that). For a single consolidated Edge environment, that's pretty much it.

Note:
As noted above, you can choose to have one IP address for all three services and run them on different ports. But to be clear, we don't recommend this. If your customers can't access the alternate ports you'd be using in this scenario, they can't access the full functionality of your Edge environment, either.

It can be a little more complicated with scaled consolidated topologies, so let's look at some tables that lay out the IP Address requirements, keeping in mind that the primary decision points for topology selection are high availability and load balancing. High availability needs can influence your load balancing choice (we'll talk about that more after the tables).

 

| Number of Edge Servers per pool | Number of required IP addresses for DNS load balancing | Number of required IP addresses for hardware load balancing |
|---|---|---|
| 2 | 6 | 3 (1 per VIP) + 6 |
| 3 | 9 | 3 (1 per VIP) + 9 |
| 4 | 12 | 3 (1 per VIP) + 12 |
| 5 | 15 | 3 (1 per VIP) + 15 |

 

| Number of Edge Servers per pool | Number of required IP addresses for DNS load balancing | Number of required IP addresses for hardware load balancing |
|---|---|---|
| 2 | 2 | 1 (1 per VIP) + 2 |
| 3 | 3 | 1 (1 per VIP) + 3 |
| 4 | 4 | 1 (1 per VIP) + 4 |
| 5 | 5 | 1 (1 per VIP) + 5 |

Let's look at some additional things to think about while planning.

  • High availability: If you need high availability in your deployment, you should deploy at least two Edge Servers in a pool. It's worth noting that a single Edge pool will support up to 12 Edge Servers (though Topology Builder will allow you to add up to 20, that's not tested or supported, so we advise you don't do that). If you need more than 12 Edge Servers, you should create additional Edge pools for them.

  • Hardware load balancing: We recommend DNS load balancing for most scenarios. Hardware load balancing is also supported, of course, but notably it's required for a single scenario over DNS load balancing:

    • External access to Exchange 2007 or Exchange 2010 (with no SP) Unified Messaging.

  • DNS load balancing: For UM, Exchange 2010 SP1 and newer are able to be supported by DNS load balancing. Note that if you need to go with DNS load balancing for an earlier version of Exchange, it'll work, but all the traffic for this will go to the first server in the pool, and if it's not available, that traffic will subsequently fail.

    DNS load balancing is also recommended if you're federating with companies using Lync Server 2010, Lync Server 2013, and Microsoft Office 365.
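The planning rules in this section can be checked mechanically before an address block is requested. The following Python is an added example, not part of the original article or of any Microsoft tooling; the function name and finding strings are invented here, and it assumes the first IP table above covers one IP address per service and the second a single shared IP address, which the row values imply.

```python
MAX_SUPPORTED_POOL_SIZE = 12  # Topology Builder accepts up to 20, but only 12 is supported
SERVICES = 3                  # Access Edge, Web Conferencing Edge, A/V Edge


def plan_edge_pool(servers, load_balancing="dns", nat=False, ip_per_service=True):
    """Return (required external IP count, list of findings) for one Edge pool.

    load_balancing is "dns" or "hlb"; nat=True means private addresses behind
    symmetric NAT; ip_per_service=False means one IP shared by all three
    services on different ports.
    """
    if servers < 1:
        raise ValueError("at least one Edge Server is required")
    if load_balancing not in ("dns", "hlb"):
        raise ValueError("load_balancing must be 'dns' or 'hlb'")

    findings = []
    per_server = SERVICES if ip_per_service else 1
    ips = servers * per_server

    if servers == 1:
        findings.append("no high availability: deploy at least two Edge Servers in a pool")
    elif load_balancing == "hlb":
        # Hardware load balancing adds one VIP per externally published address.
        ips += per_server
        if nat:
            findings.append("HLB requires publicly routable IP addresses without NAT")

    if servers > MAX_SUPPORTED_POOL_SIZE:
        findings.append(
            f"{servers} Edge Servers exceeds the supported maximum of "
            f"{MAX_SUPPORTED_POOL_SIZE} per pool: create an additional Edge pool")

    if not ip_per_service:
        findings.append("single IP: services use alternate ports that some firewalls block")

    return ips, findings


if __name__ == "__main__":
    for args in [(2, "dns", True), (3, "hlb", True), (13, "dns", False)]:
        count, notes = plan_edge_pool(*args)
        print(args, "->", count, "IP addresses", notes)
```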

When it comes to Skype for Business Server 2015 Edge Server deployment, it's vital to prepare for DNS properly. With the right records in place, the deployment will be much more straightforward. Hopefully you've chosen a topology in the section above, as we're going to do an overview, and then list a couple of tables outlining the DNS records for those scenarios. We'll also have some Advanced DNS planning for Skype for Business Server 2015 for more in-depth reading, if you need it.

These will be the DNS records you're going to need for a single Edge Server using either public IPs or private IPs with NAT. Because this is sample data, we'll give example IPs so you can work out your own entries more easily:

  • Internal network adapter: 172.25.33.10 (no default gateway assigned)

    Note:
    Ensure that there is a route from the network containing the Edge internal interface to any networks that contain servers running Skype for Business Server 2015 or Lync Server 2013 clients (for example, from 172.25.33.0 to 192.168.10.0).

  • External network adapter:

    • Public IPs:

      • Access Edge: 131.107.155.10 (this is the primary, with default gateway set to your public router, ex: 131.107.155.1)

      • Web Conferencing Edge: 131.107.155.20 (secondary)

      • A/V Edge: 131.107.155.30 (secondary)

      Web Conferencing and A/V Edge public IP addresses are additional (secondary) IP addresses in the Advanced section of the properties of Internet Protocol Version 4 (TCP/IPv4) and Internet Protocol Version 6 (TCP/IPv6) of the Local Area Connection Properties in Windows Server.

    • Private IPs:

      • Access Edge: 10.45.16.10 (this is the primary, with default gateway set to your router, ex: 10.45.16.1)

      • Web Conferencing Edge: 10.45.16.20 (secondary)

      • A/V Edge: 10.45.16.30 (secondary)

Web Conferencing and A/V Edge public IP addresses are additional (secondary) IP addresses in the Advanced section of the properties of Internet Protocol Version 4 (TCP/IPv4) and Internet Protocol Version 6 (TCP/IPv6) of the Local Area Connection Properties in Windows Server.

Tip:
There are other possible configurations here:
  • You could use one IP address on the external network adapter. We don't recommend this because then you're going to need to differentiate between the three services using different ports (which you can do in Skype for Business Server), but there are some firewalls that may block the alternate ports. See the Port and firewall planning section for more about this.

  • You can have three external network adapters instead of one, and assign one of the service IPs to each one. Why do this? It would separate the services and if something goes wrong, that would make it easier to troubleshoot, and potentially let your other services continue working while you resolve an issue.

 

| Location | Type | Port | FQDN or DNS record | IP address or FQDN | Notes |
|---|---|---|---|---|---|
| External DNS | A record | NA | sip.contoso.com | public: 131.107.155.10; private: 10.45.16.10 | An external interface for your Access Edge service. You'll need one for every SIP domain with Skype for Business users. |
| External DNS | A record | NA | webcon.contoso.com | public: 131.107.155.20; private: 10.45.16.20 | An external interface for your Web Conferencing Edge service. |
| External DNS | A record | NA | av.contoso.com | public: 131.107.155.30; private: 10.45.16.30 | An external interface for your A/V Edge service. |
| External DNS | SRV record | 443 | _sip._tls.contoso.com | sip.contoso.com | An external interface for your Access Edge service. This SRV record is required for Skype for Business Server 2015, Lync Server 2013, and Lync Server 2010 clients to work externally. You'll need one for every domain with Skype for Business users. |
| External DNS | SRV record | 5061 | _sipfederationtls._tcp.contoso.com | sip.contoso.com | An external interface for your Access Edge service. This SRV record is required for automatic DNS discovery of federated partners called Allowed SIP domains. You'll need one for every domain with Skype for Business users. |
| Internal DNS | A record | NA | sfvedge.contoso.net | 172.25.33.10 | The internal interface for your consolidated Edge. |

These will be the DNS records you're going to need for a single Edge Server using either public IPs or private IPs with NAT. Because this is sample data, we'll give example IPs so you can work out your own entries more easily:

  • Internal network adapter:

    • Node 1: 172.25.33.10 (no default gateway assigned)

    • Node 2: 172.25.33.11 (no default gateway assigned)

    Note:
    Ensure that there is a route from the network containing the Edge internal interface to any networks that contain servers running Skype for Business Server 2015 or Lync Server 2013 clients (for example, from 172.25.33.0 to 192.168.10.0).

  • External network adapter:

    • Node 1

      • Public IPs:

        • Access Edge: 131.107.155.10 (this is the primary, with default gateway set to your public router, ex: 131.107.155.1)

        • Web Conferencing Edge: 131.107.155.20 (secondary)

        • A/V Edge: 131.107.155.30 (secondary)

        Web Conferencing and A/V Edge public IP addresses are additional (secondary) IP addresses in the Advanced section of the properties of Internet Protocol Version 4 (TCP/IPv4) and Internet Protocol Version 6 (TCP/IPv6) of the Local Area Connection Properties in Windows Server.

      • Private IPs:

        • Access Edge: 10.45.16.10 (this is the primary, with default gateway set to your router, ex: 10.45.16.1)

        • Web Conferencing Edge: 10.45.16.20 (secondary)

        • A/V Edge: 10.45.16.30 (secondary)

      Web Conferencing and A/V Edge public IP addresses are additional (secondary) IP addresses in the Advanced section of the properties of Internet Protocol Version 4 (TCP/IPv4) and Internet Protocol Version 6 (TCP/IPv6) of the Local Area Connection Properties in Windows Server.

    • Node 2

      • Public IPs:

        • Access Edge: 131.107.155.11 (this is the primary, with default gateway set to your public router, ex: 131.107.155.1)

        • Web Conferencing Edge: 131.107.155.21 (secondary)

        • A/V Edge: 131.107.155.31 (secondary)

        Web Conferencing and A/V Edge public IP addresses are additional (secondary) IP addresses in the Advanced section of the properties of Internet Protocol Version 4 (TCP/IPv4) and Internet Protocol Version 6 (TCP/IPv6) of the Local Area Connection Properties in Windows Server.

      • Private IPs:

        • Access Edge: 10.45.16.11 (this is the primary, with default gateway set to your router, ex: 10.45.16.1)

        • Web Conferencing Edge: 10.45.16.21 (secondary)

        • A/V Edge: 10.45.16.31 (secondary)

      Web Conferencing and A/V Edge public IP addresses are additional (secondary) IP addresses in the Advanced section of the properties of Internet Protocol Version 4 (TCP/IPv4) and Internet Protocol Version 6 (TCP/IPv6) of the Local Area Connection Properties in Windows Server.

Tip:
There are other possible configurations here:
  • You could use one IP address on the external network adapter. We don't recommend this because then you're going to need to differentiate between the three services using different ports (which you can do in Skype for Business Server), but there are some firewalls that may block the alternate ports. See the Port and firewall planning section for more about this.

  • You can have three external network adapters instead of one, and assign one of the service IPs to each one. Why do this? It would separate the services and if something goes wrong, that would make it easier to troubleshoot, and potentially let your other services continue working while you resolve an issue.

 

| Location | Type | Port | FQDN or DNS record | IP address or FQDN | Notes |
|---|---|---|---|---|---|
| External DNS | A record | NA | sip.contoso.com | public: 131.107.155.10 and 131.107.155.11; private: 10.45.16.10 and 10.45.16.11 | An external interface for your Access Edge service. You'll need one for every SIP domain with Skype for Business users. |
| External DNS | A record | NA | webcon.contoso.com | public: 131.107.155.20 and 131.107.155.21; private: 10.45.16.20 and 10.45.16.21 | An external interface for your Web Conferencing Edge service. |
| External DNS | A record | NA | av.contoso.com | public: 131.107.155.30 and 131.107.155.31; private: 10.45.16.30 and 10.45.16.31 | An external interface for your A/V Edge service. |
| External DNS | SRV record | 443 | _sip._tls.contoso.com | sip.contoso.com | An external interface for your Access Edge service. This SRV record is required for Skype for Business Server 2015, Lync Server 2013, and Lync Server 2010 clients to work externally. You'll need one for every domain with Skype for Business. |
| External DNS | SRV record | 5061 | _sipfederationtls._tcp.contoso.com | sip.contoso.com | An external interface for your Access Edge service. This SRV record is required for automatic DNS discovery of federated partners called Allowed SIP domains. You'll need one for every domain with Skype for Business. |
| Internal DNS | A record | NA | sfvedge.contoso.net | 172.25.33.10 and 172.25.33.11 | The internal interface for your consolidated Edge. |

 

| Location | Type | Port | FQDN | FQDN host record | Notes |
|---|---|---|---|---|---|
| External DNS | SRV | 5061 | _sipfederationtls._tcp.contoso.com | sip.contoso.com | The SIP Access Edge external interface required for automatic DNS discovery. Used by your other potential federation partners. It's also known as "Allow SIP domains." You'll need one of these for each SIP domain with Skype for Business users. |

Note:
You will need this SRV record for mobility and the push notification clearing house.

 

| Location | Type | Port | FQDN | IP address or FQDN host record | Notes |
|---|---|---|---|---|---|
| External DNS | SRV | 5269 | _xmpp-server._tcp.contoso.com | xmpp.contoso.com | The XMPP proxy interface on your Access Edge service or Edge pool. You need to repeat this as needed for all internal SIP domains with Skype for Business enabled users, where contact with XMPP contacts is allowed through: a global policy; a site policy where the user's enabled; a user policy applied to the Skype for Business enabled user. An allowed XMPP policy also needs to be configured in the XMPP federated users policy. |
| External DNS | SRV | A | xmpp.contoso.com | IP address of the Access Edge service on the Edge Server or Edge pool hosting your XMPP Proxy service | This points to the Access Edge service on the Edge Server or Edge pool that hosts the XMPP Proxy service. Typically the SRV record that you create will point to this host (A or AAAA) record. |

Skype for Business Server 2015 uses certificates for secure, encrypted communications both between servers and from server to client. As you'd expect, the DNS records for your servers need to match the subject name (SN) and subject alternative name (SAN) entries on your certificates. This will take work now, at the planning stage, to ensure you have the right FQDNs registered in DNS for the SN and SAN entries for your certificates.

We'll discuss external and internal certificate needs separately, and then look at a table providing the requirements for both.

At a minimum, the certificate assigned to your external Edge Server interfaces will need to be provided by a public Certificate Authority (CA). We can't recommend a specific CA to you, but we do have a list of CAs, Unified Communications certificate partners, that you can take a look at to see if your preferred CA is listed.

When will you need to submit a request to a CA for this public certificate, and how do you do it? There are a couple of ways to accomplish this:

  • You can go through the installation of Skype for Business Server, and then the Edge Server deployment. The Skype for Business Server Deployment Wizard will have a step to generate a certificate request, which you can then send to your chosen CA.

  • You can also use Windows PowerShell commands to generate this request, if that's more in line with your business needs or deployment strategy.

  • Finally, your CA may have their own submission process, which may also involve Windows PowerShell or another method. In that case, you'll need to rely on their documentation, in addition to the information provided here for your reference.

After you've gotten the certificate, you'll need to go ahead and assign it to these services in Skype for Business Server:

  • Access Edge service interface

  • Web Conferencing Edge service interface

  • Audio/Video Authentication service (don't confuse this with the A/V Edge service, as that doesn't use a certificate to encrypt audio and video streams)

Important:
All Edge Servers need to have the exact same certificate with the same private key for the Media Relay Authentication service.

For the internal Edge Server interface, you can use a public certificate from a public CA, or a certificate issued from your organization's internal CA. The thing to remember about the internal certificate is that it uses an SN entry, and no SAN entries, so you don't have to worry about SAN on the internal cert at all.

We have a table here to help you out with your requests. The FQDN entries here are for sample domains only. You're going to need to make requests based on your own private and public domains, but here's a guide to what we've used:

  • contoso.com: Public FQDN

  • fabrikam.com: Second public FQDN (added as a demo of what to request if you have multiple SIP domains)

  • Contoso.net: Internal domain

Regardless of whether you're doing a single Edge Server or an Edge pool, this is what you'll need for your certificate:

 

| Component | Subject name (SN) | Subject alternative names (SAN)/order | Notes |
|---|---|---|---|
| External Edge | sip.contoso.com | sip.contoso.com, webcon.contoso.com, sip.fabrikam.com | This is the certificate you need to request from a public CA. It'll need to be assigned to the external Edge interfaces for the following: Access Edge; Web Conferencing Edge; Audio/Video Authentication. The good news is that SANs are automatically added to your certificate request, and therefore your certificate after you submit the request, based on what you defined for this deployment in Topology Builder. You'll only need to add SAN entries for any additional SIP domains or other entries you need to support. Why is sip.contoso.com replicated in this instance? That happens automatically as well, and it's needed for things to work properly. Note: This certificate can also be used for Public Instant Messaging connectivity. You don't need to do anything differently with it, but in previous versions of this documentation, it was listed as a separate table, and now it's not. |
| Internal Edge | sfbedge.contoso.com | NA | You can get this certificate from a public CA or an internal CA. It'll need to contain the server EKU (Enhanced Key Usage), and you'll assign it to the internal Edge interface. |

Note:
If you need a certificate for Extensible Messaging and Presence Protocol (XMPP), it will look identical to the External Edge table entries above, but will have the following two additional SAN entries:
  • xmpp.contoso.com

  • *.contoso.com

Please remember that currently XMPP is only supported for Google Talk. If you want or need to use it for anything else, you need to confirm that functionality with the third-party vendor involved.
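The certificate requirements above can be turned into a pre-deployment check. The following Python is an added example, not part of the original article; the certificate dictionaries, node names, thumbprint strings and the `serverAuth` label are constructed for illustration, and building `sip.<domain>` for each additional SIP domain is an assumption generalized from the sip.fabrikam.com entry in the table.

```python
SERVER_EKU = "serverAuth"  # label this example uses for the server EKU


def expected_external_names(access_fqdn, webconf_fqdn, extra_sip_domains=(), xmpp_domain=None):
    """Return (subject name, ordered SAN list) for the external Edge certificate."""
    sans = [access_fqdn, webconf_fqdn]
    sans += [f"sip.{domain}" for domain in extra_sip_domains]
    if xmpp_domain:
        # The two additional SAN entries the XMPP note calls for.
        sans += [f"xmpp.{xmpp_domain}", f"*.{xmpp_domain}"]
    return access_fqdn, sans


def audit_external(cert, expected_sn, expected_sans):
    """List what an external Edge certificate lacks (names compared case-insensitively)."""
    findings = []
    if cert["subject"].lower() != expected_sn.lower():
        findings.append(f"SN is {cert['subject']}, expected {expected_sn}")
    present = {name.lower() for name in cert["sans"]}
    findings += [f"missing SAN {n}" for n in expected_sans if n.lower() not in present]
    return findings


def audit_internal(cert, internal_fqdn):
    """The internal certificate needs the right SN and the server EKU; SANs are not required."""
    findings = []
    if cert["subject"].lower() != internal_fqdn.lower():
        findings.append(f"SN is {cert['subject']}, expected {internal_fqdn}")
    if SERVER_EKU not in cert["eku"]:
        findings.append("server EKU missing")
    return findings


def audit_pool(external_certs_by_node):
    """Every Edge Server in the pool must present the same external certificate.

    Equal thumbprints show the certificate is identical; that each node also
    holds the matching private key has to be confirmed on the servers.
    """
    thumbprints = {cert["thumbprint"] for cert in external_certs_by_node.values()}
    if len(thumbprints) > 1:
        return ["Edge Servers in the pool do not share one external certificate"]
    return []


# Constructed sample data using the article's example FQDNs.
EXPECTED_SN, EXPECTED_SANS = expected_external_names(
    "sip.contoso.com", "webcon.contoso.com", ["fabrikam.com"])
NODE_CERTS = {
    "edge01": {"subject": "sip.contoso.com",
               "sans": ["sip.contoso.com", "webcon.contoso.com", "sip.fabrikam.com"],
               "eku": [SERVER_EKU], "thumbprint": "CONSTRUCTED-THUMBPRINT-A"},
    "edge02": {"subject": "sip.contoso.com",
               "sans": ["SIP.contoso.com", "webcon.contoso.com"],
               "eku": [SERVER_EKU], "thumbprint": "CONSTRUCTED-THUMBPRINT-B"},
}
INTERNAL_CERT = {"subject": "sfbedge.contoso.com", "sans": [],
                 "eku": ["clientAuth"], "thumbprint": "CONSTRUCTED-THUMBPRINT-C"}

if __name__ == "__main__":
    for node, cert in NODE_CERTS.items():
        print(node, audit_external(cert, EXPECTED_SN, EXPECTED_SANS))
    print("pool", audit_pool(NODE_CERTS))
    print("internal", audit_internal(INTERNAL_CERT, "sfbedge.contoso.com"))
```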

Getting your planning right for ports and firewalls for Skype for Business Server Edge Server deployments can save you days or weeks of troubleshooting and stress. As a result, we're going to list a couple of tables that will indicate our protocol usage and what ports you need to have open, inbound and outbound, both for NAT and public IP scenarios. We'll also have separate tables for hardware load balanced scenarios (HLB) and some further guidance on that. For more reading from there, we also have Technical diagrams for Skype for Business Server 2015, as well as some Edge Server scenarios in Skype for Business Server 2015 you can check out for your particular deployment concerns.

Before we look at the summary tables for external and internal firewalls, let's consider the following table as well:

 

| Audio/Video transport | Usage |
|---|---|
| UDP | The preferred transport layer protocol for audio and video. |
| TCP | The fallback transport layer protocol for audio and video. The required transport layer protocol for application sharing to Skype for Business Server 2015, Lync Server 2013, and Lync Server 2010. The required transport layer protocol for file transfer to Skype for Business Server 2015, Lync Server 2013, and Lync Server 2010. |

The Source IP address and Destination IP address will contain information for users who are using Private IP addresses with NAT, as well as people using public IP addresses. This will cover all the permutations in our Edge Server scenarios in Skype for Business Server 2015 section.

 

| Role or protocol | TCP or UDP | Destination Port or port range | Source IP address | Destination IP address | Notes |
|---|---|---|---|---|---|
| XMPP | TCP | 5269 | Any | XMPP Proxy service (shares an IP address with the Access Edge service) | The XMPP Proxy service accepts traffic from XMPP contacts in defined XMPP federations. |
| Access/HTTP | TCP | 80 | Private IP using NAT: Edge Server Access Edge service. Public IP: Edge Server Access Edge service public IP address | Any | Certificate revocation and CRL check and retrieval. |
| Access/DNS | TCP | 53 | Private IP using NAT: Edge Server Access Edge service. Public IP: Edge Server Access Edge service public IP address | Any | DNS query over TCP. |
| Access/DNS | UDP | 53 | Private IP using NAT: Edge Server Access Edge service. Public IP: Edge Server Access Edge service public IP address | Any | DNS query over UDP. |
| Access/SIP(TLS) | TCP | 443 | Any | Private IP using NAT: Edge Server Access Edge service. Public IP: Edge Server Access Edge service public IP address | Client-to-server SIP traffic for external user access. |
| Access/SIP(MTLS) | TCP | 5061 | Any | Private IP using NAT: Edge Server Access Edge service. Public IP: Edge Server Access Edge service public IP address | For federated and public IM connectivity using SIP. |
| Access/SIP(MTLS) | TCP | 5061 | Private IP using NAT: Edge Server Access Edge service. Public IP: Edge Server Access Edge service public IP address | Any | For federated and public IM connectivity using SIP. |
| Web conferencing/PSOM(TLS) | TCP | 443 | Any | Private IP using NAT: Edge Server Web Conferencing Edge service. Public IP: Edge Server Web Conferencing Edge service public IP address | Web Conferencing media. |
| A/V/RTP | TCP | 50000-59999 | Private IP using NAT: Edge Server A/V Edge service. Public IP: Edge Server A/V Edge service public IP address | Any | This is used for relaying media traffic. |
| A/V/RTP | UDP | 50000-59999 | Private IP using NAT: Edge Server A/V Edge service. Public IP: Edge Server A/V Edge service public IP address | Any | This is used for relaying media traffic. |
| A/V/STUN.MSTURN | UDP | 3478 | Private IP using NAT: Edge Server A/V Edge service. Public IP: Edge Server A/V Edge service public IP address | Any | 3478 outbound is: used by Skype for Business Server to determine the version of Edge Server it's communicating with; used for media traffic between Edge Servers; required for federation with Lync Server 2010; needed if multiple Edge pools are deployed within your organization. |
| A/V/STUN.MSTURN | UDP | 3478 | Any | Private IP using NAT: Edge Server A/V Edge service. Public IP: Edge Server A/V Edge service public IP address | STUN/TURN negotiation of candidates over UDP on port 3478. |
| A/V/STUN.MSTURN | TCP | 443 | Any | Private IP using NAT: Edge Server A/V Edge service. Public IP: Edge Server A/V Edge service public IP address | STUN/TURN negotiation of candidates over TCP on port 443. |
| A/V/STUN.MSTURN | TCP | 443 | Private IP using NAT: Edge Server A/V Edge service. Public IP: Edge Server A/V Edge service public IP address | Any | STUN/TURN negotiation of candidates over TCP on port 443. |
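A perimeter rule set can be audited against the external port table above to find required flows that are blocked and openings the table does not call for. The following Python is an added example, not part of the original article; the `Flow` type, the service labels and the sample rule set are constructed here, and it checks only direction, service, protocol and port, not individual IP addresses.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    direction: str  # "in" = Any -> Edge external interface, "out" = Edge -> Any
    service: str    # "access", "webconf" or "av" (labels invented for this example)
    proto: str      # "tcp" or "udp"
    lo: int         # first port
    hi: int         # last port (equal to lo for a single port)

    def covers(self, other):
        """True if this flow permits every port of `other` on the same path."""
        same_path = (self.direction, self.service, self.proto) == (
            other.direction, other.service, other.proto)
        return same_path and self.lo <= other.lo and other.hi <= self.hi

    def __str__(self):
        ports = str(self.lo) if self.lo == self.hi else f"{self.lo}-{self.hi}"
        return f"{self.direction:3} {self.service:7} {self.proto}/{ports}"


def flow(direction, service, proto, lo, hi=None):
    return Flow(direction, service, proto, lo, lo if hi is None else hi)


# One Flow per row of the external port table (NAT and public IP scenarios).
REQUIRED = [
    flow("out", "access", "tcp", 80),        # CRL check and retrieval
    flow("out", "access", "tcp", 53),        # DNS over TCP
    flow("out", "access", "udp", 53),        # DNS over UDP
    flow("in", "access", "tcp", 443),        # client-to-server SIP (TLS)
    flow("in", "access", "tcp", 5061),       # federation SIP (MTLS), inbound
    flow("out", "access", "tcp", 5061),      # federation SIP (MTLS), outbound
    flow("in", "webconf", "tcp", 443),       # PSOM (TLS)
    flow("out", "av", "tcp", 50000, 59999),  # media relay
    flow("out", "av", "udp", 50000, 59999),  # media relay
    flow("out", "av", "udp", 3478),          # STUN/MSTURN outbound
    flow("in", "av", "udp", 3478),           # STUN/TURN over UDP
    flow("in", "av", "tcp", 443),            # STUN/TURN over TCP
    flow("out", "av", "tcp", 443),           # STUN/TURN over TCP, outbound
]
XMPP = flow("in", "access", "tcp", 5269)     # needed only with XMPP federation


def audit(rules, xmpp_federation=False):
    """Return (missing, unexpected) for a list of permitted Flows.

    missing: table rows that no single rule permits in full.
    unexpected: rules wider than, or absent from, every table row.
    """
    required = REQUIRED + ([XMPP] if xmpp_federation else [])
    missing = [r for r in required if not any(rule.covers(r) for rule in rules)]
    unexpected = [rule for rule in rules if not any(r.covers(rule) for r in required)]
    return missing, unexpected


# Constructed rule set: CRL retrieval is blocked, and two openings go beyond the table.
SAMPLE_RULES = [r for r in REQUIRED if r != flow("out", "access", "tcp", 80)] + [
    flow("in", "av", "tcp", 50000, 59999),   # the table lists this range outbound only
    flow("in", "access", "tcp", 3389),       # not in the table at all
]

if __name__ == "__main__":
    missing, unexpected = audit(SAMPLE_RULES)
    for f in missing:
        print("MISSING   ", f)
    for f in unexpected:
        print("UNEXPECTED", f)
```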

 

| Protocol | TCP or UDP | Port | Source IP address | Destination IP address | Notes |
|---|---|---|---|---|---|
| XMPP/MTLS | TCP | 23456 | Any of the following running the XMPP Gateway service: Front End Server; Front End pool | Edge Server internal interface | Outbound XMPP traffic from your XMPP Gateway service running on your Front End Server or Front End pool. |
| SIP/MTLS | TCP | 5061 | Any: Director; Director pool; Front End Server; Front End pool | Edge Server internal interface | Outbound SIP traffic from your Director, Director pool, Front End Server or Front End pool to your Edge Server internal interface. |
| SIP/MTLS | TCP | 5061 | Edge Server internal interface | Any: Director; Director pool; Front End Server; Front End pool | Inbound SIP traffic to your Director, Director pool, Front End Server, or Front End pool from your Edge Server internal interface. |
| PSOM/MTLS | TCP | 8057 | Any: Front End Server; each Front End Server in your Front End pool | Edge Server internal interface | Web conferencing traffic from your Front End Server or each Front End Server (if you have a Front End pool) to your Edge Server internal interface. |
| SIP/MTLS | TCP | 5062 | Any: Front End Server; Front End pool; any Survivable Branch Appliance using this Edge Server; any Survivable Branch Server using this Edge Server | Edge Server internal interface | Authentication of A/V users from your Front End Server or Front End pool, or your Survivable Branch Appliance or Survivable Branch Server, using your Edge Server. |
| STUN/MSTURN | UDP | 3478 | Any | Edge Server internal interface | Preferred path for A/V media transfer between your internal and external users and your Survivable Branch Appliance or Survivable Branch Server. |
| STUN/MSTURN | TCP | 443 | Any | Edge Server internal interface | Fallback path for A/V media transfer between your internal and external users and your Survivable Branch Appliance or Survivable Branch Server, if UDP communication doesn't work. TCP is then used for file transfers and desktop sharing. |
| HTTPS | TCP | 4443 | Any: Front End Server that holds the Central Management store; Front End pool that holds the Central Management store | Edge Server internal interface | Replication of changes from your Central Management store to your Edge Server. |
| MTLS | TCP | 50001 | Any | Edge Server internal interface | Centralized Logging Service controller using Skype for Business Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection. |
| MTLS | TCP | 50002 | Any | Edge Server internal interface | Centralized Logging Service controller using Skype for Business Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection. |
| MTLS | TCP | 50003 | Any | Edge Server internal interface | Centralized Logging Service controller using Skype for Business Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection. |

We're giving hardware load balancers (HLBs) and Edge ports their own section, as things are a little more complicated with the additional hardware. Please refer to the tables below for guidance for this particular scenario:

The Source IP address and Destination IP address will contain information for users who are using Private IP addresses with NAT, as well as people using public IP addresses. This will cover all the permutations in our Edge Server scenarios in Skype for Business Server 2015 section.

 

| Role or protocol | TCP or UDP | Destination Port or port range | Source IP address | Destination IP address | Notes |
|---|---|---|---|---|---|
| Access/HTTP | TCP | 80 | Edge Server Access Edge service public IP address | Any | Certificate revocation and CRL check and retrieval. |
| Access/DNS | TCP | 53 | Edge Server Access Edge service public IP address | Any | DNS query over TCP. |
| Access/DNS | UDP | 53 | Edge Server Access Edge service public IP address | Any | DNS query over UDP. |
| A/V/RTP | TCP | 50000-59999 | Edge Server A/V Edge service IP address | Any | This is used for relaying media traffic. |
| A/V/RTP | UDP | 50000-59999 | Edge Server A/V Edge service public IP address | Any | This is used for relaying media traffic. |
| A/V/STUN.MSTURN | UDP | 3478 | Edge Server A/V Edge service public IP address | Any | 3478 outbound is: used by Skype for Business Server to determine the version of Edge Server it's communicating with; used for media traffic between Edge Servers; required for federation; needed if multiple Edge pools are deployed within your organization. |
| A/V/STUN.MSTURN | UDP | 3478 | Any | Edge Server A/V Edge service public IP address | STUN/TURN negotiation of candidates over UDP on port 3478. |
| A/V/STUN.MSTURN | TCP | 443 | Any | Edge Server A/V Edge service public IP address | STUN/TURN negotiation of candidates over TCP on port 443. |
| A/V/STUN.MSTURN | TCP | 443 | Edge Server A/V Edge service public IP address | Any | STUN/TURN negotiation of candidates over TCP on port 443. |

 

| Protocol | TCP or UDP | Port | Source IP address | Destination IP address | Notes |
|---|---|---|---|---|---|
| XMPP/MTLS | TCP | 23456 | Any of the following running the XMPP Gateway service: Front End Server; Front End pool VIP address running the XMPP Gateway service | Edge Server internal interface | Outbound XMPP traffic from your XMPP Gateway service running on your Front End Server or Front End pool. |
| HTTPS | TCP | 4443 | Any: Front End Server that holds the Central Management store; Front End pool that holds the Central Management store | Edge Server internal interface | Replication of changes from your Central Management store to your Edge Server. |
| PSOM/MTLS | TCP | 8057 | Any: Front End Server; each Front End Server in your Front End pool | Edge Server internal interface | Web conferencing traffic from your Front End Server or each Front End Server (if you have a Front End pool) to your Edge Server internal interface. |
| STUN/MSTURN | UDP | 3478 | Any: Front End Server; each Front End Server in your Front End pool | Edge Server internal interface | Preferred path for A/V media transfer between your internal and external users and your SBA (Survivable Branch Appliance) or Survivable Branch Server. |
| STUN/MSTURN | TCP | 443 | Any: Front End Server; each Front End Server in your pool | Edge Server internal interface | Fallback path for A/V media transfer between your internal and external users and your SBA (Survivable Branch Appliance) or Survivable Branch Server, if UDP communication doesn't work. TCP is then used for file transfers and desktop sharing. |
| MTLS | TCP | 50001 | Any | Edge Server internal interface | Centralized Logging Service controller using Skype for Business Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection. |
| MTLS | TCP | 50002 | Any | Edge Server internal interface | Centralized Logging Service controller using Skype for Business Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection. |
| MTLS | TCP | 50003 | Any | Edge Server internal interface | Centralized Logging Service controller using Skype for Business Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection. |

 

| Role or protocol | TCP or UDP | Destination Port or port range | Source IP address | Destination IP address | Notes |
|---|---|---|---|---|---|
| XMPP | TCP | 5269 | Any | XMPP Proxy service (shares an IP address with the Access Edge service) | The XMPP Proxy service accepts traffic from XMPP contacts in defined XMPP federations. |
| XMPP | TCP | 5269 | XMPP Proxy service (shares an IP address with the Access Edge service) | Any | The XMPP Proxy service sends traffic from XMPP contacts in defined XMPP federations. |
| Access/SIP(TLS) | TCP | 443 | Any | Private IP using NAT: Edge Server Access Edge service. Public IP: Edge Server Access Edge service public IP address | Client-to-server SIP traffic for external user access. |
| Access/SIP(MTLS) | TCP | 5061 | Any | Private IP using NAT: Edge Server Access Edge service. Public IP: Edge Server Access Edge service public IP address | For federated and public IM connectivity using SIP. |
| Access/SIP(MTLS) | TCP | 5061 | Private IP using NAT: Edge Server Access Edge service. Public IP: Edge Server Access Edge service public IP address | Any | For federated and public IM connectivity using SIP. |
| Web Conferencing/PSOM(TLS) | TCP | 443 | Any | Private IP using NAT: Edge Server Web Conferencing Edge service. Public IP: Edge Server Web Conferencing Edge service public IP address | Web Conferencing media. |
| A/V/STUN.MSTURN | UDP | 3478 | Any | Private IP using NAT: Edge Server A/V Edge service. Public IP: Edge Server A/V Edge service public IP address | STUN/TURN negotiation of candidates over UDP on port 3478. |
| A/V/STUN.MSTURN | TCP | 443 | Any | Private IP using NAT: Edge Server A/V Edge service. Public IP: Edge Server A/V Edge service public IP address | STUN/TURN negotiation of candidates over TCP on port 443. |

Our guidance here is going to be a little different. In an HLB situation, we now recommend you only have routing through an internal VIP under the following circumstances:

  • If you are using Exchange 2007 or Exchange 2010 Unified Messaging.

  • If you have legacy clients using the Edge.

The following table does give guidance for those scenarios, but otherwise, you should be able to depend on the Central Management store (CMS) to route traffic to the individual Edge Servers it's aware of (this does require that CMS is kept up to date on Edge Server information, of course).

 

| Protocol | TCP or UDP | Port | Source IP address | Destination IP address | Notes |
|---|---|---|---|---|---|
| Access/SIP(MTLS) | TCP | 5061 | Any: Director; Director pool VIP address; Front End Server; Front End pool VIP address | Edge Server internal interface | Outbound SIP traffic from your Director, Director pool VIP address, Front End Server, or Front End pool VIP address to your Edge Server internal interface. |
| Access/SIP(MTLS) | TCP | 5061 | Edge Server internal VIP interface | Any: Director; Director pool VIP address; Front End Server; Front End pool VIP address | Inbound SIP traffic to your Director, Director pool VIP address, Front End Server, or Front End pool VIP address from your Edge Server internal interface. |
| SIP/MTLS | TCP | 5062 | Any: Front End Server IP address; Front End pool IP address; any Survivable Branch Appliance using this Edge Server; any Survivable Branch Server using this Edge Server | Edge Server internal interface | Authentication of A/V users from your Front End Server or Front End pool, or your Survivable Branch Appliance or Survivable Branch Server, using your Edge Server. |
| STUN/MSTURN | UDP | 3478 | Any | Edge Server internal interface | Preferred path for A/V media transfer between your internal and external users. |
| STUN/MSTURN | TCP | 443 | Any | Edge Server internal VIP interface | Fallback path for A/V media transfer between your internal and external users if UDP communication doesn't work. TCP is then used for file transfers and desktop sharing. |

 