Understanding Lync Security – Part 2


This is Part 2 of Understanding Lync Security; you can find Part 1 here.


As you already know, SSL certificates are a way of establishing trust between the client and the server, so that each side is sure it is talking to the correct endpoint.

As mentioned in Part 1, servers and clients use certificates to encrypt their communications. For that you need to consider the following:

  1. You must have a CRL (certificate revocation list) configured.
  2. You must have EKU (Enhanced Key Usage) configured for your certificate. All Lync certificates must support EKU, which is important for MTLS.

The Edge Server certificate:

On the Edge server a certificate is used on both network interfaces of the server, but on the external interface the certificate must be issued by a trusted public CA.

The good thing about Lync is that you can use one certificate for all Edge roles, as long as it contains the correct names.

Things to consider when ordering your public certificate:

  • The subject name of the certificate needs to be the name of the Access Edge service, e.g. access.lyncdude.net or sip.lyncdude.net.
  • The first SAN should also be the name of the Access Edge service; the other services follow.
  • Create the certificate with an exportable private key.
  • Make sure to include sip.domain.com in the certificate for each SIP domain you have in your deployment.

The following screenshots are taken from my lab; I have an Edge pool called Lync-pool02.lyncdude.net with two Edge servers deployed in it.

I ordered one certificate with the subject name (SN) of the Access Edge service, and all other required web services as SANs in the certificate.


Internal Certificate: [screenshot]

External Certificate: [screenshot]

Your certificates should look similar to those two :)
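The certificate requirements above (CRL, EKU for MTLS, subject name and first SAN equal to the Access Edge name, a sip.<domain> entry per SIP domain) can be checked mechanically before the certificate is assigned. The following checker is an added example, not code from the original post; it works on the dict shape that Python's ssl.SSLSocket.getpeercert() returns ('subject', 'subjectAltName', 'crlDistributionPoints'), with a constructed 'extendedKeyUsage' key added because getpeercert() does not expose EKU. The two sample certificates, the hostnames and the CRL URL are constructed for illustration; the serverAuth and clientAuth OIDs are the standard ones.

```python
"""Check a Lync Edge external certificate against the requirements listed above.

Input: a getpeercert()-style dict. The 'extendedKeyUsage' key is an assumption
(a tuple of EKU OIDs); every sample value below is constructed.
"""

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth, needed for MTLS between servers


def common_name(cert):
    """Return the subject CN from a getpeercert()-style dict, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def dns_sans(cert):
    """Return the DNS entries of subjectAltName in certificate order."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def check_edge_certificate(cert, access_edge_fqdn, sip_domains):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    cn = common_name(cert)
    sans = dns_sans(cert)

    # Subject name must be the Access Edge service name.
    if cn != access_edge_fqdn:
        findings.append(f"subject CN is {cn!r}, expected Access Edge name {access_edge_fqdn!r}")

    # First SAN must repeat the Access Edge service name; the other services follow.
    if not sans:
        findings.append("certificate has no DNS subjectAltName entries")
    elif sans[0] != access_edge_fqdn:
        findings.append(f"first SAN is {sans[0]!r}, expected {access_edge_fqdn!r}")

    # One sip.<domain> entry for every SIP domain in the deployment.
    for domain in sip_domains:
        if f"sip.{domain}" not in sans:
            findings.append(f"missing SAN sip.{domain} for SIP domain {domain}")

    # Revocation checking needs a CRL distribution point.
    if not cert.get("crlDistributionPoints"):
        findings.append("no CRL distribution point configured")

    # EKU must allow both roles, because Edge servers use MTLS in both directions.
    eku = set(cert.get("extendedKeyUsage", ()))
    for oid, name in ((SERVER_AUTH, "serverAuth"), (CLIENT_AUTH, "clientAuth")):
        if oid not in eku:
            findings.append(f"EKU lacks {name} ({oid})")
    return findings


# Constructed sample: a certificate ordered as the post describes.
GOOD_CERT = {
    "subject": ((("countryName", "DE"),), (("commonName", "sip.lyncdude.net"),)),
    "subjectAltName": (
        ("DNS", "sip.lyncdude.net"),
        ("DNS", "webconf.lyncdude.net"),
        ("DNS", "av.lyncdude.net"),
        ("DNS", "sip.lyncdude.de"),
    ),
    "crlDistributionPoints": ("http://crl.example-ca.test/ca.crl",),
    "extendedKeyUsage": (SERVER_AUTH, CLIENT_AUTH),
}

# Constructed sample: the internal pool name was used on the external side,
# no CRL, and only serverAuth in the EKU.
BAD_CERT = {
    "subject": ((("commonName", "lync-pool02.lyncdude.net"),),),
    "subjectAltName": (
        ("DNS", "lync-pool02.lyncdude.net"),
        ("DNS", "webconf.lyncdude.net"),
    ),
    "extendedKeyUsage": (SERVER_AUTH,),
}

if __name__ == "__main__":
    for label, cert in (("good", GOOD_CERT), ("bad", BAD_CERT)):
        result = check_edge_certificate(cert, "sip.lyncdude.net", ["lyncdude.net"])
        print(label, "->", result or "all checks passed")
```

Run it as a script to see the findings for both samples; to check a live Edge, feed the dict returned by getpeercert() after a TLS handshake to port 443 and add the EKU list from your own certificate tooling.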


What you need to tell your network team to open for remote users is always a pain in the ***.

The following diagram isolates the ports required for external access: [diagram]



Note that it is best practice to open TCP ports 50,000 to 59,999 for the A/V service, while UDP ports 50,000 to 59,999 are required to enable communication with OCS 2007 clients.

Using IPsec on the network affects Lync media traffic by adding delay, because packets need to be inspected; so if you use IPsec, you will need to turn it off for the media traffic.
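To audit a firewall rule set against the A/V port requirements above (TCP 50,000 to 59,999 always, UDP 50,000 to 59,999 only while OCS 2007 clients remain, and no IPsec policy covering the media range), here is an added example that is not part of the original post. The one-rule-per-line text format and the sample rule export are constructed for illustration; the port range constant comes from the text.

```python
"""Audit an Edge firewall rule export for the Lync A/V port range.

Constructed rule format, one per line:  <action> <proto> <port|lo-hi> <comment>
where action is 'allow' or 'ipsec' (the latter marks a range under an IPsec policy).
"""

AV_RANGE = (50000, 59999)   # A/V port range from the post


def parse_rules(text):
    """Parse the constructed rule format into (action, proto, lo, hi) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, proto, ports, *_comment = line.split()
        lo, _, hi = ports.partition("-")
        rules.append((action.lower(), proto.lower(), int(lo), int(hi or lo)))
    return rules


def allowed_ranges(rules, proto):
    """Sorted (lo, hi) ranges permitted for one protocol."""
    return sorted((lo, hi) for action, p, lo, hi in rules if action == "allow" and p == proto)


def uncovered(required, ranges):
    """Return the sub-ranges of `required` not covered by any of the sorted `ranges`."""
    lo, hi = required
    gaps = []
    cursor = lo
    for rlo, rhi in ranges:
        if rhi < cursor:
            continue                      # entirely below what we still need
        if rlo > cursor:
            gaps.append((cursor, min(rlo - 1, hi)))
        cursor = max(cursor, rhi + 1)
        if cursor > hi:
            break
    if cursor <= hi:
        gaps.append((cursor, hi))
    return gaps


def overlaps(a, b):
    return a[0] <= b[1] and b[0] <= a[1]


def audit_av_ports(text, legacy_ocs_clients=False):
    """Return findings for the A/V range; an empty list means the rule set is fine."""
    rules = parse_rules(text)
    findings = []
    protocols = ("tcp", "udp") if legacy_ocs_clients else ("tcp",)
    for proto in protocols:
        for g_lo, g_hi in uncovered(AV_RANGE, allowed_ranges(rules, proto)):
            findings.append(f"{proto.upper()} {g_lo}-{g_hi} not allowed for A/V")
    # Media must be exempted from IPsec, because inspection adds delay.
    for action, proto, lo, hi in rules:
        if action == "ipsec" and overlaps((lo, hi), AV_RANGE):
            findings.append(f"IPsec policy on {proto.upper()} {lo}-{hi} overlaps the A/V media range")
    return findings


# Constructed sample export: TCP A/V range only half open, UDP range missing,
# and a site-wide IPsec policy that also covers the media ports.
SAMPLE_RULES = """
# access edge
allow tcp 443 access-edge
allow tcp 5061 access-edge-federation
# a/v edge
allow tcp 50000-54999 av-edge
allow udp 3478 av-edge-stun
ipsec udp 1-65535 site-policy
"""

if __name__ == "__main__":
    for finding in audit_av_ports(SAMPLE_RULES, legacy_ocs_clients=True):
        print(finding)
```

The gap computation walks the sorted allow ranges with a cursor, so split or overlapping rules (say 50000-54999 plus 55000-59999) are recognised as full coverage; run it with legacy_ocs_clients=False once no OCS 2007 clients remain and the UDP finding disappears.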


Mostafa Tohamey is a Senior Microsoft Unified Communications Specialist working with Microsoft Exchange and Microsoft Lync Server, from Egypt, who lives and works in Frankfurt, Germany. He worked closely with Microsoft Dubai for 3 years designing, building and supporting Exchange and Lync infrastructures. He is a Microsoft Certified ITP in Lync and Exchange and also attended the Microsoft Partner Primer Filed Support Engineer T1 Training for Microsoft Lync 2010.
