Understanding Lync Security – Part 2


This is Part 2 of Understanding Lync Security; you can find Part 1 here.


As you already know, SSL/TLS certificates are the mechanism for establishing trust between the client and the server: each side can verify that it is talking to the correct endpoint before any SIP or media traffic is exchanged.

As mentioned in Part 1, servers and clients use certificates to authenticate each other and to set up the encrypted (TLS and MTLS) connections, so you need to consider the following:

  1. You must have a CRL (certificate revocation list) configured: the certificate has to carry a CRL Distribution Point, and the servers and clients that validate the certificate must be able to reach it.
  2. You must have the EKU (Enhanced Key Usage) configured on your certificate. All Lync certificates must carry the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1); without it the certificate cannot be used for MTLS between the servers.

The Edge Server certificate:

On the Edge server a certificate is used on both network interfaces. The internal interface can use a certificate from your internal CA, but the certificate on the external interface must be issued by a trusted public CA, because remote users and federated partners have no way to trust your internal CA.

The good thing about Lync is that you can use one certificate for all Edge roles (Access Edge, Web Conferencing Edge and A/V Edge) as long as it contains the correct names.

Things to consider when ordering your public certificate:

  • The subject name (CN) of the certificate needs to be the FQDN of the Access Edge service, e.g. access.lyncdude.net or sip.lyncdude.net
  • The first SAN should also be the Access Edge FQDN; the names of the other services (Web Conferencing Edge, A/V Edge) follow after it.
  • Create the certificate with an exportable private key, so the same certificate can be imported on every Edge server in the pool. Protect the exported PFX with a strong password and delete the file once it has been imported on the other servers.
  • Make sure to include sip.domain.com in the certificate for each SIP domain you have in your deployment.
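The two lists above (CRL and EKU requirements, and the naming rules for the public Edge certificate) can be turned into a request and a check. The following is an added example, not code from the original post: it builds the CSR from the Lync Server Management Shell and then verifies an issued certificate against every requirement listed. `Request-CsCertificate`, `Get-ChildItem Cert:\` and the .NET `X509Certificate2` members are real; the FQDNs (sip.lyncdude.net, lyncdude.net), the organization values, the friendly name and the output path are assumptions taken from the lab names in this post and should be replaced with your own.

```powershell
# Added example, not from the original post. FQDNs, organization values and
# paths are assumptions (lab names from the post); replace them with your own.

# --- 1. Offline CSR from the Lync Server Management Shell on one Edge server.
# Requesting all three external roles in one call yields one certificate whose
# subject and SANs are taken from the topology (Access Edge FQDN first).
# -AllSipDomain adds a sip.<domain> SAN for every SIP domain, and the exportable
# key lets you import the same certificate on the second Edge server of the pool.
Request-CsCertificate -New `
    -Type AccessEdgeExternal,DataEdgeExternal,AudioVideoAuthentication `
    -AllSipDomain `
    -FriendlyName "Lync Edge External" `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    -Country DE -State Hessen -City Frankfurt -Organization "Lyncdude Lab" -OU "Lync" `
    -Output "C:\certs\edge-external.csr"

# --- 2. After the public CA has issued the certificate and it is imported, verify it.
function Test-LyncEdgeCertificate {
    param(
        [Parameter(Mandatory=$true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory=$true)][string]$AccessEdgeFqdn,   # e.g. sip.lyncdude.net
        [Parameter(Mandatory=$true)][string[]]$SipDomains      # e.g. lyncdude.net
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # Subject CN must be the Access Edge FQDN
    $cn = $Certificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $AccessEdgeFqdn) { $findings.Add("Subject CN is '$cn', expected '$AccessEdgeFqdn'") }

    # SAN entries in certificate order: the first must repeat the Access Edge FQDN,
    # and there must be a sip.<domain> entry for every SIP domain
    $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sans = @()
    if ($sanExt) {
        $sans = @([regex]::Matches($sanExt.Format($false), 'DNS Name=([^\s,]+)') |
                  ForEach-Object { $_.Groups[1].Value })
    }
    if ($sans.Count -eq 0) { $findings.Add('No Subject Alternative Name extension') }
    elseif ($sans[0] -ne $AccessEdgeFqdn) { $findings.Add("First SAN is '$($sans[0])', expected '$AccessEdgeFqdn'") }
    foreach ($d in $SipDomains) {
        if ($sans -notcontains "sip.$d") { $findings.Add("Missing SAN sip.$d") }
    }

    # EKU must include Server Authentication (OID 1.3.6.1.5.5.7.3.1)
    $eku = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
    if (-not $hasServerAuth) { $findings.Add('EKU does not include Server Authentication') }

    # A CRL Distribution Point must be present ...
    if (-not ($Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' })) {
        $findings.Add('No CRL Distribution Point extension')
    }
    # ... and reachable: build the chain with online revocation checking
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($Certificate)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        $findings.Add("Chain or revocation check failed: $status")
    }

    # Private key must be present and exportable. CspKeyContainerInfo exists for
    # CSP (legacy provider) keys only; for CNG keys the lookup throws and the
    # exportability is left unchecked rather than reported wrongly.
    if (-not $Certificate.HasPrivateKey) { $findings.Add('No private key') }
    else {
        try { $exportable = $Certificate.PrivateKey.CspKeyContainerInfo.Exportable } catch { $exportable = $null }
        if ($exportable -eq $false) { $findings.Add('Private key is not exportable') }
    }
    return ,$findings
}

# Usage on the Edge server: an empty result means every requirement above is met.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=sip.lyncdude.net*' } | Select-Object -First 1
Test-LyncEdgeCertificate -Certificate $cert -AccessEdgeFqdn 'sip.lyncdude.net' -SipDomains 'lyncdude.net'
```

Run the check from the Edge server itself, because the online revocation step has to reach the CRL Distribution Point through the same firewall path the Edge uses; a CRL URL that is only reachable from the internal network will show up here as a chain failure before it shows up as a broken federation.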

The following screenshots are from my lab, where I have an Edge pool called Lync-pool02.lyncdude.net with two Edge servers deployed in it.

I ordered one certificate with the Access Edge FQDN as the subject name and all the other required external services as SANs.


Internal Certificate:

[screenshot]

External Certificate:

[screenshot]

Your certificates should look something like those two 🙂


Telling your network team what to open for the remote users is always a pain in the ***.

The following diagram isolates the ports required for external access:

[diagram]

Note that it is best practice to open TCP ports 50,000 to 59,999 for the A/V Edge service, while UDP ports 50,000 to 59,999 are only required to enable communication with Office Communications Server 2007 clients.
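Once the network team has opened the ports, the quickest way to settle "is it the firewall or the server" is to probe the Edge external listeners from outside. The following is an added example, not code from the original post: it connects to the standard Lync Edge external TCP listeners (Access Edge 443 and 5061, Web Conferencing Edge 443, A/V Edge 443) and, for the TLS ports, reports the subject of the certificate the Edge presents, which ties this back to the naming rules above. The port table is the standard set for Lync Edge and should be confirmed against the diagram for your own topology; the FQDNs webconf.lyncdude.net and av.lyncdude.net are assumed names for the lab in this post. UDP 3478 and the 50,000 to 59,999 range cannot be verified with a plain connect and are not probed here.

```powershell
# Added example, not from the original post. Port list = standard Lync Edge
# external TCP listeners (confirm against your topology); FQDNs are assumed lab names.

function Get-RemoteTlsSubject {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = $TimeoutMs
    $client.SendTimeout = $TimeoutMs
    $client.Connect($HostName, $Port)
    # Accept any server certificate: the point is to report which name the Edge
    # presents, not to decide trust (the Lync client does that).
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($HostName)
        return $ssl.RemoteCertificate.Subject
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}

function Test-LyncEdgePorts {
    param(
        [Parameter(Mandatory=$true)][string]$AccessEdgeFqdn,
        [Parameter(Mandatory=$true)][string]$WebConfEdgeFqdn,
        [Parameter(Mandatory=$true)][string]$AvEdgeFqdn,
        [int]$TimeoutMs = 3000
    )
    $checks = @(
        @{ Role = 'Access Edge, SIP/TLS remote users'; HostName = $AccessEdgeFqdn;  Port = 443;  Tls = $true  },
        @{ Role = 'Access Edge, SIP/MTLS federation';  HostName = $AccessEdgeFqdn;  Port = 5061; Tls = $true  },
        @{ Role = 'Web Conferencing Edge, PSOM/TLS';   HostName = $WebConfEdgeFqdn; Port = 443;  Tls = $true  },
        @{ Role = 'A/V Edge, STUN/TURN over TCP';      HostName = $AvEdgeFqdn;      Port = 443;  Tls = $false }
    )
    foreach ($c in $checks) {
        $client = New-Object System.Net.Sockets.TcpClient
        $open = $false
        try {
            # Connect with a timeout so a silently dropped SYN does not hang the probe
            $ar = $client.BeginConnect($c.HostName, $c.Port, $null, $null)
            if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($ar)   # throws if the connection was refused
                $open = $client.Connected
            }
        } catch { $open = $false }
        finally { $client.Close() }

        $subject = ''
        if ($open -and $c.Tls) {
            try { $subject = Get-RemoteTlsSubject -HostName $c.HostName -Port $c.Port -TimeoutMs $TimeoutMs }
            catch { $subject = "TLS handshake failed: $($_.Exception.Message)" }
        }
        New-Object PSObject -Property @{
            Role       = $c.Role
            Endpoint   = "$($c.HostName):$($c.Port)"
            Open       = $open
            TlsSubject = $subject
        }
    }
}

# Usage, from a machine outside the corporate network:
Test-LyncEdgePorts -AccessEdgeFqdn 'sip.lyncdude.net' `
                   -WebConfEdgeFqdn 'webconf.lyncdude.net' `
                   -AvEdgeFqdn 'av.lyncdude.net' |
    Format-Table Role, Endpoint, Open, TlsSubject -AutoSize
```

A port that shows `Open = False` is a firewall or NAT problem; a port that is open but reports a `TlsSubject` other than your Access Edge FQDN means the wrong certificate is assigned to that Edge role, which is a certificate problem and not something the network team can fix.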

Using IPsec on the network affects the Lync media traffic: the IPsec negotiation and per-packet processing add delay to call setup and to the media stream, and because Lync media is already encrypted with SRTP, IPsec adds no confidentiality on that traffic. So if you use IPsec in your environment, you need to exempt the media traffic (the A/V port ranges) from it.
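The exemption itself, as an added example that is not from the original post: it creates Windows Firewall connection security rules that do not require IPsec for the A/V port ranges mentioned above. It assumes Windows Server 2012 or later (where the NetSecurity module and `New-NetIPsecRule` exist) and that your IPsec policy is enforced through Windows Firewall connection security rules; if the policy comes from a domain GPO, create the same exemptions in that GPO, since that is where the requiring rules live. The port numbers are the ones from this post plus UDP 3478 for STUN on the A/V Edge.

```powershell
# Added example, not from the original post. Assumes Windows Server 2012+ and
# IPsec enforced via Windows Firewall connection security rules (local or GPO).
$mediaPorts = '50000-59999'

foreach ($proto in 'UDP', 'TCP') {
    New-NetIPsecRule -DisplayName "Lync A/V media exempt ($proto $mediaPorts)" `
        -Description 'Lync media is SRTP-encrypted; IPsec only adds call setup delay' `
        -Protocol $proto -LocalPort $mediaPorts -RemotePort Any `
        -InboundSecurity None -OutboundSecurity None
}

# STUN/TURN signalling for the A/V Edge external interface
New-NetIPsecRule -DisplayName 'Lync A/V STUN exempt (UDP 3478)' `
    -Protocol UDP -LocalPort 3478 -RemotePort Any `
    -InboundSecurity None -OutboundSecurity None

# Verify the exemptions exist and are enabled
Get-NetIPsecRule -DisplayName 'Lync A/V*' |
    Format-Table DisplayName, Enabled, InboundSecurity, OutboundSecurity -AutoSize
```

After adding the rules, place a call between a remote user and an internal user and compare the call setup time with and without the exemption; if IPsec is still being negotiated for the media ports, check that no more specific rule in the GPO overrides these exemptions.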

Author: Lyncdude

A Senior Service Engineer with more than 9 years of experience in Microsoft Exchange and Microsoft Lync Server / Skype for Business. An Egyptian guy who lives and works in Frankfurt, Germany. What is written in this blog is my own opinion and thoughts, not my employer's, and does not reflect their opinion.
