Understanding Lync Security – Part 2


This is Part 2 of Understanding Lync Security; you can find Part 1 here.


As you already know, SSL certificates are a way of establishing trust between the client and the server, so that both sides are sure they are talking to the correct endpoint.

As mentioned in Part 1, servers and clients use certificates to encrypt their communications. For that you need to consider the following:

  1. You must have a CRL (certificate revocation list) configured.
  2. You must have the EKU (Enhanced Key Usage) configured for your certificate. All Lync certificates must support EKU, which is important for MTLS.

The Edge Server certificate:

On the Edge server a certificate is used on both network interfaces of the server, but on the external interface the certificate needs to be issued by a trusted public CA.

A good thing about Lync is that you can use one certificate for all Edge roles, as long as it has the correct names in it.

A few things to consider when ordering your public certificate:

  • The subject name of the certificate needs to be the name of the Access Edge service, e.g. access.lyncdude.net or sip.lyncdude.net
  • The first SAN should also be the name of the Access Edge service, and the other services follow.
  • Create the certificate with an exportable private key.
  • Make sure to include a sip.domain.com entry in the certificate for each SIP domain you have in your deployment.

The following screenshot is taken from my lab, where I have an Edge pool called Lync-pool02.lyncdude.net with two Edge servers deployed in it.

I have ordered one certificate with the subject name (SN) of the Access Edge service, and all the other required web services as SANs in the certificate.


Internal Certificate:



External Certificate:



Your certificates should be something similar to those two 🙂
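As an added example (not from the original post), a PowerShell script that checks an Edge certificate against the points above: subject name, first SAN, one sip.<domain> entry per SIP domain, EKU, a CRL distribution point and an exportable private key. The Access Edge name and SIP domain are assumed from the lab names in the post, the thumbprint is a placeholder, and PowerShell 3.0 or later is assumed for the certificate provider properties used.

```powershell
# Added example: validate an Edge external certificate against the checklist above.
# Assumed values (taken from the lab names in the post): replace with your own.
$AccessEdgeFqdn = 'access.lyncdude.net'
$SipDomains     = @('lyncdude.net')                                  # one sip.<domain> per SIP domain
$Thumbprint     = '<THUMBPRINT-OF-EXTERNAL-EDGE-CERT>'               # placeholder

$cert     = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
$problems = @()

# 1. Subject CN must be the Access Edge service name
$subjectCn = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN=', ''
if ($subjectCn -ne $AccessEdgeFqdn) { $problems += "Subject CN is '$subjectCn', expected '$AccessEdgeFqdn'" }

# 2. Parse the SAN extension (OID 2.5.29.17) in its original order; the first DNS entry
#    should be the Access Edge name and every sip.<domain> must be present
$sans   = @()
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($sanExt) {
    $sans = @($sanExt.Format($false) -split ',\s*' |
              Where-Object { $_ -like 'DNS Name=*' } |
              ForEach-Object { ($_ -split '=', 2)[1].Trim() })
}
if ($sans.Count -eq 0)                 { $problems += 'Certificate has no DNS SAN entries' }
elseif ($sans[0] -ne $AccessEdgeFqdn)  { $problems += "First SAN is '$($sans[0])', expected '$AccessEdgeFqdn'" }
foreach ($d in $SipDomains) {
    if ($sans -notcontains "sip.$d") { $problems += "SAN is missing sip.$d" }
}

# 3. EKU must include Server Authentication; Client Authentication is needed for MTLS between servers
$ekuOids = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.1') { $problems += 'EKU lacks Server Authentication (1.3.6.1.5.5.7.3.1)' }
if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.2') { $problems += 'EKU lacks Client Authentication (1.3.6.1.5.5.7.3.2)' }

# 4. A CRL Distribution Points extension (OID 2.5.29.31) must exist so revocation can be checked
if (-not ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' })) {
    $problems += 'No CRL Distribution Points extension'
}

# 5. Private key must be present and exportable (exportability is readable for CSP-backed keys)
if (-not $cert.HasPrivateKey) { $problems += 'Certificate has no private key' }
elseif ($cert.PrivateKey -and -not $cert.PrivateKey.CspKeyContainerInfo.Exportable) {
    $problems += 'Private key is not exportable'
}

if ($problems.Count -eq 0) { "OK: $($cert.Subject) passes the Edge certificate checks" }
else { $problems | ForEach-Object { "FAIL: $_" } }
```

Run it on the Edge server itself, since the private-key checks only work against the certificate store where the key lives.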


Working out what you need to tell your network team to open for the remote users is always a pain in the ***.

So the following diagram isolates the required ports for external access:



Note that it's best practice to open TCP ports 50,000 to 59,999 for the AV service, while UDP ports 50,000 to 59,999 are required to enable communication with OCS 2007 clients.

Using IPsec on the network affects Lync media traffic by adding delay, because every packet needs to be inspected; so if you use IPsec, you will need to turn it off for the media traffic.

Author: Lyncdude

A Senior Microsoft Unified Communications Consultant with more than 9 years of experience in Microsoft Exchange and Microsoft Lync Server / Skype for Business. An Egyptian guy who lives and works in Frankfurt, Germany. Worked closely with Microsoft Dubai for 3 years designing, building and supporting Exchange and Lync infrastructures. A Microsoft Certified ITP in Lync and Exchange, and also attended the Microsoft Partner Premier Field Support Engineer T1 Training for Microsoft Lync 2010.
