You should consider the following requirements for users and your network infrastructure while planning for a hybrid deployment.
You must have the following available in your environment to implement and configure a Lync Server 2013 hybrid deployment.
- An Office 365 tenant with Lync Online enabled.
- Optionally, if you want to support Single Sign-on with Office 365, an Active Directory Federation Services (AD FS) Server either on-premises or using Microsoft Azure Active Directory.
- An on-premises deployment of Lync Server 2013 or Lync Server 2010 with Cumulative Updates for Lync Server 2010: March 2013 or later applied.
- Lync Server 2013 administrative tools.
- AAD Sync
Topology Requirements
To configure a Lync Server 2013 deployment for hybrid with SFB Online, you must have one of the following supported topologies:
- Microsoft Lync Server 2010 with Cumulative Updates (March 2013 or later) applied, and the Lync Server 2013 administrative tools installed on-premises. Move-CsUser is run from the Lync Server 2013 administrative tools.
- The federation Edge Server must be running on Lync Server 2010 with Cumulative Updates (March 2013 or later) applied, or on Lync Server 2013.
- A Lync Server 2013 deployment with all servers running Lync Server 2013.
Requirements for Federation
- The Blocked domains list in the on-premises deployment must exactly match the Blocked domains list for your online tenant.
- The Allowed domains list in the on-premises deployment must exactly match the Allowed domains list for your online tenant.
- Federation must be enabled for the external communications for the online tenant, which is configured by using the Lync Online Control Panel.
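
One way to check the list-matching requirements above before enabling hybrid, as an added example that is not part of the original documentation. The function names, the normalization rules (case, whitespace, trailing dot) and every domain name are assumptions made for illustration.

```powershell
# Added example; all domain names are constructed sample data.
# On-premises input can come from (Get-CsAllowedDomain).Domain and
# (Get-CsBlockedDomain).Domain; online input is the tenant's exported lists.
function ConvertTo-NormalizedDomain {
    param([string[]]$Domain)
    # Assumption: ignore case, surrounding whitespace, a trailing dot and duplicates.
    $Domain | Where-Object { $_ -and $_.Trim() } |
        ForEach-Object { $_.Trim().TrimEnd('.').ToLowerInvariant() } |
        Sort-Object -Unique
}

function Compare-FederationList {
    param([string]$ListName, [string[]]$OnPremises, [string[]]$Online)
    $onPrem = @(ConvertTo-NormalizedDomain $OnPremises)
    $cloud  = @(ConvertTo-NormalizedDomain $Online)
    foreach ($d in $onPrem) {
        if ($cloud -notcontains $d) {
            [pscustomobject]@{ List = $ListName; Domain = $d; Finding = 'OnPremisesOnly' }
        }
    }
    foreach ($d in $cloud) {
        if ($onPrem -notcontains $d) {
            [pscustomobject]@{ List = $ListName; Domain = $d; Finding = 'OnlineOnly' }
        }
    }
}

function Test-FederationParity {
    param([string[]]$OnPremAllowed, [string[]]$OnPremBlocked,
          [string[]]$OnlineAllowed, [string[]]$OnlineBlocked)
    Compare-FederationList 'Allowed' $OnPremAllowed $OnlineAllowed
    Compare-FederationList 'Blocked' $OnPremBlocked $OnlineBlocked
    # A domain allowed on one side and blocked on the other deserves its own finding.
    $allowed = @(ConvertTo-NormalizedDomain (@($OnPremAllowed) + @($OnlineAllowed)))
    $blocked = @(ConvertTo-NormalizedDomain (@($OnPremBlocked) + @($OnlineBlocked)))
    foreach ($d in $allowed) {
        if ($blocked -contains $d) {
            [pscustomobject]@{ List = 'Both'; Domain = $d; Finding = 'AllowedAndBlocked' }
        }
    }
}

$sample = @{   # constructed lists, not real tenant data
    OnPremAllowed = @('partner.example', 'Vendor.Example.')
    OnPremBlocked = @('spam.example', 'oldvendor.example')
    OnlineAllowed = @('partner.example', 'vendor.example', 'oldvendor.example')
    OnlineBlocked = @('spam.example')
}
$findings = @(Test-FederationParity @sample)
$findings | Format-Table -AutoSize
if ($findings.Count -gt 0) { Write-Warning "$($findings.Count) federation list mismatch(es) found." }
```

An empty result means both lists match after normalization; any row is a difference to reconcile on one side before users are moved.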
DNS Settings
When creating DNS SRV records for hybrid deployments, the records _sipfederationtls._tcp.<domain> and _sip._tls.<domain> should point to the on-premises Access Proxy.
Firewall Considerations
Computers on your network must be able to perform standard Internet DNS lookups. If these computers can reach standard Internet sites, your network meets this requirement.
Depending on the location of your Microsoft Online Services data center, you must also configure your network firewall devices to accept connections based on wildcard domain names (for example, all traffic from *.outlook.com). If your organization’s firewalls do not support wildcard name configurations, you will have to manually determine the IP address ranges that you would like to allow and the specified ports.
Refer to the Help topic Office 365 URLs and IP address ranges.
Port and Protocol Requirements
In addition to the port requirements for internal Lync Server 2013 communication, you must also configure the following ports.

| Protocol / Port | Firewall requirement |
|---|---|
| TCP 443 | Open inbound |
| TCP 80 and 443 | Open inbound |
| TCP 5061 | Open inbound/outbound on the Edge Server |
| PSOM/TLS 443 | Open inbound/outbound for data sharing sessions |
| STUN/TCP 443 | Open inbound/outbound for audio, video, application sharing sessions |
| STUN/UDP 3478 | Open inbound/outbound for audio and video sessions |
| RTP/TCP 50000-59999 | Open outbound for audio and video sessions |