HP Survivable Branch Communication zl Module powered by Microsoft Lync Planning and Design Guide 2011-02
Planning Security
This section helps you to plan an SBM solution that fits within your business’s
security policies. You will need to examine your security policies in three main
areas:
■ Firewall policies
■ Domain computer policies that might be pushed to the SBM with GPOs
■ Privacy policies (related to call logging)
Adjusting Firewall Policies
If one or more firewalls stand between your branch and central sites, you must
ensure that the correct ports are open:
■ TCP 5060/5061—The SBM and the other Lync Servers communicate on
TCP 5061 if they are using Transport Layer Security (TLS) (recommended).
Otherwise, they communicate on TCP 5060.
Clients also use this port to contact the Mediation Server.
■ TCP 444—If the SBM is acting as a backup registrar for users at another
site, they might need to contact the SBM at this port.
■ TCP/UDP ports for peer-to-peer communications—As you recall,
after initiating a call with Session Initiation Protocol (SIP), Lync clients
(at both the same and different sites) can communicate directly using RTP.
By default, clients can negotiate any TCP/UDP port between 1024 and
65535 for these communications, as well as for peer-to-peer file transfers,
peer-to-peer video sessions, and peer-to-peer application sharing.
It is recommended that you allow these communications through your
firewall. Otherwise, your clients will have to pass all communications
through a Lync Server on TCP port 5060/5061, which greatly decreases the
scalability of the solution. However, leaving all of the ports in the default
range open can pose a security risk. It is recommended that you choose
one of the following alternatives:
• If your firewall supports a SIP Application Layer Gateway (ALG),
enable that ALG. The ALG will automatically open the correct ports
for a particular RTP session just for the duration of that session. You
do not need to open any ports manually except TCP 5060/5061.
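The port requirements above can be turned into a simple policy audit. The following Python is an added example, not HP's or Microsoft's tooling and not part of the original guide: it models a site-to-site firewall as an ordered list of first-match rules (a constructed rule format), builds the list of flows the guide says must be allowed for the chosen deployment options (TLS or not, backup registrar or not, SIP ALG or not), and reports which flows are blocked and which settings carry the risks the guide calls out (cleartext SIP on 5060, the whole 1024–65535 range open statically). The sample policies are constructed, not taken from the guide.

```python
"""Audit a branch-to-central-site firewall policy against the SBM/Lync port
requirements. Added example code; rule format and sample policies are
constructed assumptions, not HP or Microsoft artifacts."""

from dataclasses import dataclass
from typing import Dict, List, Tuple

# Default Lync client negotiation range for peer-to-peer RTP/media (from the guide).
MEDIA_LO, MEDIA_HI = 1024, 65535


@dataclass(frozen=True)
class Rule:
    proto: str       # "tcp" or "udp"
    port_lo: int     # inclusive destination port range
    port_hi: int
    action: str      # "allow" or "deny"; the first matching rule wins


def required_flows(use_tls: bool = True, backup_registrar: bool = False,
                   sip_alg: bool = False) -> List[Tuple[str, int, int, str]]:
    """Flows that must be allowed between the branch and central site."""
    sip_port = 5061 if use_tls else 5060
    flows = [("tcp", sip_port, sip_port,
              "SIP signaling: SBM <-> Lync Servers, clients -> Mediation Server")]
    if backup_registrar:
        flows.append(("tcp", 444, 444, "backup registrar contact from users at other sites"))
    if not sip_alg:
        # Without a SIP ALG the media range has to be allowed statically;
        # with an ALG the firewall opens the negotiated ports per session.
        for proto in ("tcp", "udp"):
            flows.append((proto, MEDIA_LO, MEDIA_HI,
                          "peer-to-peer RTP, file transfer, video, application sharing"))
    return flows


def first_match(rules: List[Rule], proto: str, port: int) -> str:
    """Action of the first rule matching proto/port; implicit default deny."""
    for r in rules:
        if r.proto == proto and r.port_lo <= port <= r.port_hi:
            return r.action
    return "deny"


def blocked_ports(rules: List[Rule], proto: str, lo: int, hi: int) -> List[int]:
    """Ports in [lo, hi] that the policy does not allow."""
    return [p for p in range(lo, hi + 1) if first_match(rules, proto, p) != "allow"]


def audit_policy(rules: List[Rule], use_tls: bool = True, backup_registrar: bool = False,
                 sip_alg: bool = False) -> Dict[str, List[str]]:
    """Return blocked required flows and risk warnings for a policy."""
    findings: Dict[str, List[str]] = {"missing": [], "warnings": []}
    for proto, lo, hi, why in required_flows(use_tls, backup_registrar, sip_alg):
        gaps = blocked_ports(rules, proto, lo, hi)
        if gaps:
            findings["missing"].append(
                f"{proto}/{lo}-{hi} ({why}): {len(gaps)} port(s) not allowed")
    if not use_tls:
        findings["warnings"].append(
            "SIP on TCP 5060 is cleartext; the guide recommends TLS on TCP 5061")
    for proto in ("tcp", "udp"):
        # Leaving the whole default range open is the risk the guide warns about.
        if not blocked_ports(rules, proto, MEDIA_LO, MEDIA_HI):
            findings["warnings"].append(
                f"{proto}/{MEDIA_LO}-{MEDIA_HI} is open statically; "
                "prefer a SIP ALG that opens media ports per session")
    return findings


# Constructed sample policies (not from the guide).
TIGHT_POLICY = [Rule("tcp", 5061, 5061, "allow"), Rule("tcp", 444, 444, "allow")]
WIDE_POLICY = TIGHT_POLICY + [Rule("tcp", MEDIA_LO, MEDIA_HI, "allow"),
                              Rule("udp", MEDIA_LO, MEDIA_HI, "allow")]

if __name__ == "__main__":
    for name, policy, alg in (("tight, no ALG", TIGHT_POLICY, False),
                              ("tight, SIP ALG", TIGHT_POLICY, True),
                              ("wide open, no ALG", WIDE_POLICY, False)):
        print(name, audit_policy(policy, backup_registrar=True, sip_alg=alg))
```

The tight policy with a SIP ALG enabled is the configuration the guide's first alternative describes: only the signaling ports are open statically and nothing is reported. The same tight policy without an ALG reports the media flows as blocked, which is the situation that forces all client traffic through a Lync Server on 5060/5061; the wide policy clears the blocked flows but trips the static-range warning.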