Setup a Fully Functional Lync 2013 Lab Using only One Public IP Address

Note: This article assumes you know how to setup Lync 2013 already and just need to know the intricacies of changing the default ports.

Ever since I was exposed to Lync in 2011, I’ve been a huge proponent of using chat to communicate at work. Years ago, I recall corporate chat being a hard sell, but now it seems generally accepted; many customers who don’t use chat are open to it, they just haven’t have the resources to set it up yet. I’ve setup Google Apps w/Talk for small businesses in the past, but I’ve have been curious implementing Microsoft Lync on-premise so I setup a lab last week to better understand it.

Because my lab is limited on RAM, I attempted to use just one server to accomplish everything I wanted — chat, “PC-to-PC” calls, and video conferencing. I was able to get chat working fine for internal and external users, but video conferencing and calls failed for users who were not on the same internal network.

After learning about the Edge server’s role in providing media services, I gave in and added an Edge server to my topology. I also added a Reverse Proxy because holy smokes, setting up a Reverse Proxy using IIS ARR was way easier than I thought it’d be (and I already had a web server that could do this.)

Here’s the thing about the Edge server: both the Front End and the Edge server use port 443 for very different things. Autodiscovery, which is provided by the Front End/Reverse Proxy, requires HTTPS (though you can use HTTP but I don’t want), and Autodiscovery was a requirement that I gave myself so, I was left having to modify the A/V port for the Edge server. In the setup below, you can see that I changed it to port 442. Modifying the port in the Topology was easy enough, but then I had to figure out exactly what DNS records needed to change.

The DNS change seems obvious now, but I started this with little knowledge about AutoDiscovery and service records. Because of this, I ended up with a ton of unnecessary/incorrect DNS entries.

Here’s how my lab is configured:

Internal SIP domain: ad.local
External SIP domain:
External IP address
DMZ Subnet: 10.0.10.x
Internal Subnet: 10.0.0.x

Role Hostname Internal IP External IP
Lync Front End None
Lync Edge lyncedge
Reverse proxy (optional) rp

Port Forwarding
Protocol Port Function IP
TCP 443 Autodiscovery (HTTPS)
TCP 444* Web Conferencing
TCP 5061** MTLS
Both 50000-59999 RTP

* I’m not entirely sure this needs to be exposed, but I opened mine anyway.
** In order to support the widest variety of Lync clients, 5061 appears to
be required for authentication even if you don’t do federation.

External DNS A & CNAME Records
Type Hostname Points to

External DNS SRV Record
Service Protocol Port Target
_sip _tls 442

Some DNS providers offer an SRV Host field. This is useful if your users authenticate as [email protected] instead of [email protected] In this case, “x” would be your host. Also, I’ve seen different numbers of Priority and Weight. I left mine at 100 and 1, though I’ve seen it at 0 and 0. I don’t think it matters much unless you’re doing load balancing.

Also, after examining client logs, I noticed that some external logins for desktop clients failed when didn’t exist, so I added it to DNS. Microsoft documentation mentions A records in a whole lot of places, but I found CNAMES work just as well.

A few things to note:

I didn’t hook Lync into Exchange and I didn’t even attempt Enterprise Voice because I don’t have the equipment (or desire.) Authentication was accomplished by adding [email protected] to each AD account email property, then using [email protected] as the sign-in name and ad\username for User Name. Of course, my domain’s Root CA cert had to be installed on all of the client computers, including mobile devices.

I did test to see if Office Web Apps was required for Lync-to-Lync calls (it wasn’t) and blew up one of my server’s IIS configs in the process. OWA doesn’t like to share and deletes all of your IIS Sites during configuration, so don’t install it on a server that does anything else related to IIS.

Also, if you have just one internal subnet and you’re comfortable with the security repercussions, you don’t need a reverse proxy — just a router that can forward from port 443 to port 4443. Also, your edge server will need 2 IPs (no way around that), so you can just give it two on the same subnet and make sure your router NATs to the “External” IP of the Edge server as listed in the Lync Topology.

Chrissy has worked in IT for nearly 20 years, and currently serves as a Sr. Systems Engineer for a federal contractor in Belgium. Always an avid scripter, she attended the Monad session at Microsoft’s Professional Developers Conference in Los Angeles back in 2005 and has worked and played with PowerShell ever since. Chrissy is currently pursuing an MS in Systems Engineering at Regis University and helps maintain in her spare time. She holds a number of certifications, including those relating to SQL Server, SuSE Linux, SharePoint and network security. She recently became a Microsoft PowerShell MVP. You can follow her on Twitter at @cl.

Posted in Lync
14 comments on “Setup a Fully Functional Lync 2013 Lab Using only One Public IP Address
  1. Maxime says:


    Thanks for this topic.
    I have installed a lab environnement with this infos but I still have a problème.
    Desktop sharing works on the LAN but external users connected in Lync cannot share or view shared desktop.
    Do you have an idea ?
    Thanks by advance.


  2. Allan says:

    Thank you for your post, got a question for you if you don’t mind. I see you are using 442 instead of 443, that would make my life very easy. Do you have to make custom settings in your external clients?

    Another angle, if I do not change port 443 in my topology. I’m going with the most simple solution, single external IP, single subnet, but my exchange is also on this LAN and so I have 443 already redirected to my Exchange Server from my router. Cannot mess with that. Wondering if I can use a custom port for 443, in other words… can I redirect say, 445 to 443? I do that often with remote desktops so I can send different people from the outside to 3389 on the inside… just put the custom external port into my RDP client. If this is possible, then I can put a custom port into my external clients?

    • Chrissy LeMaire says:

      Hey Allan,
      My external clients were not explicitly configured to go to port 442. The External DNS SRV Record record did that for them.

  3. Daimian WIlliams says:

    Hi, this guide is great! One question – How did you manage to change the AV port to 442?


  4. Daimian WIlliams says:

    Also, am I right in thinking that no actual ports are forwarded to the External NIC of the Edge server? 443 & 80 (4443 & 8080) are forward to FE and all others to Internal NIC of Edge?


    • Daimian WIlliams says:

      Should have said, I am using two NICS on same subnet on Edge, so it would be: – FE – Edge (internal) – Edge (external)

      and also not using reverse proxy and port forwarding 443/80 to 4443/8080 to

      Sorry for all this, just trying to clear my head.

      Thank you,

      • Chrissy LeMaire says:

        That was my bad, I updated the blog post, though unfortunately I can’t test it. A majority of the ports should be forwarded to the external edge IP.

  5. Mehran says:

    Dear Friend

    Thank you for your very valuable guidances on Lync they are wonderful and very comprehensive.

    We faced an strange problem after Lync 2013 fully implementation, would you give us any issue to solve this problems
    1- Whiteboard works about 30 minutes each time after Lync server restarting, for internal and external user both, and after that, it stops and give an error says “An error occurred while presenting”
    2- Totally we face “An error occurred while presenting” by PowerPoint sharing
    3- The call communication among two users that are both outside of domain is possible but the same call communication among a user inside domain and one outside of domain could be established , we added the user outside of domain the certificate and also in host etc, relevant IPs is added.
    We are in desperate need of a solution or guidance for this problem.


    • Chrissy LeMaire says:

      Hey Mehran,
      Unfortunately, I wouldn’t be able to help because I can’t duplicate the problem on my own systems :|

  6. TIsola says:

    Hi Chrissy,

    Thanks for your guidance.
    Just a clarification of your IP configurations; I noticed that you mentioned as below:
    DMZ Subnet: 10.0.10.x
    Internal Subnet: 10.0.0.x

    However, in your actual IP configurations you specified as your Internal and External for Lync edge respectively. I am thinking it should be the other way round since DMZ will connect to the External NIC of the Lync edge.

    Please clarify.


    • Chrissy LeMaire says:

      I think you’re right TIsola! I’ve updated the blog post. Please let me know if it works for you. I don’t have my lab setup to test it again, and kind of forgot everything ;)

  7. Muthupandi Mk says:


    I tested it in both Lync 2013 coexistance with Lync 2010 worked well..

    Thank you so much…

Leave a Reply

Your email address will not be published. Required fields are marked *



We are IT pros who grew up living and loving life in Cajun Country.


Chrissy LeMaire
View Chrissy LeMaire, BSc. MCITP's profile on LinkedIn

Brandon Abshire
View Brandon Abshire, MCDBA's profile on LinkedIn


Chrissy LeMaire
Microsoft PowerShell MVP