Setup a Fully Functional Lync 2013 Lab Using only One Public IP Address

Note: This article assumes you know how to setup Lync 2013 already and just need to know the intricacies of changing the default ports.

Ever since I was exposed to Lync in 2011, I’ve been a huge proponent of using chat to communicate at work. Years ago, I recall corporate chat being a hard sell, but now it seems generally accepted; many customers who don’t use chat are open to it, they just haven’t have the resources to set it up yet. I’ve setup Google Apps w/Talk for small businesses in the past, but I’ve have been curious implementing Microsoft Lync on-premise so I setup a lab last week to better understand it.

Because my lab is limited on RAM, I attempted to use just one server to accomplish everything I wanted — chat, “PC-to-PC” calls, and video conferencing. I was able to get chat working fine for internal and external users, but video conferencing and calls failed for users who were not on the same internal network.

After learning about the Edge server’s role in providing media services, I gave in and added an Edge server to my topology. I also added a Reverse Proxy because holy smokes, setting up a Reverse Proxy using IIS ARR was way easier than I thought it’d be (and I already had a web server that could do this.)

Here’s the thing about the Edge server: both the Front End and the Edge server use port 443 for very different things. Autodiscovery, which is provided by the Front End/Reverse Proxy, requires HTTPS (though you can use HTTP but I don’t want), and Autodiscovery was a requirement that I gave myself so, I was left having to modify the A/V port for the Edge server. In the setup below, you can see that I changed it to port 442. Modifying the port in the Topology was easy enough, but then I had to figure out exactly what DNS records needed to change.

The DNS change seems obvious now, but I started this with little knowledge about AutoDiscovery and service records. Because of this, I ended up with a ton of unnecessary/incorrect DNS entries.

Here’s how my lab is configured:

Internal SIP domain: ad.local
External SIP domain:
External IP address
DMZ Subnet: 10.0.10.x
Internal Subnet: 10.0.0.x

Role Hostname Internal IP External IP
Lync Front End None
Lync Edge lyncedge
Reverse proxy (optional) rp

Port Forwarding
Protocol Port Function IP
TCP 443 Autodiscovery (HTTPS)
TCP 444* Web Conferencing
TCP 5061** MTLS
Both 50000-59999 RTP

* I’m not entirely sure this needs to be exposed, but I opened mine anyway.
** In order to support the widest variety of Lync clients, 5061 appears to
be required for authentication even if you don’t do federation.

External DNS A & CNAME Records
Type Hostname Points to

External DNS SRV Record
Service Protocol Port Target
_sip _tls 442

Some DNS providers offer an SRV Host field. This is useful if your users authenticate as [email protected] instead of [email protected] In this case, “x” would be your host. Also, I’ve seen different numbers of Priority and Weight. I left mine at 100 and 1, though I’ve seen it at 0 and 0. I don’t think it matters much unless you’re doing load balancing.

Also, after examining client logs, I noticed that some external logins for desktop clients failed when didn’t exist, so I added it to DNS. Microsoft documentation mentions A records in a whole lot of places, but I found CNAMES work just as well.

A few things to note:

I didn’t hook Lync into Exchange and I didn’t even attempt Enterprise Voice because I don’t have the equipment (or desire.) Authentication was accomplished by adding [email protected] to each AD account email property, then using [email protected] as the sign-in name and ad\username for User Name. Of course, my domain’s Root CA cert had to be installed on all of the client computers, including mobile devices.

I did test to see if Office Web Apps was required for Lync-to-Lync calls (it wasn’t) and blew up one of my server’s IIS configs in the process. OWA doesn’t like to share and deletes all of your IIS Sites during configuration, so don’t install it on a server that does anything else related to IIS.

Also, if you have just one internal subnet and you’re comfortable with the security repercussions, you don’t need a reverse proxy — just a router that can forward from port 443 to port 4443. Also, your edge server will need 2 IPs (no way around that), so you can just give it two on the same subnet and make sure your router NATs to the “External” IP of the Edge server as listed in the Lync Topology.

Chrissy is a Cloud and Datacenter Management & Data Platform MVP who has worked in IT for over 20 years. She is the creator of the popular SQL PowerShell module dbatools, holds a master's degree in Systems Engineering and is coauthor of Learn dbatools in a Month of Lunches. Chrissy is certified in SQL Server, Linux, SharePoint and network security. You can follow her on Twitter at @cl.

Posted in Lync
19 comments on “Setup a Fully Functional Lync 2013 Lab Using only One Public IP Address
  1. Maxime says:


    Thanks for this topic.
    I have installed a lab environnement with this infos but I still have a problème.
    Desktop sharing works on the LAN but external users connected in Lync cannot share or view shared desktop.
    Do you have an idea ?
    Thanks by advance.


  2. Allan says:

    Thank you for your post, got a question for you if you don’t mind. I see you are using 442 instead of 443, that would make my life very easy. Do you have to make custom settings in your external clients?

    Another angle, if I do not change port 443 in my topology. I’m going with the most simple solution, single external IP, single subnet, but my exchange is also on this LAN and so I have 443 already redirected to my Exchange Server from my router. Cannot mess with that. Wondering if I can use a custom port for 443, in other words… can I redirect say, 445 to 443? I do that often with remote desktops so I can send different people from the outside to 3389 on the inside… just put the custom external port into my RDP client. If this is possible, then I can put a custom port into my external clients?

    • Chrissy LeMaire says:

      Hey Allan,
      My external clients were not explicitly configured to go to port 442. The External DNS SRV Record record did that for them.

  3. Daimian WIlliams says:

    Hi, this guide is great! One question – How did you manage to change the AV port to 442?


  4. Daimian WIlliams says:

    Also, am I right in thinking that no actual ports are forwarded to the External NIC of the Edge server? 443 & 80 (4443 & 8080) are forward to FE and all others to Internal NIC of Edge?


    • Daimian WIlliams says:

      Should have said, I am using two NICS on same subnet on Edge, so it would be: – FE – Edge (internal) – Edge (external)

      and also not using reverse proxy and port forwarding 443/80 to 4443/8080 to

      Sorry for all this, just trying to clear my head.

      Thank you,

      • Chrissy LeMaire says:

        That was my bad, I updated the blog post, though unfortunately I can’t test it. A majority of the ports should be forwarded to the external edge IP.

  5. Mehran says:

    Dear Friend

    Thank you for your very valuable guidances on Lync they are wonderful and very comprehensive.

    We faced an strange problem after Lync 2013 fully implementation, would you give us any issue to solve this problems
    1- Whiteboard works about 30 minutes each time after Lync server restarting, for internal and external user both, and after that, it stops and give an error says “An error occurred while presenting”
    2- Totally we face “An error occurred while presenting” by PowerPoint sharing
    3- The call communication among two users that are both outside of domain is possible but the same call communication among a user inside domain and one outside of domain could be established , we added the user outside of domain the certificate and also in host etc, relevant IPs is added.
    We are in desperate need of a solution or guidance for this problem.


    • Chrissy LeMaire says:

      Hey Mehran,
      Unfortunately, I wouldn’t be able to help because I can’t duplicate the problem on my own systems :|

  6. TIsola says:

    Hi Chrissy,

    Thanks for your guidance.
    Just a clarification of your IP configurations; I noticed that you mentioned as below:
    DMZ Subnet: 10.0.10.x
    Internal Subnet: 10.0.0.x

    However, in your actual IP configurations you specified as your Internal and External for Lync edge respectively. I am thinking it should be the other way round since DMZ will connect to the External NIC of the Lync edge.

    Please clarify.


    • Chrissy LeMaire says:

      I think you’re right TIsola! I’ve updated the blog post. Please let me know if it works for you. I don’t have my lab setup to test it again, and kind of forgot everything ;)

  7. Muthupandi Mk says:


    I tested it in both Lync 2013 coexistance with Lync 2010 worked well..

    Thank you so much…

  8. Matt says:


    you mentioned we can directly send Reverse proxy traffic to FE without using RP..
    I would like to know how we can achieve that, as far as my understanding is concern
    –>External Public IP is natted to suppose range,
    –>Edge is having 1 Ip from range 6.1 and one from 5.1
    –>and Lync servers are in Range , so in this case how we will achieve
    DO we need to add another adapter on FE having Ip from range?

  9. Aaron says:

    If I try this, and then go to, I get an error saying “The autodiscovered port 442 for Access Edge Server (via record isn’t a recommeneded port number for the domain of user [email protected]

    Any ideas?

    • Chrissy LeMaire says:

      Hey Aaron, I tried to follow this awhile back and it’s not as clear as it should be.Port 442 isn’t a recommended port, but it still works. Unfortunately, I don’t even have my lab setup anymore to rewrite the article so I’ll be waiting until the next version to update it.

      • Aaron says:

        I see. Well, as you described, it does work fully as far as all the test I ran manually on it. Just can’t run the connectivity test from Microsoft. But not a huge deal as long as it’s working, so THANK YOU! :)

  10. sepe says:


    i am doing the same implementation, but when i am running lync connectivity analyser, i see my edge server is pushing ssl internal edge server certificate instead of external….
    i am not using reverse proxy or anything…dont think it matters….

    i did the test on 5061..port///

    please help

Leave a Reply