SRV records and port numbers

  • Question

  • Hello,

    I am finding conflicting information about external SRV records. 

    _sipfederationtls._tcp.domain.com

    _sipexternaltls._tcp.domain.com

    _sip._tls.domain.com

    All of those records should point to sip.domain.com.  The problem is that I see conflicting information about the port number.  In some places it says that the port number should be 443, others say it should be 5061.

    What is the port number that I should use?  Which one is correct?

    Thank you.


    Thank you. Eric.

    Tuesday, September 4, 2012 3:26 AM

Answers

  • Hi Eric,

    I believe you're deploying your Access Edge and stumbled across this confusion.

    Here's the article from TechNet that addresses your concern: Reference Architecture: DNS Summary

    In short:

    _sipfederationtls._tcp.domain.com uses 5061

    _sip._tls.domain.com uses 443, as users are supposed to sign in securely over TLS

    There aren't any records for _sipexternaltls._tcp.domain.com as far as I'm concerned.

    Hope this helps.


    James Ooi MCITP Lync Server 2010 | Blog: http://jamesosw.wordpress.com | Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread

    • Marked as answer by KPABA Tuesday, September 4, 2012 4:19 PM
    Tuesday, September 4, 2012 8:51 AM
  • You do not need a sipexternal.sipdomain.com record.  If your client is falling back to this record, then that means it can't connect using the SRV method which would mean you have a DNS or firewall issue for your Access Edge.  The _sipfederationtls._tcp.sipdomain.com record should always use 5061.  The default for the _sip._tls.sipdomain.com records is 443, but could use port 5061 if you are using the single IP method for your Edge servers.

    If you want to use a single IP address for all three Edge services (Access, AV, Web Con), this is definitely a supported configuration. The issue is that you must use different ports for all three services. If using a separate IP and FQDN for each service, these would be assigned to port 443. In a single IP config, the recommendation is to assign the Access to port 5061, AV to 443 and WC to 444. The issue that could come up is if you are at a remote site or invite a partner or anonymous user to a conference and their firewall is blocking outbound nonstandard ports. In this case the external user would either not be able to join the conference at all or have other issues within the conference. The recommendation is to use 3 separate IPs since almost all companies/firewalls allow 443 outbound.


    Tim Harrington | Lync: MCM/MVP | Blog: http://HowDoUC.blogspot.com | Twitter: @twharrington

    • Marked as answer by KPABA Tuesday, September 4, 2012 4:19 PM
    Tuesday, September 4, 2012 12:39 PM
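The two marked answers above agree on a small rule set: `_sipfederationtls._tcp` must be on 5061, `_sip._tls` is 443 (or 5061 only when the Edge is deployed on a single IP), both point at the same `sip.` host, and `_sipexternaltls._tcp` should not exist. The following is an added checker written for this thread (not from the forum or from Microsoft) that parses zone-file SRV lines and reports deviations from that rule set; the domain `contoso.example` and the zone fragment are constructed samples.

```python
import re

# Zone-file SRV line: owner [ttl] IN SRV priority weight port target
SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+SRV\s+\d+\s+\d+\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)

# Constructed zone fragment (not from the thread): everything on 443 plus the unneeded record.
SAMPLE_ZONE = """
; constructed example for the SIP domain contoso.example
_sipfederationtls._tcp.contoso.example. 3600 IN SRV 0 0 443 sip.contoso.example.
_sip._tls.contoso.example.              3600 IN SRV 0 0 443 sip.contoso.example.
_sipexternaltls._tcp.contoso.example.   3600 IN SRV 0 0 443 sip.contoso.example.
"""

def parse_srv(zone_text):
    """Return one dict per SRV line; owner and target are lower-cased without the trailing dot."""
    records = []
    for line in zone_text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            records.append({"name": m["name"].rstrip(".").lower(),
                            "port": int(m["port"]),
                            "target": m["target"].rstrip(".").lower()})
    return records

def check_srv(records, sip_domain, single_ip_edge=False):
    """Return a list of findings; an empty list means the records follow the thread's guidance."""
    fed = f"_sipfederationtls._tcp.{sip_domain}"
    sip = f"_sip._tls.{sip_domain}"
    ext = f"_sipexternaltls._tcp.{sip_domain}"
    expected_target = f"sip.{sip_domain}"
    # Single external IP: Access Edge moves to 5061 so AV can keep 443; otherwise 443.
    sip_ports = {5061} if single_ip_edge else {443}
    findings, seen = [], set()
    for r in records:
        seen.add(r["name"])
        if r["name"] == fed and r["port"] != 5061:
            findings.append(f"{fed}: port {r['port']}, federation must use 5061")
        if r["name"] == sip and r["port"] not in sip_ports:
            findings.append(f"{sip}: port {r['port']}, expected {sorted(sip_ports)}")
        if r["name"] in (fed, sip) and r["target"] != expected_target:
            findings.append(f"{r['name']}: target {r['target']}, expected {expected_target}")
        if r["name"] == ext:
            findings.append(f"{ext}: record is not needed; remove it")
    for required in (fed, sip):
        if required not in seen:
            findings.append(f"{required}: missing")
    return findings
```

Run `check_srv(parse_srv(SAMPLE_ZONE), "contoso.example")` to see the two findings for the sample zone; pass `single_ip_edge=True` when the Edge services share one IP so that 5061 on `_sip._tls` is accepted.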

All replies

  • For external DNS, you only need two SRV records:

      • _sipfederationtls._tcp.sipdomain.com using port 5061
      • _sip._tls.sipdomain.com using port 443

    The first one is to support partner discovery for federation, the second is to support automatic configuration of your Lync client external to your network.  They should point to sip.sipdomain.com, which should point to the IP of the Access Edge server.


    Tim Harrington | Lync: MCM/MVP | Blog: http://HowDoUC.blogspot.com | Twitter: @twharrington

    Tuesday, September 4, 2012 3:44 AM
  • Thank you for your reply. 

    How about the following post on the Microsoft forum?

    http://social.technet.microsoft.com/Forums/en-US/ocsedge/thread/1160af33-57d1-414e-b246-f8511f92f06e/

    At least two people are saying that it should be 5061.  This is one of the posts (saw more) that I found where people are saying that it should be 5061.

    Thank you.


    Thank you. Eric.

    Tuesday, September 4, 2012 12:20 PM
  • Great.  Now I understand why they discussed that 5061 port.

    Thank you for your help.


    Thank you. Eric.

    Tuesday, September 4, 2012 4:19 PM
  • For Lync Hybrid with SFB Online, if we have to create _sipfederationtls._tcp.sipdomain.com on internal DNS in a split-brain DNS scenario, where should we point it to?

    1) Internal IP of Edge server

    OR

    2) Internal IP of FE servers

    Naveen

    Monday, January 7, 2019 7:52 PM