System and Infrastructure Requirements for Devices


Topic Last Modified: 2013-03-19

This section describes the hardware, port, Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), and security configurations that must be in place before you deploy IP phones. These requirements are in addition to the required components described in Required Lync Server Components for Devices.


Review the manufacturer’s data sheet for the devices that you are deploying to learn about additional requirements.

Hardware Requirements

IP phones running Lync Phone Edition support Link Layer Discovery Protocol-Media Endpoint Discovery (LLDP-MED) and Power over Ethernet (PoE). To take advantage of LLDP-MED, the switch must support IEEE802.1AB and ANSI/TIA-1057. To take advantage of PoE, the switch must support PoE802.3AF or 802.3at.

To enable LLDP-MED, the administrator must enable LLDP by using the switch console window and set the LLDP-MED network policy with the correct voice VLAN ID.


You can configure the switch for Enhanced 9-1-1 (E9-1-1), if the switch supports this.

File Store Requirements

We highly recommend that you create a quota on the Device Update Web service log file store at %ProgramFiles%\Microsoft Lync Server <version>\Web Services\DeviceUpdateFiles, using the File Server Resource Manager. A quota will help to ensure that the number of log files does not increase greater than the size of the file store, which could cause problems on the Web Services role. The Device Update Web service log file store is installed as part of the Front End Server role, and we recommend that the quota be set up whether or not you are using the Device Update Web service.


If you do not create a quota your network may be vulnerable.

For details about setting up a quota using the File Server Resource manager, see "File Server Resource Manager Step-by-Step Guide for Windows Server 2008" at

Port Requirements

IP phone use port 443 for the Device Update Web service and port 80 to receive the update when they device is inside the corporate network. They use Port 443 to both request and receive updates when the device is outside the corporate network.

Port 80 is also required for the device to download the Root certification authority (CA) chain if personal identification number (PIN) and certificate authentication is used.

DNS Requirements

IP phones require certain DNS records. The following table describes the records that you must create and publish to a DNS service, within the corporate network, if you are deploying IP phones. For details about the DNS records that are required for external IP phones, see the DNS Records for External Devices table later in this topic.

DNS Records for Internal Devices

Type Value Note


Fully qualified domain names (FQDNs) for the pool(s) hosting the Registrars.

The new Lync Server DNS load balancing feature requires you to specify the server FQDN and the pool FQDN, using the same IP address, for each server in the pool and to create DNS A records for all pools that contain a Registrar.

For example: RegistrarServerOneInPool.<SIP domain>:, RegistrarPool.<SIP domain>:, RegistrarServerTwoInPool.<SIP domain>:, and RegistrarPool.<SIP domain>: 1.2. 3.5.

If you are using hardware load balancing, just specify DNS A records for each pool that contains a Registrar. Allows external devices to connect by using SIP over TLS to the Registrar internally.


_sipinternal._tcp.<SIP domain>

_sipinternaltls._tcp.<SIP domain>

Specifies the two SIP FQDNs for internal routing, one for communications over TCP, and one for TCP communications that use TLS.


ucupdates-r2.<SIP domain>

Specifies the Web Services portion of the Device Update Web services URL. Make sure the hardware load balancer translates external requests to use “:443/RequestHandlerExt/ucdevice.upx.” The external port is 443.


If the pool is already deployed, you can get this information from Lync Server Control Panel on the Topology page by viewing the Edge Server properties.

DHCP Requirements

IP phones require the Web Services URL and Registrar FQDN from the DHCP server, for connectivity. You can configure this in your corporate DHCP server, or can use the stripped down DHCP server provided with the Registrar. The DHCP server on the Registrar does not lease addresses, and can be used safely in conjunctions with any other DHCP server. You can enable the DHCP components on the Registrar by doing the following:

  • Turn on this functionality by using this Lync Server Management Shell command as follows: set-CsRegistrarConfiguration -EnableDHCPServer $true

Make sure that the following information can be provided to IP phones:

  • Ensure that broadcast packets from devices can reach the DHCP server(s) by configuring DHCP relay agents to forward DHCP packets to the DHCP servers on the Registrar.

  • For internal communications, ensure that the options listed in the following table are set up on the organization’s DHCP server.

DHCP Options for Internal IP Phones

Option Value Note


Lync Pool Certificate Provisioning Service URL

Specify the internal URL in the form https://<LyncWebPoolFQDN>:443/CertProv/CertProvisioningService.svc*


FQDN for the CA pool Registrar

Specify the FQDN of the pool that will be the first logon server for the device. Typically this is a Director pool. If you do not deploy a Director pool, this is the Front End pool FQDN. The pool FQDN suffix must match the user's SIP URI.*



If you do not use a virtual local areal network (VLAN) for unified communications (UC), or if you use LLDP-enabled switches in your organization to provide VLAN IDs, do not set this option. Note that option 43 is not an independent option. Depending on the Vendor Class ID it is configured for, the option may have different values. The client identifies the vendor for which it wants the information as option 60 in the DHCP Request.


Install Virtual C++ 2008 x86 to run DHCPUtil.exe for DHCP Options.

*These are general examples. For details, see Obtaining Values of DHCP Options by Using DHCPUtil.exe in the Deployment documentation.

Security Requirements

If you are allowing external access for IP phones, a PKI infrastructure must be in place, and devices must have a valid Lync Server certificate, which they obtain when they log on and is issued from a public certification authority (CA) (recommended) or a private CA. This allows the devices to connect to the Device Update Web service from outside the intranet. For details, see Certificate Infrastructure Requirements in the Planning documentation.

Edge Server Requirements

If you are allowing external access for IP phones, deploy Edge Servers by following the instructions in Deploying Edge Servers in the Deployment documentation. However, during the setup process described in Set Up Network Interfaces for Edge Servers in the Deployment documentation, use the following configuration information to enable external access to the Device Update Web service:

  • In the Configure a Reverse Proxy step, configure the reverse HTTP proxy to use the Device Update Web service virtual directory https://<external Server FQDN>:443 for the external URL for Web Services and the Device Update Web service.

  • In the Configure DNS step, use the information in the following table.

    DNS Records for External Devices

    Type Value Note


    Edge Server: _sip._tls.<sip domain> (External TLS)

    Allows external devices to connect by using SIP over TLS to the Registrar internally.


    Reverse proxy FQDN:<server name>.<SIP domain>

    Allows external devices to connect by using TLS over HTTP to the Device Update Web service.


    If the Edge Server is already deployed, you can get this information from Lync Server Control Panel on the Topology page by viewing the Edge Server properties.