Example public DMZ deployment
for remote Lync / Skype for Business environments
This section explains how to deploy Pexip Infinity in a public DMZ to enable direct federation with remote Lync / Skype for Business.
* Note that where this documentation refers to "Lync/SfB", it represents both Microsoft Lync and Skype for Business unless explicitly stated otherwise.
For integrating Pexip directly with remote Lync/SfB environments, the following requirements have to be satisfied:
- The Conferencing Nodes in the Pexip environment must be deployed in a public DMZ network, meaning every Conferencing Node must be assigned a publicly reachable IP address, either directly or behind static NAT.
- For inbound call support, at least one Conferencing Node must be configured with a public TLS server certificate (provided by an official CA provider such as Verisign, Comodo, GlobalSign and similar). For outbound call support, all Conferencing Nodes in the public DMZ must be configured with a public TLS server certificate.
Note that RDP content sharing from Pexip Infinity towards a Lync/SfB client is considered an outbound call, even if the Lync/SfB client had dialed in to the conference, as RDP is a separately initiated SIP session.
- The Lync/SfB federation DNS SRV record for the video domain in use must resolve to the Conferencing Node(s) that will receive incoming calls.
The diagram above shows the example deployment which forms the basis of the public DMZ deployment in this guide. In this scenario, all Conferencing Nodes are deployed in a public DMZ network. Two Conferencing Nodes are configured to receive incoming calls (handle the SIP signaling). Additional Conferencing Nodes can optionally be deployed to increase the media capacity. Media processing is dynamically distributed among all the Conferencing Nodes.
The Management Node will typically also be located in the same public DMZ, but this is not a requirement. The Management Node can be located on an internal network behind the public DMZ, as long as:
- there is no NAT (Network Address Translation) taking place between Pexip Infinity nodes on the internal network and nodes on the public DMZ, and
- any firewalls between the two networks are configured to pass IPsec traffic in both directions between the Management Node and all Conferencing Nodes in the Pexip environment.
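The requirements listed earlier and the Management Node NAT condition can be checked against a deployment plan before any node is exposed. The Python script below is an added example, not part of Pexip's documentation or tooling; the Node record, the check_plan function, the host names and the addresses are constructed for illustration, and it assumes that a node named as a federation SRV target is one that must hold a public certificate.

```python
import ipaddress
from dataclasses import dataclass

# IPv4 ranges that remote Lync/SfB environments cannot reach (IPv4 only).
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "169.254.0.0/16", "127.0.0.0/8")]

@dataclass
class Node:                      # hypothetical inventory record
    name: str                    # FQDN of the Conferencing Node
    address: str                 # address configured on the node
    static_nat: str = ""         # public side of a static NAT, if used
    public_cert: bool = False    # TLS server certificate from a public CA

def is_public(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in NON_PUBLIC)

def check_plan(nodes, srv_targets, mgmt_nat_to_nodes=False):
    """Return findings; an empty list means the plan meets the requirements."""
    findings = []
    for n in nodes:
        if not is_public(n.static_nat or n.address):
            findings.append(f"{n.name}: not publicly reachable")
        if not n.public_cert:  # needed on every node for outbound calls and RDP sharing
            findings.append(f"{n.name}: no public certificate (outbound)")
    if not any(n.public_cert for n in nodes):
        findings.append("inbound: no node has a public certificate")
    by_name = {n.name: n for n in nodes}
    for target in srv_targets:
        node = by_name.get(target)
        if node is None:
            findings.append(f"SRV target {target}: not a Conferencing Node")
        elif not node.public_cert:
            # Assumption: the node named in the SRV record terminates TLS.
            findings.append(f"SRV target {target}: no public certificate")
    if mgmt_nat_to_nodes:
        findings.append("NAT between Management Node and Conferencing Nodes")
    return findings

# Constructed sample plan (documentation address ranges, made-up names).
SAMPLE = [
    Node("conf01.vc.example.com", "203.0.113.10", public_cert=True),
    Node("conf02.vc.example.com", "10.0.0.12", "203.0.113.12", True),
    Node("conf03.vc.example.com", "192.168.1.5"),
]
if __name__ == "__main__":
    for f in check_plan(SAMPLE, ["conf01.vc.example.com", "conf03.vc.example.com"]):
        print(f)
```

The firewall condition (IPsec passed in both directions) is not modelled here because it depends on the firewall's own rule set.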
The following diagram illustrates the typical signaling (SIP) and media (RTP) paths for various call scenarios involving Pexip Infinity and Lync/SfB clients. Since media negotiation between Pexip Infinity and Lync/SfB involves ICE (Interactive Connectivity Establishment), media paths depend on network architecture and the presence of firewalls and NATs (Network Address Translators). Note that the actual media paths in a real deployment may differ.