As seen in the Edge Server section, the Edge Server is segregating SIP traffic but it is not responsible for authentication. There is unauthenticated traffic, for example presence status requests and traffic from remote users, which needs to be authenticated. Authentication can only be handled by a SIP Registrar, which is the Front End Server.

The Director role is another type of proxy server. It knows where a user is homed and can process the authentication. Afterwards, it will pass this authenticated traffic to the user’s home pool.

The Director Server can also act as an additional security layer. As this authentication was taken over from the sensitive, data-homing Front End servers – if there is a denial-of-service attack, the attack will not be able to reach the internal Lync Front End servers. If the network is flooded with this invalid external traffic, it will simply be terminated here with no impact to any other internal system.

Note: Every Lync Front End Server has its own web services which need to be published using the Reverse Proxy. These services cannot be redirected via the Director Server.