The Edge Server runs a Lync application for three services:

Access Edge Service: This application component is also called Access Proxy. It controls remote user communication and passes authentication through. It also provides federation with other unified communication solutions, for example Lync or Office Communications Server (OCS), as well as Public IM Connectivity (PIC) to MSN or Skype. A third component is Extensible Messaging and Presence Protocol (XMPP); even though this is a dedicated service, it is related to Access Edge. The main purpose of the Access Edge Service is validating SIP connections between users inside and outside of the internal network.

Web Conferencing Edge Service: This is a dedicated service for web conferencing media distribution. The Edge Web Conferencing service proxies the conferencing data stream between the internal Front End Server hosting the conference and the externally connected Lync clients (rich and mobile).

Note: The Office Web Application Server is required for PowerPoint HTML5 rendering. This is not handled by the conferencing service.

Audio/Video Edge Service: The third core component in Lync Edge is the Audio/Video (A/V) component. This service does not handle A/V streams only; it also proxies application/desktop sharing and file transfer to external users. The A/V Edge Service has two functions: the Audio/Video Edge Service and the Audio/Video Authentication Service.

Note: All Edge server traffic must be encrypted using TLS. Public certificates need to be assigned to the Access Edge Service interface and Web Conferencing Edge Services interface. The A/V Edge Service does not need a certificate to be assigned to its interface – the certificate must be assigned to the A/V Authentication Service. The A/V Edge Service does not use the subject name or the Subject Alternative Name (SAN) entries.
Note: The A/V Authentication Service certificates in the Lync Edge Pool must share the same private key. The Edge Services ignore the certificate's subject name; therefore, only the SAN names are used and important.
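
The two certificate rules in the notes above can be checked against an inventory of the certificates assigned on each Edge pool member. The following PowerShell is an added example, not code from the original article or from Microsoft; the function name, service labels, server names, FQDNs and thumbprints are constructed for illustration, and it assumes each listed certificate was installed together with its private key.

```powershell
# Constructed inventory: one record per certificate assigned on each Edge server.
# In practice these values would be read from each server's certificate store.
$inventory = @(
    [pscustomobject]@{ Server='edge01'; Service='AccessEdge';       Subject='CN=sip.example.com';     San=@('sip.example.com');     Thumbprint='SAMPLE-THUMB-1' }
    [pscustomobject]@{ Server='edge02'; Service='AccessEdge';       Subject='CN=sip.example.com';     San=@('sip.example.com');     Thumbprint='SAMPLE-THUMB-1' }
    [pscustomobject]@{ Server='edge01'; Service='WebConferencing';  Subject='CN=sip.example.com';     San=@('sip.example.com','webconf.example.com'); Thumbprint='SAMPLE-THUMB-1' }
    [pscustomobject]@{ Server='edge02'; Service='WebConferencing';  Subject='CN=webconf.example.com'; San=@();                      Thumbprint='SAMPLE-THUMB-2' }
    [pscustomobject]@{ Server='edge01'; Service='AVAuthentication'; Subject='CN=av.example.com';      San=@();                      Thumbprint='SAMPLE-THUMB-3' }
    [pscustomobject]@{ Server='edge02'; Service='AVAuthentication'; Subject='CN=av.example.com';      San=@();                      Thumbprint='SAMPLE-THUMB-4' }
)

function Test-EdgeCertificateInventory {
    param(
        [Parameter(Mandatory)] [object[]]  $Inventory,
        [Parameter(Mandatory)] [hashtable] $RequiredFqdn   # service label -> published FQDN
    )
    $findings = @()

    # A/V Authentication: all pool members must share one private key. The same
    # thumbprint means the same certificate and therefore the same key pair, so
    # more than one distinct thumbprint across the pool is a finding.
    $av = @($Inventory | Where-Object { $_.Service -eq 'AVAuthentication' })
    $distinct = @($av | Select-Object -ExpandProperty Thumbprint -Unique)
    if ($distinct.Count -gt 1) {
        foreach ($c in $av) {
            $findings += "AVAuthentication on $($c.Server): thumbprint $($c.Thumbprint) is not shared by the whole pool"
        }
    }

    # Access Edge and Web Conferencing: the subject name is ignored, so the
    # published FQDN has to appear as a SAN entry (-notcontains is case-insensitive).
    foreach ($c in $Inventory | Where-Object { $RequiredFqdn.ContainsKey($_.Service) }) {
        $fqdn = $RequiredFqdn[$c.Service]
        if ($c.San -notcontains $fqdn) {
            $findings += "$($c.Service) on $($c.Server): '$fqdn' is missing from the SAN list"
        }
    }
    return $findings
}

$required = @{ AccessEdge = 'sip.example.com'; WebConferencing = 'webconf.example.com' }
Test-EdgeCertificateInventory -Inventory $inventory -RequiredFqdn $required
```

With the constructed inventory, the function reports both A/V Authentication certificates (the thumbprints differ between edge01 and edge02) and the Web Conferencing certificate on edge02, whose FQDN appears only in the subject name.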

How does Lync Edge for Audio/Video Work?

The Lync A/V Edge Service is the MRAS (Media Relay Access Server), which lets the A/V traffic pass through. The A/V Authentication Service is an internal Lync component related to the internal deployment; it authenticates media traffic coming from internal sources and travelling to external destinations.

Secure Real-time Transport Protocol (SRTP) contains its own security. SRTP first exchanges security keys (a master key which protects the session key) within the SIP protocol. Further information about SRTP can be found in the related RFC. It is important to understand where each Edge Server service is positioned, on the external interfaces or on the internal interface.

The Edge Servers require two network interfaces. Because the A/V site is segregated into two sites, security must be ensured.