With this method, both the web and session traffic are encrypted. One obvious question is: if this traffic can reach the Lync servers from external clients, how do we ensure it is legitimate traffic?

The answer to this question is not simple – but since Microsoft has improved IIS and the security of Windows servers in general over the years, traffic can be segregated based on its origin and directed to different targets, the internal and external IIS websites (for example, port segregation using 443/4443). Later in this document, we describe how this actually works.
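As an added example (not from the original document), the following PowerShell check, run on a Front End Server, verifies that the port segregation just described is actually in place: it reads the IIS bindings and flags any site whose HTTPS port does not match the expected internal/external split. The site names and the 443/4443 mapping are assumptions to be adjusted to the deployment.

```powershell
# Added check: confirm the Front End's IIS sites are segregated by port.
# Site names and the expected port mapping below are assumptions.
Import-Module WebAdministration

# Expected mapping of IIS site to the single HTTPS port it should listen on.
$ExpectedPorts = @{
    'Lync Server Internal Web Site' = 443    # internal clients connect directly
    'Lync Server External Web Site' = 4443   # reached only through the reverse proxy
}

function Test-LyncWebSegregation {
    param([hashtable]$Expected = $ExpectedPorts)
    $findings = @()
    foreach ($site in Get-Website) {
        if (-not $Expected.ContainsKey($site.Name)) { continue }
        $want = $Expected[$site.Name]

        # bindingInformation looks like "*:4443:" or "10.0.0.5:443:hostname";
        # the second field is the port.
        $httpsPorts = @($site.bindings.Collection |
            Where-Object { $_.protocol -eq 'https' } |
            ForEach-Object { [int](($_.bindingInformation -split ':')[1]) })

        if ($httpsPorts -notcontains $want) {
            $findings += "$($site.Name): expected HTTPS binding on $want, found: $($httpsPorts -join ',')"
        }
        # A site listening on more than its own port defeats origin-based
        # segregation: external requests could land on the internal site.
        $extra = @($httpsPorts | Where-Object { $_ -ne $want })
        if ($extra.Count -gt 0) {
            $findings += "$($site.Name): unexpected HTTPS binding(s) on $($extra -join ',')"
        }
    }
    return $findings
}

$result = Test-LyncWebSegregation
if ($result.Count -eq 0) {
    Write-Output 'OK: internal and external web sites are bound to distinct HTTPS ports.'
} else {
    $result | ForEach-Object { Write-Warning $_ }
}
```

Pair this with a rule on the reverse proxy or edge firewall that forwards external 443 only to 4443, since a correct binding on the server does not by itself stop the internal site from being reached if 443 is published externally.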

Until the traffic reaches an internal Lync system – either the Director or a Front End Server – the web traffic is not authenticated. Authentication must be carried out by the domain-joined Lync servers.

Session Initiation Protocol (SIP) traffic is different from web traffic. Even when initiated from external networks, it is logically treated as internal traffic. This behaviour is also discussed later in this document.

However, internal phone update and Certificate Revocation List (CRL) traffic cannot be encrypted – it must use HTTP rather than HTTPS.