Welcome to Part 2 on how to Enabe QoS for Lync Server 2013 and Various Clients. The purpose of this multi-part article is to lay everything out in a concise manner to help you, the reader, understand how to enable QoS. Keep in mind that this article is only for the ability to enable QOS, it is not a comprehensive guide on all the various dynamic ports available in Lync to lock down your firewalls. For that, you can check out my other article here. Second of all, the question may arise, why and when would you want to enable QoS. Audio and Video are synchronize traffic that can be affected by jitter, delay, and packet loss on an IP Network. Lync has been designed to work without QoS but Lync Administrators can choose to enable both Lync endpoints as well as servers to mark Differentiated Services Code Point (DSCP) values on audio and video packets. This ensures that audio/video packets get prioritized on a network that is enabled for Differentiated Services (DiffServ).
To better understand DiffServ and its affect on the network, please check out the excellent blog article written by fellow Lync MVP Jeff Schertz at the following URL: https://blog.schertz.name/2011/08/lync-qos-behavior/
Part 2
Server QOS
General Procedure for Server QoS
In Part 1, we talked about Windows Vista/7/8 vs Windows XP. Windows Vista, Windows 7, and Windows 8 utilize Policy based QoS and Windows XP used QoS based on the Packet Scheduler. For Lync 2013 Servers, you’ll always use Policy based QoS since Lync Server 2013 can only be installed on Windows 2008 R2 or Windows 2012 which both utilize Policy based QoS. For Lync 2010 Servers, you’ll always use Policy based QoS since Lync Server 2010 can only be installed on Windows 2008 or Windows 2008 R2 which both utilize Policy based QoS.
For Server based QoS, we can configure Conferencing Servers, Application Servers, and Edge Servers (which will use QoS based on the destination port rather than the source port as everything else does).
Client to Server Port Configuration for Conferencing Servers and Application Servers
Client to Server Port ranges are out of the box different for all modalities except for Application Sharing. In Lync Server 2013, there are no more dedicated Audio/Video Conferencing Servers as the Audio/Video Conferencing Servers are always located directly on a Front End. In Lync Server 2010, you still have the capability for deploying dedicated Audio/Video Conferencing Servers. The same GPO for Lync Server 2010 and Lync Server 2013 can be deployed. In Lync Server 2013, you will ensure that the GPO is deployed to the Lync Server 2013 Front End Servers whereas with Lync Server 2010, you will ensure the GPO is deployed to the Conferencing Servers whether that may be a Front End or a dedicated Audio/Video Conferencing Server.
The default ports for a Conferencing Server are as such:
- Audio: 49152 to 57500
- Video: 57501 to 65535
- Application Sharing: 49152 to 65535
At least 40 ports minimum are required for Application Sharing. We will specify a 8,348 port range that is unique from other ports. Ultimately, we will set Application Sharing to use the following ports:
- Application Sharing: 40803 to 49151
To set this, we will run the following command:
Configuring an Application Server is identical. The only difference is that you use the Set-CSApplicationServer command instead of the Set-CSConferenceServer. Make sure to include these ports in the QoS Policies for Edge Servers as you will learn later.
Client to Server Port Configuration for Dedicated Mediation Servers
A Mediation Server of course only handles Audio since it’s job is to transcode RTAudio to G.711. The default ports for a Mediation Server are as such:
- Audio: 49152 to 57500
No Changes to this port range will be required. If the Mediation Server is collocated on a Front End Server, no changes will need to be done as you can see the Audio Port Range for a dedicated Mediation Server is the same as the Audio Port Range for a Front End Conferencing Server.
Exchange Unified Messaging (UM)
I am not going to go into every step by step on how to enable Exchange UM for QoS as Lync MVP, Tom Pacyk, does that very well here. What I will show, is how Exchange UM ties into DSCP marking from the Lync Edge Server based on the port ranges we have defined through this article series.
Edge Server Policy Configuration
An Edge Server doesn’t get configured per se. But the policy that you create is based on a destination port (rather than source port like client peer to peer or client to server). The destination port configuration in the QoS Policy is configured based on the client peer to peer ports you defined in Part 1 of this article series as well as the client to server ports you defined in this Part 2 of this article series.
So if we take a look at everything we’ve done so far, we have the following peer to peer configuration from Part 1 of this article series:
- Audio: 20000 to 20039 (TCP/UDP with UDP being preferred with TCP fallback)
- Video: 20040 to 20079 (TCP/UDP with UDP being preferred with TCP fallback)
We have the following client to server configuration from Part 2 of this article series:
- Audio: 49152 to 57500 (TCP/UDP with UDP being preferred with TCP fallback)
- Video: 57501 to 65535 (TCP/UDP with UDP being preferred with TCP fallback)
- Application Sharing: 40803 to 49151 (TCP)
Exchange UM will utilize the following port configuration:
- Audio: 1024-65535 (UDP)
The Edge QoS Policy will need to have several QoS Policies configured to handle each modality (Application Sharing not as critical as Audio/Video but can be enabled) for peer to peer (Audio/Video) and client to server (Audio/Video). Additional QoS Policies may be needed depending on Application Servers in the environment and whether they have any different port ranges from your Peer to Peer or Client to Peer port configurations.
Configuring Policy Based QOS in Group Policy for Windows 2008 R2 and/or Windows 2012 for a Conferencing Server
As stated previously, Lync Server 2013 can only be installed on Windows 2008 R2 or Windows 2012. Both Windows 2008 R2 and Windows 2012 utilize Policy Based QOS which allows a wider variety of options for configuring QoS.
In the below example, we will show how to create the Policy-based QoS for Audio. Once finished, be sure to also create Policy-based QoS policies for Video. The DSCP Value for Audio will be 46 and the DSCP Value for Video will be 34. Open up Group Policy (in my examples, I am using Local Computer Policy but in a real production environment you would be using Group Policy at some level in your Domain Hierarchy) and navigate to Computer Configuration > Windows Settings > Policy-based QoS. Right-Click and choose Create new policy.
In the new Policy, give it a name and specify the DSCP Value. DSCP Values for audio is typically 46. Make sure the Outbound Throttle Rate check box is cleared. Click Next.
Because there are multiple applications that will stamp DSCP Values, we will choose All Applications. Click Next.
On the following screen, make sure you leave the defaults as “Any source IP address” and “Any destination IP Address.” Click Next.
On the following screen, choose TCP and UDP. In our information above we stated the default audio port range is 49152 to 57500 and does not need to be changed. Because of this, our source port range will 49152 to 575000 specified as 49152:57500.
Let’s go ahead and set the DSCP Value for Video with a DSCP value of 34. Right-Click Policy-based QoS and choose Create new policy. In the new Policy, give it a name and specify the DSCP Value. DSCP Values for video is typically 34. Make sure the Outbound Throttle Rate check box is cleared. Click Next.
Because there are multiple applications that will stamp DSCP Values, we will choose All Applications. Click Next.
On the following screen, make sure you leave the defaults as “Any source IP address” and “Any destination IP Address.” Click Next.
On the following screen, choose TCP and UDP. In our information above we stated the default video port range is 57501 to 65535 and does not need to be changed. Because of this, our source port range will 57501 to 65535 specified as 57501:65535.
If you would like Client to Server QoS for Application Sharing, feel free to also create a new QoS Policy that provides DSCP Values for the port ranges specified for Application Sharing. The same can be done for SIP if you really want SIP to be marked. If you made this port range contiguous with Video, feel free to modify your Video QoS Policy to add the ports for Application Sharing if you are fine with also using a DSCP value of 34.
Now go ahead and restart your Lync Conferencing Servers so they pick up the changes. After Group Policy have applied the settings, you should see the following settings within the registry:
Configuring Policy Based QOS in Group Policy for Windows 2008 and/or Windows 2008 R2 for a Dedicated Mediation Server
As stated previously, Lync Server 2013 can only be installed on Windows 2008 R2 or Windows 2012. Both Windows 2008 R2 and Windows 2012 utilize Policy Based QOS which allows a wider variety of options for configuring QoS. This same GPO Setting can also be applied to Lync 2010 Mediation Servers which utilize Windows 2008 or Windows 2008 R2 which both also utilize Policy Based QoS.
In the below example, we will show how to create the Policy-based QoS for Audio only. The DSCP Value for Audio will be 46. Open up Group Policy (in my examples, I am using Local Computer Policy but in a real production environment you would be using Group Policy at some level in your Domain Hierarchy) and navigate to Computer Configuration > Windows Settings > Policy-based QoS. Right-Click and choose Create new policy.
In the new Policy, give it a name and specify the DSCP Value. DSCP Values for audio is typically 46. Make sure the Outbound Throttle Rate check box is cleared. Click Next.
Since this is Policy-based QoS, we will want to take advantage of only tagging traffic that the Mediation Server uses utilizing the executable MediationServerSvc.exe. So make sure you choose the “Only applications with this executable name” and specify MediationServerSvc.exe. Click Next.
On the following screen, make sure you leave the defaults as “Any source IP address” and “Any destination IP Address.” Click Next.
On the following screen, choose TCP and UDP. In our information above we stated the default audio port range is 49152 to 57500 and does not need to be changed. Because of this, our source port range will 49152 to 575000 specified as 49152:57500.
Now go ahead and restart your Lync Mediation Servers so they pick up the changes. After Group Policy have applied the settings, you should see the following settings within the registry:
Configuring Policy Based QOS in Group Policy for Windows 2008 R2 and/or Windows 2012 for an Edge Server
As stated previously, Lync Server 2013 can only be installed on Windows 2008 R2 or Windows 2012. Both Windows 2008 R2 and Windows 2012 utilize Policy Based QOS which allows a wider variety of options for configuring QoS. This same GPO Setting can also be applied to Lync 2010 Edge Servers which utilize Windows 2008 or Windows 2008 R2 which both also utilize Policy Based QoS.
In the below example, we will show how to create the Policy-based QoS for Audio from Clients which utilize ports 20000 to 20039. Once finished, be sure to also create Policy-based QoS policies for Client Video as well as all the Audio/Video ranges for Conferencing Servers. The DSCP Value for Audio will be 46 and the DSCP Value for Video will be 34. Open up Local Group Policy since this is an Edge Server and navigate to Computer Configuration > Windows Settings > Policy-based QoS. Right-Click and choose Create new policy.
In the new Policy, give it a name and specify the DSCP Value. DSCP Values for audio is typically 46. Make sure the Outbound Throttle Rate check box is cleared. Click Next.
Since this is Policy-based QoS, we will typically want to specify the executable name to take advantage of only tagging traffic that the Edge Server uses utilizing the executable MediaRelaySvc.exe. Unfortunately, with the Edge Role, even in Lync 2013, no DSCP markings will happen when the executable name is specified. So make sure you choose All applications. Click Next.
On the following screen, we will want to restrict this GPO from the Internal IP of our Edge to ensure that only DSCP markings happen when we talk to the Internal Network as QoS does not get applied on the Internet. Make sure you leave the default for “Any destination IP Address.” In the following screenshot, 10.10.10.20/32 would be the IP Address assigned to the Internal NIC on our Edge Server. Click Next.
On the following screen, choose TCP and UDP. In our information above we stated the default audio port range is 49152 to 57500 and does not need to be changed. Because of this, our source port range will 49152 to 575000 specified as 49152:57500.
‘
I will not display the remainder of the QoS Policy configuration for the Edge as I’m sure by now, you are a master at configuring QoS Policies for Lync. The remainder of the four QoS Policies will look as such:
Peer to Peer Video:
- Policy Name: Lync 2010/2013 Client Video
- DSCP Value: 34
- All Applications
- Specify Outbound Throttle Rate is Unchecked
- Source IP: Your Internal Edge IP (Our example is 10.10.10.20/32)
- Destination Port Range of 20040:20079 TCP/UDP
Conferencing Server Audio:
- Policy Name: Lync 2010/2013 Conferencing Audio
- DSCP Value: 46
- All Applications
- Specify Outbound Throttle Rate is Unchecked
- Source IP: Your Internal Edge IP (Our example is 10.10.10.20/32)
- Destination Port Range of 49152:57500 TCP/UDP
Conferencing Server Video:
- Policy Name: Lync 2010/2013 Conferencing Video
- DSCP Value: 34
- All Applications
- Specify Outbound Throttle Rate is Unchecked
- Source IP: Your Internal Edge IP (Our example is 10.10.10.20/32)
- Destination Port Range of 57501:65535 TCP/UDP
Exchange UM Audio :
- Policy Name: Lync Edge to Exchange UM01 Audio (assuming UM01 is the UM Server)
- DSCP Value: 34
- All Applications
- Specify Outbound Throttle Rate is Unchecked
- Source IP: Your Internal Edge IP (Our example is 10.10.10.20/32)
- Destination IP: Your Exchange UM IP (Our example, 10.10.10.30/32)
- Destination Port Range of 1024-65535 UDP
Note: For Exchange UM, because we are using the entire 1024-65535 range, I like to create targeted GPO Policy Entries that include a destination IP for the Exchange UM Server. This way, it ensures this GPO that uses the entire upper port range does not interfere with other GPO QoS Policy Entries that have been defined as this QoS Policy Entry is more explicit in its Source/Target definitions. This also means you will need to create a policy for each UM Server.
After all QoS Policies are created, reboot the Lync Edge Server. You should see the following registry changes:
As always, log to ensure DSCP markings are being defined. In order to understand how to log, please refer to Part 1 of this article series at the bottom to get an understanding of how to enable DSCP monitoring in WireShark.
Hi Elan,__Great article but I am still a bit confused about source ports / destination ports. When setting the port ranges with a command like Set-CSConferencingConfiguration…is that configuring the source or destination ports? It suggest on source port while you do the dscp marking on source ports….But on destionation port sounds more logic while Most firewall rules are set on destination ports with source port any. And what is the difference with Edge servers….?
Thanks in advance.
It's definitely source port.
Hi Elan,
I am a bit confused. When talking about Client to Server Port ranges and changing them by using the command Set-CsConferenceServer I assume it sets the destination ports which a client can use to communicate to a server or vice versa.
But what about source ports…..normally in firewalls you set rules on destination ports….(with source port on any)
Why not using destination ports for dscp marking ??? In your item sometimes you use source ports and other times you use source ports …and that is confusing me…Can you please explain?
Thanks in advance,
Wim
Hello. In regards to configuring the policies against the servers, is it optional to create the GPO on the domain, or may I simply create the GPO with the specified settings local to each server?
After configuring the Set-CsConferencingConfiguration settings, my clients are now trying to get out of the AV Edge server on the port range specified. This is not default ports ofc, so they are closed. Why are the client behavior changing all the way to the Edge servers?? Any suggestion on this?
In the configuration for Lync 2010/2013 Client Audio on the Edge, the text says the port should be 49152:57500, but the image shows the correct configuration (20000:20039).
47001 TCP is Windows Remote Management Service and overlaps with the proposed new range for App Sharing. Will this not cause a problem?
No problem. The GPO's Policies are configured to specify lync.exe, communicator.exe, etc…