Microsoft Lync 2010 - 2013

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Microsoft Lync 2010 - 2013

Not applicable

Has anyone rolled out MS Lync 2010 servers in your network and worked out the policies & rules for the Lync traffic. If so would someone be willing to share the details. I am very new to the PANOS and i do not want to create security risk.

Thank you in advance,



L3 Networker

This is an example of the "Single Consolidated Edge" we are using.  Good Luck!

MikeLync Topology.jpg

Thank you for the diagram Mike, it will be usefull. however i am looking for something more basic to the policies and rules and what they will look like in the PA-500 GUI...

Thanks Mike

Hi Plano,

So in my case, the PAN is the internal firewall.  I created custom application for the Lync ports (8057, 5061, 5062, 4443).  I created an application group for all the FE -> Edge services that includes the aforementioned ports and additionally included ssl and stun.

I made App Override policies for the Lync ports so they were mapped correctly and implemented security rules per the diagram.  So it sort if looks like this:

Custom App:

12-11-2012 11-27-56 AM.png

App Group:

12-11-2012 11-28-14 AM.png

App Override:

12-11-2012 11-31-41 AM.png

Sec Pol:

12-11-2012 11-33-03 AM.png

Obviously, your actual mileage may vary, but this should get you close for the FE <-> Edge server policy.




there is a document from Palo Alto Networks and Citrix Netscaler (as load balancer for Lync) describing a reference setup:

This is a fantastic document.

Thank you for posting.

msullivan - Why do you need to create custom apps and app override policies? Can it not work with service (port) based policies? What setting have you configured for custom apps. I am interested in knowing about the timeout values.

Hi Sly,

You don't need to setup custom apps and overrides, but I do for two reasons:

- Seeing the app identified makes for better reporting

- If you want reporting and consistant functionality, you best use app overrides because the next App ID update might break production rules.  Case in point, some Lync traffic was originally identified as SSL (that's fine with me), then PA came out with an update and now identifies the same traffic over port 443 as ms-lync (or something like that).  That broke our clients for a few minutes.

If you want to tune timeouts, you'll need to create a custom app.  I use the defautl timeouts for Lync connections, but I do have some custom timeouts for other long lived app connections.



msullivan - can you please share screenshot for the details of custom apps?

  • 8 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!