http://blogs.technet.com/b/nexthop/archive/2011/11/15/enabling-lync-media-to-bypass-a-vpn-tunnel.aspxMany organizations utilize Virtual Private Networks (VPNs) to secure traffic when users are outside the corporate network. VPNs have numerous security benefits, but they can actually degrade the call experience for Microsoft Lync users. This occurs becauseen-USTelligent Evolution Platform Developer Build (Build: 5.6.50428.7875)http://blogs.technet.com/b/nexthop/archive/2011/11/15/enabling-lync-media-to-bypass-a-vpn-tunnel.aspx#3521787Fri, 21 Sep 2012 15:38:25 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3521787Kevin Peters<p>Hi Austin,</p> <p>If you block the traffic on the server side there is still the possibility of Peer to Peer connectivity (from one Lync client to another) over the tunnel. So unless you also block internal client subnets from reaching VPN subnets that wouldn&#39;t resolve the problem for all media flows.</p> <p>Hope this helps!</p> <p>Kevin</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3521787" width="1" height="1">http://blogs.technet.com/b/nexthop/archive/2011/11/15/enabling-lync-media-to-bypass-a-vpn-tunnel.aspx#3521494Thu, 20 Sep 2012 23:11:13 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3521494Austin Bailey<p>Great Article!</p> <p>I have one question for you though. If I was to give my VPN users a separate DHCP pool, could I implement the firewall rules on the Lync server side rather than the client side? It would be a gigantic undertaking to modify all of my mobile users windows firewalls to make the suggested change. My thought is to block the VPN IP Subnet on the servers themselves so that the client would be forced to look at the edge for connectivity. Thoughts?</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3521494" width="1" height="1">http://blogs.technet.com/b/nexthop/archive/2011/11/15/enabling-lync-media-to-bypass-a-vpn-tunnel.aspx#3476186Thu, 19 Jan 2012 01:23:18 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3476186Jason<p>Has anyone that implemented this noticed that the Lync client takes a long time to login when on VPN? &nbsp;Just a nusance, otherwise this solution rocks! &nbsp;Users &quot;Internal&quot; flag is set to fale when on VPN and traffic is routing over the Internet tunnel exclusively - excelelnt article!</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3476186" width="1" height="1">http://blogs.technet.com/b/nexthop/archive/2011/11/15/enabling-lync-media-to-bypass-a-vpn-tunnel.aspx#3475567Mon, 16 Jan 2012 10:01:22 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3475567Mac alvano<p>Nice article, keep it up good work, kevin and randy!</p> <p>does link media bypass &lt;a href=&quot;<a rel="nofollow" target="_new" href="http://bestvpnservice.com/providers/22/strong_vpn.html&quot;&gt;strong">bestvpnservice.com/.../strong_vpn.html&quot;&gt;strong</a> vpn&lt;/a&gt;?</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3475567" width="1" height="1">http://blogs.technet.com/b/nexthop/archive/2011/11/15/enabling-lync-media-to-bypass-a-vpn-tunnel.aspx#3475186Thu, 12 Jan 2012 17:48:05 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3475186Kevin Peters<p>Hi Jason,</p> <p>You would want to use a separate DNS server for VPN clients, so public IPs are provided to the VPN users (bypassing the tunnel), but internal IPs are still provided to your internal users. &nbsp;This could not be done from the same DNS server, so you&#39;d need to create at least one, specifically for serving the VPN connections.</p> <p>HTH,</p> <p>-Kevin</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3475186" width="1" height="1">http://blogs.technet.com/b/nexthop/archive/2011/11/15/enabling-lync-media-to-bypass-a-vpn-tunnel.aspx#3475145Thu, 12 Jan 2012 15:51:19 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3475145Jason<p>Same goes for meet and dialin, I already have these registered on internal DNS using internal IP&#39;s. </p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3475145" width="1" height="1">http://blogs.technet.com/b/nexthop/archive/2011/11/15/enabling-lync-media-to-bypass-a-vpn-tunnel.aspx#3475143Thu, 12 Jan 2012 15:46:49 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3475143Jason<p>I am confused, I already have an internal DNS entry for &quot;Sip.contoso.com&quot; pointing to an internal address, this suggests resolving it to the edge interface. &nbsp;What will happen to internal users?</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3475143" width="1" height="1">http://blogs.technet.com/b/nexthop/archive/2011/11/15/enabling-lync-media-to-bypass-a-vpn-tunnel.aspx#3466223Sat, 19 Nov 2011 14:00:28 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3466223soder<p>Finally, this has been properly documented. I have to start testing it, and if works, becomes part of my implementation best practices list. Good job!</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3466223" width="1" height="1">http://blogs.technet.com/b/nexthop/archive/2011/11/15/enabling-lync-media-to-bypass-a-vpn-tunnel.aspx#3466205Sat, 19 Nov 2011 06:43:29 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3466205seo training noida<p>Thank you</p> <p>Your blog is very Informative.</p> <p>&nbsp;</p><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3466205" width="1" height="1">http://blogs.technet.com/b/nexthop/archive/2011/11/15/enabling-lync-media-to-bypass-a-vpn-tunnel.aspx#3466158Fri, 18 Nov 2011 19:51:23 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3466158Peyton McManus<p>Nice article guys! </p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3466158" width="1" height="1">