Microsoft Teams and Skype for Business News and Thoughts

Tom Arbuthnot MVP
Tom Arbuthnot MCSM Communications

This site uses cookies

Find this blog useful? Please take a second to share, thanks!

How to enable Lync Media Bypass over TCP (rather than TLS)

Published 07/10/2012 - 6 Comments

I’ve had this question a couple of times so thought it might make a good post.

Media-Bypass allows a Lync client and gateway to transmit media (RTP) directly between each other, you are “bypassing” the Mediation Server (in OCS media had to go via a mediation server). Signalling will still go via the Mediation Server.  Note: Using TCP will mean your media traffic is running over the network in the clear.

Lync certified gateways should support Media Bypass. The default way to install these is with a TLS connection, but if for whatever reason you want to use TCP, Media Bypass is still supported. I have set this up with Sonus (NET) UX gateways and Cisco ISR’s, it should apply equally to other gateways.

There are three settings on Lync you need to get lined up.

Ensure your trunk to your gateway is setup to Encryption Not Supported and Enable Media Bypass is ticked


Ensure your CAC settings allow the gateway and users to do Media Bypass or you have always Bypass on


The above settings (apart from encryption) are the same on TLS, this is the unique setting:

set-csmediaconfiguration –identity global –encryptionlevel supportencryption

This allows the clients to make a non-encrypted connection directly to the gateway


The Sonus UX gateways have a nice feature on the Web GUI of showing you when calls are in Bypass with a “B” on the call watcher


You can also find out after a call via the monitoring server reports:

User Activity Report –> <user you want to look for> –> Details –> Media Quality Report –> Call Information –> Mediation Server bypass call (true/false). (source)

Tom Arbuthnot

Tom Arbuthnot

Principal Solutions Architect at Modality Systems
Tom Arbuthnot is Principal Solutions Architect at Unified Communications specialist Modality Systems. He is a Microsoft Certified Master and MVP, blogger, has a regular podcast with UCToday at and is a regular speaker at events including Microsoft TechEd and Ignite. He co-runs The Microsoft UC User Group London.


Alan Klein - 07/10/2012 Reply

Hey Tom,

Thanks for your regular valuable content. For the sentence, “Note: Using TCP will mean your media traffic is running over the network in the clear.”, I believe you wanted to say your signaling traffic will be in the clear.

As well, your media traffic will also be in the clear since SRTP will not be used (since the media encryption keys would be exposed in the SDP body of the non-encrypted SIP signaling), media traffic often uses UDP on the internal enterprise LAN.

    Tom Arbuthnot - 08/10/2012 Reply

    Hi Alan,

    Thanks for the comment.

    Media will be in the clear, direct from the client to the gateway.

    Signalling from client to med should still by encrypted (though I haven’t physically tested this), signalling from med – GW will be TCP/in the clear.

    Any thoughts?



Jonathan Trent - 15/10/2012 Reply

So signaling traffic and media are both in the clear using TCP?

Gilberto - 24/01/2013 Reply

Tom, how can i know the VX 1800 from NET is capable to support media bypass. On the Microsoft Supported IP PBX & Gateways it shows VX1800 as enhanced Gateway and Qualified with SRTP & TLS. Does that mean it supports media bypass?


    Tom Arbuthnot - 26/01/2013 Reply

    I’ve setup other VX’s with media bypass, so I’d guess it would, but Sonus/Net should be able to confirm


Leave a Reply:


Weekly Email Update 
of all the key 
Microsoft Teams and Skype for Business News
every Tuesday

No Spam ever, I promise - Tom