
How to enable Lync Media Bypass over TCP (rather than TLS)

07/10/2012 6 Comments

I’ve had this question a couple of times so thought it might make a good post.

Media Bypass allows a Lync client and gateway to transmit media (RTP) directly between each other; you are “bypassing” the Mediation Server (in OCS, media had to go via a Mediation Server). Signalling will still go via the Mediation Server. Note: Using TCP will mean your media traffic is running over the network in the clear.

Lync certified gateways should support Media Bypass. The default way to install these is with a TLS connection, but if for whatever reason you want to use TCP, Media Bypass is still supported. I have set this up with Sonus (NET) UX gateways and Cisco ISRs; it should apply equally to other gateways.

There are three settings on Lync you need to get lined up.

Ensure your trunk to your gateway is set up with Encryption Not Supported and that Enable Media Bypass is ticked.


Ensure your CAC settings allow the gateway and users to do Media Bypass, or that you have Always Bypass on.


The above settings (apart from encryption) are the same as for TLS; this is the unique setting:

Set-CsMediaConfiguration -Identity Global -EncryptionLevel SupportEncryption

This allows the clients to make a non-encrypted connection directly to the gateway.
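A read-only way to check that the three settings above line up, as an added example that is not from the original post. The function name Test-TcpMediaBypass and the sample objects are hypothetical; the property names are assumed to match what Get-CsTrunkConfiguration, Get-CsNetworkConfiguration and Get-CsMediaConfiguration return, and SRTPMode NotSupported is assumed to correspond to the "Encryption Not Supported" trunk option.

```powershell
# Added example: compares the three settings with the values this post calls for.
function Test-TcpMediaBypass {
    param(
        [Parameter(Mandatory)] $Trunk,   # one object from Get-CsTrunkConfiguration
        [Parameter(Mandatory)] $Bypass,  # (Get-CsNetworkConfiguration).MediaBypassSettings
        [Parameter(Mandatory)] $Media    # Get-CsMediaConfiguration -Identity Global
    )
    $rows = @(
        @{ Setting = 'Trunk SRTPMode';        Value = $Trunk.SRTPMode;        Want = 'NotSupported' }
        @{ Setting = 'Trunk EnableBypass';    Value = $Trunk.EnableBypass;    Want = 'True' }
        @{ Setting = 'Global bypass Enabled'; Value = $Bypass.Enabled;        Want = 'True' }
        @{ Setting = 'Media EncryptionLevel'; Value = $Media.EncryptionLevel; Want = 'SupportEncryption' }
    )
    $result = foreach ($r in $rows) {
        [pscustomobject]@{
            Setting = $r.Setting
            Value   = "$($r.Value)"
            Wanted  = $r.Want
            Ok      = ("$($r.Value)" -eq $r.Want)   # -eq on strings is case-insensitive
        }
    }
    # With Always Bypass off, the decision depends on site and region bypass
    # settings, which these three objects do not show.
    $note = if ($Bypass.AlwaysBypass) { 'always bypass' }
            else { 'depends on site/region bypass settings' }
    $result + [pscustomobject]@{ Setting = 'Bypass decision'; Value = $note; Wanted = '-'; Ok = $true }
}

# Constructed sample values standing in for a live deployment.
$trunk  = [pscustomobject]@{ SRTPMode = 'NotSupported'; EnableBypass = $true }
$bypass = [pscustomobject]@{ Enabled = $true; AlwaysBypass = $false }
$media  = [pscustomobject]@{ EncryptionLevel = 'RequireEncryption' }  # not yet changed
Test-TcpMediaBypass -Trunk $trunk -Bypass $bypass -Media $media | Format-Table -AutoSize

# Against a live deployment, from the Lync Server Management Shell (read-only).
# The Global trunk identity is an assumption; use the scope your trunk is defined at.
# Test-TcpMediaBypass -Trunk (Get-CsTrunkConfiguration -Identity Global) `
#     -Bypass (Get-CsNetworkConfiguration).MediaBypassSettings `
#     -Media (Get-CsMediaConfiguration -Identity Global)
```

When every row reports Ok, RTP between clients and the gateway is unencrypted, so record which network segments that traffic crosses.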


The Sonus UX gateways have a nice feature on the Web GUI that shows when calls are in Bypass, with a “B” on the call watcher.


You can also find out after a call via the monitoring server reports:

User Activity Report -> <user you want to look for> -> Details -> Media Quality Report -> Call Information -> Mediation Server bypass call (true/false). (source)

Tom Arbuthnot

Tom Arbuthnot is Principal Solutions Architect at Unified Communications specialist Modality Systems. He is a Microsoft Certified Master and MVP, blogger, regular on The UC Architects Podcast, and speaker at events including Microsoft Lync Conference, TechEd and Ignite. He co-runs The Microsoft UC User Group London.

Comments (6)


  1. Alan Klein says:

    Hey Tom,

    Thanks for your regular valuable content. For the sentence, “Note: Using TCP will mean your media traffic is running over the network in the clear.”, I believe you wanted to say your signaling traffic will be in the clear.

    As well, your media traffic will also be in the clear since SRTP will not be used (since the media encryption keys would be exposed in the SDP body of the non-encrypted SIP signaling), media traffic often uses UDP on the internal enterprise LAN.

    • Hi Alan,

      Thanks for the comment.

      Media will be in the clear, direct from the client to the gateway.

      Signalling from client to med should still be encrypted (though I haven’t physically tested this), signalling from med – GW will be TCP/in the clear.

      Any thoughts?



  2. So signaling traffic and media are both in the clear using TCP?

  3. Gilberto says:

    Tom, how can I know whether the VX 1800 from NET is capable of supporting media bypass? On the Microsoft Supported IP PBX & Gateways it shows VX1800 as enhanced Gateway and Qualified with SRTP & TLS. Does that mean it supports media bypass?

