Tom Talks Microsoft Teams and Microsoft 365 Collaboration news and opinions

How to enable Lync Media Bypass over TCP (rather than TLS)

I’ve had this question a couple of times so thought it might make a good post.

Media-Bypass allows a Lync client and gateway to transmit media (RTP) directly between each other, you are “bypassing” the Mediation Server (in OCS media had to go via a mediation server). Signalling will still go via the Mediation Server.  Note: Using TCP will mean your media traffic is running over the network in the clear.

Lync certified gateways should support Media Bypass. The default way to install these is with a TLS connection, but if for whatever reason you want to use TCP, Media Bypass is still supported. I have set this up with Sonus (NET) UX gateways and Cisco ISR’s, it should apply equally to other gateways.

There are three settings on Lync you need to get lined up.

Ensure your trunk to your gateway is setup to Encryption Not Supported and Enable Media Bypass is ticked


Ensure your CAC settings allow the gateway and users to do Media Bypass or you have always Bypass on


The above settings (apart from encryption) are the same on TLS, this is the unique setting:

set-csmediaconfiguration –identity global –encryptionlevel supportencryption

This allows the clients to make a non-encrypted connection directly to the gateway


The Sonus UX gateways have a nice feature on the Web GUI of showing you when calls are in Bypass with a “B” on the call watcher


You can also find out after a call via the monitoring server reports:

User Activity Report –> <user you want to look for> –> Details –> Media Quality Report –> Call Information –> Mediation Server bypass call (true/false). (source)

About the author

Tom Arbuthnot

A Microsoft MVP and Microsoft Certified Master, Tom Arbuthnot is Principal Solutions Architect at Microsoft Collaboration specialists Modality Systems.

Tom stays up to date with industry developments and shares news and his opinions on his blog, Microsoft Teams Podcast and email list. He is a regular speaker at events around the world.


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  • Hey Tom,

    Thanks for your regular valuable content. For the sentence, “Note: Using TCP will mean your media traffic is running over the network in the clear.”, I believe you wanted to say your signaling traffic will be in the clear.

    As well, your media traffic will also be in the clear since SRTP will not be used (since the media encryption keys would be exposed in the SDP body of the non-encrypted SIP signaling), media traffic often uses UDP on the internal enterprise LAN.

    • Hi Alan,

      Thanks for the comment.

      Media will be in the clear, direct from the client to the gateway.

      Signalling from client to med should still by encrypted (though I haven’t physically tested this), signalling from med – GW will be TCP/in the clear.

      Any thoughts?



  • Tom, how can i know the VX 1800 from NET is capable to support media bypass. On the Microsoft Supported IP PBX & Gateways it shows VX1800 as enhanced Gateway and Qualified with SRTP & TLS. Does that mean it supports media bypass?


Tom Talks Microsoft Teams and Microsoft 365 Collaboration news and opinions