This document is provided "as-is". Information and views expressed in this document, including URL and other Internet Web site references, may change without
notice. This document does not provide you with any legal rights to any intellectual property in any Microsoft product or product name. You may copy and use
this document for your internal, reference purposes. You may modify this document for your internal, reference purposes. 2013 Microsoft. All rights reserved.
Terms of Use (http://technet.microsoft.com/cc300389.aspx) | Trademarks (http://www.microsoft.com/library/toolbar/3.0/trademarks/en-us.mspx)
Table Of Contents
Chapter 1
Port Requirements
Ports and Protocols for Internal Servers
IPsec Exceptions
Port Summary - Single Consolidated Edge with Private IP Addresses Using NAT
Port Summary - Single Consolidated Edge with Public IP Addresses
Port Summary - Scaled Consolidated Edge, DNS Load Balancing with Private IP Addresses Using NAT
Port Summary - Scaled Consolidated Edge, DNS Load Balancing with Public IP Addresses
Port Summary - Scaled Consolidated Edge with Hardware Load Balancers
Port Summary - Reverse Proxy
Port Summary - SIP, XMPP Federation and Public Instant Messaging
Chapter 1
Port Requirements
Lync Server 2013
Ports and Protocols for Internal Servers
Service name | Port | Protocol | Notes
All Servers: SQL Browser | 1434 | UDP | SQL Browser for the local replicated copy of the Central Management Store database.
 | 5060 | TCP | Optionally used by Standard Edition servers and Front End Servers for static routes to trusted services, such as remote call control servers.
 | 5061 | TCP (TLS) | Used by Standard Edition servers and Front End pools for all internal SIP communications between servers (MTLS), for SIP communications between server and client (TLS), and for SIP communications between Front End Servers and Mediation Servers (MTLS). Also used for communications with Monitoring Server.
 | 444 | HTTPS, TCP | Used for HTTPS communication between the Focus (the Lync Server component that manages conference state) and the individual servers. Also used for TCP communication between Survivable Branch Appliances and Front End Servers.
 | 135 | DCOM and remote procedure call (RPC) | Used for DCOM-based operations such as Moving Users, User Replicator Synchronization, and Address Book Synchronization.
Lync Server IM Conferencing service | 5062 | TCP | Used for incoming SIP requests for instant messaging (IM) conferencing.
 | 8057 | TCP (TLS) | Used to listen for Persistent Shared Object Model (PSOM) connections from clients.
 | 8058 | TCP (TLS) | Used to listen for PSOM connections from the Live Meeting client and previous versions of Lync Server.
Lync Server Audio/Video Conferencing service | 5063 | TCP |
Lync Server Audio/Video Conferencing service | 57501-65535 | TCP/UDP |
 | 80 | HTTP | Used for communication from Front End Servers to the web farm FQDNs (the URLs used by IIS web components) when HTTPS is not used.
 | 443 | HTTPS | Used for communication from Front End Servers to the web farm FQDNs (the URLs used by IIS web components).
 | 8080 | TCP and HTTP |
Web server component | 4443 | HTTPS |
Web server component | 8060 | TCP (MTLS) |
Web server component | 8061 | TCP (MTLS) |
Mobility Services component | 5086 | TCP (MTLS) |
Mobility Services component | 5087 | TCP (MTLS) |
Mobility Services component | 443 | HTTPS |
Lync Server Conferencing Attendant service (dial-in conferencing) | 5064 | TCP |
Lync Server Conferencing Attendant service (dial-in conferencing) | 5072 | TCP |
Lync Server Mediation service | 5070 | TCP | Used by the Mediation Server for incoming requests from the Front End Server to the Mediation Server.
Lync Server Mediation service | 5067 | TCP (TLS) | Used for incoming SIP requests from the PSTN gateway to the Mediation Server.
Lync Server Mediation service | 5068 | TCP | Used for incoming SIP requests from the PSTN gateway to the Mediation Server.
Lync Server Mediation service | 5081 | TCP | Used for outgoing SIP requests from the Mediation Server to the PSTN gateway.
Lync Server Mediation service | 5082 | TCP (TLS) | Used for outgoing SIP requests from the Mediation Server to the PSTN gateway.
Lync Server Application Sharing service | 5065 | TCP |
Lync Server Application Sharing service | 49152-65535 | TCP |
Lync Server Conferencing Announcement service | 5073 | TCP | Used for incoming SIP requests for the Lync Server Conferencing Announcement service (that is, for dial-in conferencing).
 | 5075 | TCP | Used for incoming SIP requests for the Call Park application.
 | 5076 | TCP | Used for incoming SIP requests for the Audio Test service.
Not applicable | 5066 | TCP |
Lync Server Response Group service | 5071 | TCP | Used for incoming SIP requests for the Response Group application.
Lync Server Response Group service | 8404 | TCP (MTLS) | Used for incoming SIP requests for the Response Group application.
Lync Server Bandwidth Policy Service | 5080 | TCP | Used for call admission control by the Bandwidth Policy service for A/V Edge TURN traffic.
Lync Server Bandwidth Policy Service | 448 | TCP | Used for call admission control by the Lync Server Bandwidth Policy Service.
 | 445 | TCP | Used to push configuration data from the Central Management store to servers running Lync Server.
All Servers: SQL Browser | 1434 | UDP | SQL Browser for the local replicated copy of Central Management store data in the local SQL Server instance.
Various | 49152-57500 | TCP/UDP | Media port range used for audio conferencing on all internal servers. Used by all servers that terminate audio: Front End Servers (for the Lync Server Conferencing Attendant service, Lync Server Conferencing Announcement service, and Lync Server Audio/Video Conferencing service) and Mediation Server.
Directors | 5060 | TCP | Optionally used for static routes to trusted services, such as remote call control servers.
Directors | 444 | HTTPS, TCP | Inter-server communication between Front End and Director. Additionally, client certificate publish (to Front End Servers) or validation of whether the client certificate has already been published.
Directors | 80 | TCP | Used for initial communication from Directors to the web farm FQDNs (the URLs used by IIS web components). In normal operation, traffic switches to HTTPS on TCP port 443.
Directors | 443 | HTTPS | Used for communication from Directors to the web farm FQDNs (the URLs used by IIS web components).
Directors | 5061 | TCP | Used for internal communications between servers and for client connections.
Mediation Servers: Lync Server Mediation service | 5070 | TCP | Used by the Mediation Server for incoming requests from the Front End Server.
Mediation Servers: Lync Server Mediation service | 5067 | TCP (TLS) |
Mediation Servers: Lync Server Mediation service | 5068 | TCP |
Mediation Servers: Lync Server Mediation service | 5070 | TCP (MTLS) |
Persistent Chat Front End Server | 5041 | TCP (MTLS) |
Persistent Chat Front End Server: Persistent Chat Windows Communication Foundation (WCF) | 881 | TCP (TLS) and TCP (MTLS) |
Persistent Chat Front End Server | 443 | TCP (TLS) |
Note:
Some remote call control scenarios require a TCP connection between the Front End Server or Director and the PBX. Although Lync Server no longer uses TCP
port 5060, during remote call control deployment you create a trusted server configuration, which associates the RCC Line Server FQDN with the TCP port that the
Front End Server or Director will use to connect to the PBX system. For details, see the CsTrustedApplicationComputer cmdlet in the Lync Server Management
Shell documentation.
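The table above is only useful if the servers actually match it. The following PowerShell is an added example, not Microsoft's code and not part of the original page: run on a Standard Edition or Front End Server (Windows Server 2012 or later, which provides Get-NetTCPConnection and Get-NetUDPEndpoint), it compares the fixed listening ports the table documents for that role with what is really bound, and reports both documented ports with no listener and listeners the table does not mention. The $Expected list is transcribed from the table; its Optional flags reflect rows the table itself calls optional or conditional, and the 49152 cutoff for "dynamic" ports is an assumption matching the media ranges above.

```powershell
# Added example (not Microsoft's code): compare a server's actual listeners with the
# Lync Server 2013 internal ports documented above. Run elevated, on the server
# itself, on Windows Server 2012 or later (Get-NetTCPConnection / Get-NetUDPEndpoint).

# Fixed listening ports for a Standard Edition / Front End Server, from the table
# above. Dynamic media ranges (49152-57500, 49152-65535, 57501-65535) are not fixed
# listeners and are left to the firewall review, not this check. Optional = $true
# marks ports the table itself describes as optional or conditional.
$Expected = @(
    @{ Port = 80;   Proto = 'TCP'; Optional = $true;  Use = 'HTTP to web farm FQDNs when HTTPS is not used' },
    @{ Port = 135;  Proto = 'TCP'; Optional = $false; Use = 'DCOM/RPC: user moves, replicator, address book sync' },
    @{ Port = 443;  Proto = 'TCP'; Optional = $false; Use = 'HTTPS web components' },
    @{ Port = 444;  Proto = 'TCP'; Optional = $false; Use = 'Focus to servers; SBA to Front End' },
    @{ Port = 445;  Proto = 'TCP'; Optional = $false; Use = 'Central Management store replication' },
    @{ Port = 448;  Proto = 'TCP'; Optional = $false; Use = 'Bandwidth Policy Service (CAC)' },
    @{ Port = 1434; Proto = 'UDP'; Optional = $false; Use = 'SQL Browser, local CMS replica' },
    @{ Port = 4443; Proto = 'TCP'; Optional = $false; Use = 'HTTPS from reverse proxy' },
    @{ Port = 5060; Proto = 'TCP'; Optional = $true;  Use = 'Static routes to trusted services (RCC)' },
    @{ Port = 5061; Proto = 'TCP'; Optional = $false; Use = 'SIP TLS/MTLS' },
    @{ Port = 5062; Proto = 'TCP'; Optional = $false; Use = 'IM conferencing' },
    @{ Port = 5063; Proto = 'TCP'; Optional = $false; Use = 'A/V conferencing' },
    @{ Port = 5064; Proto = 'TCP'; Optional = $false; Use = 'Conferencing Attendant' },
    @{ Port = 5065; Proto = 'TCP'; Optional = $false; Use = 'Application Sharing' },
    @{ Port = 5071; Proto = 'TCP'; Optional = $false; Use = 'Response Group' },
    @{ Port = 5072; Proto = 'TCP'; Optional = $false; Use = 'Conferencing Attendant' },
    @{ Port = 5073; Proto = 'TCP'; Optional = $false; Use = 'Conferencing Announcement' },
    @{ Port = 5075; Proto = 'TCP'; Optional = $false; Use = 'Call Park' },
    @{ Port = 5076; Proto = 'TCP'; Optional = $false; Use = 'Audio Test' },
    @{ Port = 5080; Proto = 'TCP'; Optional = $false; Use = 'Bandwidth Policy Service, A/V Edge TURN' },
    @{ Port = 5086; Proto = 'TCP'; Optional = $false; Use = 'Mobility Services (MTLS)' },
    @{ Port = 5087; Proto = 'TCP'; Optional = $false; Use = 'Mobility Services (MTLS)' },
    @{ Port = 8057; Proto = 'TCP'; Optional = $false; Use = 'PSOM from clients' },
    @{ Port = 8058; Proto = 'TCP'; Optional = $false; Use = 'PSOM from Live Meeting / earlier servers' },
    @{ Port = 8060; Proto = 'TCP'; Optional = $false; Use = 'Web server component (MTLS)' },
    @{ Port = 8061; Proto = 'TCP'; Optional = $false; Use = 'Web server component (MTLS)' },
    @{ Port = 8080; Proto = 'TCP'; Optional = $false; Use = 'HTTP from reverse proxy' },
    @{ Port = 8404; Proto = 'TCP'; Optional = $false; Use = 'Response Group (MTLS)' }
)

function Test-DocumentedPorts {
    param(
        [hashtable[]]$Expected,
        [int[]]$TcpListening,   # ports with a TCP listener
        [int[]]$UdpBound        # ports with a bound UDP endpoint
    )
    # Required documented ports with nothing bound to them.
    $missing = foreach ($e in $Expected) {
        $have = if ($e.Proto -eq 'TCP') { $TcpListening } else { $UdpBound }
        if (-not $e.Optional -and $have -notcontains $e.Port) { $e }
    }
    # TCP listeners below the dynamic range (assumed 49152+) that the table does not document.
    $documentedTcp = $Expected | Where-Object { $_.Proto -eq 'TCP' } | ForEach-Object { $_.Port }
    $undocumented  = $TcpListening | Where-Object { $_ -lt 49152 -and $documentedTcp -notcontains $_ }
    [pscustomobject]@{ Missing = @($missing); Undocumented = @($undocumented) }
}

$tcp = Get-NetTCPConnection -State Listen | Select-Object -ExpandProperty LocalPort -Unique
$udp = Get-NetUDPEndpoint | Select-Object -ExpandProperty LocalPort -Unique
$result = Test-DocumentedPorts -Expected $Expected -TcpListening $tcp -UdpBound $udp

'Documented ports with no listener (service stopped or not installed?):'
$result.Missing | ForEach-Object { '  {0}/{1}  {2}' -f $_.Port, $_.Proto, $_.Use }
'TCP listeners the table does not document (identify the owning process):'
foreach ($port in $result.Undocumented) {
    $owner = (Get-NetTCPConnection -State Listen -LocalPort $port | Select-Object -First 1).OwningProcess
    '  {0,-6} pid {1,-6} {2}' -f $port, $owner, (Get-Process -Id $owner).ProcessName
}
```

Expect the second list to contain Windows services the table does not cover (for example RDP on 3389, WinRM on 5985, NetBIOS on 139); those are triaged against the server build standard, not against this page. Anything else listening on a Lync server that neither list explains is the finding. On a collocated Mediation Server, add the 5067/5068/5070/5081/5082 rows from the table to $Expected before running.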
For your pools that use only hardware load balancing (not DNS load balancing), the following table shows the ports that need to be open on the hardware load balancers.
Load balancer | Port | Protocol
 | 5061 | TCP (TLS)
 | 444 | HTTPS
 | 135 |
 | 80 | HTTP
 | 8080 | TCP - Client and device retrieval of root certificate from Front End Server; clients and devices authenticated by NTLM
 | 443 | HTTPS
 | 4443 |
 | 5072 | TCP
 | 5073 | TCP
 | 5075 | TCP
 | 5076 | TCP
 | 5071 | TCP
 | 5080 | TCP
 | 448 | TCP
 | 5070 | TCP
Front End Server load balancer (if the pool also runs Mediation Server) | 5070 | TCP
 | 443 | HTTPS
 | 444 | HTTPS
 | 5061 | TCP
 | 4443 |
Your Front End pools and Director pools that use DNS load balancing also must have a hardware load balancer deployed. The following table shows the ports that need to be open on these hardware load balancers.
Port | Protocol
80 | HTTP
443 | HTTPS
8080 | TCP - Client and device retrieval of root certificate from Front End Server; clients and devices authenticated by NTLM
4443 |
443 | HTTPS
444 | HTTPS
4443 |
Component | Port | Protocol | Notes
Clients | 67/68 | DHCP | Used by Lync Server to find the Registrar FQDN (that is, if DNS SRV fails and manual settings are not configured).
Clients | 443 | TCP (TLS) |
Clients | 443 | TCP (PSOM/TLS) |
Clients | 443 | TCP (STUN/MSTURN) | Used for external user access to A/V sessions and media (TCP).
Clients | 3478 | UDP (STUN/MSTURN) | Used for external user access to A/V sessions and media (UDP).
Clients | 5061 | TCP (MTLS) |
Clients | 6891-6901 | TCP | Used for file transfer between Lync clients and previous clients (clients of Microsoft Office Communications Server 2007 R2, Microsoft Office Communications Server 2007, and Live Communications Server 2005).
Clients | 1024-65535 * | TCP/UDP |
Clients | 1024-65535 * | TCP/UDP |
Clients | 1024-65535 * | TCP | Peer-to-peer file transfer (for conferencing file transfer, clients use PSOM).
Clients | 1024-65535 * | TCP | Application sharing.
Aastra 6721ip common area phone, Aastra 6725ip desk phone, HP 4110 IP Phone (common area phone), HP 4120 IP Phone (desk phone), Polycom CX500 IP common area phone, Polycom CX600 IP desk phone, Polycom CX700 IP desk phone, Polycom CX3000 IP conference phone | 67/68 | DHCP | Used by the listed devices to find the Lync Server certificate, provisioning FQDN, and Registrar FQDN.
* To configure specific ports for these media types, use the CsConferencingConfiguration cmdlets (ClientMediaPortRangeEnabled, ClientMediaPort, and ClientMediaPortRange parameters).
Note:
The setup programs for Lync clients automatically create the required operating-system firewall exceptions on the client computer.
Note:
The ports that are used for external user access are required for any scenario in which the client must traverse the organization's firewall (for example, any external communications or meetings hosted by other organizations).
IPsec Exceptions
Lync Server 2013
Rule | Source IP | Destination IP | Protocol | Source port | Destination port | Authentication requirement
 | Any | | UDP and TCP | Any | Any | Do not authenticate
 | Any | | UDP and TCP | Any | Any | Do not authenticate
 | Any | | UDP and TCP | Any | Any | Do not authenticate
 | Any | | UDP and TCP | Any | Any | Do not authenticate
Mediation Server Inbound | Any | Mediation Server(s) | UDP and TCP | Any | Any | Do not authenticate
Mediation Server Outbound | Mediation Server(s) | Any | UDP and TCP | Any | Any | Do not authenticate
Conferencing Attendant Inbound | Any | | UDP and TCP | Any | Any | Do not authenticate
Conferencing Attendant Outbound | | Any | UDP and TCP | Any | Any | Do not authenticate
A/V Conferencing Inbound | Any | | UDP and TCP | Any | Any | Do not authenticate
A/V Conferencing Outbound | | Any | UDP and TCP | Any | Any | Do not authenticate
Exchange Inbound | Any | | UDP and TCP | Any | Any | Do not authenticate
Application Sharing Servers Inbound | Any | | TCP | Any | Any | Do not authenticate
Application Sharing Server Outbound | | Any | TCP | Any | Any | Do not authenticate
Exchange Outbound | | Any | UDP and TCP | Any | Any | Do not authenticate
Clients | Any | Any | UDP | Specified media port range | Any | Do not authenticate
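On Windows, "Do not authenticate" is a connection security rule whose inbound and outbound security are both None, which exempts matching traffic from IPsec negotiation. The following PowerShell is an added example, not Microsoft's code and not part of the original page: it creates such exemptions for the Mediation Server rows and the Clients row of the table above and then reads them back with their address and port filters so the result can be checked against the table. It requires the NetSecurity module (Windows Server 2012 or later) and an elevated session. The Mediation Server addresses, the Domain profile, and the media port range used for the Clients row are assumptions for illustration; the range must be whatever is configured in your deployment.

```powershell
# Added example (not Microsoft's code): create the IPsec exemptions from the table
# above as Windows connection security rules, then read them back. Run elevated on
# Windows Server 2012 or later (NetSecurity module). "Do not authenticate" maps to
# -InboundSecurity None -OutboundSecurity None: matching traffic is exempt from IPsec
# rather than negotiated or blocked.

$MediationServers = '10.0.1.21', '10.0.1.22'   # assumed Mediation Server pool addresses
$MediaPortRange   = '49152-57500'              # assumed: the internal audio media range from the tables above
$RuleProfile      = 'Domain'                   # assumed: exempt only on the domain profile

function New-LyncIPsecExemption {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string[]]$LocalAddress  = 'Any',
        [string[]]$RemoteAddress = 'Any',
        [Parameter(Mandatory)][ValidateSet('TCP', 'UDP')][string]$Protocol,
        [string]$LocalPort  = 'Any',
        [string]$RemotePort = 'Any'
    )
    # Idempotent: replace an existing rule of the same name instead of duplicating it.
    Get-NetIPsecRule -DisplayName $Name -ErrorAction SilentlyContinue | Remove-NetIPsecRule
    New-NetIPsecRule -DisplayName $Name `
        -LocalAddress $LocalAddress -RemoteAddress $RemoteAddress `
        -Protocol $Protocol -LocalPort $LocalPort -RemotePort $RemotePort `
        -InboundSecurity None -OutboundSecurity None `
        -Profile $RuleProfile -Enabled True | Out-Null
}

# "Mediation Server Inbound" and "Mediation Server Outbound": Any <-> Mediation Server(s),
# UDP and TCP, any port. A connection security rule applies to traffic between its two
# endpoint sets in both directions, so one rule per protocol covers both table rows when
# the same rule is deployed (for example by GPO) to the Mediation Servers and their peers.
foreach ($proto in 'UDP', 'TCP') {
    New-LyncIPsecExemption -Name "Lync Mediation Server exemption ($proto)" `
        -LocalAddress Any -RemoteAddress $MediationServers -Protocol $proto
}

# "Clients": Any <-> Any, UDP, source port = the client media port range. Seen from a
# server, the client's media port is the remote port; on client computers the same
# exemption is written with -LocalPort instead.
New-LyncIPsecExemption -Name 'Lync client media exemption (UDP)' `
    -Protocol UDP -RemotePort $MediaPortRange

# Read back the rules with their address and port filters for comparison with the table.
function Get-LyncIPsecExemption {
    Get-NetIPsecRule -DisplayName 'Lync*' | ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name     = $_.DisplayName
            Protocol = $port.Protocol
            Local    = ($addr.LocalAddress -join ',') + ':' + $port.LocalPort
            Remote   = ($addr.RemoteAddress -join ',') + ':' + $port.RemotePort
            Inbound  = $_.InboundSecurity
            Outbound = $_.OutboundSecurity
        }
    }
}

Get-LyncIPsecExemption | Format-Table -AutoSize
```

The exemption is deliberately no wider than the table row: protocol and port are constrained, and the Mediation rule is scoped to the pool's addresses rather than to Any, because every exemption is traffic that IPsec no longer protects. When the rules come from a domain GPO rather than from this script, run only the Get-LyncIPsecExemption part and compare its output with the table.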
Firewall Summary for Single Consolidated Edge with Private IP Addresses using NAT: External Interface
Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes
XMPP/TCP/5269 | Any | XMPP Proxy service (shares IP address with Access Edge service) | XMPP Proxy service accepts traffic from XMPP contacts in defined XMPP federations
Access/HTTP/TCP/80 | Edge Server Access Edge service | Any |
Access/DNS/TCP/53 | Edge Server Access Edge service | Any |
Access/DNS/UDP/53 | Edge Server Access Edge service | Any |
Access/SIP(TLS)/TCP/443 | Any | Edge Server Access Edge service |
Access/SIP(MTLS)/TCP/5061 | Any | Edge Server Access Edge service |
Access/SIP(MTLS)/TCP/5061 | Edge Server Access Edge service | Any |
Web Conferencing/PSOM(TLS)/TCP/443 | Any | Edge Server Web Conferencing Edge service |
A/V/RTP/TCP/50,000-59,999 | Edge Server A/V Edge service | Any | Required for federating with partners running Office Communications Server 2007, Office Communications Server 2007 R2, Lync Server 2010 and Lync Server 2013.
A/V/RTP/UDP/50,000-59,999 | Edge Server A/V Edge service | Any | Required only for federation with partners running Office Communications Server 2007.
A/V/RTP/TCP/50,000-59,999 | Any | Edge Server A/V Edge service | Required only for federation with partners running Office Communications Server 2007.
A/V/RTP/UDP/50,000-59,999 | Any | Edge Server A/V Edge service | Required only for federation with partners running Office Communications Server 2007.
A/V/STUN,MSTURN/UDP/3478 | Edge Server A/V Edge service | Any | 3478 outbound is used to determine the version of Edge Server that Lync Server is communicating with and also for media traffic from Edge Server to Edge Server. Required for federation with Lync Server 2010, Windows Live Messenger, and Office Communications Server 2007 R2, and also if multiple Edge pools are deployed within a company.
A/V/STUN,MSTURN/UDP/3478 | Any | Edge Server A/V Edge service |
A/V/STUN,MSTURN/TCP/443 | Any | Edge Server A/V Edge service |
A/V/STUN,MSTURN/TCP/443 | Edge Server A/V Edge service | Any |
Firewall Summary for Single Consolidated Edge with Private IP Addresses Using NAT: Internal Interface
Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Comments
XMPP/MTLS/TCP/23456 | | |
SIP/MTLS/TCP/5061 | | |
SIP/MTLS/TCP/5061 | | |
PSOM/MTLS/TCP/8057 | | |
SIP/MTLS/TCP/5062 | | |
STUN/MSTURN/UDP/3478 | Any | |
STUN/MSTURN/TCP/443 | Any | |
HTTPS/TCP/4443 | | |
MTLS/TCP/50001 | Any | |
MTLS/TCP/50002 | Any | |
MTLS/TCP/50003 | Any | |
SIP federation:
Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes
Access/SIP(MTLS)/TCP/5061 | Any | |
Public IM connectivity:
Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes
Access/SIP(MTLS)/TCP/5061 | Public IM connectivity partners | |
Access/SIP(MTLS)/TCP/5061 | Public IM connectivity partners | |
Access/SIP(TLS)/TCP/443 | Clients | |
A/V/RTP/TCP/50,000-59,999 | | |
A/V/STUN,MSTURN/UDP/3478 | | |
A/V/STUN,MSTURN/UDP/3478 | | |
XMPP federation:
Protocol/TCP or UDP/Port | Source IP address | Destination (IP address) | Comments
XMPP/TCP/5269 | Any | |
XMPP/TCP/5269 | Any | |
XMPP/MTLS/TCP/23456 | Any | | Internal XMPP traffic from the XMPP Gateway on the Front End Server or Front End pool to the Edge Server internal IP address or each Edge pool member's internal IP address
Firewall Summary for Single Consolidated Edge with Public IP Addresses: External Interface
Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes
XMPP/TCP/5269 | Any | XMPP Proxy service (shares IP address with Access Edge service) | XMPP Proxy service accepts traffic from XMPP contacts in defined XMPP federations
Access/HTTP/TCP/80 | Edge Server Access Edge service public IP address | Any |
Access/DNS/TCP/53 | Edge Server Access Edge service public IP address | Any |
Access/DNS/UDP/53 | Edge Server Access Edge service public IP address | Any |
Access/SIP(TLS)/TCP/443 | Any | Edge Server Access Edge service public IP address |
Access/SIP(MTLS)/TCP/5061 | Any | Edge Server Access Edge service public IP address |
Access/SIP(MTLS)/TCP/5061 | Edge Server Access Edge service public IP address | Any |
Web Conferencing/PSOM(TLS)/TCP/443 | Any | Edge Server Web Conferencing Edge service public IP address |
A/V/RTP/TCP/50,000-59,999 | Edge Server A/V Edge service public IP address | Any | Required for federating with partners running Office Communications Server 2007, Office Communications Server 2007 R2, Lync Server 2010 and Lync Server 2013.
A/V/RTP/UDP/50,000-59,999 | Edge Server A/V Edge service public IP address | Any | Required only for federation with partners running Office Communications Server 2007.
A/V/RTP/TCP/50,000-59,999 | Any | Edge Server A/V Edge service public IP address | Required only for federation with partners running Office Communications Server 2007.
A/V/RTP/UDP/50,000-59,999 | Any | Edge Server A/V Edge service public IP address | Required only for federation with partners running Office Communications Server 2007.
A/V/STUN,MSTURN/UDP/3478 | Edge Server A/V Edge service public IP address | Any | 3478 outbound is used to determine the version of Edge Server that Lync Server is communicating with and also for media traffic from Edge Server to Edge Server. Required for federation with Lync Server 2010, Windows Live Messenger, and Office Communications Server 2007 R2, and also if multiple Edge pools are deployed within a company.
A/V/STUN,MSTURN/UDP/3478 | Any | Edge Server A/V Edge service public IP address |
A/V/STUN,MSTURN/TCP/443 | Any | Edge Server A/V Edge service public IP address |
A/V/STUN,MSTURN/TCP/443 | Edge Server A/V Edge service public IP address | Any |
Firewall Summary for Single Consolidated Edge with Public IP Addresses: Internal Interface
Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Comments
XMPP/MTLS/TCP/23456 | | |
SIP/MTLS/TCP/5061 | | |
SIP/MTLS/TCP/5061 | | |
PSOM/MTLS/TCP/8057 | | |
SIP/MTLS/TCP/5062 | | |
STUN/MSTURN/UDP/3478 | Any | |
STUN/MSTURN/TCP/443 | Any | |
HTTPS/TCP/4443 | | |
MTLS/TCP/50001 | Any | |
MTLS/TCP/50002 | Any | |
MTLS/TCP/50003 | Any | |
Firewall Summary for Scaled Consolidated Edge, DNS Load Balancing with Private IP Addresses Using NAT: External Interface Node 1 and Node 2 Example
Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes
XMPP/TCP/5269 | Any | XMPP Proxy service (shares IP address with Access Edge service) | XMPP Proxy service accepts traffic from XMPP contacts in defined XMPP federations
XMPP/TCP/5269 | XMPP Proxy service (shares IP address with Access Edge service) | Any | XMPP Proxy service sends traffic to XMPP contacts in defined XMPP federations
Access/HTTP/TCP/80 | Edge Server Access Edge service | Any |
Access/DNS/TCP/53 | Edge Server Access Edge service | Any |
Access/DNS/UDP/53 | Edge Server Access Edge service | Any |
Access/SIP(TLS)/TCP/443 | Any | Edge Server Access Edge service |
Access/SIP(MTLS)/TCP/5061 | Any | Edge Server Access Edge service |
Access/SIP(MTLS)/TCP/5061 | Edge Server Access Edge service | Any |
Web Conferencing/PSOM(TLS)/TCP/443 | Any | Edge Server Web Conferencing Edge service |
A/V/RTP/TCP/50,000-59,999 | Edge Server A/V Edge service | Any | Required for federating with partners running Office Communications Server 2007, Office Communications Server 2007 R2, Lync Server 2010 and Lync Server 2013.
A/V/RTP/UDP/50,000-59,999 | Edge Server A/V Edge service | Any | Required only for federation with partners running Office Communications Server 2007.
A/V/RTP/TCP/50,000-59,999 | Any | Edge Server A/V Edge service | Required only for federation with partners running Office Communications Server 2007.
A/V/RTP/UDP/50,000-59,999 | Any | Edge Server A/V Edge service | Required only for federation with partners running Office Communications Server 2007.
A/V/STUN,MSTURN/UDP/3478 | Edge Server A/V Edge service | Any | 3478 outbound is used to determine the version of Edge Server that Lync Server is communicating with and also for media traffic from Edge Server to Edge Server. Required for federation with Lync Server 2010, Windows Live Messenger, and Office Communications Server 2007 R2, and also if multiple Edge pools are deployed within a company.
A/V/STUN,MSTURN/UDP/3478 | Any | Edge Server A/V Edge service |
A/V/STUN,MSTURN/TCP/443 | Any | Edge Server A/V Edge service |
A/V/STUN,MSTURN/TCP/443 | Edge Server A/V Edge service | Any |
Firewall Summary for Scaled Consolidated Edge, DNS Load Balancing with Private IP Addresses Using NAT: Internal Interface Node 1 and Node 2 Example
Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Comments
XMPP/MTLS/TCP/23456 | | |
SIP/MTLS/TCP/5061 | | |
SIP/MTLS/TCP/5061 | | |
PSOM/MTLS/TCP/8057 | | |
SIP/MTLS/TCP/5062 | | |
STUN/MSTURN/UDP/3478 | Any | |
STUN/MSTURN/TCP/443 | Any | |
HTTPS/TCP/4443 | | |
MTLS/TCP/50001 | Any | |
MTLS/TCP/50002 | Any | |
MTLS/TCP/50003 | Any | |
Firewall Summary for Scaled Consolidated Edge, DNS Load Balancing with Public IP Addresses: External Interface Node 1 and Node 2 (Example)
Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes
XMPP/TCP/5269 | Any | XMPP Proxy service (shares IP address with Access Edge service) | XMPP Proxy service accepts traffic from XMPP contacts in defined XMPP federations
Access/HTTP/TCP/80 | Edge Server Access Edge service public IP address | Any |
Access/DNS/TCP/53 | Edge Server Access Edge service public IP address | Any |
Access/DNS/UDP/53 | Edge Server Access Edge service public IP address | Any |
Access/SIP(TLS)/TCP/443 | Any | Edge Server Access Edge service public IP address |
Access/SIP(MTLS)/TCP/5061 | Any | Edge Server Access Edge service public IP address |
Access/SIP(MTLS)/TCP/5061 | Edge Server Access Edge service public IP address | Any |
Web Conferencing/PSOM(TLS)/TCP/443 | Any | Edge Server Web Conferencing Edge service public IP address |
A/V/RTP/TCP/50,000-59,999 | Edge Server A/V Edge service public IP address | Any | Required for federating with partners running Office Communications Server 2007, Office Communications Server 2007 R2, Lync Server 2010 and Lync Server 2013.
A/V/RTP/UDP/50,000-59,999 | Edge Server A/V Edge service public IP address | Any | Required only for federation with partners running Office Communications Server 2007.
A/V/RTP/TCP/50,000-59,999 | Any | Edge Server A/V Edge service public IP address | Required only for federation with partners running Office Communications Server 2007.
A/V/RTP/UDP/50,000-59,999 | Any | Edge Server A/V Edge service public IP address | Required only for federation with partners running Office Communications Server 2007.
A/V/STUN,MSTURN/UDP/3478 | Edge Server A/V Edge service public IP address | Any | 3478 outbound is used to determine the version of Edge Server that Lync Server is communicating with and also for media traffic from Edge Server to Edge Server. Required for federation with Lync Server 2010, Windows Live Messenger, and Office Communications Server 2007 R2, and also if multiple Edge pools are deployed within a company.
A/V/STUN,MSTURN/UDP/3478 | Any | Edge Server A/V Edge service public IP address |
A/V/STUN,MSTURN/TCP/443 | Any | Edge Server A/V Edge service public IP address |
A/V/STUN,MSTURN/TCP/443 | Edge Server A/V Edge service | Any |
Firewall Summary for Scaled Consolidated Edge, DNS Load Balancing with Public IP Addresses: Internal Interface Node 1 and Node 2 (Example)
Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Comments
XMPP/MTLS/TCP/23456 | | |
SIP/MTLS/TCP/5061 | | |
SIP/MTLS/TCP/5061 | | |
PSOM/MTLS/TCP/8057 | | |
SIP/MTLS/TCP/5062 | | |
STUN/MSTURN/UDP/3478 | Any | |
STUN/MSTURN/TCP/443 | Any | |
HTTPS/TCP/4443 | | |
MTLS/TCP/50001 | Any | |
MTLS/TCP/50002 | Any | |
MTLS/TCP/50003 | Any | |
Firewall Summary for Scaled Consolidated Edge, Hardware Load Balanced: External Interface Node 1 and Node 2 (Example)
Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes
Access/HTTP/TCP/80 | Edge Server Access Edge service public IP address | Any |
Access/DNS/TCP/53 | Edge Server Access Edge service public IP address | Any |
Access/DNS/UDP/53 | Edge Server Access Edge service public IP address | Any |
A/V/RTP/TCP/50,000-59,999 | Edge Server A/V Edge service IP address | Any | Required for federating with partners running Office Communications Server 2007, Office Communications Server 2007 R2, Lync Server 2010 and Lync Server 2013.
A/V/RTP/UDP/50,000-59,999 | Edge Server A/V Edge service public IP address | Any | Required only for federation with partners running Office Communications Server 2007.
A/V/RTP/TCP/50,000-59,999 | Any | Edge Server A/V Edge service public IP address | Required only for federation with partners running Office Communications Server 2007.
A/V/RTP/UDP/50,000-59,999 | Any | Edge Server A/V Edge service public IP address | Required only for federation with partners running Office Communications Server 2007.
A/V/STUN,MSTURN/UDP/3478 | Edge Server A/V Edge service public IP address | Any | 3478 outbound is used to determine the version of Edge Server that Lync Server is communicating with and also for media traffic from Edge Server to Edge Server. Required for federation with Lync Server 2010, Windows Live Messenger, and Office Communications Server 2007 R2, and also if multiple Edge pools are deployed within a company.
A/V/STUN,MSTURN/UDP/3478 | Any | Edge Server A/V Edge service public IP address |
A/V/STUN,MSTURN/TCP/443 | Any | Edge Server A/V Edge service public IP address |
A/V/STUN,MSTURN/TCP/443 | Edge Server A/V Edge service public IP address | Any |
Firewall Summary for Scaled Consolidated Edge, Hardware Load Balanced: Internal Interface Node 1 and Node 2
Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes
XMPP/MTLS/TCP/23456 | | Edge Server internal interface | Outbound XMPP traffic from XMPP Gateway service running on Front End
HTTPS/TCP/4443 | | Edge Server internal interface |
PSOM/MTLS/TCP/8057 | | Edge Server internal interface |
STUN/MSTURN/UDP/3478 | | Edge Server internal interface | Preferred path for A/V media transfer between internal and external users, Survivable Branch Appliance or Survivable Branch Server
STUN/MSTURN/TCP/443 | | Edge Server internal interface | Fallback path for A/V media transfer between internal and external users, Survivable Branch Appliance or Survivable Branch Server if UDP communication cannot be established; TCP is used for file transfer and desktop sharing
MTLS/TCP/50001 | Any | Edge Server internal interface |
MTLS/TCP/50002 | Any | Edge Server internal interface |
MTLS/TCP/50003 | Any | Edge Server internal interface |
Hardware load balancers have specific requirements when deployed to provide availability and load balancing for Lync Server. The requirements are defined in the following figure and tables. Third-party vendors may use different terminology for the requirements defined here; it will be necessary to map the requirements of Lync Server to the features and configuration options provided by your hardware load balancer vendor.
When configuring hardware load balancers, consider the following requirements:
- Source Network Address Translation (SNAT) can be configured on the hardware load balancer (HLB) for the Access Edge service and the Web Conferencing Edge service.
- SNAT cannot be configured on the A/V Edge service: the A/V Edge service must respond with the real server address, not the HLB virtual IP (VIP), for Simple Traversal of UDP through NAT (STUN), Traversal Using Relay NAT (TURN) and federation TURN (FTURN) to work properly.
- Public IP addresses are used on each server interface and on the VIPs of the HLB, so your public IP address requirement is N+1 per service: one public IP address for each real server interface and one for each HLB VIP. With 2 Edge Servers in the pool, this results in 9 public IP addresses: 3 for the HLB VIPs and one for each Edge Server interface (a total of six for the servers).
- For the Access Edge service and Web Conferencing Edge service (using NAT on the HLB), the client contacts the VIP and the HLB changes the source IP address from the client's address to its own. The server interface addresses the return traffic to the VIP; the HLB changes the source address from the server interface IP address to the VIP and sends the packet to the client.
- For the A/V Edge service, the VIP must NOT change the source IP address, and the real server address is returned to the client directly; you cannot configure NAT on the HLB for A/V traffic.
- For A/V, the external firewall will retain the real server public IP address for all packets.
- Once established, client to A/V Edge service communication is to the real server, not the HLB.
- Internal Edge to internal servers and clients must be routed, and persistent routes are set for all internal networks that host servers or clients.
- The HLB Access Edge service VIP will act as the default gateway for each Edge Server interface.
External Port Settings Required for Scaled Consolidated Edge, Hardware Load Balanced: External Interface Virtual IPs
Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes
XMPP/TCP/5269 | Any | |
XMPP/TCP/5269 | | Any |
Access/SIP(TLS)/TCP/443 | Any | |
Access/SIP(MTLS)/TCP/5061 | Any | |
Access/SIP(MTLS)/TCP/5061 | Federated partner | |
Web Conferencing/PSOM(TLS)/TCP/443 | Any | |
A/V/STUN,MSTURN/UDP/3478 | Any | |
A/V/STUN,MSTURN/TCP/443 | Any | |
Firewall Summary for Scaled Consolidated Edge, Hardware Load Balanced: Internal Interface Virtual IPs
Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes
Access/SIP(MTLS)/TCP/5061 | | |
Access/SIP(MTLS)/TCP/5061 | | |
SIP/MTLS/TCP/5062 | | |
STUN/MSTURN/UDP/3478 | Any | |
STUN/MSTURN/TCP/443 | Any | |
STUN/MSTURN/TCP/443 | Any | |
Port Summary - Reverse Proxy
External firewall requirements are HTTPS/TCP/443 and, optionally, HTTP/TCP/80. HTTPS is used for SSL/TLS-secured communications through the reverse proxy. HTTP is used if you choose to allow access to the Autodiscover Service in cases where modifying certificates might prove difficult or not cost justified.
Clients expect to contact the Office Web Apps Server on HTTPS. The Office Web Apps Server expects communication from internal clients on HTTPS/TCP/443. The recommended configuration is to allow HTTPS/TCP/443 from the reverse proxy to the Office Web Apps Server.
Port 8080 is used to route traffic from the reverse proxy internal interface to the Front End Server, Front End pool virtual IP (VIP), or the optional Director or Director pool VIP. TCP port 8080 is required for mobile devices running Lync to locate the Autodiscover Service in situations where modifying the external web service publishing rule certificate is undesirable (for example, if you have a large number of SIP domains). If you choose to acquire new certificates with the necessary SAN entries, TCP port 8080 is not needed and is optional.
Port 4443 is used for traffic from the reverse proxy internal interface to the Front End Server, Front End pool virtual IP (VIP), or the optional Director or Director pool VIP.
Caution:
Do not confuse TCP port 4443 from the reverse proxy to the internal deployment with the TCP port 4443 traffic from the Standard Edition server or Front End pool that manages the Central Management store role.
External Interface
Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes
HTTP/TCP/80 | Any | Reverse proxy listener |
HTTPS/TCP/443 | Any | Reverse proxy listener | Address book downloads, Address Book Web Query service, Autodiscover, client updates, meeting content, device updates, group expansion, Office Web Apps for conferencing, dial-in conferencing, and meetings.
Internal Interface
Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes
HTTP/TCP/8080 | Internal reverse proxy interface | Front End Server, Front End pool VIP, or the optional Director or Director pool VIP | Required if using the Autodiscover Service for mobile devices running Lync in situations where the organization does not want to modify the external web service publishing rule certificate. Traffic sent to port 80 on the reverse proxy external interface is redirected to a pool on port 8080 from the reverse proxy internal interface so that the pool Web Services can distinguish it from internal web traffic.
HTTPS/TCP/4443 | Internal reverse proxy interface | Front End Server, Front End pool VIP, or the optional Director or Director pool VIP | Traffic sent to port 443 on the reverse proxy external interface is redirected to a pool on port 4443 from the reverse proxy internal interface so that the pool web services can distinguish it from internal web traffic.
HTTPS/TCP/443 | Internal reverse proxy interface | Director pool |
Port Summary - SIP, XMPP Federation and Public Instant Messaging
SIP federation:
Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes
Access/SIP(MTLS)/TCP/5061 | Any | |
Public IM connectivity:
Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes
Access/SIP(MTLS)/TCP/5061 | Public IM connectivity partners | |
Access/SIP(MTLS)/TCP/5061 | Public IM connectivity partners | |
Access/SIP(TLS)/TCP/443 | Clients | |
A/V/RTP/TCP/50,000-59,999 | | |
A/V/STUN,MSTURN/UDP/3478 | | |
A/V/STUN,MSTURN/UDP/3478 | | |
XMPP federation:
Protocol/TCP or UDP/Port | Source IP address | Destination (IP address) | Comments
XMPP/TCP/5269 | Any | |
XMPP/TCP/5269 | Any | |
XMPP/MTLS/TCP/23456 | Any | | Internal XMPP traffic from the XMPP Gateway on the Front End Server or Front End pool to the Edge Server
See Also
Concepts
Scenarios for External User Access
Determine External A/V Firewall and Port Requirements
Other Resources
Manage XMPP Federated Partners for Your Organization