OCS 2007 R2 Firewall Port Settings
The tables below list all of the ports that must be opened for server-to-server and client-to-server communication in a restricted-ports infrastructure. After each section title we note whether the configuration has been validated in a live environment; we will do our best to validate the configuration of every section.
Edge Server Port Requirements:
Table 1 External Firewall Port Settings Required for Consolidated Edge Topology

| Edge Role | Source | Source Port | Destination | Destination Port | Transport | Application | Notes |
|---|---|---|---|---|---|---|---|
| Access | Access External IP | Any | Any | 80 | TCP | HTTP | Optional and not required |
| Access | Access External IP | Any | Any | 53 | UDP | DNS | Optional and not required |
| Access | Internet Clients | Any | Access External IP | 443 | TCP | SIP (TLS) | Client-to-server SIP traffic for external user access. Although clients will connect on 443 or 5061, LM clients connect to 443 only, so if you configured access on port 5061 you will need to configure LM clients statically. |
| Access | Internet Clients | Any | Access External IP | 5061 | TCP | SIP (MTLS) | For federated and public IM connectivity using SIP |
| Access | Internet Clients | Any | Any | 5061 | TCP | SIP (MTLS) | For federated and public IM connectivity using SIP |
| Web Conferencing | Internet Clients | Any | WebConf External IP | 443 | TCP | PSOM (TLS) | |
| A/V | A/V External IP | 50,000 - 59,999 | Any | Any | TCP | RTP | Required only for desktop sharing and/or federation with partners running Office Communications Server 2007 or Office Communications Server 2007 R2. Note that you do not need this port range if you will not use video/desktop sharing with federated partners. |
| A/V | A/V External IP | 50,000 - 59,999 | Any | Any | UDP | RTP | Required only for federation with partners still running Office Communications Server 2007 |
| A/V | Any | Any | A/V External IP | 50,000 - 59,999 | TCP | RTP | Required only for federation with partners still running Office Communications Server 2007. |
| A/V | Internet Clients | Any | A/V External IP | 3478 | UDP | STUN/MSTURN | |
| A/V | Internet Clients | Any | A/V External IP | 443 | TCP | STUN/MSTURN | |

For a scaled consolidated Edge deployment, use the above table and open only the ports required for each Edge role.
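To make the external rule set checkable rather than only readable, here is an added example (not part of the original wiki) that transcribes Table 1 into Python, answers whether a given flow would be permitted, and flags the rows the table marks optional or federation-only so they can be left closed when unused. The `Rule` class, the `federation` flag and the role/IP labels as Python strings are this example's own conventions.

```python
from dataclasses import dataclass

ANY = "Any"  # wildcard, as the tables use it


@dataclass(frozen=True)
class Rule:
    role: str
    src: str
    dst: str
    dport: tuple  # inclusive (low, high) destination port range
    proto: str
    app: str
    optional: bool = False  # rows the table marks "Optional and not required"


# Transcribed from Table 1 (external firewall, consolidated Edge); the
# rows whose notes say "required only for federation" carry the app "RTP".
EXTERNAL_RULES = [
    Rule("Access", "Access External IP", ANY, (80, 80), "TCP", "HTTP", True),
    Rule("Access", "Access External IP", ANY, (53, 53), "UDP", "DNS", True),
    Rule("Access", "Internet Clients", "Access External IP", (443, 443), "TCP", "SIP (TLS)"),
    Rule("Access", "Internet Clients", "Access External IP", (5061, 5061), "TCP", "SIP (MTLS)"),
    Rule("Web Conferencing", "Internet Clients", "WebConf External IP", (443, 443), "TCP", "PSOM (TLS)"),
    Rule("A/V", ANY, "A/V External IP", (50000, 59999), "TCP", "RTP"),
    Rule("A/V", "Internet Clients", "A/V External IP", (3478, 3478), "UDP", "STUN/MSTURN"),
    Rule("A/V", "Internet Clients", "A/V External IP", (443, 443), "TCP", "STUN/MSTURN"),
]


def match(rules, src, dst, dport, proto):
    """Return the first rule that permits the flow, or None if it is dropped."""
    for r in rules:
        if r.proto != proto:
            continue
        if r.src not in (ANY, src) or r.dst not in (ANY, dst):
            continue
        if r.dport[0] <= dport <= r.dport[1]:
            return r
    return None


def audit(rules, federation=False):
    """Least-privilege findings taken from the table notes: optional rows left
    open, and the federation-only RTP range open when you do not federate."""
    findings = []
    for r in rules:
        if r.optional:
            findings.append(f"optional row open: {r.app}/{r.proto} port {r.dport[0]}")
        if r.app == "RTP" and not federation:
            findings.append(f"RTP {r.dport[0]}-{r.dport[1]} open without federation")
    return findings
```

Running `audit(EXTERNAL_RULES)` on a deployment without federation reports the two optional rows and the RTP range as candidates to close; `match` lets you confirm that, for example, 80/TCP from Internet clients is not permitted by any row.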
Table 2 Internal Firewall Port Settings Required for Consolidated Edge Topology:

| Edge Role | Source | Source Port | Destination | Destination Port | Transport | Application | Notes |
|---|---|---|---|---|---|---|---|
| Access | Edge Internal IP | Any | Front End Pool VIP | 5061 | TCP | SIP (MTLS) | Destination will be the next hop server(s). When using multiple FEs this is the VIP; with a single FE it is the FE server (either Enterprise or Standard Edition). |
| Access | Front End IP (single FE deployment, ENT or STD) or FE VIP (when using HLB) | Any | Edge Internal IP | 5061 | TCP | SIP (MTLS) | |
| Web Conferencing | Front End IP (single FE deployment, ENT or STD) or FE VIP (when using HLB) | Any | Edge Internal IP | 8057 | TCP | PSOM (MTLS) | |
| A/V | Front End IP (single FE deployment, ENT or STD) or FE VIP (when using HLB) | Any | Edge Internal IP | 5062 | TCP | SIP (MTLS) | Include all Front End servers using this particular A/V authentication service. |
| A/V | Any | Media Port Range + 3478 | Edge Internal IP | Media Port Range + 3478 | UDP | STUN/MSTURN | In a peer-to-peer A/V conference the media is exchanged peer to peer; with one internal client and one external client, the internal client connects to the Edge internal interface and the media is relayed to the external client. For media port configuration, refer to the end of this wiki. |
| A/V | Any | Media Port Range + 443 | Edge Internal IP | Media Port Range + 443 | TCP | STUN/MSTURN | In a peer-to-peer A/V conference the media is exchanged peer to peer; with one internal client and one external client, the internal client connects to the Edge internal interface and the media is relayed to the external client. For media port configuration, refer to the end of this wiki. Keep in mind that you can configure either 3478 or 443, not both. |

For a scaled deployment, open those ports for the VIP.
Mediation Server:

| Source | Source Port | Destination | Destination Port | Transport | Application | Notes |
|---|---|---|---|---|---|---|
| Mediation FE Side IP | 5061 | Front End IP (single FE deployment, ENT or STD) or FE VIP (when using HLB) | 5061 | TCP | SIP (MTLS) | This is a two-way rule: communication flows from FE to Mediation for outbound calls and from Mediation to FE for inbound calls. |
| Mediation GW Side IP | 5060/5061 | Gateway IP | 5060/5061 | TCP | SIP (MTLS) | |
| Mediation GW Side IP | 60000-64000 | Gateway IP | 60000-64000 | TCP | RTCP/SRTP | |
| Mediation FE Side IP | 60000-64000 | Clients IP | 60000-64000 | TCP | RTCP/SRTP | |
| Mediation FE Side IP | 5062 | Edge Internal IP | 5062 | SIP/MTLS | MRAS | |
| Mediation FE Side IP | Any | Front End IP (single FE deployment, ENT or STD) or FE VIP (when using HLB) | 5062, 5064, 5069, 5071, 5072, 5073, 5074 | TCP | | This is to support RGS, telephony conferencing, QoE Agent, CAS and OVCS |

*** For telephony configuration and voice VLANs (Cisco or Avaya support), you will need to open the media port range (if configured) between the internal client IP range and the phone range; if no range is configured, you will need to open ports 1024 to 65535 for media exchange. ***
Exchange 2007/2010/2010 SP1 Server (the configuration has been validated in a live environment):

| Source | Source Port | Destination | Destination Port | Transport | Application | Notes |
|---|---|---|---|---|---|---|
| Internal Clients IP Range | 60000-64000 (or the media port range, if configured) | Exchange UM server IP | 5061, 5065, 5066 | TCP | RTCP/SRTP | This allows clients to dial voice mail and the UM attendant, if configured, in Enterprise Voice deployments. 5061 accepts connections and 5065 and 5066 handle the actual media traffic; more information here: http://autodiscover.wordpress.com/2010/12/30/exchange-exchange2010-a-deeper-look-to-the-um-worker-process-and-wp-recycling/ |
Table 3 Firewall Port Settings Required for Servers VLAN and Clients VLAN (the configuration has been validated in a live environment):

| Source | Source Port | Destination | Destination Port | Transport | Application | Notes |
|---|---|---|---|---|---|---|
| Internal Clients | 5061 | Front End IP (single FE deployment, ENT or STD) or FE VIP (when using HLB) | 5061 | TCP | SIP | |
| Internal Clients | 5062 | Front End IP (single FE deployment, ENT or STD) or FE VIP (when using HLB) | 5062 | TCP | | Used for incoming SIP listening requests for IM conferencing. |
| Internal Clients | 5063 | Front End IP (single FE deployment, ENT or STD) or FE VIP (when using HLB) | 5063 | TCP | | Used for incoming SIP listening requests for audio/video (A/V) conferencing. |
| Internal Clients | 5064 | Front End IP (single FE deployment, ENT or STD) or FE VIP (when using HLB) | 5064 | TCP | | Used for incoming SIP listening requests for telephony conferencing. |
| Internal Clients | 5065 | Front End IP (single FE deployment, ENT or STD) or FE VIP (when using HLB) | 5065 | TCP | | Used for incoming SIP listening requests for application sharing. |
| Internal Clients | 5071 | Front End IP (single FE deployment, ENT or STD) or FE VIP (when using HLB) | 5071 | TCP | | Used for incoming SIP listening requests for Response Group Service. |
| Internal Clients | 5072 | Front End IP (single FE deployment, ENT or STD) or FE VIP (when using HLB) | 5072 | TCP | | Used for incoming SIP listening requests for Conferencing Attendant. |
| Internal Clients | 5073 | Front End IP (single FE deployment, ENT or STD) or FE VIP (when using HLB) | 5073 | TCP | | Used for incoming SIP listening requests for Conferencing Announcement Service. |
| Internal Clients | 5074 | Front End IP (single FE deployment, ENT or STD) or FE VIP (when using HLB) | 5074 | TLS | | Used for incoming SIP listening requests for Outside Voice Control. |
| Any | 8057 | Front End IP (single FE deployment, ENT or STD) or FE VIP (when using HLB) | 8057 | TCP | PSOM | |
| Internal Clients | 443 | Front End IP (single FE deployment, ENT or STD) or FE VIP (when using HLB) | 443 | TCP | Conference Data/Metadata | |
| Internal Clients | 443 | Front End IP (single FE deployment, ENT or STD) or FE VIP (when using HLB) | 443 | STUN/TCP | Conference Data/Metadata | |
| Internal Clients | 60000-64000 | Front End IP (single FE deployment, ENT or STD) or FE VIP (when using HLB) | 60000-64000 | | SRTP/RTCP | |
| Internal Clients | 1024-65535 | Front End IP (single FE deployment, ENT or STD) or FE VIP (when using HLB) | 49152 to 65535 | TCP/UDP | RDP/RTCP | This range is used for media exchange. If you configured a media port range you do not need this range, only the media range; for more information about the media port range refer to the end of this wiki. |
| Internal Clients | 6891-6901 | Front End IP (single FE deployment, ENT or STD) or FE VIP (when using HLB) | 6891-6901 | TCP | | Port range used by Live Meeting for file transfer. |
| Internal Clients | 3478 | Front End IP (single FE deployment, ENT or STD) or FE VIP (when using HLB) | 3478 | UDP | STUN | |
Keep in mind that for A/V media exchange in the presence of an HLB, the connection has to be maintained with the server directly, meaning the connection (or rather the media) does not traverse the HLB.
Also, in a CWA desktop sharing session where a limited set of ports is applied, either deploy an Edge server so that CWA can use the internal Edge interface for media exchange, or you have to open the default media range.
You can change the default media ports using the pool settings; this affects A/V Conferencing and every application performing media exchange. Keep in mind that you have to maintain a minimum of 128 ports.
Office Communications Server Clients Media Range:
In OCS 2007 R2 you can configure clients to use a specific range of media ports to exchange media between clients and servers. To configure the OCS media port range, refer to the article below:
http://technet.microsoft.com/en-us/library/bb964029(office.12).aspx
Note: Keep in mind that the media port range applies only to peer-to-peer calls/communications; in conferencing scenarios the media port range does not apply. If you do not configure a media port range, clients will communicate using the Edge server.
In summary, you need at least 20 ports configured through the min/max port settings, which will be used by the clients for media exchange.
Discussion Items - Depending on how people want to use the wiki, I am creating this section for topics people want to discuss or clarify if they choose not to edit the content itself.
Lync Server 2010
The same content for Lync Server 2010 is here - http://social.technet.microsoft.com/wiki/contents/articles/lync-server-2010-firewall-port-settings.aspx