Share via


OCS 2007 R2 Firewall Port Settings

The below tables lists all of the required ports to be configured in server to server and server to server communication required to be configured in strict ports Infrastructure (we added after each section title notification about its validation in live environment, we will make our best to validate the configuration of all of the sections):

Edge Server Ports requirements:

Table 1   External Firewall Ports Settings Required for Consolidated Edge Topology

Edge Role

Source 
IP Address

Source  Port

Destination 
IP Address

Destination Port

Transport

Application

Notes

Access

Access External IP

Any

Any

80

TCP

HTTP

 Optional and Not required

Access

Access External IP

Any

Any

53

UDP

DNS

 Optional and Not required

Access

Internet Clients

Any

Access External IP

443

TCP

SIP (TLS)

Client to server SIP traffic for external user access

Although clients will connect on 443 or 5061, LM clients will connect to 443 only so if you configured access on port 5061 you will need to configure LM clients staticly.

Access

Internet Clients

Any

Access External IP

5061

TCP

SIP (MTLS)

For federated and public IM connectivity using SIP

Access

Internet Clients

Any

Any

5061

TCP

SIP (MTLS)

For federated and public IM connectivity using SIP

Web Conferencing

Internet Clients

Any

WebConf External IP

443

TCP

PSOM (TLS)

 

A/V

A/V External IP

50,000 - 59,999

Any

Any

TCP

RTP

Required only for desktop sharing and/or federation with partners running Office Communications Server 2007 or Office Communications Server 2007 R2.

Please not that you don't need that ports range if you will not use Video/Desktop Sharing with federated partners

A/V

A/V External IP

50,000 - 59,999

Any

Any

UDP

RTP

Required only for federation with partners still running Office Communications Server 2007

A/V

Any

Any

A/V External IP

50,000 - 59,999

TCP

RTP

Required only for federation with partners still running Office Communications Server 2007.

A/V

Internet Clients

Any

A/V External IP

3478

UDP

STUN/MSTURN

A/V

Internet Clients

Any

A/V External IP

443

TCP

STUN/MSTURN

 

 

for scaled consolidated Edge Deployment use the above table and open only required ports for each Edge.

 

Table 2 Internal Firewall Ports Settings Required for Consolidated Edge Topology:

 

Edge Role

Source 
IP Address

Source  Port

Destination 
IP Address

Destination Port

Transport

Application

Notes

Access

Edge Internal IP

Any

Front End Pool VIP

5061

TCP

SIP (MTLS)

Destination will be the Next Hop server(s). In the case of the using Multiple FEs this will be the VIP, if single FE this will be the FE Server (either ENT or STD Edition)

Access

Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB

Any

Edge Internal IP

5061

TCP

SIP (MTLS)

Web Conferencing

Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB

Any

Edge Internal IP

8057

TCP

PSOM (MTLS)

A/V

Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB

Any

Edge Internal IP

5062

TCP

SIP (MTLS)

Include all front end servers using this particular A/V authentication service.

A/V

Any

Media Ports Range + 3478

Edge Internal IP

Media Ports Range + 3478

UDP

STUN/MSTURN

in peer to peer A/Conference, the media is Exchanged peer to peer, in case 1 internal Client and 1 External Client then Internal Client connects to Edge Internal Interface and this is relayed to the External Client, Reference

for Media ports configuration refer to the end of this wiki

A/V

Any

Media Ports Range + 443

Edge Internal IP

Media Ports Range + 443

TCP

STUN/MSTURN

in peer to peer A/Vconference, the media is Exchanged peer to peer, in case 1 internal Client and 1 External Client then Internal Client connects to Edge Internal Interface and this is relayed to the External Client, Reference.

for Media ports configuration refer to the end of this wiki

Keep in mind that you can configure either 3478 or 443 not both.

 

and for scaled deployment open those ports for the VIP.

Mediation Server:

Source 
IP Address

Source  Port

Destination 
IP Address

Destination Port

Transport

Application

Notes

Mediation FE Side IP

5061

Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB

5061

TCP

SIP (MTLS)

This is 2 Way rule communcation is flowing from FE to mediation for outbound calls and from mediation to FE in inbound calls.

Mediation GW Side IP

5060/5061

Gateway IP

5060/5061

TCP

SIP (MTLS)

Mediation GW Side IP

60000-64000

Gateway IP

60000-64000

TCP

RTCP/SRTP

Mediation FE Side IP

60000-64000

Clients IP

60000-64000

TCP

RTCP/SRTP

Mediation FE Side IP

5062

Edge Internal IP

5062

SIP/MTLS

MRAS

Mediation FE Side IP

Any

Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB

5062.5064,5069,5071,5072,5073,5074

TCP This is to support RGS, telephony conferencing, QoE Agent, CAS and OVCS

 

*** for Telephony configuration and Voice VLANs (Cisco or Avaya support), you will need to open media ports range (if configured) between Internal IP Clients Range and Phones Range, if not configured you will need to open ports range 1024 to 65535 for media exchange.***

Exchange 2007/2010/2010 SP1 Server (The Configuration has been validated in live environment) :

Source 
IP Address

Source  Port

Destination 
IP Address

Destination Port

Transport

Application

Notes

Internal Clients IP Range

60000-64000 (or Media port Range if configured

Exchange UM server IP

5061,5065,5066

TCP

RTCP/SRTP

 This is to allow clients to dial to voice mail
 and UM attendant if configured in Enterprise
Voice Deployments, 5061 accepts connections
 and 5065 and 5066 handles actual media traffic,
 more information here
http://autodiscover.wordpress.com/2010/12/30/exchange-exchange2010-a-deeper-look-to-the-um-worker-process-and-wp-recycling/

 

Table 3    Firewall Ports Settings Required for Servers VLAN and Clients VLAN (The Configuration has been validated in live environment):

 

Source 
IP Address

Source  Port

Destination 
IP Address

Destination Port

Transport

Application

Notes

Internal Clients

5061

Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB

5061

TCP

  SIP

Internal Clients

5062

Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB

5062

TCP

 

Used for incoming SIP listening requests for IM conferencing.

Internal Clients

5063

Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB

5063

TCP

 

Used for incoming SIP listening requests for audio/video (A/V) conferencing.

Internal Clients

5064

Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB

5064

TCP

 

Used for incoming SIP listening requests for telephony conferencing.

Internal Clients

5065

Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB

5065

TCP

 

Used for incoming SIP listening requests for application sharing.

Internal Clients

5071

Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB

5071

TCP

 

Used for incoming SIP listening requests for Response Group Service.

Internal Clients

5072

Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB

5072

TCP

 

Used for incoming SIP listening requests for Conferencing Attendant.

Internal Clients

5073

Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB

5073

TCP

 

Used for incoming SIP listening requests for Conferencing Announcement Service.

Internal Clients

5074

Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB

5074

TLS

 

Used for incoming SIP listening requests for Outside Voice Control.

Any

8057

Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB

8057

TCP

PSOM

 

Internal Clients

443

Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB

443

TCP

Conference Data/Metadata

 

Internal Clients

443

Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB

443

STUN/TCP

Conference Data/Metadata

 

Internal Clients

60000-64000

Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB

60000-64000

SRTP/RTCP

 

 

Internal Clients

1024-65535

Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB

49152 to 65535

TCP/UDP

RDP/RTCP

 This range is used for media exchange, if you configured media port range then you don't need that range and need the media range only, for more information about media ports range refer to the end of this wiki.

Internal Clients

6891-6901

Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB

6891-6901

TCP

Port range used by Live Meeting for file transfer.

 

Internal Clients

3478

Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB

3478

UDP

STUN

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

keep in mind in A/V media exchange and in presence of HLB the connection has to be maintained on the server directly meaning the connection or shall we say media does not traverse HLB.
also in CWA desktop sharing session scenario where limited ports is applied either you deploy EDGE server in order to CWA utilize internal Edge interface for Media Exchange otherwise you have to open default media range
You can change the default media ports using pool settings, this affects A/V Conferencing and all application performing media exchange , keep in mind you have to maintain minimum 128 ports

  
Office Communication Server Clients Media Range:

in OCS 2007 R2, you can configure clients to use specific range of media ports to exchange media between clients and servers, to configure OCS media ports range refer to the below articles

http://blogs.technet.com/b/drrez/archive/2010/09/27/limit-media-ports-in-office-communications-server-2007-r2-devices.aspx

http://technet.microsoft.com/en-us/library/bb964029(office.12).aspx

Note: Please keep in mind that port media range is only for peer to peer calls/communications, in conferencing scenario port media range doesn't apply. if you don't configure media port range, clients will communicate using the edge server.

in summary you need at least 20 ports to be configured using the min/max ports configuration which will be used by the clients for media exchange.

Discussion Items - Depending on how people want to use the wiki, I am creating this section for topics people want to discuss or clarify if they choose not to edit the content itself.

 

Lync Server 2010

The same content for Lync Server 2010 is here - http://social.technet.microsoft.com/wiki/contents/articles/lync-server-2010-firewall-port-settings.aspx