Ports and Protocols Requirement for Exchange and Lync Server Deployment

Very often we get confused in a new deployment project when we are running into multiple issues and tasks at once. The most confusing part is usually the port requirements for internal, external and related services. This is a consolidated document of the port requirements for a new deployment of on-premises Lync and Exchange servers.

Let's have a look at the Lync Server requirements first.

The following ports, for the respective protocol and direction, should be opened so that a Lync-enabled user has a hassle-free, fully featured experience.

Port            Protocol     Direction       Usage
5060/5061       TCP/UDP      Bidirectional   SIP
1434            UDP          Bidirectional   SQL servers
443             STUN/TCP     Outgoing        Audio, video and application sharing sessions
444             HTTPS/TCP    Bidirectional   Lync Front End server
443             PSOM/TLS     Outgoing        Data sharing sessions
3478            STUN/UDP     Outgoing        Audio, video sessions and desktop sharing
5223            TCP          Outgoing        Lync Mobile push notifications
50000-59999     RTP/UDP      Outgoing        Audio, video sessions
5067            TCP/TLS      Bidirectional   Incoming SIP requests for Mediation servers
57501-65535     TCP/UDP      Bidirectional   Video conferencing
8057,8058       TCP/TLS      Bidirectional   Front End Service

For remote access to work for IM and presence, SIP traffic must be allowed to flow bidirectionally. Hence the following ports need to be allowed:

• Ports 443 and 5061 from the Internet to the Access Edge external IP (bidirectional)
• Port 5061 from the Edge internal IP to the internal network (bidirectional)

The Edge server should be reachable from the Internet on ports 443, 3478 and 5061.
The reverse proxy requires port 443 to be opened.

For a mobile user outside the corporate network, the request hits the reverse proxy and is then forwarded to the Front End pool or Director. No user-level authentication is performed on the reverse proxy.

It is always recommended to deploy the Director server role for additional security: the Director offloads authentication from the Front End servers and provides an extra layer of protection against DoS attacks.

The Director must be in the same subnet as the Front End Servers, which reside in the private network; it should not be placed in the perimeter network.

The flow of mobile application requests for the Mobility Service is as follows:

All Lync sign-in requests from external users on mobile devices --> go through the reverse proxy server --> then to the Edge server --> and finally hit the Front End pool.

The Lync Server obtains the user's information from the Autodiscover service, which then returns all the web service URLs for the user's home pool, including the Mobility Service URLs.

Below is the list of additional features that require external access through a reverse proxy for users accessing them externally. Each of them should be validated once the deployment is complete.

1) Enabling external users to download meeting content for any meetings.
2) Enabling external users to expand distribution groups.
3) Enabling remote users to download files from the Address Book service.
4) Accessing the Microsoft Lync Web App client.
5) Accessing the Dial-in Conferencing Settings webpage.
6) Accessing the Location Information service.
7) Enabling external devices to connect to Device Update web service and obtain updates.

Now we will look at the port requirements for Exchange servers as well.

Port Requirements for Exchange On-premises Servers (applies to Exchange 2010 and 2013):

Port            Protocol     Direction       Usage
25              SMTP         Bidirectional   Sending and receiving email
50636           TCP          Bidirectional   Hub to Edge and vice versa (EdgeSync)
135             TCP/RPC      Outgoing        Hub to Mailbox via MAPI
80/443          HTTP/HTTPS   Bidirectional   Autodiscover
993             TCP          Incoming        IMAP
995/110         TCP          Incoming        POP3 (one of the two ports, depending on configuration)
5075-5077       TCP          Incoming        CAS to OCS communications
5061            TCP          Outgoing        CAS to OCS communications

For OWA and Outlook Anywhere, port 443 should be opened on the firewall.

For IMAP, port 993 should be opened on the firewall. Port 25 should be opened on the firewall for both internal and external Internet mail flow.

Most of the port requirements for Lync and Exchange deployments have been listed above. Feel free to comment or correct anything that needs to be added or corrected.
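As an added example (not code from the original post), here is a small Python checker that parses rows written in the notation of the two tables above, expands the port notation (5060/5061, 8057,8058, 50000-59999) and the protocol column into concrete port and transport sets, and reports which required ports a firewall allow-list does not cover. The REQUIREMENTS subset and the ALLOWED allow-list are constructed for illustration; a real allow-list would be exported from the firewall.

```python
import re
# Constructed subset of the tables above, same "port protocol direction usage" layout.
REQUIREMENTS = """
5060/5061    TCP/UDP    Bidirectional   For SIP
443          HTTPS/TCP  Bidirectional   Reverse proxy / web services
50000-59999  RTP/UDP    Outgoing        Audio, video sessions
8057,8058    TCP/TLS    Bidirectional   Front End Service
993          TCP        Incoming        IMAP
"""

def expand_ports(spec):
    """Expand the table's port notation: '5060/5061', '8057,8058', '50000-59999'."""
    ports = set()
    for part in re.split(r"[,/]", spec):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    return ports

def transports(proto):
    """Reduce the protocol column to the L4 transport a firewall actually filters."""
    tokens = [t.upper() for t in proto.split("/")]
    if "TCP" in tokens and "UDP" in tokens:
        return {"tcp", "udp"}
    if tokens[-1] == "UDP":          # STUN/UDP, RTP/UDP
        return {"udp"}
    return {"tcp"}                   # TCP, TLS, HTTPS, SMTP, RPC and PSOM all ride on TCP

def parse_requirements(text):
    # Yields (ports, transports, direction, usage) per table row; non-rows are skipped.
    for line in text.strip().splitlines():
        m = re.match(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.+)$", line.strip())
        if m:
            spec, proto, direction, usage = m.groups()
            yield expand_ports(spec), transports(proto), direction.lower(), usage

def find_gaps(text, allowed):
    """One message per (row, transport) whose required ports the allow-list lacks."""
    gaps = []
    for ports, trans, direction, usage in parse_requirements(text):
        for t in sorted(trans):
            missing = sorted(ports - allowed.get(t, set()))
            if missing:
                shown = f"{missing[0]}-{missing[-1]}" if len(missing) > 1 else str(missing[0])
                gaps.append(f"{t}/{shown} ({direction}) not allowed: {usage}")
    return gaps

# Constructed allow-list (hypothetical), as if exported from the perimeter firewall.
ALLOWED = {"tcp": {25, 443, 5061, 8057}, "udp": {5060, 5061} | set(range(50000, 60000))}
```

Running `find_gaps(REQUIREMENTS, ALLOWED)` on the constructed data flags TCP 5060 (SIP), TCP 8058 (Front End Service) and TCP 993 (IMAP) as missing, which is the kind of check worth running against the real firewall export before go-live.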

References:

http://technet.microsoft.com/en-us/library/gg398833.aspx

http://technet.microsoft.com/en-us/library/bb331973.aspx

http://support.microsoft.com/kb/2409256#VerifyNetworkRequirements

http://support.microsoft.com/kb/2423848

http://technet.microsoft.com/en-us/library/gg425727