Share via


Ports and protocols for internal servers in Lync Server 2013

 

Topic Last Modified: 2016-04-06

This section summarizes the ports and protocols used by servers, load balancers, and clients in a Lync Server deployment.

Important

Lync and Communicator clients when involved in a one to one communication, is often referred to as peer-to-peer. Technically, the two clients are communicating in a one to one conversation, with the Instant Messaging multipoint control unit (IMMCU) in the middle. The IMMCU is a component of Front End Server. Placing the IMMCU in the required communication workflow allows call detail recording and other features that the Front End Server enables. Communication is from a dynamic source port on the client to the Front End Server port TLS/TCP/5061 (assuming the use of the recommended transport layer security). By design, peer-to-peer communication (as well as multi-party IM) is possible only when Lync Server and the IMMCU is active and available.

Port and Protocol Details

Note

Windows Firewall must be running before you start the Lync Server services on a server, because that is when Lync Server opens the required ports in the firewall.

For details about firewall configuration for edge components, see Determine external A/V firewall and port requirements for Lync Server 2013.

The following table lists the ports that need to be open on each internal server role.

Required Server Ports (by Server Role)

Server role Service name Port Protocol Notes

All Servers

SQL Browser

1434

UDP

SQL Browser for the local replicated copy of the Central Management Store database.

Front End Servers

Lync Server Front-End service

5060

TCP

Optionally used by Standard Edition servers and Front End Servers for static routes to trusted services, such as remote call control servers.

Front End Servers

Lync Server Front-End service

5061

TCP (TLS)

Used by Standard Edition servers and Front End pools for all internal SIP communications between servers (MTLS), for SIP communications between Server and Client (TLS) and for SIP communications between Front End Servers and Mediation Servers (MTLS). Also used for communications with Monitoring Server.

Front End Servers

Lync Server Front-End service

444

HTTPS

TCP

Used for HTTPS communication between the Focus (the Lync Server component that manages conference state) and the individual servers.

This port is also used for TCP communication between Survivable Branch Appliances and Front End Servers.

Front End Servers

Lync Server Front-End service

135

DCOM and remote procedure call (RPC)

Used for DCOM based operations such as Moving Users, User Replicator Synchronization, and Address Book Synchronization.

Front End Servers

Lync Server IM Conferencing service

5062

TCP

Used for incoming SIP requests for instant messaging (IM) conferencing.

Front End Servers

Lync Server Web Conferencing service

8057

TCP (TLS)

Used to listen for Persistent Shared Object Model (PSOM) connections from client.

Front End Servers

Lync Server Web Conferencing Compatibility service

8058

TCP (TLS)

Used to listen for Persistent Shared Object Model (PSOM) connections from the Live Meeting client and previous versions of Lync Server.

Front End Servers

Lync Server Audio/Video Conferencing service

5063

TCP

Used for incoming SIP requests for audio/video (A/V) conferencing.

Front End Servers

Lync Server Audio/Video Conferencing service

57501-65535

TCP/UDP

Media port range used for video conferencing.

Front End Servers

Lync Server Web Compatibility service

80

HTTP

Used for communication from Front End Servers to the web farm FQDNs (the URLs used by IIS web components) when HTTPS is not used.

Front End Servers

Lync Server Web Compatibility service

443

HTTPS

Used for communication from Front End Servers to the web farm FQDNs (the URLs used by IIS web components).

Front End Servers

Lync Server Web Compatibility service

8080

TCP and HTTP

Used by web components for external access.

Front End Servers

Web server component

4443

HTTPS

HTTPS (from Reverse Proxy) and HTTPS Front End inter-pool communications for Autodiscover sign-in.

Front End Servers

Web server component

8060

TCP (MTLS)

Front End Servers

Web server component

8061

TCP (MTLS)

Front End Servers

Mobility Services component

5086

TCP (MTLS)

SIP port used by Mobility Services internal processes

Front End Servers

Mobility Services component

5087

TCP (MTLS)

SIP port used by Mobility Services internal processes

Front End Servers

Mobility Services component

443

HTTPS

Front End Servers

Lync Server Conferencing Attendant service (dial-in conferencing)

5064

TCP

Used for incoming SIP requests for dial-in conferencing.

Front End Servers

Lync Server Conferencing Attendant service (dial-in conferencing)

5072

TCP

Used for incoming SIP requests for Attendant (dial in conferencing).

Front End Servers that also run a Collocated Mediation Server

Lync Server Mediation service

5070

TCP

Used by the Mediation Server for incoming requests from the Front End Server to the Mediation Server.

Front End Servers that also run a Collocated Mediation Server

Lync Server Mediation service

5067

TCP (TLS)

Used for incoming SIP requests from the PSTN gateway to the Mediation Server.

Front End Servers that also run a Collocated Mediation Server

Lync Server Mediation service

5068

TCP

Used for incoming SIP requests from the PSTN gateway to the Mediation Server.

Front End Servers that also run a Collocated Mediation Server

Lync Server Mediation service

5081

TCP

Used for outgoing SIP requests from the Mediation Server to the PSTN gateway.

Front End Servers that also run a Collocated Mediation Server

Lync Server Mediation service

5082

TCP (TLS)

Used for outgoing SIP requests from the Mediation Server to the PSTN gateway.

Front End Servers

Lync Server Application Sharing service

5065

TCP

Used for incoming SIP listening requests for application sharing.

Front End Servers

Lync Server Application Sharing service

49152-65535

TCP

Media port range used for application sharing.

Front End Servers

Lync Server Conferencing Announcement service

5073

TCP

Used for incoming SIP requests for the Lync Server Conferencing Announcement service (that is, for dial-in conferencing).

Front End Servers

Lync Server Call Park service

5075

TCP

Used for incoming SIP requests for the Call Park application.

Front End Servers

Lync Server Audio Test service

5076

TCP

Used for incoming SIP requests for the Audio Test service.

Front End Servers

Not applicable

5066

TCP

Used for outbound Enhanced 9-1-1 (E9-1-1) gateway.

Front End Servers

Lync Server Response Group service

5071

TCP

Used for incoming SIP requests for the Response Group application.

Front End Servers

Lync Server Response Group service

8404

TCP (MTLS)

Used for incoming SIP requests for the Response Group application.

Front End Servers

Lync Server Bandwidth Policy Service

5080

TCP

Used for call admission control by the Bandwidth Policy service for A/V Edge TURN traffic.

Front End Servers

Lync Server Bandwidth Policy Service

448

TCP

Used for call admission control by the Lync Server Bandwidth Policy Service.

Front End Servers where the Central Management store resides

Lync Server Master Replicator Agent service

445

TCP

Used to push configuration data from the Central Management store to servers running Lync Server.

All Servers

SQL Browser

1434

UDP

SQL Browser for local replicated copy of Central Management store data in local SQL Server instance

All internal servers

Various

49152-57500

TCP/UDP

Media port range used for audio conferencing on all internal servers. Used by all servers that terminate audio: Front End Servers (for Lync Server Conferencing Attendant service, Lync Server Conferencing Announcement service, and Lync Server Audio/Video Conferencing service), and Mediation Server.

Office Web Apps Servers

443

Used by Lync Server 2013 to connect to Office Web Apps Server.

Directors

Lync Server Front-End service

5060

TCP

Optionally used for static routes to trusted services, such as remote call control servers.

Directors

Lync Server Front-End service

444

HTTPS

TCP

Inter-server communication between Front End and Director. Additionally, client certificate publish (to Front End Servers) or validate if the client certificate has already been published.

Directors

Lync Server Web Compatibility service

80

TCP

Used for initial communication from Directors to the web farm FQDNs (the URLs used by IIS web components). In normal operation, will switch to HTTPS traffic, using port 443 and protocol type TCP.

Directors

Lync Server Web Compatibility service

443

HTTPS

Used for communication from Directors to the web farm FQDNs (the URLs used by IIS web components).

Directors

Lync Server Front-End service

5061

TCP

Used for internal communications between servers and for client connections.

Mediation Servers

Lync Server Mediation service

5070

TCP

Used by the Mediation Server for incoming requests from the Front End Server.

Mediation Servers

Lync Server Mediation service

5067

TCP (TLS)

Used for incoming SIP requests from the PSTN gateway.

Mediation Servers

Lync Server Mediation service

5068

TCP

Used for incoming SIP requests from the PSTN gateway.

Mediation Servers

Lync Server Mediation service

5070

TCP (MTLS)

Used for SIP requests from the Front End Servers.

Persistent Chat Front End Server

Persistent Chat SIP

5041

TCP (MTLS)

Persistent Chat Front End Server

Persistent Chat Windows Communication Foundation (WCF)

881

TCP (TLS) and TCP (MTLS)

Persistent Chat Front End Server

Persistent Chat File Transfer Service

443

TCP (TLS)

Note

Some remote call control scenarios require a TCP connection between the Front End Server or Director and the PBX. Although Lync Server no longer uses TCP port 5060, during remote call control deployment you create a trusted server configuration, which associates the RCC Line Server FQDN with the TCP port that the Front End Server or Director will use to connect to the PBX system. For details, see the CsTrustedApplicationComputer cmdlet in the Lync Server Management Shell documentation.

For your pools that use only hardware load balancing (not DNS load balancing), the following table shows the ports that need to open the hardware load balancers.

Hardware Load Balancer Ports if Using Only Hardware Load Balancing

Load Balancer Port Protocol

Front End Server load balancer

5061

TCP (TLS)

Front End Server load balancer

444

HTTPS

Front End Server load balancer

135

DCOM and remote procedure call (RPC)

Front End Server load balancer

80

HTTP

Front End Server load balancer

8080

TCP - Client and device retrieval of root certificate from Front End Server – clients and devices authenticated by NTLM

Front End Server load balancer

443

HTTPS

Front End Server load balancer

4443

HTTPS (from reverse proxy)

Front End Server load balancer

5072

TCP

Front End Server load balancer

5073

TCP

Front End Server load balancer

5075

TCP

Front End Server load balancer

5076

TCP

Front End Server load balancer

5071

TCP

Front End Server load balancer

5080

TCP

Front End Server load balancer

448

TCP

Mediation Server load balancer

5070

TCP

Front End Server load balancer (if the pool also runs Mediation Server)

5070

TCP

Director load balancer

443

HTTPS

Director load balancer

444

HTTPS

Director load balancer

5061

TCP

Director load balancer

4443

HTTPS (from reverse proxy)

Your Front End pools and Director pools that use DNS load balancing also must have a hardware load balancer deployed. The following table shows the ports that need to be open on these hardware load balancers.

Hardware Load Balancer Ports if Using DNS Load Balancing

Load Balancer Port Protocol

Front End Server load balancer

80

HTTP

Front End Server load balancer

443

HTTPS

Front End Server load balancer

8080

TCP - Client and device retrieval of root certificate from Front End Server – clients and devices authenticated by NTLM

Front End Server load balancer

4443

HTTPS (from reverse proxy)

Director load balancer

443

HTTPS

     

Director load balancer

4443

HTTPS (from reverse proxy)

Required Client Ports

Component Port Protocol Notes

Clients

67/68

DHCP

Used by Lync Server to find the Registrar FQDN (that is, if DNS SRV fails and manual settings are not configured).

Clients

443

TCP (TLS)

Used for client-to-server SIP traffic for external user access.

Clients

443

TCP (PSOM/TLS)

Used for external user access to web conferencing sessions.

Clients

443

TCP (STUN/MSTURN)

Used for external user access to A/V sessions and media (TCP)

Clients

3478

UDP (STUN/MSTURN)

Used for external user access to A/V sessions and media (UDP)

Clients

5061

TCP (MTLS)

Used for client-to-server SIP traffic for external user access.

Clients

6891-6901

TCP

Used for file transfer between Lync clients and previous clients (clients of Microsoft Office Communications Server 2007 R2, Microsoft Office Communications Server 2007, and Live Communications Server 2005).

Clients

1024-65535 *

TCP/UDP

Audio port range (minimum of 20 ports required)

Clients

1024-65535 *

TCP/UDP

Video port range (minimum of 20 ports required).

Clients

1024-65535 *

TCP

Peer-to-peer file transfer (for conferencing file transfer, clients use PSOM).

Clients

1024-65535 *

TCP

Application sharing.

Aastra 6721ip common area phone

Aastra 6725ip desk phone

HP 4110 IP Phone (common area phone)

HP 4120 IP Phone (desk phone)

Polycom CX500 IP common area phone

Polycom CX600 IP desk phone

Polycom CX700 IP desk phone

Polycom CX3000 IP conference phone

67/68

DHCP

Used by the listed devices to find the Lync Server certificate, provisioning FQDN, and Registrar FQDN.

* To configure specific ports for these media types, use the CsConferencingConfiguration cmdlet (ClientMediaPortRangeEnabled, ClientMediaPort, and ClientMediaPortRange parameters).

Note

The set programs for Lync clients automatically create the required operating-system firewall exceptions on the client computer.

Note

The ports that are used for external user access are required for any scenario in which the client must traverse the organization’s firewall (for example, any external communications or meetings hosted by other organizations).