Ports and Protocols for Internal Servers
Topic Last Modified: 2013-06-04
This section summarizes the ports and protocols used by servers, load balancers, and clients in a Microsoft Lync Server 2010 communications software deployment.
Important
One-to-one communication between Lync and Communicator clients is often referred to as peer-to-peer. Technically, the two clients are communicating in a one-to-one conversation with the Instant Messaging multipoint control unit (IMMCU) in the middle. The IMMCU is a component of the Front End Server. Placing the IMMCU in the required communication workflow allows call detail recording and other features that the Front End Server enables. Communication is from a dynamic source port on the client to the Front End Server port TLS/TCP/5061 (assuming the use of the recommended Transport Layer Security). By design, peer-to-peer communication (as well as multi-party IM) is possible only when Lync Server and the IMMCU are active and available.
Port and Protocol Details
Note
Windows Firewall must be running before you start the Lync Server 2010 services on a server, because that is when Lync Server opens the required ports in the firewall.
For details about firewall configuration for edge components, see Determining External A/V Firewall and Port Requirements.
The following table lists the ports that need to be open on each internal server role.
Required Server Ports (by Server Role)
Server role | Service name | Port | Protocol | Notes |
---|---|---|---|---|
Front End Servers | Lync Server Front-End service | 5060 | TCP | Optionally used by Standard Edition servers and Front End Servers for static routes to trusted services, such as remote call control servers. |
Front End Servers | Lync Server Front-End service | 5061 | TCP (TLS) | Used by Standard Edition servers and Front End pools for all internal SIP communications between servers (MTLS), for SIP communications between Server and Client (TLS) and for SIP communications between Front End Servers and Mediation Servers (MTLS). Also used for communications with Monitoring Server. |
Front End Servers | Lync Server Front-End service | 444 | HTTPS TCP | Used for HTTPS communication between the Focus (the Lync Server component that manages conference state) and the individual servers. This port is also used for TCP communication between Front End Servers and Survivable Branch Appliances. Additionally, if a Director is present, client certificates are published and validated (that is, if already published). If no Director is present, the client updates and validates directly. |
Front End Servers | Lync Server Front-End service | 135 | DCOM and remote procedure call (RPC) | Used for DCOM based operations such as Moving Users, User Replicator Synchronization, and Address Book Synchronization. |
Front End Servers | Lync Server IM Conferencing service | 5062 | TCP | Used for incoming SIP requests for instant messaging (IM) conferencing. |
Front End Servers | Lync Server Web Conferencing service | 8057 | TCP (TLS) | Used to listen for Persistent Shared Object Model (PSOM) connections from client. |
Front End Servers | Lync Server Web Conferencing Compatibility service | 8058 | TCP (TLS) | Used to listen for Persistent Shared Object Model (PSOM) connections from the Live Meeting client and previous versions of Communicator. |
Front End Servers | Lync Server Audio/Video Conferencing service | 5063 | TCP | Used for incoming SIP requests for audio/video (A/V) conferencing. |
Front End Servers | Lync Server Audio/Video Conferencing service | 57501-65535 | TCP/UDP | Media port range used for video conferencing. |
Front End Servers | Lync Server Web Compatibility service | 80 | HTTP | Used for communication from Front End Servers to the web farm FQDNs (the URLs used by IIS web components) when HTTPS is not used. |
Front End Servers | Lync Server Web Compatibility service | 443 | HTTPS | Used for communication from Front End Servers to the web farm FQDNs (the URLs used by IIS web components). |
Front End Servers | Lync Server Conferencing Attendant service (dial-in conferencing) | 5064 | TCP | Used for incoming SIP requests for dial-in conferencing. |
Front End Servers | Lync Server Conferencing Attendant service (dial-in conferencing) | 5072 | TCP | Used for incoming SIP requests for Microsoft Lync 2010 Attendant (dial in conferencing). |
Front End Servers that also run a Collocated Mediation Server | Lync Server Mediation service | 5070 | TCP | Used by the Mediation Server for incoming requests from the Front End Server to the Mediation Server. |
Front End Servers that also run a Collocated Mediation Server | Lync Server Mediation service | 5067 | TCP (TLS) | Used for incoming SIP requests from the PSTN gateway to the Mediation Server. |
Front End Servers that also run a Collocated Mediation Server | Lync Server Mediation service | 5068 | TCP | Used for incoming SIP requests from the PSTN gateway to the Mediation Server. |
Front End Servers that also run a Collocated Mediation Server | Lync Server Mediation service | 5081 | TCP | Used for outgoing SIP requests from the Mediation Server to the PSTN gateway. |
Front End Servers that also run a Collocated Mediation Server | Lync Server Mediation service | 5082 | TCP (TLS) | Used for outgoing SIP requests from the Mediation Server to the PSTN gateway. |
Front End Servers | Lync Server Application Sharing service | 5065 | TCP | Used for incoming SIP listening requests for application sharing. |
Front End Servers | Lync Server Application Sharing service | 49152-65535 | TCP | Media port range used for application sharing. |
Front End Servers | Lync Server Conferencing Announcement service | 5073 | TCP | Used for incoming SIP requests for the Lync Server Conferencing Announcement service (that is, for dial-in conferencing). |
Front End Servers | Lync Server Call Park service | 5075 | TCP | Used for incoming SIP requests for the Call Park application. |
Front End Servers | Lync Server Audio Test service | 5076 | TCP | Used for incoming SIP requests for the Audio Test service. |
Front End Servers | Not applicable | 5066 | TCP | Used for outbound Enhanced 9-1-1 (E9-1-1) gateway. |
Front End Servers | Lync Server Response Group service | 5071 | TCP | Used for incoming SIP requests for the Response Group application. |
Front End Servers | Lync Server Response Group service | 8404 | TCP (MTLS) | Used for incoming SIP requests for the Response Group application. |
Front End Servers | Lync Server Bandwidth Policy Service | 5080 | TCP | Used for call admission control by the Bandwidth Policy service for A/V Edge TURN traffic. |
Front End Servers | Lync Server Bandwidth Policy Service | 448 | TCP | Used for call admission control by the Lync Server Bandwidth Policy Service. |
Front End Servers where the Central Management store resides | Lync Server Master Replicator Agent service | 445 | TCP | Used to push configuration data from the Central Management store to servers running Lync Server. |
All Servers | SQL Browser | 1434 | UDP | SQL Browser for local replicated copy of Central Management store data in local SQL Server instance. |
All internal servers | Various | 49152-57500 | TCP/UDP | Media port range used for audio conferencing on all internal servers. Used by all servers that terminate audio: Front End Servers (for Lync Server Conferencing Attendant service, Lync Server Conferencing Announcement service, and Lync Server Audio/Video Conferencing service), and Mediation Server. |
Directors | Lync Server Front-End service | 5060 | TCP | Optionally used for static routes to trusted services, such as remote call control servers. |
Directors | Lync Server Front-End service | 444 | HTTPS TCP | Inter-server communication between Front End and Director. Additionally, client certificate publish (to Front End Servers) or validate if the client certificate has already been published. |
Directors | Lync Server Web Compatibility service | 80 | TCP | Used for initial communication from Directors to the web farm FQDNs (the URLs used by IIS web components). In normal operation, will switch to HTTPS traffic, using port 443 and protocol type TCP. |
Directors | Lync Server Web Compatibility service | 443 | HTTPS | Used for communication from Directors to the web farm FQDNs (the URLs used by IIS web components). |
Directors | Lync Server Front-End service | 5061 | TCP | Used for internal communications between servers and for client connections. |
Mediation Servers | Lync Server Mediation service | 5070 | TCP | Used by the Mediation Server for incoming requests from the Front End Server. |
Mediation Servers | Lync Server Mediation service | 5067 | TCP (TLS) | Used for incoming SIP requests from the PSTN gateway. |
Mediation Servers | Lync Server Mediation service | 5068 | TCP | Used for incoming SIP requests from the PSTN gateway. |
Mediation Servers | Lync Server Mediation service | 5070 | TCP (MTLS) | Used for SIP requests from the Front End Servers. |
Note
Some remote call control scenarios require a TCP connection between the Front End Server or Director and the PBX. Although Lync Server 2010 no longer uses TCP port 5060, during remote call control deployment you create a trusted server configuration, which associates the RCC Line Server FQDN with the TCP port that the Front End Server or Director will use to connect to the PBX system. For details, see the CsTrustedApplicationComputer cmdlet in the Lync Server Management Shell documentation.
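
A baseline check built from the Front End rows of the Required Server Ports table above, as an added example that is not part of the original documentation: it parses a `netstat -ano` capture and separates listeners on the table's fixed ports, listeners inside the media ranges, and listeners the table does not account for. The `listeners` and `audit` functions, the `hosts_cms` flag, and the sample capture are constructed for illustration.

```python
import re

# Front End Server rows of the "Required Server Ports" table; assumption: no
# collocated Mediation Server, so those rows are left out.
FIXED = {
    "TCP": {80, 135, 443, 444, 448, 5060, 5061, 5062, 5063, 5064, 5065, 5066,
            5071, 5072, 5073, 5075, 5076, 5080, 8057, 8058, 8404},
    "UDP": {1434},  # SQL Browser, "All Servers" row
}
# Media rows: audio 49152-57500, video 57501-65535, app sharing 49152-65535. Also
# the Windows default dynamic range, so confirm these listeners by PID, not port.
MEDIA_RANGE = range(49152, 65536)
LINE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+\s+(?:(\w+)\s+)?(\d+)\s*$")

def listeners(netstat_text):
    """Map (proto, port) -> PID for TCP LISTENING and bound UDP sockets."""
    found = {}
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if m and (m.group(1) == "UDP" or m.group(3) == "LISTENING"):
            found[(m.group(1), int(m.group(2)))] = int(m.group(4))
    return found

def audit(netstat_text, hosts_cms=False):
    """Classify listeners against the table; hosts_cms adds the TCP 445 row."""
    fixed = {proto: set(ports) for proto, ports in FIXED.items()}
    if hosts_cms:
        fixed["TCP"].add(445)  # Central Management store replication
    seen = listeners(netstat_text)
    report = {"fixed": [], "media_range": [], "unexpected": []}
    for (proto, port), pid in sorted(seen.items()):
        key = ("fixed" if port in fixed[proto]
               else "media_range" if port in MEDIA_RANGE else "unexpected")
        report[key].append((proto, port, pid))
    report["not_listening"] = sorted(
        (p, n) for p in fixed for n in fixed[p] if (p, n) not in seen)
    return report

# Constructed `netstat -ano` excerpt (not from a real host).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1104
  TCP    10.0.0.5:5061          0.0.0.0:0              LISTENING       2344
  TCP    10.0.0.5:5061          10.0.0.77:50112        ESTABLISHED     2344
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    0.0.0.0:49160          0.0.0.0:0              LISTENING       580
  UDP    0.0.0.0:1434           *:*                                    1820
"""
```

Entries under `unexpected` are listeners the table gives no reason for on this role and need a separate justification; `not_listening` is informational, since the table marks port 5060 as optional and port 5066 as outbound.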
For your pools that use only hardware load balancing (not DNS load balancing), the following table shows the ports that need to be open on the hardware load balancers.
Hardware Load Balancer Ports if Using Only Hardware Load Balancing
Load Balancer | Port | Protocol |
---|---|---|
Front End Server load balancer | 5061 | TCP (TLS) |
Front End Server load balancer | 444 | HTTPS |
Front End Server load balancer | 135 | DCOM and remote procedure call (RPC) |
Front End Server load balancer | 80 | HTTP |
Front End Server load balancer | 8080 | TCP - Client and device retrieval of root certificate from Front End Server – clients and devices authenticated by NTLM |
Front End Server load balancer | 443 | HTTPS |
Front End Server load balancer | 4443 | HTTPS (from reverse proxy) |
Front End Server load balancer | 5072 | TCP |
Front End Server load balancer | 5073 | TCP |
Front End Server load balancer | 5075 | TCP |
Front End Server load balancer | 5076 | TCP |
Front End Server load balancer | 5071 | TCP |
Front End Server load balancer | 5080 | TCP |
Front End Server load balancer | 448 | TCP |
Mediation Server load balancer | 5070 | TCP |
Director load balancer | 443 | HTTPS |
Director load balancer | 444 | HTTPS |
Director load balancer | 5061 | TCP |
Director load balancer | 4443 | HTTPS (from reverse proxy) |
Your Front End pools and Director pools that use DNS load balancing also must have a hardware load balancer deployed. The following table shows the ports that need to be open on these hardware load balancers.
Hardware Load Balancer Ports if Using DNS Load Balancing
Load Balancer | Port | Protocol |
---|---|---|
Front End Server load balancer | 80 | HTTP |
Front End Server load balancer | 443 | HTTPS |
Front End Server load balancer | 8080 | TCP - Client and device retrieval of root certificate from Front End Server – clients and devices authenticated by NTLM |
Front End Server load balancer | 4443 | HTTPS (from reverse proxy) |
Director load balancer | 443 | HTTPS |
Director load balancer | 444 | HTTPS |
Director load balancer | 4443 | HTTPS (from reverse proxy) |
Required Client Ports
Component | Port | Protocol | Notes |
---|---|---|---|
Clients | 67/68 | DHCP | Used by Lync Server 2010 to find the Registrar FQDN (that is, if DNS SRV fails and manual settings are not configured). |
Clients | 443 | TCP (TLS) | Used for client-to-server SIP traffic for external user access. |
Clients | 443 | TCP (PSOM/TLS) | Used for external user access to web conferencing sessions. |
Clients | 443 | TCP (STUN/MSTURN) | Used for external user access to A/V sessions and media (TCP) |
Clients | 3478 | UDP (STUN/MSTURN) | Used for external user access to A/V sessions and media (TCP) |
Clients | 5061 | TCP (MTLS) | Used for client-to-server SIP traffic for external user access. |
Clients | 6891-6901 | TCP | Used for file transfer between Lync 2010 clients and previous clients (clients of Microsoft Office Communications Server 2007 R2, Microsoft Office Communications Server 2007, and Live Communications Server 2005). |
Clients | 1024-65535 * | TCP/UDP | Audio port range (minimum of 20 ports required) |
Clients | 1024-65535 * | TCP/UDP | Video port range (minimum of 20 ports required). |
Clients | 1024-65535 * | TCP | Peer-to-peer file transfer (for conferencing file transfer, clients use PSOM). |
Clients | 1024-65535 * | TCP | Application sharing. |
Aastra 6721ip common area phone, Aastra 6725ip desk phone, HP 4110 IP Phone (common area phone), HP 4120 IP Phone (desk phone), Polycom CX500 IP common area phone, Polycom CX600 IP desk phone, Polycom CX700 IP desk phone, Polycom CX3000 IP conference phone | 67/68 | DHCP | Used by the listed devices to find the Lync Server 2010 certificate, provisioning FQDN, and Registrar FQDN. |
* To configure specific ports for these media types, use the CsConferencingConfiguration cmdlet (ClientMediaPortRangeEnabled, ClientMediaPort, and ClientMediaPortRange parameters).
Note
The setup programs for Lync Server clients automatically create the required operating-system firewall exceptions on the client computer.
Note
The ports that are used for external user access are required for any scenario in which the client must traverse the organization’s firewall (for example, any external communications or meetings hosted by other organizations).