Port summary – Single consolidated edge with private IP addresses using NAT in Lync Server 2013

The Lync Server 2013 Edge Server functionality described in this scenario is very similar to what was implemented in Lync Server 2010. The most noticeable addition is the TCP port 5269 entry for the Extensible Messaging and Presence Protocol (XMPP): Lync Server 2013 can optionally deploy an XMPP proxy on the Edge Server or Edge pool, with the XMPP gateway service running on the Front End Server or Front End pool.

In addition to IPv4, the Edge Server now supports IPv6. For clarity, only IPv4 is used in the scenarios.

Network Perimeter for a Single Consolidated Edge Server with Private IP Addressing Using NAT

We recommend that you open only the ports required to support the functionality for which you are providing external access.

For remote access to work for any edge service, SIP traffic must be allowed to flow bi-directionally, as shown in the Inbound/Outbound edge traffic figure. In other words, SIP signaling to and from the Access Edge service underpins instant messaging (IM), presence, web conferencing, audio/video (A/V) and federation; if it is blocked in either direction, none of those services work for external users.

Firewall Summary for Single Consolidated Edge with Private IP Addresses using NAT: External Interface

Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes
XMPP/TCP/5269 | Any | XMPP Proxy service (shares IP address with Access Edge service) | XMPP Proxy service accepts traffic from XMPP contacts in defined XMPP federations
Access/HTTP/TCP/80 | Edge Server Access Edge service | Any | Certificate revocation/CRL check and retrieval
Access/DNS/TCP/53 | Edge Server Access Edge service | Any | DNS query over TCP
Access/DNS/UDP/53 | Edge Server Access Edge service | Any | DNS query over UDP
Access/SIP(TLS)/TCP/443 | Any | Edge Server Access Edge service | Client-to-server SIP traffic for external user access
Access/SIP(MTLS)/TCP/5061 | Any | Edge Server Access Edge service | For federated and public IM connectivity using SIP
Access/SIP(MTLS)/TCP/5061 | Edge Server Access Edge service | Any | For federated and public IM connectivity using SIP
Web Conferencing/PSOM(TLS)/TCP/443 | Any | Edge Server Web Conferencing Edge service | Web Conferencing media
A/V/RTP/TCP/50,000-59,999 | Edge Server A/V Edge service | Any | Required for federating with partners running Office Communications Server 2007, Office Communications Server 2007 R2, Lync Server 2010 and Lync Server 2013
A/V/RTP/UDP/50,000-59,999 | Edge Server A/V Edge service | Any | Required only for federation with partners running Office Communications Server 2007
A/V/RTP/TCP/50,000-59,999 | Any | Edge Server A/V Edge service | Required only for federation with partners running Office Communications Server 2007
A/V/RTP/UDP/50,000-59,999 | Any | Edge Server A/V Edge service | Required only for federation with partners running Office Communications Server 2007
A/V/STUN,MSTURN/UDP/3478 | Edge Server A/V Edge service | Any | Outbound 3478 is used to determine the version of Edge Server that Lync Server is communicating with, and for media traffic from Edge Server to Edge Server. Required for federation with Lync Server 2010, Windows Live Messenger and Office Communications Server 2007 R2, and when multiple Edge pools are deployed within a company
A/V/STUN,MSTURN/UDP/3478 | Any | Edge Server A/V Edge service | STUN/TURN negotiation of candidates over UDP/3478
A/V/STUN,MSTURN/TCP/443 | Any | Edge Server A/V Edge service | STUN/TURN negotiation of candidates over TCP/443
A/V/STUN,MSTURN/TCP/443 | Edge Server A/V Edge service | Any | STUN/TURN negotiation of candidates over TCP/443
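Several rows in the external-interface table are needed only when a particular feature is in use (federation, public IM connectivity, XMPP, partners still on Office Communications Server 2007, multiple Edge pools), which is what the "open only the ports required" recommendation turns on in practice. The following added example, which is not part of the original page or of Microsoft's documentation, encodes those rows as data, derives the rule set a deployment actually needs from the features it offers externally, and audits a configured rule set for required rules that are missing (including the return direction of SIP 5061 when federation is enabled) and for rules the table does not justify. The feature labels, the `Rule` class and the sample firewall export are assumptions made for the example.

```python
"""Least-privilege audit of a Lync Server 2013 Edge external-interface rule set.

Added example; feature labels, the Rule type and the sample export below are
assumptions, not anything from the page or from Microsoft.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple

# Assumed labels for the optional functionality the table refers to.
FEDERATION = "federation"        # SIP federation with other Lync/OCS organisations
PIC = "pic"                      # public IM connectivity (Windows Live Messenger)
XMPP = "xmpp"                    # XMPP federation through the Edge XMPP proxy
WEB_CONF = "web_conf"            # external web conferencing
AV = "av"                        # external audio/video via the A/V Edge service
OCS2007 = "ocs2007_federation"   # partners still running Office Communications Server 2007
MULTI_POOL = "multi_edge_pool"   # more than one Edge pool in the organisation

RuleKey = Tuple[str, str, str, str]          # (proto, ports, direction, service)
ALWAYS: FrozenSet[str] = frozenset()         # empty set = needed for any remote access


@dataclass(frozen=True)
class Rule:
    proto: str                  # TCP or UDP
    ports: str                  # single port or range, as written in the table
    direction: str              # "in": Any -> Edge service; "out": Edge service -> Any
    service: str                # Edge service that owns the listener or initiates
    needed_for: FrozenSet[str]  # required if ANY listed feature is enabled

    def key(self) -> RuleKey:
        return (self.proto, self.ports, self.direction, self.service)


# One Rule per row of the external-interface table above.
EXTERNAL_RULES: List[Rule] = [
    Rule("TCP", "5269", "in", "XMPP Proxy", frozenset({XMPP})),
    Rule("TCP", "80", "out", "Access Edge", ALWAYS),                 # CRL retrieval
    Rule("TCP", "53", "out", "Access Edge", ALWAYS),                 # DNS over TCP
    Rule("UDP", "53", "out", "Access Edge", ALWAYS),                 # DNS over UDP
    Rule("TCP", "443", "in", "Access Edge", ALWAYS),                 # client SIP over TLS
    Rule("TCP", "5061", "in", "Access Edge", frozenset({FEDERATION, PIC})),
    Rule("TCP", "5061", "out", "Access Edge", frozenset({FEDERATION, PIC})),
    Rule("TCP", "443", "in", "Web Conferencing Edge", frozenset({WEB_CONF})),
    Rule("TCP", "50000-59999", "out", "A/V Edge", frozenset({FEDERATION})),
    Rule("UDP", "50000-59999", "out", "A/V Edge", frozenset({OCS2007})),
    Rule("TCP", "50000-59999", "in", "A/V Edge", frozenset({OCS2007})),
    Rule("UDP", "50000-59999", "in", "A/V Edge", frozenset({OCS2007})),
    Rule("UDP", "3478", "out", "A/V Edge", frozenset({FEDERATION, PIC, MULTI_POOL})),
    Rule("UDP", "3478", "in", "A/V Edge", frozenset({AV})),
    Rule("TCP", "443", "in", "A/V Edge", frozenset({AV})),
    Rule("TCP", "443", "out", "A/V Edge", frozenset({AV})),
]


def required_rules(enabled: Set[str]) -> List[Rule]:
    """Rows the table marks as needed for the given set of enabled features."""
    return [r for r in EXTERNAL_RULES if not r.needed_for or r.needed_for & enabled]


def audit(enabled: Set[str], configured: Set[RuleKey]) -> Tuple[List[RuleKey], List[RuleKey]]:
    """Return (missing, excess): required rules absent from the firewall, and
    configured rules the table does not justify for this deployment."""
    required = {r.key() for r in required_rules(enabled)}
    return sorted(required - configured), sorted(configured - required)


# Constructed sample: a firewall export for a deployment that offers external
# sign-in, web conferencing and A/V, but neither federation nor public IM.
SAMPLE_ENABLED: Set[str] = {WEB_CONF, AV}
SAMPLE_CONFIGURED: Set[RuleKey] = {
    ("TCP", "443", "in", "Access Edge"),
    ("TCP", "80", "out", "Access Edge"),
    ("TCP", "53", "out", "Access Edge"),
    ("UDP", "53", "out", "Access Edge"),
    ("TCP", "443", "in", "Web Conferencing Edge"),
    ("TCP", "5061", "in", "Access Edge"),        # left over from a federation pilot
    ("TCP", "5061", "out", "Access Edge"),
    ("UDP", "50000-59999", "in", "A/V Edge"),    # only OCS 2007 partners need this
    ("UDP", "3478", "in", "A/V Edge"),
    ("TCP", "443", "in", "A/V Edge"),
    ("TCP", "3389", "in", "Edge host"),          # management port exposed by mistake
}

if __name__ == "__main__":
    missing, excess = audit(SAMPLE_ENABLED, SAMPLE_CONFIGURED)
    print("Missing required rules:")
    for key in missing:
        print("  ", key)
    print("Rules not justified by the enabled features:")
    for key in excess:
        print("  ", key)
```

Run as a script it prints the report for the constructed sample: the outbound STUN/TURN TCP/443 rule for the A/V Edge service is missing, while both directions of SIP 5061, inbound RTP over UDP and the stray RDP rule are flagged as excess. In practice, feed `audit()` the rule set exported from the perimeter firewall and the features actually enabled in the topology.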

Firewall Summary for Single Consolidated Edge with Private IP Addresses Using NAT: Internal Interface

Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Comments
XMPP/MTLS/TCP/23456 | Any (can be defined as the Standard Edition server IP address or the Front End pool IP address running the XMPP Gateway service) | Edge Server internal interface | Outbound XMPP traffic from the XMPP Gateway service running on the Front End Server or Front End pool
SIP/MTLS/TCP/5061 | Any (can be defined as Director, Director pool IP address, Front End Server or Front End pool IP address) | Edge Server internal interface | Outbound SIP traffic (from Director, Director pool, Front End Server or Front End pool) to the Edge Server internal interface
SIP/MTLS/TCP/5061 | Edge Server internal interface | Any (can be defined as Director, Director pool IP address, Front End Server or Front End pool IP address) | Inbound SIP traffic from the Edge Server internal interface (to Director, Director pool, Front End Server or Front End pool)
PSOM/MTLS/TCP/8057 | Any (can be defined as the Front End Server IP address, or each Front End Server IP address in a Front End pool) | Edge Server internal interface | Web conferencing traffic from the Front End Server (or each Front End Server in a pool) to the Edge Server internal interface
SIP/MTLS/TCP/5062 | Any (can be defined as the Front End Server IP address, the Front End pool IP address, or any Survivable Branch Appliance or Survivable Branch Server using this Edge Server) | Edge Server internal interface | Authentication of A/V users (A/V Authentication service) from the Front End Server, Front End pool, or any Survivable Branch Appliance or Survivable Branch Server using this Edge Server
STUN/MSTURN/UDP/3478 | Any | Edge Server internal interface | Preferred path for A/V media transfer between internal and external users, Survivable Branch Appliance or Survivable Branch Server
STUN/MSTURN/TCP/443 | Any | Edge Server internal interface | Fallback path for A/V media transfer between internal and external users, Survivable Branch Appliance or Survivable Branch Server, if UDP communication cannot be established; TCP is used for file transfer and desktop sharing
HTTPS/TCP/4443 | Any (can be defined as the Front End Server IP address, or the pool that holds the Central Management store) | Edge Server internal interface | Replication of changes from the Central Management store to the Edge Server
MTLS/TCP/50001 | Any | Edge Server internal interface | Centralized Logging Service controller using Lync Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection
MTLS/TCP/50002 | Any | Edge Server internal interface | Centralized Logging Service controller, agent commands and log collection (as for 50001)
MTLS/TCP/50003 | Any | Edge Server internal interface | Centralized Logging Service controller, agent commands and log collection (as for 50001)

Firewall Summary for Federation: External Interface

Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes
Access/SIP(MTLS)/TCP/5061 | Access Edge service public IP address | Any | For federated and public IM connectivity using SIP

Firewall Summary for Public Instant Messaging Connectivity: External Interface

Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes
Access/SIP(MTLS)/TCP/5061 | Public IM connectivity partners | Edge Server Access Edge service | For federated and public IM connectivity using SIP
Access/SIP(MTLS)/TCP/5061 | Edge Server Access Edge service | Public IM connectivity partners | For federated and public IM connectivity using SIP
Access/SIP(TLS)/TCP/443 | Clients | Edge Server Access Edge service | Client-to-server SIP traffic for external user access
A/V/RTP/TCP/50,000-59,999 | Edge Server A/V Edge service | Live Messenger clients | Used for A/V sessions with Windows Live Messenger if public IM connectivity is configured
A/V/STUN,MSTURN/UDP/3478 | Edge Server A/V Edge service | Live Messenger clients | Required for public IM connectivity with Windows Live Messenger
A/V/STUN,MSTURN/UDP/3478 | Live Messenger clients | Edge Server A/V Edge service | Required for public IM connectivity with Windows Live Messenger

Firewall Summary for Extensible Messaging and Presence Protocol

Protocol/TCP or UDP/Port | Source (IP address) | Destination (IP address) | Comments
XMPP/TCP/5269 | Any | Edge Server Access Edge service interface IP address | Standard server-to-server communication port for XMPP. Allows communication to the Edge Server XMPP proxy from federated XMPP partners
XMPP/TCP/5269 | Edge Server Access Edge service interface IP address | Any | Standard server-to-server communication port for XMPP. Allows communication from the Edge Server XMPP proxy to federated XMPP partners
XMPP/MTLS/TCP/23456 | Any | Each internal Edge Server interface IP address | Internal XMPP traffic from the XMPP Gateway on the Front End Server or Front End pool to the Edge Server internal IP address, or to each Edge pool member's internal IP address
