External Firewall ports with no federation

Hi,

I currently have a single standard within our domain and it works fine.
I now want laptop users to be able to roam outside the network and still use Lync.
I will add an edge server for this and use a single IP address and split-brain DNS.

access - port 5061
web - port 444
av - port 443

I do not plan to federate with any 3rd parties.
What are the minimum inbound and outbound ports I need to configure, excluding the reverse proxy?

Inbound ports with NAT to the edge server, I think I should only need:

5061 (TCP)
444 (TCP)
443 (TCP)
3487 (UDP)

I don't believe I need to open ports 50000 - 59999 as there is no federation going on?
Do I need to specify any outbound ports, or will there always be an inbound session from the Lync client?

Thanks,

Steve

October 26th, 2011 12:09am

Hi,

You need the RTP port range 50,000-59,999 for media flow. Otherwise you won't be able to make calls when connected from the Internet. The federation port is 5061.

Please follow the Edge Planning Tool to get a clear idea of what needs to be done when deploying the Edge. Otherwise you may run into problems. And you have missed the certificate part as well.

http://www.microsoft.com/download/en/details.aspx?id=19711

Thamara.

October 26th, 2011 4:05am

Thanks for the information.

I used the planning tool and was surprised by the number of ports it listed, hence my original question.
So just to confirm, I'm going to have to enable the following inbound ports?

5061 (TCP)
444 (TCP)
443 (TCP)
3487 (UDP)
50000 - 59999 (TCP & UDP)

Have I missed any?

Are there any ports that I need to also allow outbound or will there always be an inbound session that the edge server will use with the external lync client?

And yes, I understand there will be other configuration such as certificates, but I need to submit a request to our firewall provider to get this part configured.

Thanks,

Steve

October 26th, 2011 6:07am

There are some ports to be opened for inbound and outbound as well. You can check that in the Planning Tool firewall report. The above-mentioned set of ports will do. Just check the direction (from where to where) you need them opened in the Planning Tool.

Thamara.

October 26th, 2011 10:12am

Hi Steve,

If you want to add an Edge without federation, it means an external user will not see presence; you may follow http://technet.microsoft.com/en-us/library/gg425891.aspx.

But what is great with Lync is that you can use your legacy client to access external meetings without federation!

But for this, you still need to open all the ports you wrote (check that it's 3478 and not 3487) from the Lync client (users' computers) to the external network. If you don't open these ports, the users will not be able to see application sharing or even audio/video during external companies' meetings.

I will try to create a simple firewall ports schema to allow all meeting features for companies without federation, which is what almost every company wants. And this is missing on TechNet...

You will still need to allow anonymous user conferencing, etc., to allow users from external companies to join.

I hope I was clear enough! :)

Cheers,

Karl

February 14th, 2014 8:16am

Steve, 

Your ports were correct in the first place (sort of; as KahSky pointed out, STUN is 3478, not 3487):

5061 (TCP) - Federation (in theory I guess you could omit this, but I've always published it; you never know whether you want to federate down the track, so I'm not sure what would happen)

444 (TCP) - Web Conferencing

443 (TCP) - A/V including media traversal

3478 (UDP) - STUN/TURN

You won't need the 50000-59999 range unless you want A/V with federated users.

http://technet.microsoft.com/en-us/library/gg425891.aspx

http://social.technet.microsoft.com/Forums/lync/en-US/71396ade-dfd5-44b5-aa59-caa011d1507f/5000059999-port-range

February 14th, 2014 9:25am

Hi Georg,

Actually you need the 50,000-59,999 range even without federation for audio/video/sharing.

This is what we discovered with Microsoft. So the TechNet guide saying "Required for federating with partners running Office Communications Server 2007, Office Communications Server 2007 R2, Lync Server 2010 and Lync Server 2013." is wrong; these ports are used anyway by Lync clients.

Regards,

Karl

February 14th, 2014 10:04am

Hi KahSky,

I am not sure I agree with that. I just tested it. I confirmed 50,000-59,999 was not open and I was able to make voice and video calls and share through the Edge without any issues.

I tried Edge to Edge, Edge to Internal and Edge to Mobile, and I used a combination of Lync 2013-2013 and Lync 2010-2013 clients, and they all worked?

February 14th, 2014 10:34am

OK, strange.

You have Federation activated?

If so, this port range is only needed without federation activated. My mistake... :-)

Karl

February 14th, 2014 10:41am

No federation. Maybe that's it, good to double check though, had me second guessing there for a minute. :)
February 14th, 2014 10:54am
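Added example, not part of the original thread and not Microsoft's tooling: a small Python checker an admin can run from an Internet-side host after the firewall provider has applied the rules, to verify the port list the thread settles on (TCP 5061/444/443, UDP 3478) and to spot-check the disputed 50000-59999 range the way Georg did. It assumes a placeholder Edge FQDN sip.example.com, and it does not assume how the A/V Edge answers a standard RFC 5389 STUN Binding Request (the Lync A/V Edge speaks Microsoft's own TURN dialect): any datagram coming back is treated as proof that the UDP path is open, and the mapped address is decoded only when the reply is a well-formed RFC 5389 success response. The response builder and local_tcp_demo exist so the parser and the TCP probe can be exercised offline.

```python
# Added example for this thread (not from the posts above or from Microsoft).
# Checks the external Edge ports the thread settles on from the Internet side:
# TCP 5061/444/443, a STUN Binding Request to UDP 3478, and a spot-check of
# the 50000-59999 media range. sip.example.com is a placeholder (assumption).
import os, socket, struct, sys

STUN_MAGIC_COOKIE = 0x2112A442
STUN_BINDING_REQUEST, STUN_BINDING_SUCCESS = 0x0001, 0x0101
ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS = 0x0001, 0x0020
DEMO_TXID = b"\x01" * 12  # fixed transaction ID, only for the offline demo

# Ports the thread converges on for a single-IP Edge without federation.
EDGE_TCP_PORTS = {5061: "Access Edge (SIP/TLS)", 444: "Web Conferencing Edge",
                  443: "A/V Edge (TCP media / TURN)"}
STUN_UDP_PORT = 3478
MEDIA_SAMPLE_PORTS = (50000, 55000, 59999)  # spot-check of the media range

def check_tcp_port(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes; False if refused/filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def build_stun_binding_request(txid):
    """RFC 5389 Binding Request: type 0x0001, length 0, magic cookie, 96-bit ID."""
    if len(txid) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", STUN_BINDING_REQUEST, 0, STUN_MAGIC_COOKIE) + txid

def _xor_ipv4(port, addr):
    """RFC 5389 XOR-MAPPED-ADDRESS transform; it is its own inverse."""
    cookie = struct.pack("!I", STUN_MAGIC_COOKIE)
    return port ^ (STUN_MAGIC_COOKIE >> 16), bytes(b ^ m for b, m in zip(addr, cookie))

def build_stun_binding_response(txid, ip, port, xor=True):
    """Binding Success Response with one IPv4 (XOR-)MAPPED-ADDRESS, for offline tests."""
    addr = socket.inet_aton(ip)
    if xor:
        port, addr = _xor_ipv4(port, addr)
    attr_type = ATTR_XOR_MAPPED_ADDRESS if xor else ATTR_MAPPED_ADDRESS
    attr = struct.pack("!HHBBH", attr_type, 8, 0, 0x01, port) + addr
    return struct.pack("!HHI", STUN_BINDING_SUCCESS, len(attr), STUN_MAGIC_COOKIE) + txid + attr

def parse_stun_response(data, txid):
    """Return (ip, port) from a Binding Success Response matching txid, else None."""
    if len(data) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if msg_type != STUN_BINDING_SUCCESS or cookie != STUN_MAGIC_COOKIE \
            or data[8:20] != txid or len(data) < 20 + length:
        return None  # wrong type, wrong transaction, or truncated datagram
    body, pos = data[20:20 + length], 0
    while pos + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + attr_len]
        if len(value) < attr_len:
            return None
        if attr_type in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS) and attr_len == 8 and value[1] == 1:
            port, addr = struct.unpack("!H", value[2:4])[0], value[4:8]
            if attr_type == ATTR_XOR_MAPPED_ADDRESS:
                port, addr = _xor_ipv4(port, addr)
            return socket.inet_ntoa(addr), port
        pos += 4 + (attr_len + 3) // 4 * 4  # attribute values are padded to 4 bytes
    return None

def probe_stun_udp(host, port=STUN_UDP_PORT, timeout=3.0):
    """Send one Binding Request; any reply proves the UDP path, a decodable one gives the mapping."""
    txid = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_stun_binding_request(txid), (host, port))
        try:
            data, _ = s.recvfrom(2048)
        except socket.timeout:
            return "no-reply", None  # filtered, or the server ignored this dialect
        except OSError:
            return "unreachable", None  # ICMP port unreachable came back
    mapped = parse_stun_response(data, txid)
    return ("mapped", mapped) if mapped else ("reply", None)

def probe_edge(host, timeout=3.0):
    """Run every check against host and return the results as a dict."""
    return {"tcp": {p: check_tcp_port(host, p, timeout) for p in EDGE_TCP_PORTS},
            "stun": probe_stun_udp(host, timeout=timeout),
            "media_tcp": {p: check_tcp_port(host, p, timeout) for p in MEDIA_SAMPLE_PORTS}}

def local_tcp_demo():
    """Offline check_tcp_port demo against a throwaway 127.0.0.1 listener: (True, False)."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        while_open = check_tcp_port("127.0.0.1", port, timeout=1.0)
    return while_open, check_tcp_port("127.0.0.1", port, timeout=1.0)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "sip.example.com"  # placeholder (assumption)
    for key, value in probe_edge(target).items():
        print(target, key, value)
```

Run it as `python edge_probe.py <external Edge FQDN>` from outside the corporate network. A TCP port reported open means the firewall NAT rule and the Edge listener are both in place; "closed/filtered" does not tell you which of the two is missing. For UDP 3478, "no-reply" is ambiguous (filtered or ignored), so treat only "reply"/"mapped"/"unreachable" as conclusive. The media-range spot-check only tells you whether those three TCP ports reach a listener; the real test of the 50000-59999 question remains an external-to-internal call, as the thread's last exchange shows.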
