
Lync Server 2010 Firewall Ports for Edge

Published on Jan 1, 2011

April 2016 Update: Migrate to Skype Cloud PBX for Free

The Lync Server 2010 Edge Server functionality described in this reference architecture is very similar to what was first introduced in Office Communications Server 2007 R2, with the following exceptions:

  • Port 8080 is used to route traffic from the reverse proxy internal interface to the pool virtual IP (VIP)
  • Port 4443 is used to route traffic from the reverse proxy internal interface to the pool VIP
  • Port 4443 is used to route traffic from the pool front end(s) to the Edge internal interface

There are several options for the 50,000 – 59,999 port ranges, but the following figure shows the common configuration for interoperability with previous versions of Office Communications Server. For details about the options for configuring this port range, see “A/V Edge Service Port Range (50,000 – 59,999) Requirements” in Determining External A/V Firewall and Port Requirements.

[Figure: Enterprise perimeter network for single consolidated edge]

Firewall Summary for Single/Scaled Consolidated Edge with DNS Load Balancing: External Interface

| Protocol/Port | Used for |
| --- | --- |
| HTTP 80 (out) | Checking certificate revocation lists |
| DNS 53 (out) | External DNS queries |
| SIP/TLS/443 (in) | Client to server SIP traffic for remote user access |
| SIP/MTLS/5061 (in/out) | Federation and connectivity with a hosted Exchange service |
| PSOM/TLS/443 (in) | Remote user access to conferences for anonymous and federated users |
| RTP/TCP/50K range (in) | Media exchange (for details, see Determining External A/V Firewall and Port Requirements) and Windows Live Messenger if public IM connectivity is enabled. Required for Office Communications Server 2007 R2 interoperability. |
| RTP/TCP/50K range (out) | Media exchange (for details, see Determining External A/V Firewall and Port Requirements). Required for Office Communications Server 2007 R2 interoperability, for Office Communications Server 2007 R2 desktop sharing and federation, and for Lync Server 2010 application sharing, file transfer, or A/V with Windows Live Messenger. |
| RTP/UDP/50K range (in) | Media exchange (for details, see Determining External A/V Firewall and Port Requirements) |
| RTP/UDP/50K range (out) | Media exchange (for details, see Determining External A/V Firewall and Port Requirements) or A/V with Windows Live Messenger. Required for Office Communications Server 2007 interoperability. |
| STUN/MSTURN/UDP/3478 (in/out) | External user access to A/V sessions (UDP) |
| STUN/MSTURN/TCP/443 (in) | External user access to A/V sessions and media (TCP) |

Firewall Details for Single/Scaled Consolidated Edge with DNS Load Balancing: Internal Interface

| Protocol/Port | Used for |
| --- | --- |
| SIP/MTLS/5061 (in/out) | SIP traffic |
| PSOM/MTLS/8057 (out) | Web conferencing traffic from pool to Edge Server |
| SIP/MTLS/5062 (out) | Authentication of A/V users (A/V authentication service) |
| STUN/MSTURN/UDP/3478 (out) | Preferred path for media transfer between internal and external users (UDP) |
| STUN/MSTURN/TCP/443 (out) | Alternate path for media transfer between internal and external users (TCP) |
| HTTPS 4443 (out) | Pushing Central Management store updates to Edge Servers |

When reading the preceding tables, (in) refers to traffic going from a less trusted network to a more trusted network (such as Internet-to-perimeter or perimeter-to-corporate). For example, traffic from the Internet to the Edge external interface or from the Edge internal interface to the next hop pool. (out) refers to traffic going from a more trusted network to a less trusted network (such as corporate-to-perimeter or perimeter-to-Internet). For example, traffic from a corporate pool to the Edge internal interface or from the Edge external interface to the Internet. (in/out) refers to traffic that flows in both directions.

[Figure: Inbound/Outbound edge traffic]

We recommend that you open only the ports required to support the functionality for which you are providing external access. For remote access to work for any edge service, it is mandatory that SIP traffic is allowed to flow bidirectionally, as shown in the Inbound/Outbound edge traffic figure. Stated another way, the Access Edge service is involved in every external scenario: instant messaging (IM), presence, web conferencing, and audio/video (A/V).

Firewall Details for Reverse Proxy Server: External Interface

| Protocol/Port | Used for |
| --- | --- |
| HTTP 80 (in) | (Optional) Redirection to HTTPS if user accidentally enters http://<publishedSiteFQDN> |
| HTTPS 443 (in) | Address book downloads, Address Book Web Query service, client updates, meeting content, device updates, group expansion, dial-in conferencing, and meetings |

Firewall Details for Reverse Proxy Server: Internal Interface

| Protocol/Port | Used for |
| --- | --- |
| HTTPS 4443 (in) | Traffic sent to 443 on the reverse proxy external interface is redirected to a pool on port 4443 from the reverse proxy internal interface so that the pool web services can distinguish it from internal web traffic |

Note: When reading the previous tables, (in) refers to traffic going from a less trusted network to a more trusted network (such as Internet-to-perimeter or perimeter-to-corporate). For example, traffic from the Internet to the reverse proxy external interface or from the reverse proxy internal interface to a Standard Edition pool or a hardware load balancer VIP associated with a Front End pool.

External Ports Settings Required for Single Consolidated Edge Topology

| Edge role | Source IP address | Source port | Destination IP address | Destination port | Transport | Application | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Access | 10.45.16.10 | Any | Any | 80 | TCP | HTTP | |
| Access | 10.45.16.10 | Any | Any | 53 | UDP | DNS | |
| Access | Any | Any | 10.45.16.10 | 443 | TCP | SIP (TLS) | Client-to-server SIP traffic for external user access |
| Access | Any | Any | 10.45.16.10 | 5061 | TCP | SIP (MTLS) | For federated and public IM connectivity using SIP |
| Access | 10.45.16.10 | Any | Any | 5061 | TCP | SIP (MTLS) | For federated and public IM connectivity using SIP |
| Web Conferencing | Any | Any | 10.45.16.20 | 443 | TCP | PSOM (TLS) | |
| A/V | 10.45.16.30 | 50,000 – 59,999 | Any | Any | TCP | RTP | Required only for desktop sharing, or federation with partners running Office Communications Server 2007 R2. Also required for application sharing or file transfer with Lync Server 2010 federated users and A/V sessions with Windows Live Messenger. |
| A/V | 10.45.16.30 | 50,000 – 59,999 | Any | Any | UDP | RTP | Required only for federation with partners still running Office Communications Server 2007. |
| A/V | Any | Any | 10.45.16.30 | 50,000 – 59,999 | TCP | RTP | Required only for federation with partners still running Office Communications Server 2007. |
| A/V | Any | Any | 10.45.16.30 | 50,000 – 59,999 | UDP | RTP | Required only for federation with partners still running Office Communications Server 2007. |
| A/V | 10.45.16.30 | 3478 | Any | 3478 | UDP | STUN/MSTURN | 3478 outbound is used to determine the version of Edge Server that Lync Server 2010 is communicating with, and also for media traffic from Edge Server to Edge Server. Required for federation with Lync Server 2010, Windows Live Messenger, and Office Communications Server 2007 R2, and also if multiple Edge pools are deployed within a company. |
| A/V | Any | Any | 10.45.16.30 | 3478 | UDP | STUN/MSTURN | |
| A/V | Any | Any | 10.45.16.30 | 443 | TCP | STUN/MSTURN | |
| Reverse Proxy: N/A | Any | Any | 10.45.16.40 | 80 | TCP | HTTP | (Optional) Can be used to redirect http traffic to https. |
| Reverse Proxy: N/A | Any | Any | 10.45.16.40 | 443 | TCP | HTTPS | |
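The table above marks several rows as required only for a specific scenario, and the article's advice is to open only what the enabled functionality needs. The following Python script is an added example, not code from the TechNet article or from this blog: it encodes the external-interface rows with the page's reference-architecture addresses and audits a candidate rule set against a set of enabled features, reporting mandatory rows that are missing and conditional rows that are open without a justifying feature. The feature names and the candidate rule set are assumptions constructed for the example.

```python
from collections import namedtuple

# One table row as a rule: "Any" is a wildcard, dport is a port or a range.
Rule = namedtuple("Rule", "src dst proto dport")

ACCESS, WEBCONF, AV, RP = "10.45.16.10", "10.45.16.20", "10.45.16.30", "10.45.16.40"

# Each row pairs a rule with the (assumed) feature names that justify it;
# an empty tuple means the row is needed for any remote access at all.
EDGE_EXTERNAL_RULES = [
    (Rule(ACCESS, "Any", "TCP", "80"), ()),                 # CRL checks
    (Rule(ACCESS, "Any", "UDP", "53"), ()),                 # external DNS
    (Rule("Any", ACCESS, "TCP", "443"), ()),                # client SIP/TLS
    (Rule("Any", ACCESS, "TCP", "5061"), ("federation",)),  # SIP/MTLS in
    (Rule(ACCESS, "Any", "TCP", "5061"), ("federation",)),  # SIP/MTLS out
    (Rule("Any", WEBCONF, "TCP", "443"), ("web_conferencing",)),
    (Rule(AV, "Any", "TCP", "50000-59999"),
     ("desktop_sharing", "ocs2007r2_federation", "live_messenger_av")),
    (Rule(AV, "Any", "UDP", "50000-59999"), ("ocs2007_federation",)),
    (Rule("Any", AV, "TCP", "50000-59999"), ("ocs2007_federation",)),
    (Rule("Any", AV, "UDP", "50000-59999"), ("ocs2007_federation",)),
    (Rule(AV, "Any", "UDP", "3478"), ("av",)),  # table also pins source port 3478
    (Rule("Any", AV, "UDP", "3478"), ("av",)),
    (Rule("Any", AV, "TCP", "443"), ("av",)),
    (Rule("Any", RP, "TCP", "80"), ("http_redirect",)),     # optional redirect
    (Rule("Any", RP, "TCP", "443"), ("reverse_proxy",)),
]

def required_rules(enabled):
    """Rows the page marks mandatory plus rows justified by an enabled feature."""
    return {r for r, feats in EDGE_EXTERNAL_RULES
            if not feats or any(f in enabled for f in feats)}

def audit(candidate, enabled):
    """Return (missing, unneeded): required rows absent from the candidate set,
    and candidate rows that no enabled feature justifies (candidates to close)."""
    required = required_rules(enabled)
    candidate = set(candidate)
    return sorted(required - candidate), sorted(candidate - required)

def sample_audit():
    """Constructed scenario: federation, web conferencing, A/V and the reverse
    proxy are in use, but nobody federates with Office Communications Server 2007."""
    enabled = {"federation", "web_conferencing", "av", "reverse_proxy"}
    candidate = required_rules(enabled)
    candidate.discard(Rule(AV, "Any", "UDP", "3478"))     # forgot STUN/MSTURN outbound
    candidate.add(Rule("Any", AV, "UDP", "50000-59999"))  # legacy OCS 2007 row left open
    return audit(candidate, enabled)
```

Calling `sample_audit()` returns the missing outbound STUN/MSTURN 3478 rule and the inbound UDP 50K-range rule that nothing enabled still justifies.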

Internal Ports Settings Required for Single Consolidated Edge Topology

| Edge role | Source IP address | Source port | Destination IP address | Destination port | Transport | Application | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Access | 172.25.33.10 | Any | 192.168.10.90, 192.168.10.91 | 5061 | TCP | SIP (MTLS) | Destination will be the next hop server(s). In the case of the reference architecture, it is the IP addresses of the two pool Front End Servers. |
| Access | 192.168.10.90, 192.168.10.91 | Any | 172.25.33.10 | 5061 | TCP | SIP (MTLS) | Source will be the next hop server(s). In the case of the reference architecture, it is the IP addresses of the two pool Front End Servers. |
| Access | 192.168.10.90, 192.168.10.91 | Any | 172.25.33.10 | 4443 | TCP | HTTPS | Used by the replication agent for Central Management store replication; include all Front End Servers. |
| Web Conferencing | Any | Any | 172.25.33.10 | 8057 | TCP | PSOM (MTLS) | |
| A/V | 192.168.10.90, 192.168.10.91 | Any | 172.25.33.10 | 5062 | TCP | SIP (MTLS) | Include all Front End Servers using this particular A/V authentication service. |
| A/V | Any | Any | 172.25.33.10 | 3478 | UDP | STUN/MSTURN | |
| A/V | Any | Any | 172.25.33.10 | 443 | TCP | STUN/MSTURN | |
| Reverse proxy: N/A | 172.25.33.40 | Any | 192.168.10.190 | 8080 | TCP | HTTPS | |
| Reverse proxy: N/A | 172.25.33.40 | Any | 192.168.10.190 | 4443 | TCP | HTTPS | |

Read the whole article on TechNet: Reference Architecture 1: Port Summary for Single Consolidated Edge.
