My Collection
This document is provided "as-is". Information and views expressed in this document, including URL and other Internet Web site references, may change without
notice. This document does not provide you with any legal rights to any intellectual property in any Microsoft product or product name. You may copy and use
this document for your internal, reference purposes. You may modify this document for your internal, reference purposes. 2013 Microsoft. All rights reserved.
Terms of Use (http://technet.microsoft.com/cc300389.aspx) | Trademarks (http://www.microsoft.com/library/toolbar/3.0/trademarks/en-us.mspx)
Table Of Contents
Chapter 1
Port Requirements
Ports and Protocols for Internal Servers
IPsec Exceptions
Port Summary - Single Consolidated Edge with Private IP Addresses Using NAT
Port Summary - Single Consolidated Edge with Public IP Addresses
Port Summary - Scaled Consolidated Edge, DNS Load Balancing with Private IP Addresses Using NAT
Port Summary - Scaled Consolidated Edge, DNS Load Balancing with Public IP Addresses
Port Summary - Scaled Consolidated Edge with Hardware Load Balancers
Port Summary - Reverse Proxy
Port Summary - SIP, XMPP Federation and Public Instant Messaging
Chapter 1
Port Requirements
Lync Server 2013
Topic Last Modified: 2013-03-27
Lync Server requires that specific ports on the firewall be open. Additionally, if Internet Protocol security (IPsec) is deployed in your organization, IPsec must be disabled
over the range of ports used for the delivery of audio, video, and panorama video.
In This Section
This section includes the following topics:
Ports and Protocols for Internal Servers
IPsec Exceptions
Port Summary - Single Consolidated Edge with Private IP Addresses Using NAT
Port Summary - Single Consolidated Edge with Public IP Addresses
Port Summary - Scaled Consolidated Edge, DNS Load Balancing with Private IP Addresses Using NAT
Port Summary - Scaled Consolidated Edge, DNS Load Balancing with Public IP Addresses
Port Summary - Scaled Consolidated Edge with Hardware Load Balancers
Port Summary - Reverse Proxy
Port Summary - SIP, XMPP Federation and Public Instant Messaging
Ports and Protocols for Internal Servers
Lync Server 2013
Topic Last Modified: 2013-06-04
This section summarizes the ports and protocols used by servers, load balancers, and clients in a Lync Server deployment.
Important:
Communication between Lync and Communicator clients in a one-to-one conversation is often referred to as peer-to-peer. Technically, the two clients communicate in a one-to-one conversation with the Instant Messaging multipoint control unit (IMMCU) in the middle. The IMMCU is a component of Front End Server. Placing the IMMCU in the required communication workflow allows call detail recording and other features that the Front End Server enables. Communication is from a dynamic source port on the client to the Front End Server port TLS/TCP/5061 (assuming the use of the recommended transport layer security). By design, peer-to-peer communication (as well as multi-party IM) is possible only when Lync Server and the IMMCU are active and available.
Port and Protocol Details
Note:
Windows Firewall must be running before you start the Lync Server services on a server, because that is when Lync Server opens the required ports in the firewall.
For details about firewall configuration for edge components, see Determine External A/V Firewall and Port Requirements.
The following table lists the ports that need to be open on each internal server role.
Required Server Ports (by Server Role)
Server role | Service name | Port | Protocol | Notes
All Servers | SQL Browser | 1434 | UDP | SQL Browser for the local replicated copy of the Central Management Store database.
Front End Servers | Lync Server FrontEnd service | 5060 | TCP | Optionally used by Standard Edition servers and Front End Servers for static routes to trusted services, such as remote call control servers.
Front End Servers | Lync Server FrontEnd service | 5061 | TCP (TLS) | Used by Standard Edition servers and Front End pools for all internal SIP communications between servers (MTLS), for SIP communications between Server and Client (TLS) and for SIP communications between Front End Servers and Mediation Servers (MTLS). Also used for communications with Monitoring Server.
Front End Servers | Lync Server FrontEnd service | 444 | HTTPS, TCP | Used for HTTPS communication between the Focus (the Lync Server component that manages conference state) and the individual servers. This port is also used for TCP communication between Survivable Branch Appliances and Front End Servers.
Front End Servers | Lync Server FrontEnd service | 135 | DCOM and remote procedure call (RPC) | Used for DCOM based operations such as Moving Users, User Replicator Synchronization, and Address Book Synchronization.
Front End Servers | Lync Server IM Conferencing service | 5062 | TCP | Used for incoming SIP requests for instant messaging (IM) conferencing.
Front End Servers | Lync Server Web Conferencing service | 8057 | TCP (TLS) | Used to listen for Persistent Shared Object Model (PSOM) connections from clients.
Front End Servers | Lync Server Web Conferencing Compatibility service | 8058 | TCP (TLS) | Used to listen for Persistent Shared Object Model (PSOM) connections from the Live Meeting client and previous versions of Lync Server.
Front End Servers | Lync Server Audio/Video Conferencing service | 5063 | TCP | Used for incoming SIP requests for audio/video (A/V) conferencing.
Front End Servers | Lync Server Audio/Video Conferencing service | 57501-65535 | TCP/UDP | Media port range used for video conferencing.
Front End Servers | Lync Server Web Compatibility service | 80 | HTTP | Used for communication from Front End Servers to the web farm FQDNs (the URLs used by IIS web components) when HTTPS is not used.
Front End Servers | Lync Server Web Compatibility service | 443 | HTTPS | Used for communication from Front End Servers to the web farm FQDNs (the URLs used by IIS web components).
Front End Servers | Lync Server Web Compatibility service | 8080 | TCP and HTTP | Used by web components for external access.
Front End Servers | Web server component | 4443 | HTTPS | -
Front End Servers | Web server component | 8060 | TCP (MTLS) | -
Front End Servers | Web server component | 8061 | TCP (MTLS) | -
Front End Servers | Mobility Services component | 5086 | TCP (MTLS) | SIP port used by Mobility Services internal processes.
Front End Servers | Mobility Services component | 5087 | TCP (MTLS) | SIP port used by Mobility Services internal processes.
Front End Servers | Mobility Services component | 443 | HTTPS | -
Front End Servers | Lync Server Conferencing Attendant service (dial-in conferencing) | 5064 | TCP | Used for incoming SIP requests for dial-in conferencing.
Front End Servers | Lync Server Conferencing Attendant service (dial-in conferencing) | 5072 | TCP | Used for incoming SIP requests for Attendant (dial-in conferencing).
Front End Servers that also run a collocated Mediation Server | Lync Server Mediation service | 5070 | TCP | Used by the Mediation Server for incoming requests from the Front End Server to the Mediation Server.
Front End Servers that also run a collocated Mediation Server | Lync Server Mediation service | 5067 | TCP (TLS) | Used for incoming SIP requests from the PSTN gateway to the Mediation Server.
Front End Servers that also run a collocated Mediation Server | Lync Server Mediation service | 5068 | TCP | Used for incoming SIP requests from the PSTN gateway to the Mediation Server.
Front End Servers that also run a collocated Mediation Server | Lync Server Mediation service | 5081 | TCP | Used for outgoing SIP requests from the Mediation Server to the PSTN gateway.
Front End Servers that also run a collocated Mediation Server | Lync Server Mediation service | 5082 | TCP (TLS) | Used for outgoing SIP requests from the Mediation Server to the PSTN gateway.
Front End Servers | Lync Server Application Sharing service | 5065 | TCP | Used for incoming SIP listening requests for application sharing.
Front End Servers | Lync Server Application Sharing service | 49152-65535 | TCP | Media port range used for application sharing.
Front End Servers | Lync Server Conferencing Announcement service | 5073 | TCP | Used for incoming SIP requests for the Lync Server Conferencing Announcement service (that is, for dial-in conferencing).
Front End Servers | Lync Server Call Park service | 5075 | TCP | Used for incoming SIP requests for the Call Park application.
Front End Servers | Lync Server Audio Test service | 5076 | TCP | Used for incoming SIP requests for the Audio Test service.
Front End Servers | Not applicable | 5066 | TCP | Used for outbound Enhanced 9-1-1 (E9-1-1) gateway.
Front End Servers | Lync Server Response Group service | 5071 | TCP | Used for incoming SIP requests for the Response Group application.
Front End Servers | Lync Server Response Group service | 8404 | TCP (MTLS) | Used for incoming SIP requests for the Response Group application.
Front End Servers | Lync Server Bandwidth Policy Service | 5080 | TCP | Used for call admission control by the Bandwidth Policy service for A/V Edge TURN traffic.
Front End Servers | Lync Server Bandwidth Policy Service | 448 | TCP | Used for call admission control by the Lync Server Bandwidth Policy Service.
Front End Servers where the Central Management store resides | Lync Server Master Replicator Agent service | 445 | TCP | Used to push configuration data from the Central Management store to servers running Lync Server.
All Servers | SQL Browser | 1434 | UDP | SQL Browser for the local replicated copy of Central Management store data in the local SQL Server instance.
All internal servers | Various | 49152-57500 | TCP/UDP | Media port range used for audio conferencing on all internal servers. Used by all servers that terminate audio: Front End Servers (for Lync Server Conferencing Attendant service, Lync Server Conferencing Announcement service, and Lync Server Audio/Video Conferencing service), and Mediation Server.
Directors | Lync Server FrontEnd service | 5060 | TCP | Optionally used for static routes to trusted services, such as remote call control servers.
Directors | Lync Server FrontEnd service | 444 | HTTPS, TCP | Inter-server communication between Front End and Director. Additionally, client certificate publish (to Front End Servers) or validate if the client certificate has already been published.
Directors | Lync Server Web Compatibility service | 80 | TCP | Used for initial communication from Directors to the web farm FQDNs (the URLs used by IIS web components). In normal operation, will switch to HTTPS traffic, using port 443 and protocol type TCP.
Directors | Lync Server Web Compatibility service | 443 | HTTPS | Used for communication from Directors to the web farm FQDNs (the URLs used by IIS web components).
Directors | Lync Server FrontEnd service | 5061 | TCP | Used for internal communications between servers and for client connections.
Mediation Servers | Lync Server Mediation service | 5070 | TCP | Used by the Mediation Server for incoming requests from the Front End Server.
Mediation Servers | Lync Server Mediation service | 5067 | TCP (TLS) | Used for incoming SIP requests from the PSTN gateway.
Mediation Servers | Lync Server Mediation service | 5068 | TCP | Used for incoming SIP requests from the PSTN gateway.
Mediation Servers | Lync Server Mediation service | 5070 | TCP (MTLS) | Used for SIP requests from the Front End Servers.
Persistent Chat Front End Server | Persistent Chat SIP | 5041 | TCP (MTLS) | -
Persistent Chat Front End Server | Persistent Chat Windows Communication Foundation (WCF) | 881 | TCP (TLS) and TCP (MTLS) | -
Persistent Chat Front End Server | Persistent Chat File Transfer Service | 443 | TCP (TLS) | -
Note:
Some remote call control scenarios require a TCP connection between the Front End Server or Director and the PBX. Although Lync Server no longer uses TCP
port 5060, during remote call control deployment you create a trusted server configuration, which associates the RCC Line Server FQDN with the TCP port that the
Front End Server or Director will use to connect to the PBX system. For details, see the CsTrustedApplicationComputer cmdlet in the Lync Server Management
Shell documentation.
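The server-role table above is the allow list a defender should compare a host against: a listener that is not in the table is a least-privilege finding, and a required listener that is absent means the service (or Windows Firewall, which must be running before the services start) is not up. The following is an added example, not code from the Microsoft documentation, that parses a netstat -ano style snapshot and audits it against a partial transcription of the table. The Front End and Director transcriptions, the choice of which listeners count as required, and the sample snapshot are all this example's own assumptions.

```python
import re

# Allowed listeners per role, transcribed from the table above as (protocol, low port, high port).
# Only the Front End and Director roles are transcribed; that subset is this example's assumption.
ALLOWED = {
    "FrontEnd": [
        ("tcp", 5060, 5060), ("tcp", 5061, 5061), ("tcp", 444, 444), ("tcp", 135, 135),
        ("tcp", 5062, 5062), ("tcp", 8057, 8058), ("tcp", 5063, 5063), ("tcp", 80, 80),
        ("tcp", 443, 443), ("tcp", 8080, 8080), ("tcp", 4443, 4443), ("tcp", 8060, 8061),
        ("tcp", 5086, 5087), ("tcp", 5064, 5064), ("tcp", 5072, 5072), ("tcp", 5065, 5065),
        ("tcp", 5073, 5073), ("tcp", 5075, 5076), ("tcp", 5066, 5066), ("tcp", 5071, 5071),
        ("tcp", 8404, 8404), ("tcp", 5080, 5080), ("tcp", 448, 448), ("tcp", 445, 445),
        ("udp", 1434, 1434),
        ("tcp", 49152, 65535), ("udp", 49152, 65535),  # audio, video and application-sharing media ranges
    ],
    "Director": [
        ("tcp", 5060, 5060), ("tcp", 444, 444), ("tcp", 80, 80), ("tcp", 443, 443),
        ("tcp", 5061, 5061), ("udp", 1434, 1434),
    ],
}

# Listeners that must be present for the role to serve clients. The table does not rank
# ports, so this subset is an assumption made for the check.
REQUIRED = {
    "FrontEnd": [("tcp", 5061), ("tcp", 444), ("tcp", 443), ("tcp", 4443)],
    "Director": [("tcp", 5061), ("tcp", 444), ("tcp", 443)],
}

# Matches netstat -ano lines such as "TCP 0.0.0.0:5061 0.0.0.0:0 LISTENING 3120"
# and "UDP 0.0.0.0:1434 *:* 1980" (state column is absent for UDP).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?", re.I)


def parse_listeners(netstat_text):
    """Return {(proto, port)} for the listening sockets in netstat -ano style output."""
    found = set()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, port, state = m.group(1).lower(), int(m.group(3)), (m.group(4) or "").upper()
        if proto == "tcp" and state != "LISTENING":
            continue  # established or closing TCP sockets are not listeners
        found.add((proto, port))
    return found


def audit(role, netstat_text):
    """Compare observed listeners with the role's port table.

    Returns (unexpected, missing): unexpected listeners are least-privilege findings to
    investigate; missing required listeners mean a service is not up or not bound.
    """
    observed = parse_listeners(netstat_text)
    allowed = ALLOWED[role]
    unexpected = sorted(p for p in observed
                        if not any(p[0] == proto and lo <= p[1] <= hi for proto, lo, hi in allowed))
    missing = sorted(p for p in REQUIRED[role] if p not in observed)
    return unexpected, missing


# Constructed snapshot (not captured from a real server): a Front End Server with one listener
# on TCP 8888 that the table does not account for, and no web component listener on 4443.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       820
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:444            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5061           0.0.0.0:0              LISTENING       3120
  TCP    0.0.0.0:8888           0.0.0.0:0              LISTENING       6012
  TCP    10.0.0.5:5061          10.0.0.9:49812         ESTABLISHED     3120
  UDP    0.0.0.0:1434           *:*                                    1980
"""

if __name__ == "__main__":
    unexpected, missing = audit("FrontEnd", SAMPLE)
    print("unexpected listeners:", unexpected)
    print("missing required listeners:", missing)
```

The media ranges are deliberately kept as ranges rather than expanded, so a listener inside 49152-65535 is accepted for a Front End Server but flagged on a Director, which the table gives no media range at all.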
For pools that use only hardware load balancing (not DNS load balancing), the following table shows the ports that need to be open on the hardware load balancers.
Hardware Load Balancer Ports if Using Only Hardware Load Balancing
Load Balancer | Port | Protocol
Front End Server load balancer | 5061 | TCP (TLS)
Front End Server load balancer | 444 | HTTPS
Front End Server load balancer | 135 | DCOM and remote procedure call (RPC)
Front End Server load balancer | 80 | HTTP
Front End Server load balancer | 8080 | TCP - Client and device retrieval of root certificate from Front End Server; clients and devices authenticated by NTLM
Front End Server load balancer | 443 | HTTPS
Front End Server load balancer | 4443 | HTTPS (from reverse proxy)
Front End Server load balancer | 5072 | TCP
Front End Server load balancer | 5073 | TCP
Front End Server load balancer | 5075 | TCP
Front End Server load balancer | 5076 | TCP
Front End Server load balancer | 5071 | TCP
Front End Server load balancer | 5080 | TCP
Front End Server load balancer | 448 | TCP
Mediation Server load balancer | 5070 | TCP
Front End Server load balancer (if the pool also runs Mediation Server) | 5070 | TCP
Director load balancer | 443 | HTTPS
Director load balancer | 444 | HTTPS
Director load balancer | 5061 | TCP
Director load balancer | 4443 | HTTPS (from reverse proxy)
Your Front End pools and Director pools that use DNS load balancing also must have a hardware load balancer deployed. The following table shows the ports that
need to be open on these hardware load balancers.
Hardware Load Balancer Ports if Using DNS Load Balancing
Load Balancer | Port | Protocol
Front End Server load balancer | 80 | HTTP
Front End Server load balancer | 443 | HTTPS
Front End Server load balancer | 8080 | TCP - Client and device retrieval of root certificate from Front End Server; clients and devices authenticated by NTLM
Front End Server load balancer | 4443 | HTTPS (from reverse proxy)
Director load balancer | 443 | HTTPS
Director load balancer | 444 | HTTPS
Director load balancer | 4443 | HTTPS (from reverse proxy)
Required Client Ports
Component | Port | Protocol | Notes
Clients | 67/68 | DHCP | Used by Lync Server to find the Registrar FQDN (that is, if DNS SRV fails and manual settings are not configured).
Clients | 443 | TCP (TLS) | Used for client-to-server SIP traffic for external user access.
Clients | 443 | TCP (PSOM/TLS) | Used for external user access to web conferencing sessions.
Clients | 443 | TCP (STUN/MSTURN) | Used for external user access to A/V sessions and media (TCP)
Clients | 3478 | UDP (STUN/MSTURN) | Used for external user access to A/V sessions and media (TCP)
Clients | 5061 | TCP (MTLS) | Used for client-to-server SIP traffic for external user access.
Clients | 6891-6901 | TCP | Used for file transfer between Lync clients and previous clients (clients of Microsoft Office Communications Server 2007 R2, Microsoft Office Communications Server 2007, and Live Communications Server 2005).
Clients | 1024-65535 * | TCP/UDP | Audio port range (minimum of 20 ports required)
Clients | 1024-65535 * | TCP/UDP | Video port range (minimum of 20 ports required).
Clients | 1024-65535 * | TCP | Peer-to-peer file transfer (for conferencing file transfer, clients use PSOM).
Clients | 1024-65535 * | TCP | Application sharing.
Aastra 6721ip common area phone, Aastra 6725ip desk phone, HP 4110 IP Phone (common area phone), HP 4120 IP Phone (desk phone), Polycom CX500 IP common area phone, Polycom CX600 IP desk phone, Polycom CX700 IP desk phone, Polycom CX3000 IP conference phone | 67/68 | DHCP | Used by the listed devices to find the Lync Server certificate, provisioning FQDN, and Registrar FQDN.
* To configure specific ports for these media types, use the CsConferencingConfiguration cmdlet (ClientMediaPortRangeEnabled, ClientMediaPort, and
ClientMediaPortRange parameters).
Note:
The setup programs for Lync clients automatically create the required operating-system firewall exceptions on the client computer.
Note:
The ports that are used for external user access are required for any scenario in which the client must traverse the organization's firewall (for example, any external communications or meetings hosted by other organizations).
IPsec Exceptions
Lync Server 2013
Topic Last Modified: 2012-06-27
For enterprise networks where Internet Protocol security (IPsec) (see IETF RFC 4301-4309) has been deployed, IPsec must be disabled over the range of ports used for
the delivery of audio, video, and panorama video. The recommendation is motivated by the need to avoid any delay in the allocation of media ports due to IPsec
negotiation.
The following table explains the recommended IPsec exception settings.
Recommended IPsec Exceptions
Rule name | Source IP | Destination IP | Protocol | Source port | Destination port | Authentication requirement
A/V Edge Server Internal Inbound | Any | A/V Edge Server Internal | UDP and TCP | Any | Any | Do not authenticate
A/V Edge Server External Inbound | Any | A/V Edge Server External | UDP and TCP | Any | Any | Do not authenticate
A/V Edge Server Internal Outbound | A/V Edge Server Internal | Any | UDP and TCP | Any | Any | Do not authenticate
A/V Edge Server External Outbound | A/V Edge Server External | Any | UDP and TCP | Any | Any | Do not authenticate
Mediation Server Inbound | Any | Mediation Server(s) | UDP and TCP | Any | Any | Do not authenticate
Mediation Server Outbound | Mediation Server(s) | Any | UDP and TCP | Any | Any | Do not authenticate
Conferencing Attendant Inbound | Any | Front End Server running Conferencing Attendant | UDP and TCP | Any | Any | Do not authenticate
Conferencing Attendant Outbound | Front End Server running Conferencing Attendant | Any | UDP and TCP | Any | Any | Do not authenticate
A/V Conferencing Inbound | Any | Front End Servers | UDP and TCP | Any | Any | Do not authenticate
A/V Conferencing Outbound | Front End Servers | Any | UDP and TCP | Any | Any | Do not authenticate
Exchange Inbound | Any | Exchange Unified Messaging | UDP and TCP | Any | Any | Do not authenticate
Application Sharing Servers Inbound | Any | Application Sharing Servers | TCP | Any | Any | Do not authenticate
Application Sharing Server Outbound | Application Sharing Servers | Any | TCP | Any | Any | Do not authenticate
Exchange Outbound | Exchange Unified Messaging | Any | UDP and TCP | Any | Any | Do not authenticate
Clients | Any | Any | UDP | Specified media port range | Any | Do not authenticate
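The table above is a policy, and the failure mode it guards against is a media port with no exception, where the first packet stalls behind IPsec negotiation. The following added example (this author's code, not Microsoft's) models the rows as data and checks, for a given host role and the internal audio media range from the server port table, that every port is exempted in both directions for both UDP and TCP. The transcription is a subset of the table, the "specified media port range" for the Clients row is an assumed 5350-5389, and the misconfigured rule set is constructed to show what a gap looks like.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY = None  # "Any" in the table: no port restriction


@dataclass(frozen=True)
class IpsecRule:
    """One row of the IPsec exceptions table: traffic the policy must pass without IPsec authentication."""
    name: str
    source: str                       # "Any" or a role name as written in the table
    destination: str
    protocols: FrozenSet[str]         # subset of {"udp", "tcp"}
    source_port: Optional[Tuple[int, int]]
    dest_port: Optional[Tuple[int, int]]
    authenticate: bool                # False means "Do not authenticate"


def _port_ok(spec, port):
    return spec is ANY or spec[0] <= port <= spec[1]


def covers(rule, host, direction, proto, port):
    """True when `rule` exempts `proto` traffic on local port `port` flowing in `direction`
    ("inbound" or "outbound") relative to `host`. For inbound media the local port is the
    destination port of the packet; for outbound media it is the source port."""
    if rule.authenticate or proto not in rule.protocols:
        return False
    if direction == "inbound":
        return (rule.source == "Any" and rule.destination in ("Any", host)
                and _port_ok(rule.dest_port, port))
    return (rule.destination == "Any" and rule.source in ("Any", host)
            and _port_ok(rule.source_port, port))


def uncovered(rules, host, media_range):
    """List the (direction, proto, port) triples in media_range that no exception rule covers."""
    lo, hi = media_range
    return [(d, p, port)
            for d in ("inbound", "outbound")
            for p in ("udp", "tcp")
            for port in range(lo, hi + 1)
            if not any(covers(r, host, d, p, port) for r in rules)]


BOTH = frozenset({"udp", "tcp"})
# Rows transcribed from the table above (a subset). The Clients row's "specified media port
# range" is not given on the page; 5350-5389 is an assumption made for this example.
RECOMMENDED = [
    IpsecRule("A/V Edge Server Internal Inbound", "Any", "A/V Edge Server Internal", BOTH, ANY, ANY, False),
    IpsecRule("A/V Edge Server Internal Outbound", "A/V Edge Server Internal", "Any", BOTH, ANY, ANY, False),
    IpsecRule("Mediation Server Inbound", "Any", "Mediation Server(s)", BOTH, ANY, ANY, False),
    IpsecRule("Mediation Server Outbound", "Mediation Server(s)", "Any", BOTH, ANY, ANY, False),
    IpsecRule("A/V Conferencing Inbound", "Any", "Front End Servers", BOTH, ANY, ANY, False),
    IpsecRule("A/V Conferencing Outbound", "Front End Servers", "Any", BOTH, ANY, ANY, False),
    IpsecRule("Clients", "Any", "Any", frozenset({"udp"}), (5350, 5389), ANY, False),
]

# Constructed misconfiguration: the Mediation outbound exception was created for UDP only,
# so outbound TCP media from the Mediation Server would still be subject to IPsec negotiation.
BROKEN = [
    r if r.name != "Mediation Server Outbound"
    else IpsecRule(r.name, r.source, r.destination, frozenset({"udp"}),
                   r.source_port, r.dest_port, r.authenticate)
    for r in RECOMMENDED
]

AUDIO_RANGE = (49152, 57500)  # internal audio media range from the server port table

if __name__ == "__main__":
    for label, rules in (("recommended", RECOMMENDED), ("broken", BROKEN)):
        gaps = uncovered(rules, "Mediation Server(s)", AUDIO_RANGE)
        print(f"{label}: {len(gaps)} uncovered (direction, proto, port) tuples", gaps[:2])
```

Run against the recommended rows the Mediation Server has no gaps; against the broken set every TCP port in the range is reported as uncovered in the outbound direction, which is exactly the symptom (one-way media delay on calls the Mediation Server originates) that the recommendation in this topic is meant to prevent.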
Port Summary - Single Consolidated Edge with Private IP Addresses Using NAT
Lync Server 2013
Topic Last Modified: 2013-04-03
The Lync Server 2013 Edge Server functionality described in this scenario architecture is very similar to what was implemented in Lync Server 2010. The most noticeable addition is the port 5269 over TCP entry for the Extensible Messaging and Presence Protocol (XMPP). Lync Server 2013 optionally deploys an XMPP proxy on the Edge Server or Edge pool and the XMPP gateway server on the Front End Server or Front End pool.
In addition to IPv4, the Edge Server now supports IPv6. For clarity, only IPv4 is used in the scenarios.
Port and Protocol Details
We recommend that you open only the ports required to support the functionality for which you are providing external access.
For remote access to work for any edge service, SIP traffic must be allowed to flow bidirectionally as shown in the Inbound/Outbound edge traffic figure. Stated another way, the SIP messaging to and from the Access Edge service is involved in instant messaging (IM), presence, web conferencing, audio/video (A/V), and federation.
Firewall Summary for Single Consolidated Edge with Private IP Addresses Using NAT: External Interface
Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes
XMPP/TCP/5269 | Any | XMPP Proxy service (shares IP address with Access Edge service) | XMPP Proxy service accepts traffic from XMPP contacts in defined XMPP federations
Access/HTTP/TCP/80 | Edge Server Access Edge service | Any | Certificate revocation/CRL check and retrieval
Access/DNS/TCP/53 | Edge Server Access Edge service | Any | DNS query over TCP
Access/DNS/UDP/53 | Edge Server Access Edge service | Any | DNS query over UDP
Access/SIP(TLS)/TCP/443 | Any | Edge Server Access Edge service | Client-to-server SIP traffic for external user access
Access/SIP(MTLS)/TCP/5061 | Any | Edge Server Access Edge service | For federated and public IM connectivity using SIP
Access/SIP(MTLS)/TCP/5061 | Edge Server Access Edge service | Any | For federated and public IM connectivity using SIP
Web Conferencing/PSOM(TLS)/TCP/443 | Any | Edge Server Web Conferencing Edge service | Web Conferencing media
A/V/RTP/TCP/50,000-59,999 | Edge Server A/V Edge service | Any | Required for federating with partners running Office Communications Server 2007, Office Communications Server 2007 R2, Lync Server 2010 and Lync Server 2013.
A/V/RTP/UDP/50,000-59,999 | Edge Server A/V Edge service | Any | Required only for federation with partners running Office Communications Server 2007.
A/V/RTP/TCP/50,000-59,999 | Any | Edge Server A/V Edge service | Required only for federation with partners running Office Communications Server 2007.
A/V/RTP/UDP/50,000-59,999 | Any | Edge Server A/V Edge service | Required only for federation with partners running Office Communications Server 2007.
A/V/STUN,MSTURN/UDP/3478 | Edge Server A/V Edge service | Any | 3478 outbound is used to determine the version of Edge Server that Lync Server is communicating with and also for media traffic from Edge Server to Edge Server. Required for federation with Lync Server 2010, Windows Live Messenger, and Office Communications Server 2007 R2, and also if multiple Edge pools are deployed within a company.
A/V/STUN,MSTURN/UDP/3478 | Any | Edge Server A/V Edge service | STUN/TURN negotiation of candidates over UDP/3478
A/V/STUN,MSTURN/TCP/443 | Any | Edge Server A/V Edge service | STUN/TURN negotiation of candidates over TCP/443
A/V/STUN,MSTURN/TCP/443 | Edge Server A/V Edge service | Any | STUN/TURN negotiation of candidates over TCP/443
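The recommendation in this topic is to open only the ports needed for the external functionality you actually provide, and the Notes column of the external-interface table says which rows belong to which feature. The following added example (this author's code, not Microsoft's) encodes the table rows with the feature each one serves, derives the minimal rule set for a chosen set of features, and answers whether a given flow would pass it. The feature names, the mapping of rows to features, and the placeholder rule syntax printed by render() are this example's own assumptions; the ports, directions and services are the table's.

```python
from collections import namedtuple

# One row of the external-interface table: which Edge service the external IP belongs to,
# protocol, port range, direction ("in": Any -> Edge service; "out": Edge service -> Any),
# the features any one of which requires the row (empty set: always required), and the note.
Rule = namedtuple("Rule", "service proto low high direction features note")

EDGE_EXTERNAL = [
    Rule("Access Edge", "tcp", 5269, 5269, "in", {"xmpp_federation"},
         "XMPP Proxy service (shares the Access Edge IP) accepts traffic from federated XMPP contacts"),
    Rule("Access Edge", "tcp", 80, 80, "out", set(), "Certificate revocation/CRL check and retrieval"),
    Rule("Access Edge", "tcp", 53, 53, "out", set(), "DNS query over TCP"),
    Rule("Access Edge", "udp", 53, 53, "out", set(), "DNS query over UDP"),
    Rule("Access Edge", "tcp", 443, 443, "in", {"remote_access"}, "Client-to-server SIP (TLS) for external user access"),
    Rule("Access Edge", "tcp", 5061, 5061, "in", {"federation"}, "Federated and public IM connectivity (SIP/MTLS)"),
    Rule("Access Edge", "tcp", 5061, 5061, "out", {"federation"}, "Federated and public IM connectivity (SIP/MTLS)"),
    Rule("Web Conferencing Edge", "tcp", 443, 443, "in", {"web_conferencing"}, "Web Conferencing media (PSOM/TLS)"),
    Rule("A/V Edge", "tcp", 50000, 59999, "out", {"federation"}, "RTP to federated partners (OCS 2007 through Lync Server 2013)"),
    Rule("A/V Edge", "udp", 50000, 59999, "out", {"ocs2007_federation"}, "RTP, OCS 2007 partners only"),
    Rule("A/V Edge", "tcp", 50000, 59999, "in", {"ocs2007_federation"}, "RTP, OCS 2007 partners only"),
    Rule("A/V Edge", "udp", 50000, 59999, "in", {"ocs2007_federation"}, "RTP, OCS 2007 partners only"),
    Rule("A/V Edge", "udp", 3478, 3478, "out", {"federation", "multiple_edge_pools"},
         "Edge version detection and Edge-to-Edge media"),
    Rule("A/V Edge", "udp", 3478, 3478, "in", {"av"}, "STUN/TURN candidate negotiation over UDP/3478"),
    Rule("A/V Edge", "tcp", 443, 443, "in", {"av"}, "STUN/TURN candidate negotiation over TCP/443"),
    Rule("A/V Edge", "tcp", 443, 443, "out", {"av"}, "STUN/TURN candidate negotiation over TCP/443"),
]


def select_rules(features):
    """Return only the rows needed for the enabled features (the least-privilege edge policy)."""
    enabled = set(features)
    if "ocs2007_federation" in enabled:
        enabled.add("federation")  # federating with OCS 2007 partners is still SIP federation
    return [r for r in EDGE_EXTERNAL if not r.features or r.features & enabled]


def is_allowed(rules, service, proto, port, direction):
    """Would a flow to/from this Edge service's external IP on proto/port pass the rule set?"""
    return any(r.service == service and r.proto == proto and r.direction == direction
               and r.low <= port <= r.high for r in rules)


def render(rules):
    """One vendor-neutral line per rule; placeholder syntax, not any real firewall's."""
    lines = []
    for r in rules:
        ports = f"{r.low}" if r.low == r.high else f"{r.low}-{r.high}"
        lines.append(f"allow {r.direction:3} {r.proto} {ports} {r.service!r}  # {r.note}")
    return lines


if __name__ == "__main__":
    for line in render(select_rules({"remote_access", "av"})):
        print(line)
```

Note that TCP 443 inbound appears three times with different services: in a NAT deployment each Edge service has its own external address, so "open 443" is not one rule but one per service you actually expose, and a policy that enables only remote access leaves the Web Conferencing and A/V addresses closed on that port.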
Firewall Summary for Single Consolidated Edge with Private IP Addresses Using NAT: Internal Interface
Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Comments
XMPP/MTLS/TCP/23456 | Any (can be defined as Standard Edition server IP address, or pool IP address running the XMPP Gateway service) | Edge Server internal interface | Outbound XMPP traffic from XMPP Gateway service running on Front End Server or Front End pool
SIP/MTLS/TCP/5061 | Any (can be defined as Director, Director pool IP address, Front End Server or Front End pool IP address) | Edge Server internal interface | Outbound SIP traffic (from Director, Director pool IP address, Front End Server or Front End pool IP address) to Edge Server internal interface
SIP/MTLS/TCP/5061 | Edge Server internal interface | Any (can be defined as Director, Director pool IP address, Front End Server or Front End pool IP address) | Inbound SIP traffic (to Director, Director pool IP address, Front End Server or Front End pool IP address) from Edge Server internal interface
PSOM/MTLS/TCP/8057 | Any (can be defined as Front End Server IP address, or each Front End Server IP address in a Front End pool) | Edge Server internal interface | Web conferencing traffic from Front End Server or each Front End Server if in a pool, to Edge Server internal interface
SIP/MTLS/TCP/5062 | Any (can be defined as Front End Server IP address, or Front End pool IP address or any Survivable Branch Appliance or Survivable Branch Server using this Edge Server) | Edge Server internal interface | Authentication of A/V users (A/V authentication service) from Front End Server or Front End pool IP address or any Survivable Branch Appliance or Survivable Branch Server using this Edge Server
STUN/MSTURN/UDP/3478 | Any | Edge Server internal interface | Preferred path for A/V media transfer between internal and external users, Survivable Branch Appliance or Survivable Branch Server
STUN/MSTURN/TCP/443 | Any | Edge Server internal interface | Fallback path for A/V media transfer between internal and external users, Survivable Branch Appliance or Survivable Branch Server if UDP communication cannot be established; TCP is used for file transfer and desktop sharing
HTTPS/TCP/4443 | Any (can be defined as the Front End Server IP address, or pool that holds the Central Management store) | Edge Server internal interface | Replication of changes from the Central Management store to the Edge Server
MTLS/TCP/50001 | Any | Edge Server internal interface | Centralized Logging Service controller using Lync Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection
MTLS/TCP/50002 | Any | Edge Server internal interface | Centralized Logging Service controller using Lync Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection
MTLS/TCP/50003 | Any | Edge Server internal interface | Centralized Logging Service controller using Lync Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection
Firewall Summary for Federation
Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes
Access/SIP(MTLS)/TCP/5061 | Access Edge service public IP address | Any | For federated and public IM connectivity using SIP
Firewall Summary for Public Instant Messaging Connectivity
Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes
Access/SIP(MTLS)/TCP/5061 | Public IM connectivity partners | Edge Server Access Edge service | For federated and public IM connectivity using SIP
Access/SIP(MTLS)/TCP/5061 | Edge Server Access Edge service | Public IM connectivity partners | For federated and public IM connectivity using SIP
Access/SIP(TLS)/TCP/443 | Clients | Edge Server Access Edge service | Client-to-server SIP traffic for external user access
A/V/RTP/TCP/50,000-59,999 | Edge Server A/V Edge service | Live Messenger clients | Used for A/V sessions with Windows Live Messenger if public IM connectivity is configured.
A/V/STUN,MSTURN/UDP/3478 | Edge Server A/V Edge service | Live Messenger clients | Required for public IM connectivity with Windows Live Messenger
A/V/STUN,MSTURN/UDP/3478 | Live Messenger clients | Edge Server A/V Edge service | Required for public IM connectivity with Windows Live Messenger
Firewall Summary for Extensible Messaging and Presence Protocol
Protocol/TCP or UDP/Port | Source (IP address) | Destination (IP address) | Comments
XMPP/TCP/5269 | Any | Edge Server Access Edge service interface IP address | Standard server-to-server communication port for XMPP. Allows communication to the Edge Server XMPP proxy from federated XMPP partners
XMPP/TCP/5269 | Edge Server Access Edge service interface IP address | Any | Standard server-to-server communication port for XMPP. Allows communication from the Edge Server XMPP proxy to federated XMPP partners
XMPP/MTLS/TCP/23456 | Any | Each internal Edge Server interface IP | Internal XMPP traffic from the XMPP Gateway on the Front End Server or Front End pool to the Edge Server internal IP address or each Edge pool member's internal IP address
Port Summary - Single Consolidated Edge with Public IP Addresses
Lync Server 2013
Topic Last Modified: 2013-02-21
The Lync Server 2013 Edge Server functionality described in this scenario architecture is very similar to what was implemented in Lync Server 2010. The most noticeable addition is the port 5269 over TCP entry for the Extensible Messaging and Presence Protocol (XMPP). Lync Server 2013 optionally deploys an XMPP proxy on the Edge Server or Edge pool and the XMPP gateway server on the Front End Server or Front End pool. Planning information for the reverse proxy and for federation is found in the Scenarios for Reverse Proxy and Scenarios for Federation, Public Instant Messaging Connectivity, and XMPP Federation sections, respectively.
In addition to IPv4, the Edge Server now supports IPv6. For clarity, only IPv4 is used in the scenarios.
Port and Protocol Details
We recommend that you open only the ports required to support the functionality for which you are providing external access.
For remote access to work for any edge service, SIP traffic must be allowed to flow bidirectionally as shown in the Inbound/Outbound edge traffic figure. Stated another way, the SIP messaging to and from the Access Edge service is involved in instant messaging (IM), presence, web conferencing, audio/video (A/V), and federation.
Firewall Summary for Single Consolidated Edge with Public IP Addresses: External Interface
Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes
XMPP/TCP/5269 | Any | XMPP Proxy service (shares IP address with Access Edge service) | XMPP Proxy service accepts traffic from XMPP contacts in defined XMPP federations
Access/HTTP/TCP/80 | Edge Server Access Edge service public IP address | Any | Certificate revocation/CRL check and retrieval
Access/DNS/TCP/53 | Edge Server Access Edge service public IP address | Any | DNS query over TCP
Access/DNS/UDP/53 | Edge Server Access Edge service public IP address | Any | DNS query over UDP
Access/SIP(TLS)/TCP/443 | Any | Edge Server Access Edge service public IP address | Client-to-server SIP traffic for external user access
Access/SIP(MTLS)/TCP/5061 | Any | Edge Server Access Edge service public IP address | For federated and public IM connectivity using SIP
Access/SIP(MTLS)/TCP/5061 | Edge Server Access Edge service public IP address | Any | For federated and public IM connectivity using SIP
Web Conferencing/PSOM(TLS)/TCP/443 | Any | Edge Server Web Conferencing Edge service public IP address | Web Conferencing media
A/V/RTP/TCP/50,000-59,999 | Edge Server Access Edge service public IP address | Any | Required for federating with partners running Office Communications Server 2007, Office Communications Server 2007 R2, Lync Server 2010 and Lync Server 2013.
A/V/RTP/UDP/50,000-59,999 | Edge Server A/V Edge service public IP address | Any | Required only for federation with partners running Office Communications Server 2007.
A/V/RTP/TCP/50,000-59,999 | Any | Edge Server A/V Edge service public IP address | Required only for federation with partners running Office Communications Server 2007.
A/V/RTP/UDP/50,000-59,999 | Any | Edge Server A/V Edge service public IP address | Required only for federation with partners running Office Communications Server 2007.
A/V/STUN,MSTURN/UDP/3478 | Edge Server A/V Edge service public IP address | Any | 3478 outbound is used to determine the version of Edge Server that Lync Server is communicating with and also for media traffic from Edge Server to Edge Server. Required for federation with Lync Server 2010, Windows Live Messenger, and Office Communications Server 2007 R2, and also if multiple Edge pools are deployed within a company.
A/V/STUN,MSTURN/UDP/3478 | Any | Edge Server A/V Edge service public IP address | STUN/TURN negotiation of candidates over UDP/3478
A/V/STUN,MSTURN/TCP/443 | Any | Edge Server A/V Edge service public IP address | STUN/TURN negotiation of candidates over TCP/443
A/V/STUN,MSTURN/TCP/443 | Edge Server A/V Edge service public IP address | Any | STUN/TURN negotiation of candidates over TCP/443
Firewall Summary for Single Consolidated Edge with Public IP Addresses: Internal Interface

Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Comments
--- | --- | --- | ---
XMPP/MTLS/TCP/23456 | Any (can be defined as Standard Edition server IP, Standard Edition server IP address, or pool IP address running the XMPP Gateway service) | Edge Server internal interface | Outbound XMPP traffic from XMPP Gateway service running on Front End Server or Front End pool
SIP/MTLS/TCP/5061 | Any (can be defined as Director, Director pool IP address, Front End Server or Front End pool IP address) | Edge Server IP, or pool that holds the internal interface | Outbound SIP traffic (from Director, Director pool IP address, Front End Server or Front End pool IP address) to Edge Server internal interface
SIP/MTLS/TCP/5061 | Edge Server internal interface | Any (can be defined as Director, Director pool IP address, Front End Server or Front End pool address) | Inbound SIP traffic (to Director, Director pool IP address, Front End Server or Front End pool IP address) from Edge Server internal interface
PSOM/MTLS/TCP/8057 | Any (can be defined as Front End Server IP address, or each Front End Server IP address in a Front End pool) | Edge Server internal interface | Web conferencing traffic from Front End Server or each Front End Server if in a pool, to Edge Server internal interface
SIP/MTLS/TCP/5062 | Any (can be defined as Front End Server IP address, or Front End pool IP address or any Survivable Branch Appliance or Survivable Branch Server using this Edge Server) | Edge Server internal interface | Authentication of A/V users (A/V authentication service) from Front End Server or Front End pool IP address or any Survivable Branch Appliance or Survivable Branch Server using this Edge Server
STUN/MSTURN/UDP/3478 | Any | Edge Server internal interface | Preferred path for A/V media transfer between internal and external users, Survivable Branch Appliance or Survivable Branch Server
STUN/MSTURN/TCP/443 | Any | Edge Server internal interface | Fallback path for A/V media transfer between internal and external users, Survivable Branch Appliance or Survivable Branch Server if UDP communication cannot be established; TCP is used for file transfer and desktop sharing
HTTPS/TCP/4443 | Any (can be defined as the Front End Server IP address, or pool that holds the Central Management store) | Edge Server internal interface | Replication of changes from the Central Management store to the Edge Server
MTLS/TCP/50001 | Any | Edge Server internal interface | Centralized Logging Service controller using Lync Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection
MTLS/TCP/50002 | Any | Edge Server internal interface | Centralized Logging Service controller using Lync Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection
MTLS/TCP/50003 | Any | Edge Server internal interface | Centralized Logging Service controller using Lync Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection
Firewall Summary for Federation

Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes
--- | --- | --- | ---
Access/SIP(MTLS)/TCP/5061 | Access Edge service public IP address | Any | For federated and public IM connectivity using SIP
Firewall Summary Public Instant Messaging Connectivity

Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes
--- | --- | --- | ---
Access/SIP(MTLS)/TCP/5061 | Public IM connectivity partners | Edge Server Access Edge service | For federated and public IM connectivity using SIP
Access/SIP(MTLS)/TCP/5061 | Edge Server Access Edge service | Public IM connectivity partners | For federated and public IM connectivity using SIP
Access/SIP(TLS)/TCP/443 | Clients | Edge Server Access Edge service | Client-to-server SIP traffic for external user access
A/V/RTP/TCP/50,000-59,999 | Edge Server A/V Edge service | Live Messenger clients | Used for A/V sessions with Windows Live Messenger if public IM connectivity is configured.
A/V/STUN,MSTURN/UDP/3478 | Edge Server A/V Edge service | Live Messenger clients | Required for public IM connectivity with Windows Live Messenger
A/V/STUN,MSTURN/UDP/3478 | Live Messenger clients | Edge Server A/V Edge service | Required for public IM connectivity with Windows Live Messenger
Firewall Summary for Extensible Messaging and Presence Protocol

Protocol/TCP or UDP/Port | Source (IP address) | Destination (IP address) | Comments
--- | --- | --- | ---
XMPP/TCP/5269 | Any | Edge Server Access Edge service interface IP address | Standard server-to-server communication port for XMPP. Allows communication to the Edge Server XMPP proxy from federated XMPP partners
XMPP/TCP/5269 | Edge Server Access Edge service interface IP address | Any | Standard server-to-server communication port for XMPP. Allows communication from the Edge Server XMPP proxy to federated XMPP partners
XMPP/MTLS/TCP/23456 | Any | Each internal Edge Server interface IP | Internal XMPP traffic from the XMPP Gateway on the Front End Server or Front End pool to the Edge Server internal IP address or each Edge pool member's internal IP address
Port Summary - Scaled Consolidated Edge, DNS Load Balancing with Private IP Addresses Using NAT
Lync Server 2013
Topic Last Modified: 2012-12-04
The Lync Server 2013 Edge Server functionality described in this scenario architecture is very similar to what was implemented in Lync Server 2010. The most noticeable addition is the TCP port 5269 entry for the Extensible Messaging and Presence Protocol (XMPP). Lync Server 2013 optionally deploys an XMPP proxy on the Edge Server or Edge pool and the XMPP gateway server on the Front End Server or Front End pool.
In addition to IPv4, the Edge Server now supports IPv6. For clarity, only IPv4 is used in the scenarios.
Port and Protocol Details
It is recommended that you open only the ports required to support the functionality for which you are providing external access.
For remote access to work for any edge service, SIP traffic must be allowed to flow bi-directionally as shown in the Inbound/Outbound edge traffic figure. Stated another way, the SIP messaging to and from the Access Edge service is involved in instant messaging (IM), presence, web conferencing, audio/video (A/V) and federation.
Firewall Summary for Scaled Consolidated Edge, DNS Load Balancing with Private IP Addresses Using NAT: External Interface Node 1 and Node 2 Example

Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes
--- | --- | --- | ---
XMPP/TCP/5269 | Any | XMPP Proxy service (shares IP address with Access Edge service) | XMPP Proxy service accepts traffic from XMPP contacts in defined XMPP federations
XMPP/TCP/5269 | XMPP Proxy service (shares IP address with Access Edge service) | Any | XMPP Proxy service sends traffic to XMPP contacts in defined XMPP federations
Access/HTTP/TCP/80 | Edge Server Access Edge service | Any | Certificate revocation/CRL check and retrieval
Access/DNS/TCP/53 | Edge Server Access Edge service | Any | DNS query over TCP
Access/DNS/UDP/53 | Edge Server Access Edge service | Any | DNS query over UDP
Access/SIP(TLS)/TCP/443 | Any | Edge Server Access Edge service | Client-to-server SIP traffic for external user access
Access/SIP(MTLS)/TCP/5061 | Any | Edge Server Access Edge service | For federated and public IM connectivity using SIP
Access/SIP(MTLS)/TCP/5061 | Edge Server Access Edge service | Any | For federated and public IM connectivity using SIP
Web Conferencing/PSOM(TLS)/TCP/443 | Any | Edge Server Web Conferencing Edge service | Web Conferencing media
A/V/RTP/TCP/50,000-59,999 | Edge Server A/V Edge service | Any | Required for federating with partners running Office Communications Server 2007, Office Communications Server 2007 R2, Lync Server 2010 and Lync Server 2013.
A/V/RTP/UDP/50,000-59,999 | Edge Server A/V Edge service | Any | Required only for federation with partners running Office Communications Server 2007.
A/V/RTP/TCP/50,000-59,999 | Any | Edge Server A/V Edge service | Required only for federation with partners running Office Communications Server 2007
A/V/RTP/UDP/50,000-59,999 | Any | Edge Server A/V Edge service | Required only for federation with partners running Office Communications Server 2007
A/V/STUN,MSTURN/UDP/3478 | Edge Server A/V Edge service | Any | 3478 outbound is used to determine the version of Edge Server that Lync Server is communicating with and also for media traffic from Edge Server-to-Edge Server. Required for federation with Lync Server 2010, Windows Live Messenger, and Office Communications Server 2007 R2, and also if multiple Edge pools are deployed within a company.
A/V/STUN,MSTURN/UDP/3478 | Any | Edge Server A/V Edge service | STUN/TURN negotiation of candidates over UDP/3478
A/V/STUN,MSTURN/TCP/443 | Any | Edge Server A/V Edge service | STUN/TURN negotiation of candidates over TCP/443
A/V/STUN,MSTURN/TCP/443 | Edge Server A/V Edge service | Any | STUN/TURN negotiation of candidates over TCP/443
Firewall Summary for Scaled Consolidated Edge, DNS Load Balancing with Private IP Addresses Using NAT: Internal Interface Node 1 and Node 2 Example

Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Comments
--- | --- | --- | ---
XMPP/MTLS/TCP/23456 | Any (can be defined as Front End Server address, or Front End pool IP address running the XMPP Gateway service) | Edge Server internal interface IP address | Outbound XMPP traffic from XMPP Gateway service running on Front End Server or Front End pool
SIP/MTLS/TCP/5061 | Any (can be defined as Director, Director pool IP address, Front End Server or Front End pool IP address) | Edge Server internal interface | Outbound SIP traffic (from Director, Director pool IP address, Front End Server or Front End pool IP address) to Edge Server internal interface
SIP/MTLS/TCP/5061 | Edge Server internal interface | Any (can be defined as Director, Director pool IP address, Front End Server or Front End pool IP address) | Inbound SIP traffic (to Director, Director pool IP address, Front End Server or Front End pool IP address) from Edge Server internal interface
PSOM/MTLS/TCP/8057 | Any (can be defined as Front End Server IP address, or each Front End Server IP address in a Front End pool) | Edge Server internal interface | Web conferencing traffic from Front End Server or each Front End Server if in a pool, to Edge Server internal interface
SIP/MTLS/TCP/5062 | Any (can be defined as Front End Server IP address, or Front End pool IP address or any Survivable Branch Appliance or Survivable Branch Server using this Edge Server) | Edge Server internal interface | Authentication of A/V users (A/V authentication service) from Front End Server or Front End pool IP address or any Survivable Branch Appliance or Survivable Branch Server using this Edge Server
STUN/MSTURN/UDP/3478 | Any | Edge Server internal interface | Preferred path for A/V media transfer between internal and external users, Survivable Branch Appliance or Survivable Branch Server
STUN/MSTURN/TCP/443 | Any | Edge Server internal interface | Fallback path for A/V media transfer between internal and external users, Survivable Branch Appliance or Survivable Branch Server if UDP communication cannot be established; TCP is used for file transfer and desktop sharing
HTTPS/TCP/4443 | Any (can be defined as the Front End Server IP address, or pool that holds the Central Management store) | Edge Server internal interface | Replication of changes from the Central Management store to the Edge Server
MTLS/TCP/50001 | Any | Edge Server internal interface | Centralized Logging Service controller using Lync Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection
MTLS/TCP/50002 | Any | Edge Server internal interface | Centralized Logging Service controller using Lync Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection
MTLS/TCP/50003 | Any | Edge Server internal interface | Centralized Logging Service controller using Lync Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection
Firewall Summary for Federation

Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes
--- | --- | --- | ---
Access/SIP(MTLS)/TCP/5061 | Access Edge service public IP address | Any | For federated and public IM connectivity using SIP
Firewall Summary Public Instant Messaging Connectivity

Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes
--- | --- | --- | ---
Access/SIP(MTLS)/TCP/5061 | Public IM connectivity partners | Edge Server Access Edge service | For federated and public IM connectivity using SIP
Access/SIP(MTLS)/TCP/5061 | Edge Server Access Edge service | Public IM connectivity partners | For federated and public IM connectivity using SIP
Access/SIP(TLS)/TCP/443 | Clients | Edge Server Access Edge service | Client-to-server SIP traffic for external user access
A/V/RTP/TCP/50,000-59,999 | Edge Server A/V Edge service | Live Messenger clients | Used for A/V sessions with Windows Live Messenger if public IM connectivity is configured.
A/V/STUN,MSTURN/UDP/3478 | Edge Server A/V Edge service | Live Messenger clients | Required for public IM connectivity with Windows Live Messenger
A/V/STUN,MSTURN/UDP/3478 | Live Messenger clients | Edge Server A/V Edge service | Required for public IM connectivity with Windows Live Messenger
Firewall Summary for Extensible Messaging and Presence Protocol

Protocol/TCP or UDP/Port | Source (IP address) | Destination (IP address) | Comments
--- | --- | --- | ---
XMPP/TCP/5269 | Any | Edge Server Access Edge service interface IP address | Standard server-to-server communication port for XMPP. Allows communication to the Edge Server XMPP proxy from federated XMPP partners
XMPP/TCP/5269 | Edge Server Access Edge service interface IP address | Any | Standard server-to-server communication port for XMPP. Allows communication from the Edge Server XMPP proxy to federated XMPP partners
XMPP/MTLS/TCP/23456 | Any | Each internal Edge Server interface IP | Internal XMPP traffic from the XMPP Gateway on the Front End Server or Front End pool to the Edge Server internal IP address or each Edge pool member's internal IP address
Port Summary - Scaled Consolidated Edge, DNS Load Balancing with Public IP Addresses
Lync Server 2013
Topic Last Modified: 2013-04-03
The Lync Server 2013 Edge Server functionality described in this scenario architecture is very similar to what was implemented in Lync Server 2010. The most noticeable addition is the TCP port 5269 entry for the Extensible Messaging and Presence Protocol (XMPP). Lync Server 2013 optionally deploys an XMPP proxy on the Edge Server or Edge pool and the XMPP gateway server on the Front End Server or Front End pool.
In addition to IPv4, the Edge Server now supports IPv6. For clarity, only IPv4 is used in the scenarios.
Port and Protocol Details
It is recommended that you open only the ports required to support the functionality for which you are providing external access.
For remote access to work for any edge service, SIP traffic must be allowed to flow bi-directionally as shown in the Inbound/Outbound edge traffic figure. Stated another way, the SIP messaging to and from the Access Edge service is involved in instant messaging (IM), presence, web conferencing, audio/video (A/V) and federation.
Firewall Summary for Scaled Consolidated Edge, DNS Load Balancing with Public IP Addresses: External Interface Node 1 and Node 2 (Example)

Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes
--- | --- | --- | ---
XMPP/TCP/5269 | Any | XMPP Proxy service (shares IP address with Access Edge service) | XMPP Proxy service accepts traffic from XMPP contacts in defined XMPP federations
Access/HTTP/TCP/80 | Edge Server Access Edge service public IP address | Any | Certificate revocation/CRL check and retrieval
Access/DNS/TCP/53 | Edge Server Access Edge service public IP address | Any | DNS query over TCP
Access/DNS/UDP/53 | Edge Server Access Edge service public IP address | Any | DNS query over UDP
Access/SIP(TLS)/TCP/443 | Any | Edge Server Access Edge service public IP address | Client-to-server SIP traffic for external user access
Access/SIP(MTLS)/TCP/5061 | Any | Edge Server Access Edge service public IP address | For federated and public IM connectivity using SIP
Access/SIP(MTLS)/TCP/5061 | Edge Server Access Edge service public IP address | Any | For federated and public IM connectivity using SIP
Web Conferencing/PSOM(TLS)/TCP/443 | Any | Edge Server Web Conferencing Edge service public IP address | Web Conferencing media
A/V/RTP/TCP/50,000-59,999 | Edge Server A/V Edge service public IP address | Any | Required for federating with partners running Office Communications Server 2007, Office Communications Server 2007 R2, Lync Server 2010 and Lync Server 2013.
A/V/RTP/UDP/50,000-59,999 | Edge Server A/V Edge service public IP address | Any | Required only for federation with partners running Office Communications Server 2007.
A/V/RTP/TCP/50,000-59,999 | Any | Edge Server A/V Edge service public IP address | Required only for federation with partners running Office Communications Server 2007
A/V/RTP/UDP/50,000-59,999 | Any | Edge Server A/V Edge service public IP address | Required only for federation with partners running Office Communications Server 2007
A/V/STUN,MSTURN/UDP/3478 | Edge Server A/V Edge service public IP address | Any | 3478 outbound is used to determine the version of Edge Server that Lync Server is communicating with and also for media traffic from Edge Server-to-Edge Server. Required for federation with Lync Server 2010, Windows Live Messenger, and Office Communications Server 2007 R2, and also if multiple Edge pools are deployed within a company.
A/V/STUN,MSTURN/UDP/3478 | Any | Edge Server A/V Edge service public IP address | STUN/TURN negotiation of candidates over UDP/3478
A/V/STUN,MSTURN/TCP/443 | Any | Edge Server A/V Edge service public IP address | STUN/TURN negotiation of candidates over TCP/443
A/V/STUN,MSTURN/TCP/443 | Edge Server A/V Edge service | Any | STUN/TURN negotiation of candidates over TCP/443
Firewall Summary for Scaled Consolidated Edge, DNS Load Balancing with Public IP Addresses: Internal Interface Node 1 and Node 2 (Example)

Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Comments
--- | --- | --- | ---
XMPP/MTLS/TCP/23456 | Any (can be defined as Front End Server address, or Front End pool IP address running the XMPP Gateway service) | Edge Server internal interface | Outbound XMPP traffic from XMPP Gateway service running on Front End Server or Front End pool
SIP/MTLS/TCP/5061 | Any (can be defined as Director, Director pool IP address, Front End Server or Front End pool IP address) | Edge Server internal interface | Outbound SIP traffic (from Director, Director pool IP address, Front End Server or Front End pool IP address) to Edge Server internal interface
SIP/MTLS/TCP/5061 | Edge Server internal interface | Any (can be defined as Director, Director pool IP address, Front End Server or Front End pool IP address) | Inbound SIP traffic (to Director, Director pool IP address, Front End Server or Front End pool IP address) from Edge Server internal interface
PSOM/MTLS/TCP/8057 | Any (can be defined as Front End Server IP address, or each Front End Server IP address in a Front End pool) | Edge Server internal interface | Web conferencing traffic from Front End Server or each Front End Server if in a pool, to Edge Server internal interface
SIP/MTLS/TCP/5062 | Any (can be defined as Front End Server IP address, or Front End pool IP address or any Survivable Branch Appliance or Survivable Branch Server using this Edge Server) | Edge Server internal interface | Authentication of A/V users (A/V authentication service) from Front End Server or Front End pool IP address or any Survivable Branch Appliance or Survivable Branch Server using this Edge Server
STUN/MSTURN/UDP/3478 | Any | Edge Server internal interface | Preferred path for A/V media transfer between internal and external users, Survivable Branch Appliance or Survivable Branch Server
STUN/MSTURN/TCP/443 | Any | Edge Server internal interface | Fallback path for A/V media transfer between internal and external users, Survivable Branch Appliance or Survivable Branch Server if UDP communication cannot be established; TCP is used for file transfer and desktop sharing
HTTPS/TCP/4443 | Any (can be defined as the Front End Server IP address, or pool that holds the Central Management store) | Edge Server internal interface | Replication of changes from the Central Management store to the Edge Server
MTLS/TCP/50001 | Any | Edge Server internal interface | Centralized Logging Service controller using Lync Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection
MTLS/TCP/50002 | Any | Edge Server internal interface | Centralized Logging Service controller using Lync Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection
MTLS/TCP/50003 | Any | Edge Server internal interface | Centralized Logging Service controller using Lync Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection
Firewall Summary for Federation

Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes
--- | --- | --- | ---
Access/SIP(MTLS)/TCP/5061 | Access Edge service public IP address | Any | For federated and public IM connectivity using SIP
Firewall Summary Public Instant Messaging Connectivity

Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes
--- | --- | --- | ---
Access/SIP(MTLS)/TCP/5061 | Public IM connectivity partners | Edge Server Access Edge service | For federated and public IM connectivity using SIP
Access/SIP(MTLS)/TCP/5061 | Edge Server Access Edge service | Public IM connectivity partners | For federated and public IM connectivity using SIP
Access/SIP(TLS)/TCP/443 | Clients | Edge Server Access Edge service | Client-to-server SIP traffic for external user access
A/V/RTP/TCP/50,000-59,999 | Edge Server A/V Edge service | Live Messenger clients | Used for A/V sessions with Windows Live Messenger if public IM connectivity is configured.
A/V/STUN,MSTURN/UDP/3478 | Edge Server A/V Edge service | Live Messenger clients | Required for public IM connectivity with Windows Live Messenger
A/V/STUN,MSTURN/UDP/3478 | Live Messenger clients | Edge Server A/V Edge service | Required for public IM connectivity with Windows Live Messenger
Firewall Summary for Extensible Messaging and Presence Protocol

Protocol/TCP or UDP/Port | Source (IP address) | Destination (IP address) | Comments
--- | --- | --- | ---
XMPP/TCP/5269 | Any | Edge Server Access Edge service interface IP address | Standard server-to-server communication port for XMPP. Allows communication to the Edge Server XMPP proxy from federated XMPP partners
XMPP/TCP/5269 | Edge Server Access Edge service interface IP address | Any | Standard server-to-server communication port for XMPP. Allows communication from the Edge Server XMPP proxy to federated XMPP partners
XMPP/MTLS/TCP/23456 | Any | Each internal Edge Server interface IP | Internal XMPP traffic from the XMPP Gateway on the Front End Server or Front End pool to the Edge Server internal IP address or each Edge pool member's internal IP address
Port Summary - Scaled Consolidated Edge with Hardware Load Balancers
Lync Server 2013
Topic Last Modified: 2012-12-04
The Lync Server 2013 Edge Server functionality described in this scenario architecture is very similar to what was implemented in Lync Server 2010. The most noticeable addition is the TCP port 5269 entry for the Extensible Messaging and Presence Protocol (XMPP). Lync Server 2013 optionally deploys an XMPP proxy on the Edge Server or Edge pool and the XMPP gateway server on the Front End Server or Front End pool.
In addition to IPv4, the Edge Server now supports IPv6. For clarity, only IPv4 is used in the scenarios.
Port and Protocol Details
It is recommended that you open only the ports required to support the functionality for which you are providing external access.
For remote access to work for any edge service, SIP traffic must be allowed to flow bi-directionally as shown in the Inbound/Outbound edge traffic figure. Stated another way, the SIP messaging to and from the Access Edge service is involved in instant messaging (IM), presence, web conferencing, audio/video (A/V) and federation.
Firewall Summary for Scaled Consolidated Edge, Hardware Load Balanced: External Interface Node 1 and Node 2 (Example)

Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes
--- | --- | --- | ---
Access/HTTP/TCP/80 | Edge Server Access Edge service public IP address | Any | Certificate revocation/CRL check and retrieval
Access/DNS/TCP/53 | Edge Server Access Edge service public IP address | Any | DNS query over TCP
Access/DNS/UDP/53 | Edge Server Access Edge service public IP address | Any | DNS query over UDP
A/V/RTP/TCP/50,000-59,999 | Edge Server A/V Edge service IP address | Any | Required for federating with partners running Office Communications Server 2007, Office Communications Server 2007 R2, Lync Server 2010 and Lync Server 2013.
A/V/RTP/UDP/50,000-59,999 | Edge Server A/V Edge service public IP address | Any | Required only for federation with partners running Office Communications Server 2007.
A/V/RTP/TCP/50,000-59,999 | Any | Edge Server A/V Edge service public IP address | Required only for federation with partners running Office Communications Server 2007
A/V/RTP/UDP/50,000-59,999 | Any | Edge Server A/V Edge service public IP address | Required only for federation with partners running Office Communications Server 2007
A/V/STUN,MSTURN/UDP/3478 | Edge Server A/V Edge service public IP address | Any | 3478 outbound is used to determine the version of Edge Server that Lync Server is communicating with and also for media traffic from Edge Server-to-Edge Server. Required for federation with Lync Server 2010, Windows Live Messenger, and Office Communications Server 2007 R2, and also if multiple Edge pools are deployed within a company.
A/V/STUN,MSTURN/UDP/3478 | Any | Edge Server A/V Edge service public IP address | STUN/TURN negotiation of candidates over UDP/3478
A/V/STUN,MSTURN/TCP/443 | Any | Edge Server A/V Edge service public IP address | STUN/TURN negotiation of candidates over TCP/443
A/V/STUN,MSTURN/TCP/443 | Edge Server A/V Edge service public IP address | Any | STUN/TURN negotiation of candidates over TCP/443
Firewall Summary for Scaled Consolidated Edge, Hardware Load Balanced: Internal Interface Node 1 and Node 2

Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes
--- | --- | --- | ---
XMPP/MTLS/TCP/23456 | Any (can be defined as Front End Server address, or Front End pool virtual IP address running the XMPP Gateway service) | Edge Server internal interface | Outbound XMPP traffic from XMPP Gateway service running on Front End Server or Front End pool
HTTPS/TCP/4443 | Any (can be defined as the Front End Server IP or pool that holds the Central Management store) | Edge Server internal interface | Replication of changes from the Central Management store to the Edge Server
PSOM/MTLS/TCP/8057 | Any (can be defined as Director IP, Front End Server IP or Pool virtual IP) | Edge Server internal interface | Web conferencing traffic from internal deployment to internal Edge Server interface
STUN/MSTURN/UDP/3478 | Any (can be defined as Director IP, Front End Server IP or Pool virtual IP) | Edge Server internal interface | Preferred path for A/V media transfer between internal and external users, Survivable Branch Appliance or Survivable Branch Server
STUN/MSTURN/TCP/443 | Any (can be defined as Director IP, Front End Server IP or Pool virtual IP) | Edge Server internal interface | Fallback path for A/V media transfer between internal and external users, Survivable Branch Appliance or Survivable Branch Server if UDP communication cannot be established; TCP is used for file transfer and desktop sharing
MTLS/TCP/50001 | Any | Edge Server internal interface | Centralized Logging Service controller using Lync Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection
MTLS/TCP/50002 | Any | Edge Server internal interface | Centralized Logging Service controller using Lync Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection
MTLS/TCP/50003 | Any | Edge Server internal interface | Centralized Logging Service controller using Lync Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection
Hardware load balancers have specific requirements when deployed to provide availability and load balancing for Lync Server. The requirements are defined in the following figure and tables. Third party vendors may use different terminology for the requirements defined here. It will be necessary to map the requirements of Lync Server to the features and configuration options provided by your hardware load balancer vendor.
When configuring hardware load balancers, consider the following requirements:
- Source Network Address Translation (SNAT) can be configured on the hardware load balancer (HLB) for the Access Edge service and Web Conferencing Edge service.
- SNAT cannot be configured on the A/V Edge service; the A/V Edge service must respond with the real server address, not the HLB virtual IP (VIP), for simple traversal of UDP over NAT (STUN)/traversal using relay NAT (TURN)/federation TURN (FTURN) to work properly.
- Public IP addresses are used on each server interface and on the VIPs of the HLB, and your public IP address requirements are N+1, where there is a public IP address for each real server interface and one for each HLB VIP. Where you have 2 Edge servers in the pool, this results in 6 public IP addresses, where 3 are used for the HLB VIPs, and one for each Edge server interface (a total of six for the servers).
- For the Access Edge service and Web Conferencing Edge service (using NAT on the HLB), the client contacts the VIP, and the VIP changes the source IP address from the client to its own IP address. The server interface addresses the return traffic to the VIP; the VIP changes the source address from the server interface IP address and sends the packet to the client.
- For the A/V Edge service, the VIP must NOT change the source IP address, and the real server address is returned to the client directly; you cannot configure NAT on the HLB for A/V traffic.
- For A/V, the external firewall will retain the real server public IP address for all packets.
- Once established, client to A/V Edge service communication is to the real server, not the HLB.
- Internal edge to internal servers and clients must be routed, and persistent routes are set for all internal networks that host servers or clients.
- The HLB Access Edge service VIP will act as the default gateway for each Edge server interface.
External Port Settings Required for Scaled Consolidated Edge, Hardware Load Balanced: External Interface Virtual IPs

Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes
--- | --- | --- | ---
XMPP/TCP/5269 | Any | XMPP Proxy service (shares IP address with Access Edge service) | XMPP Proxy service accepts traffic from XMPP contacts in defined XMPP federations
XMPP/TCP/5269 | XMPP Proxy service (shares IP address with Access Edge service) | Any | XMPP Proxy service sends traffic to XMPP contacts in defined XMPP federations
Access/SIP(TLS)/TCP/443 | Any | Access Edge service public VIP address | Client-to-server SIP traffic for external user access
Access/SIP(MTLS)/TCP/5061 | Any | Access Edge service public VIP address | SIP signaling, federated and public IM connectivity using SIP
Access/SIP(MTLS)/TCP/5061 | Access Edge service public VIP address | Federated partner | SIP signaling, federated and public IM connectivity using SIP
Web Conferencing/PSOM(TLS)/TCP/443 | Any | Edge Server Web Conferencing Edge service public VIP address | Web Conferencing media
A/V/STUN,MSTURN/UDP/3478 | Any | Edge Server A/V Edge service public VIP address | STUN/TURN negotiation of candidates over UDP/3478
A/V/STUN,MSTURN/TCP/443 | Any | Edge Server A/V Edge service public VIP address | STUN/TURN negotiation of candidates over TCP/443
Firewall Summary for Scaled Consolidated Edge, Hardware Load Balanced: Internal Interface Virtual IPs

Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes
--- | --- | --- | ---
Access/SIP(MTLS)/TCP/5061 | Any (can be defined as Director, Director pool virtual IP address, Front End Server or Front End pool virtual IP address) | Edge Server Internal VIP interface | Outbound SIP traffic (from Director, Director pool virtual IP address, Front End Server or Front End pool virtual IP address) to Internal Edge VIP
Access/SIP(MTLS)/TCP/5061 | Edge Server Internal VIP interface | Any (can be defined as Director, Director pool virtual IP address, Front End Server or Front End pool virtual IP address) | Inbound SIP traffic (to Director, Director pool virtual IP address, Front End Server or Front End pool virtual IP address) from Edge Server internal interface
SIP/MTLS/TCP/5062 | Any (can be defined as Front End Server IP address, or Front End pool IP address or any Survivable Branch Appliance or Survivable Branch Server using this Edge Server) | Edge Server Internal VIP interface | Authentication of A/V users (A/V authentication service) from Front End Server or Front End pool IP address or any Survivable Branch Appliance or Survivable Branch Server using this Edge Server
STUN/MSTURN/UDP/3478 | Any | Edge Server Internal VIP interface | Preferred path for A/V media transfer between internal and external users
STUN/MSTURN/TCP/443 | Any | Edge Server Internal VIP interface | Fallback path for A/V media transfer between internal and external users if UDP communication cannot be established; TCP is used for file transfer and desktop sharing
STUN/MSTURN/TCP/443 | Edge Server Internal VIP interface | Any | Fallback path for A/V media transfer between internal and external users if UDP communication cannot be established; TCP is used for file transfer and desktop sharing
Port Summary - Reverse Proxy
Lync Server 2013
Topic Last Modified: 2013-02-15
The reverse proxy has minimal firewall and port/protocol requirements.
External firewall requirements are HTTPS/TCP/443 and, optionally, HTTP/TCP/80. HTTPS carries the SSL/TLS-secured communications through the reverse
proxy. HTTP is used only if you choose to allow access to the Autodiscover Service in cases where modifying certificates is difficult or not cost justified.
Clients expect to contact the Office Web Apps Server over HTTPS, and the Office Web Apps Server expects communication from internal clients on HTTPS/TCP/443. The
recommended configuration is to allow HTTPS/TCP/443 from the reverse proxy to the Office Web Apps Server.
Port TCP 8080 is used to route traffic from the reverse proxy internal interface to the Front End Server, Front End pool virtual IP (VIP), or the optional Director or
Director pool VIP. It is required for mobile devices running Lync to locate the Autodiscover Service in situations where modifying the external web
service publishing rule certificate is undesirable (for example, if you have a large number of SIP domains). If you instead acquire new certificates with the
necessary SAN entries, TCP 8080 is not needed.
Port TCP 4443 is used for traffic from the reverse proxy internal interface to the Front End Server, Front End pool VIP, or the optional Director or Director
pool VIP.
Caution:
Do not confuse the TCP 4443 traffic from the reverse proxy to the internal deployment with the TCP 4443 traffic from the Standard Edition server or
the Front End pool that manages the Central Management store role (Central Management store replication between Lync servers). The two share a port number but
have different sources and destinations, so scope the reverse proxy rule to the reverse proxy internal interface rather than to Any.
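As an added example (not code from the original page or from Microsoft), the following Python encodes the bridging described above and the distinction the caution draws: it validates reverse proxy publishing rules against the documented listener-to-port mapping, rejects any rule that bridges published traffic onto the pool's internal web site, and classifies an observed TCP 4443 flow by its endpoints. The addresses, rule names and network inventory are assumptions made for illustration.

```python
"""Reverse proxy publishing for Lync Server 2013 web services.

Added example, not code from the original page or from Microsoft.  The rule
names, the host addresses and the network inventory below are assumptions
made for illustration."""
import ipaddress
from dataclasses import dataclass

# Bridging documented on this page: the port a published listener accepts on the
# reverse proxy external interface, and the port the reverse proxy connects to
# from its internal interface.  Lync web services are reached on the pool's
# external web site (8080/4443); Office Web Apps Server is reached on 443.
BRIDGE = {
    ("lync_web_services", 80): 8080,   # Autodiscover for mobile devices without a new SAN certificate (optional)
    ("lync_web_services", 443): 4443,  # address book, Autodiscover, meeting content, ...
    ("office_web_apps", 443): 443,     # Office Web Apps Server expects HTTPS/TCP/443
}

# The pool's internal web site listens here; published (external) traffic must not
# land on it, or the pool can no longer distinguish external from internal requests.
INTERNAL_WEB_SITE_PORTS = {80, 443}


@dataclass(frozen=True)
class PublishingRule:
    name: str
    backend: str         # "lync_web_services" or "office_web_apps"
    external_port: int   # listener port on the reverse proxy external interface
    internal_port: int   # port the reverse proxy connects to on the backend


def check_publishing_rule(rule: PublishingRule) -> list[str]:
    """Return the problems with a rule; an empty list means it matches this page."""
    problems = []
    expected = BRIDGE.get((rule.backend, rule.external_port))
    if expected is None:
        problems.append(f"{rule.name}: no documented listener for {rule.backend} on external port {rule.external_port}")
    elif rule.internal_port != expected:
        problems.append(f"{rule.name}: external {rule.external_port} should bridge to {expected}, not {rule.internal_port}")
    if rule.backend == "lync_web_services" and rule.internal_port in INTERNAL_WEB_SITE_PORTS:
        problems.append(f"{rule.name}: bridges published traffic onto the pool's internal web site (port {rule.internal_port})")
    return problems


# Constructed inventory for telling the two kinds of TCP 4443 traffic apart (assumed addresses).
REVERSE_PROXY_INTERNAL_IP = ipaddress.ip_address("10.0.2.10")   # reverse proxy internal interface
FRONT_END_OR_DIRECTOR = [ipaddress.ip_network("10.0.1.0/24")]   # Front End pool / Director
CMS_POOL = ipaddress.ip_network("10.0.1.0/24")                  # pool that manages the Central Management store
LYNC_SERVERS = [ipaddress.ip_network("10.0.1.0/24"),            # replication targets (Front Ends, other Lync servers)
                ipaddress.ip_network("10.0.3.0/24")]


def classify_4443(src: str, dst: str) -> str:
    """Classify an observed TCP 4443 flow by its endpoints: published web traffic from the
    reverse proxy, Central Management store replication between Lync servers, or neither."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s == REVERSE_PROXY_INTERNAL_IP and any(d in n for n in FRONT_END_OR_DIRECTOR):
        return "reverse-proxy-publishing"
    if s in CMS_POOL and any(d in n for n in LYNC_SERVERS):
        return "cms-replication"
    return "unexpected"


if __name__ == "__main__":
    rules = [
        PublishingRule("lyncweb-https", "lync_web_services", 443, 4443),
        PublishingRule("lyncweb-http", "lync_web_services", 80, 8080),
        PublishingRule("owa-https", "office_web_apps", 443, 443),
        PublishingRule("broken", "lync_web_services", 443, 443),   # misconfigured on purpose
    ]
    for r in rules:
        print(r.name, check_publishing_rule(r) or "ok")
    print(classify_4443("10.0.2.10", "10.0.1.20"), classify_4443("10.0.1.20", "10.0.3.5"))
```

Run as a script, the "broken" rule is reported because it bridges external 443 onto the pool's internal 443 web site, and the two sample 4443 flows are classified as publishing and replication respectively; a 4443 flow from any other source to a Front End is reported as unexpected.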
Port and Protocol Details
Firewall Details for Reverse Proxy Server: External Interface

Protocol/TCP or UDP/Port | Source IP Address | Destination IP Address | Notes
HTTP/TCP/80 | Any | Reverse proxy listener | (Optional) Redirection to HTTPS if a user enters http://<publishedSiteFQDN>. Also required if using Office Web Apps for conferencing and the Autodiscover Service for mobile devices running Lync in situations where the organization does not want to modify the external web service publishing rule certificate.
HTTPS/TCP/443 | Any | Reverse proxy listener | Address book downloads, Address Book Web Query service, Autodiscover, client updates, meeting content, device updates, group expansion, Office Web Apps for conferencing, dial-in conferencing, and meetings.
Firewall Details for Reverse Proxy Server: Internal Interface

Protocol/TCP or UDP/Port | Source IP Address | Destination IP Address | Notes
HTTP/TCP/8080 | Internal reverse proxy interface | Front End Server, Front End pool, Director, Director pool | Required if using the Autodiscover Service for mobile devices running Lync in situations where the organization does not want to modify the external web service publishing rule certificate. Traffic sent to port 80 on the reverse proxy external interface is redirected to a pool on port 8080 from the reverse proxy internal interface so that the pool Web Services can distinguish it from internal web traffic.
HTTPS/TCP/4443 | Internal reverse proxy interface | Front End Server, Front End pool, Director, Director pool | Traffic sent to port 443 on the reverse proxy external interface is redirected to a pool on port 4443 from the reverse proxy internal interface so that the pool web services can distinguish it from internal web traffic.
HTTPS/TCP/443 | Internal reverse proxy interface | Office Web Apps for conferencing | Reverse proxy to Office Web Apps Server (the recommended configuration described above).
Port Summary - SIP, XMPP Federation and Public Instant Messaging
Lync Server 2013
Topic Last Modified: 2013-03-15
Port, protocol and firewall requirements for federation with Microsoft Lync Server 2013, Lync Server 2010 and Office Communications Server are similar to those for the
deployed Edge Server. Clients initiate communication with the Access Edge service over TLS/SIP/TCP 443. Federated partners, however, initiate communication with
the Access Edge service over MTLS/SIP/TCP 5061.
To configure your firewall for the ports and protocols necessary to support public instant messaging connectivity, first note that SIP/MTLS/TCP 5061 is bidirectional, to
account for contacts at the public IM provider contacting Lync clients and for Lync contacting public IM contacts.
Windows Live Messenger can participate in audio/video communications with Lync clients. This accounts for the firewall port and protocol configuration being very similar
to the one you would typically have on the firewall to support Lync clients as external users.
Important:
More than ever, Lync is a powerful tool for connecting across organizations and with individuals around the world. Federation with Windows Live Messenger
requires no additional user/device licenses beyond the Lync Standard Client Access License (CAL). Skype federation will be added to this list, enabling Lync users to
reach hundreds of millions of people with IM and voice.
Federation with Messenger client contacts will officially end on March 15, 2013, except for mainland China. Skype will become the federation client for federated
users who previously used Messenger.
The ports and protocols defined for the Extensible Messaging and Presence Protocol (XMPP) proxy deployed on the Edge Server allow communication from the
XMPP federated partner to the Edge Server, and from your Edge Server to the XMPP federated partner. A rule is also defined on the
internal-facing firewall from the Front End Server or Front End pool to the Edge Server or Edge pool.
Firewall Summary - SIP Federation

Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes
Access/SIP(MTLS)/TCP/5061 | Access Edge service public IP address | Any | For federated and public IM connectivity using SIP
Firewall Summary - Public Instant Messaging Connectivity

Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes
Access/SIP(MTLS)/TCP/5061 | Public IM connectivity partners | Edge Server Access interface | For federated and public IM connectivity that use SIP.
Access/SIP(MTLS)/TCP/5061 | Edge Server Access interface | Public IM connectivity partners | For federated and public IM connectivity that use SIP.
Access/SIP(TLS)/TCP/443 | Clients | Edge Server Access interface | Client-to-server SIP traffic for external user access.
A/V/RTP/TCP/50,000-59,999 | Edge Server Access interface | Live Messenger clients | Used for A/V sessions with Windows Live Messenger if public IM connectivity is configured.
A/V/STUN,MSTURN/UDP/3478 | Edge Server Access interface | Live Messenger clients | Required for public IM connectivity with Windows Live Messenger.
A/V/STUN,MSTURN/UDP/3478 | Live Messenger clients | Edge Server Access interface | Required for public IM connectivity with Windows Live Messenger.
Firewall Summary - Extensible Messaging and Presence Protocol (XMPP)

Protocol/TCP or UDP/Port | Source (IP address) | Destination (IP address) | Comments
XMPP/TCP/5269 | Any | Access Edge service interface IP address | Standard server-to-server communication port for XMPP. Allows communication to the Edge Server XMPP proxy from federated XMPP partners
XMPP/TCP/5269 | Access Edge service interface IP address | Any | Standard server-to-server communication port for XMPP. Allows communication from the Edge Server XMPP proxy to federated XMPP partners
XMPP/MTLS/23456 | Any | Internal Edge Server interface IP | Internal XMPP traffic from the XMPP Gateway on the Front End Server or Front End pool to the Edge Server
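As an added example serving both the SIP federation / public IM tables and the XMPP table above (not code from the original page or from Microsoft), the following Python encodes those rows as a rule matrix, checks the bidirectionality the text states for SIP/MTLS/TCP 5061 and for XMPP/TCP 5269 on the Access Edge, and audits firewall log lines for allowed flows that no row accounts for. The host inventory, the key=value log format and the log lines are constructed for illustration; the 23456 row uses the source named in its comment (the XMPP Gateway on the Front End) rather than Any.

```python
"""Audit allowed firewall flows against the SIP federation, public IM and XMPP
port matrix on this page.

Added example, not code from the original page or from Microsoft.  The host
inventory, the key=value log format and the log lines are constructed for
illustration; substitute your own inventory and your firewall's export format."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed inventory (documentation and private address ranges, assumed).
INVENTORY = {
    "access_edge": [ipaddress.ip_network("198.51.100.5/32")],  # Access Edge service external interface
    "edge_internal": [ipaddress.ip_network("10.0.0.5/32")],    # Edge Server internal interface
    "front_end": [ipaddress.ip_network("10.0.1.0/24")],        # Front End pool, hosts the XMPP Gateway
}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def role_of(ip: str) -> str:
    """Map an address to a role from the inventory, else internal_host or external."""
    addr = ipaddress.ip_address(ip)
    for role, nets in INVENTORY.items():
        if any(addr in n for n in nets):
            return role
    return "internal_host" if any(addr in n for n in INTERNAL_NETS) else "external"


@dataclass(frozen=True)
class Rule:
    proto: str
    lo: int       # first port of the range
    hi: int       # last port of the range (inclusive)
    src: str      # role name, or "*" for Any
    dst: str
    note: str


# The three tables above, one Rule per row.
MATRIX = [
    Rule("tcp", 5061, 5061, "*", "access_edge", "SIP(MTLS): federated and public IM partners to Access Edge"),
    Rule("tcp", 5061, 5061, "access_edge", "*", "SIP(MTLS): Access Edge to federated and public IM partners"),
    Rule("tcp", 443, 443, "*", "access_edge", "SIP(TLS): client-to-server for external user access"),
    Rule("tcp", 50000, 59999, "access_edge", "*", "A/V RTP with Windows Live Messenger"),
    Rule("udp", 3478, 3478, "access_edge", "*", "STUN/MSTURN with Windows Live Messenger"),
    Rule("udp", 3478, 3478, "*", "access_edge", "STUN/MSTURN with Windows Live Messenger"),
    Rule("tcp", 5269, 5269, "*", "access_edge", "XMPP server-to-server, inbound"),
    Rule("tcp", 5269, 5269, "access_edge", "*", "XMPP server-to-server, outbound"),
    Rule("tcp", 23456, 23456, "front_end", "edge_internal", "XMPP(MTLS): XMPP Gateway to Edge internal interface"),
]


def permitted_by_matrix(proto, port, src_role, dst_role):
    """Rows of the matrix that account for a flow (empty list if none)."""
    return [r for r in MATRIX
            if r.proto == proto and r.lo <= port <= r.hi
            and r.src in ("*", src_role) and r.dst in ("*", dst_role)]


def is_bidirectional(proto, port, role):
    """True when the matrix carries the port both to and from the role."""
    inbound = any(r.proto == proto and r.lo <= port <= r.hi and r.dst == role for r in MATRIX)
    outbound = any(r.proto == proto and r.lo <= port <= r.hi and r.src == role for r in MATRIX)
    return inbound and outbound


LOG_RE = re.compile(r"proto=(\w+)\s+src=([\d.]+):(\d+)\s+dst=([\d.]+):(\d+)\s+action=(\w+)")


def parse_line(line):
    """Constructed key=value log line -> (proto, src, sport, dst, dport, action), or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto, src, sport, dst, dport, action = m.groups()
    return proto.lower(), src, int(sport), dst, int(dport), action.lower()


def audit(lines):
    """One finding per allowed flow that no row of the matrix accounts for."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        proto, src, _sport, dst, dport, action = parsed
        if action != "allow":
            continue
        src_role, dst_role = role_of(src), role_of(dst)
        if not permitted_by_matrix(proto, dport, src_role, dst_role):
            findings.append(f"{proto}/{dport} {src} ({src_role}) -> {dst} ({dst_role}): allowed but not in the matrix")
    return findings


# Constructed sample log: two of these allowed flows are not in the matrix.
SAMPLE_LOG = """\
2013-03-15T09:00:01Z fw=external proto=tcp src=203.0.113.10:41234 dst=198.51.100.5:5061 action=allow
2013-03-15T09:00:02Z fw=external proto=tcp src=198.51.100.5:50123 dst=203.0.113.10:5061 action=allow
2013-03-15T09:00:03Z fw=external proto=tcp src=192.0.2.77:52001 dst=198.51.100.5:443 action=allow
2013-03-15T09:00:04Z fw=external proto=tcp src=203.0.113.20:39000 dst=198.51.100.5:5269 action=allow
2013-03-15T09:00:05Z fw=internal proto=tcp src=10.0.1.12:49152 dst=10.0.0.5:23456 action=allow
2013-03-15T09:00:06Z fw=internal proto=tcp src=10.0.5.9:49200 dst=10.0.0.5:23456 action=allow
2013-03-15T09:00:07Z fw=external proto=tcp src=192.0.2.78:52100 dst=198.51.100.5:5062 action=allow
2013-03-15T09:00:08Z fw=external proto=tcp src=192.0.2.79:52200 dst=198.51.100.5:5061 action=deny
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG.splitlines()):
        print(finding)
```

Run against the constructed log, the audit reports two flows: an internal host outside the Front End pool reaching the Edge internal interface on 23456, and an external host reaching the Access Edge on 5062, which this page lists only on the internal interface (A/V authentication). Denied flows are ignored, since the audit is looking for holes in what was permitted.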
See Also
Concepts
Scenarios for External User Access
Determine External A/V Firewall and Port Requirements
Other Resources
Manage XMPP Federated Partners for Your Organization