Reference Architecture 3: Port Summary for Scaled Consolidated Edge (Hardware Load Balanced)
Topic Last Modified: 2012-11-02
The Lync Server 2010 Edge Server functionality described in this reference architecture is very similar to what was first introduced in Office Communications Server 2007 R2, with the following exceptions:
Port 8080 is optional and can be used by mobile devices running Lync to locate the Autodiscover Service in situations where modifying the external web service publishing rule certificate is undesirable (for example, if you have a large number of SIP domains).
Port 4443 is used to route traffic from the reverse proxy internal interface to the pool virtual IP (VIP).
Port 4443 is used to route traffic from the pool Front End Server(s) to the Edge internal interface.
There are several options for the 50,000 – 59,999 port range, but the Scaled Consolidated Edge Topology (Hardware Load Balanced) figure in Reference Architecture 3: Scaled Consolidated Edge (Hardware Load Balanced) shows the common configuration for interoperability with previous versions of Office Communications Server. For details about the options for configuring this port range, see Determining External A/V Firewall and Port Requirements.
Enterprise perimeter network for scaled consolidated edge with hardware load balancing
When reading the tables in this topic, (in) refers to traffic going from a less trusted network to a more trusted network (such as Internet-to-perimeter or perimeter-to-corporate). For example, traffic from the Internet to the edge external interface, or from the edge internal interface to the next hop pool. (out) refers to traffic going from a more trusted network to a less trusted network (such as corporate-to-perimeter or perimeter-to-Internet). For example, traffic from a corporate pool to the edge internal interface, or from the edge external interface to the Internet. (in/out) refers to traffic that flows in both directions.
Inbound/Outbound edge traffic
We recommend that you only open the ports required to support the functionality for which you are providing external access.
For remote access to work for any edge service, SIP traffic must be allowed to flow bidirectionally as shown in the Scaled Consolidated Edge Topology (Hardware Load Balanced) figure. Stated another way, the Access Edge service is involved in instant messaging (IM), presence, web conferencing, and audio/video (A/V), so none of them works externally without it.
Firewall Summary for Scaled Consolidated Edge with Hardware Load Balancing: External Interface
Protocol/port | Used for |
---|---|
HTTP 80 (out) | Downloading certificate revocation lists |
DNS 53 (out) | External DNS queries |
SIP/TLS/443 (in) | Client to server SIP traffic for remote user access (open to Access Edge external VIP only, not individual Edge pool servers) |
SIP/MTLS/5061 (in) | Federation and connectivity with a hosted Exchange service. Open to Access Edge external VIP only (not individual Edge pool servers). |
PSOM/TLS/443 (in) | Remote user access to web conferences for anonymous and federated users. Open to Web Conferencing Edge external VIP only (not individual Edge pool servers). |
RTP/TCP/50K range (in) | Media exchange (for details, see Determining External A/V Firewall and Port Requirements). Required for Office Communications Server 2007 interoperability. |
RTP/TCP/50K range (out) | Media exchange (for details, see Determining External A/V Firewall and Port Requirements). Required for Office Communications Server 2007 interoperability; for Office Communications Server 2007 R2 desktop sharing and federation; for Lync Server 2010 application sharing and file transfer; and for A/V with Windows Live Messenger. Note: if UDP 3478 is blocked because of perimeter firewall requirements or client-side restrictions on UDP 3478, the 50K port range will be used rather than UDP 3478. |
RTP/UDP/50K range (in) | Media exchange (for details, see Determining External A/V Firewall and Port Requirements). Required for Office Communications Server 2007 interoperability. |
RTP/UDP/50K range (out) | Media exchange (for details, see Determining External A/V Firewall and Port Requirements). Required for Office Communications Server 2007 interoperability. |
STUN/MSTURN/UDP/3478 (in/out) | External user access to A/V sessions (UDP) (open to A/V Edge external VIP and individual Edge Servers) |
STUN/MSTURN/TCP/443 (in) | External user access to A/V sessions and media (TCP) (open to A/V Edge external VIP and individual Edge Servers) |
Firewall Summary for Scaled Consolidated Edge with Hardware Load Balancing: Internal Interface
Protocol/port | Used for |
---|---|
SIP/MTLS/5061 (in/out) | SIP traffic. Open to Edge internal VIP and individual Edge pool servers. |
PSOM/MTLS/8057 (out) | Web conferencing traffic from pool-to-Edge (open to individual Edge Servers only) |
SIP/MTLS/5062 (out) | Authentication of A/V users (that is, A/V authentication service) (open to Edge internal VIP and individual Edge Servers) |
STUN/MSTURN/UDP/3478 (out) | Preferred path for media transfer between internal and external users (UDP) (open to Edge internal VIP and individual Edge Servers) |
STUN/MSTURN/TCP/443 (out) | Alternate path for media transfer between internal and external users (TCP) (open to Edge internal VIP and individual Edge Servers) |
HTTPS 4443 (out) | Pushing CMS database updates to Edge nodes (open to individual Edge Servers only) |
Firewall Details for Reverse Proxy Server: External Interface
Protocol/port | Used for |
---|---|
HTTP 80 (in) | (Optional) Redirection to HTTPS if a user accidentally enters http://<publishedSiteFQDN>. Also required if using the Autodiscover Service for mobile devices running Lync in situations where the organization does not want to modify the certificate on the external web service publishing rule. |
HTTPS 443 (in) | Address book downloads, address book Web query service, client updates, meeting content, device updates, group expansion, dial-in conferencing and conferences. |
Firewall Details for Reverse Proxy Server: Internal Interface
Protocol/port | Used for |
---|---|
HTTP 8080 (in) | Required if using the Autodiscover Service for mobile devices running Lync in situations where the customer does not want to modify the external web service publishing rule certificate. Traffic sent to port 80 on the reverse proxy external interface is redirected to a pool on port 8080 from the reverse proxy internal interface so that the pool Web Services can distinguish it from internal web traffic. |
HTTPS 4443 (in) | Traffic sent to port 443 on the reverse proxy external interface is redirected to a pool on port 4443 from the reverse proxy internal interface so that the pool Web Services can distinguish it from internal web traffic. |
Note: When reading the previous tables, (in) refers to traffic going from a less trusted network to a more trusted network, such as Internet-to-perimeter or perimeter-to-corporate. For example, traffic from the Internet to the reverse proxy external interface, or from the reverse proxy internal interface to a Standard Edition pool or a hardware load balancer VIP associated with an Enterprise Edition pool.
External Port Settings Required for Scaled Consolidated Edge Topology (Hardware Load Balanced): External Interface Virtual IPs
Edge role | Source IP address | Source port | Destination IP address | Destination port | Transport | Application | Notes |
---|---|---|---|---|---|---|---|
Access | Any | Any | 131.107.155.110 | 443 | TCP | SIP (TLS) | Client to server SIP traffic for external user access |
Access | Any | Any | 131.107.155.110 | 5061 | TCP | SIP (MTLS) | For federated and public IM connectivity using SIP (inbound) |
Web Conferencing | Any | Any | 131.107.155.120 | 443 | TCP | PSOM (TLS) | |
A/V | Any | Any | 131.107.155.130 | 3478 | UDP | STUN/MSTURN | |
A/V | Any | Any | 131.107.155.130 | 443 | TCP | STUN/MSTURN | |
External Port Settings Required for Scaled Consolidated Edge Topology (Hardware Load Balanced): External Interface Node 1
Edge role | Source IP address | Source port | Destination IP address | Destination port | Transport | Application | Notes |
---|---|---|---|---|---|---|---|
Access | 131.107.155.10 | Any | Any | 80 | TCP | HTTP | |
Access | 131.107.155.10 | Any | Any | 53 | UDP | DNS | |
Access | 131.107.155.10 | Any | Any | 5061 | TCP | SIP (MTLS) | For federated and public IM connectivity using SIP (outbound) |
A/V | 131.107.155.30 | 50,000 – 59,999 | Any | Any | TCP | RTP | Required only for desktop sharing with partners running Office Communications Server 2007 R2. Also required for application sharing or file transfer with Lync Server 2010 federated users and A/V sessions with Windows Live Messenger. |
A/V | 131.107.155.30 | 50,000 – 59,999 | Any | Any | UDP | RTP | Required only for federation with partners running Office Communications Server 2007. |
A/V | Any | Any | 131.107.155.30 | 50,000 – 59,999 | TCP | RTP | Required only for federation with partners running Office Communications Server 2007. |
A/V | Any | Any | 131.107.155.30 | 50,000 – 59,999 | UDP | RTP | Required only for federation with partners running Office Communications Server 2007. |
A/V | 131.107.155.30 | Any | Any | 3478 | UDP | STUN/MSTURN | 3478 outbound is used to determine the version of Edge Server that Lync Server 2010 is communicating with, and also for media traffic from Edge Server to Edge Server. Required for federation with Lync Server 2010, Windows Live Messenger, and Office Communications Server 2007 R2, and also if multiple Edge pools are deployed within a company. |
A/V | Any | Any | 131.107.155.30 | 3478 | UDP | STUN/MSTURN | |
A/V | Any | Any | 131.107.155.30 | 443 | TCP | STUN/MSTURN | |
External Port Settings Required for Scaled Consolidated Edge Topology (Hardware Load Balanced): External Interface Node 2
Edge role | Source IP address | Source port | Destination IP address | Destination port | Transport | Application | Notes |
---|---|---|---|---|---|---|---|
Access | 131.107.155.11 | Any | Any | 80 | TCP | HTTP | |
Access | 131.107.155.11 | Any | Any | 53 | UDP | DNS | |
Access | 131.107.155.11 | Any | Any | 5061 | TCP | SIP (MTLS) | For federated and public IM connectivity using SIP (outbound) |
A/V | 131.107.155.31 | 50,000 – 59,999 | Any | Any | TCP | RTP | Required only for desktop sharing with partners running Office Communications Server 2007 R2. Also required for application sharing or file transfer with Lync Server 2010 federated users and A/V sessions with Windows Live Messenger. |
A/V | 131.107.155.31 | 50,000 – 59,999 | Any | Any | UDP | RTP | Required only for federation with partners running Office Communications Server 2007. |
A/V | Any | Any | 131.107.155.31 | 50,000 – 59,999 | TCP | RTP | Required only for federation with partners running Office Communications Server 2007. |
A/V | Any | Any | 131.107.155.31 | 50,000 – 59,999 | UDP | RTP | Required only for federation with partners running Office Communications Server 2007. |
A/V | 131.107.155.31 | Any | Any | 3478 | UDP | STUN/MSTURN | 3478 outbound is used to determine the version of Edge Server that Lync Server 2010 is communicating with, and also for media traffic from Edge Server to Edge Server. Required for federation with Lync Server 2010, Windows Live Messenger, and Office Communications Server 2007 R2, and also if multiple Edge pools are deployed within a company. |
A/V | Any | Any | 131.107.155.31 | 3478 | UDP | STUN/MSTURN | |
A/V | Any | Any | 131.107.155.31 | 443 | TCP | STUN/MSTURN | |
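The external VIP and node tables above amount to an allow-list, and the recommendation earlier in this topic is to open nothing beyond it. The following script is an added example, not part of this topic or of Lync Server: it encodes the non-optional rules from the external-interface tables (using the topic's reference addresses 131.107.155.110/120/130 for the VIPs and 131.107.155.10/11 and .30/.31 for the nodes), then audits a constructed candidate rule list for three things a reviewer of a perimeter firewall change would want flagged: reference rules that are missing (which would break the bidirectional SIP requirement), Access Edge 443/5061 opened to an individual node instead of the VIP only, and rules that appear in no table at all. The 50K RTP range is reported as optional rather than unexpected, because the tables mark it as needed only for specific interoperability cases. The `Rule` type, the function names and the candidate rules are all assumptions made for this example.

```python
"""Audit a perimeter firewall rule list against the Edge external-interface
tables in this topic.  Added example: the candidate rule set is constructed
for illustration; nothing here is Lync Server's own tooling."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str    # source IP, or "Any"
    sport: str  # source port or range, or "Any"
    dst: str    # destination IP, or "Any"
    dport: str  # destination port or range, or "Any"
    proto: str  # "TCP" or "UDP"


# Addresses taken from the reference architecture's external-interface tables.
ACCESS_VIP, WEBCONF_VIP, AV_VIP = "131.107.155.110", "131.107.155.120", "131.107.155.130"
ACCESS_NODES = ("131.107.155.10", "131.107.155.11")
AV_NODES = ("131.107.155.30", "131.107.155.31")
RTP_RANGE = "50000-59999"


def reference_rules():
    """Every non-optional rule in the external VIP and node tables."""
    rules = {
        Rule("Any", "Any", ACCESS_VIP, "443", "TCP"),   # client SIP/TLS
        Rule("Any", "Any", ACCESS_VIP, "5061", "TCP"),  # federation SIP/MTLS (inbound)
        Rule("Any", "Any", WEBCONF_VIP, "443", "TCP"),  # PSOM/TLS
        Rule("Any", "Any", AV_VIP, "3478", "UDP"),      # STUN/MSTURN over UDP
        Rule("Any", "Any", AV_VIP, "443", "TCP"),       # STUN/MSTURN over TCP
    }
    for n in ACCESS_NODES:  # CRL download, DNS, outbound federation SIP
        rules |= {Rule(n, "Any", "Any", "80", "TCP"),
                  Rule(n, "Any", "Any", "53", "UDP"),
                  Rule(n, "Any", "Any", "5061", "TCP")}
    for n in AV_NODES:      # STUN/MSTURN to and from the individual A/V nodes
        rules |= {Rule(n, "Any", "Any", "3478", "UDP"),
                  Rule("Any", "Any", n, "3478", "UDP"),
                  Rule("Any", "Any", n, "443", "TCP")}
    return rules


def classify(rule, ref):
    """Label one candidate rule relative to the reference tables."""
    if rule in ref:
        return "required"
    # The 50K RTP range is listed in the tables but needed only for OCS 2007
    # interoperability, desktop/application sharing, file transfer and
    # Windows Live Messenger A/V, so it is reported separately.
    if (rule.src in AV_NODES and rule.sport == RTP_RANGE) or \
       (rule.dst in AV_NODES and rule.dport == RTP_RANGE):
        return "optional"
    # Access Edge 443/5061 must be opened to the VIP only, never to a node IP.
    if rule.dst in ACCESS_NODES and rule.proto == "TCP" and rule.dport in ("443", "5061"):
        return "vip-only-violation"
    return "unexpected"


def sip_bidirectional(candidate):
    """Remote access needs SIP inbound to the Access VIP and outbound from every node."""
    have = set(candidate)
    inbound = {Rule("Any", "Any", ACCESS_VIP, "443", "TCP"),
               Rule("Any", "Any", ACCESS_VIP, "5061", "TCP")}
    outbound = {Rule(n, "Any", "Any", "5061", "TCP") for n in ACCESS_NODES}
    return inbound <= have and outbound <= have


def audit(candidate):
    """Return missing reference rules plus each non-required candidate rule by class."""
    ref = reference_rules()

    def key(r):
        return (r.src, r.sport, r.dst, r.dport, r.proto)

    report = {"missing": sorted(ref - set(candidate), key=key),
              "optional": [], "vip-only-violation": [], "unexpected": []}
    for r in candidate:
        label = classify(r, ref)
        if label != "required":
            report[label].append(r)
    report["sip_bidirectional"] = sip_bidirectional(candidate)
    return report


# Constructed candidate rule set: the reference minus one outbound SIP rule,
# plus three rules a change reviewer should notice.
DROPPED = Rule("131.107.155.11", "Any", "Any", "5061", "TCP")
CANDIDATE = [r for r in reference_rules() if r != DROPPED] + [
    Rule("Any", "Any", "131.107.155.10", "443", "TCP"),      # bypasses the Access VIP
    Rule("Any", "Any", "131.107.155.10", "3389", "TCP"),     # appears in no table
    Rule("131.107.155.30", RTP_RANGE, "Any", "Any", "TCP"),  # optional 50K range
]

if __name__ == "__main__":
    for section, items in audit(CANDIDATE).items():
        if isinstance(items, bool):
            print(f"{section}: {items}")
        else:
            print(section, [f"{r.src}:{r.sport} -> {r.dst}:{r.dport}/{r.proto}" for r in items])
```

Run as a script it prints one line per finding class; for the constructed candidate set it reports the dropped outbound 5061 rule as missing (so `sip_bidirectional` is false), the 443 rule to 131.107.155.10 as a VIP-only violation, the 3389 rule as unexpected, and the 50K range rule as optional. Feeding the reference set itself through `audit` yields empty lists and `sip_bidirectional` true, which is the state to aim for before adding any of the optional rows.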
External Port Settings Required for Scaled Consolidated Edge Topology (Hardware Load Balanced): Reverse Proxy
Edge role | Source IP address | Source port | Destination IP address | Destination port | Transport | Application | Notes |
---|---|---|---|---|---|---|---|
Not applicable | Any | Any | 10.45.16.40 | 80 | TCP | SIP (TLS) | (Optional) Used to redirect HTTP traffic to HTTPS. Also required if using the Autodiscover Service for mobile devices running Lync in situations where the organization does not want to modify the certificate on the external web service publishing rule. |
Not applicable | Any | Any | 10.45.16.40 | 443 | TCP | HTTPS | |
Internal Firewall Port Settings Required for Scaled Consolidated Edge Topology (Hardware Load Balanced): Internal Interface Virtual IPs
Edge role | Source IP address | Source port | Destination IP address | Destination port | Transport | Application | Notes |
---|---|---|---|---|---|---|---|
Access | 192.168.10.90, 192.168.10.91 | Any | 172.25.33.110 | 5061 | TCP | SIP (MTLS) | |
A/V | Any | Any | 172.25.33.110 | 5062 | TCP | SIP (MTLS) | Include all Front End Servers and any Survivable Branch Appliances or Survivable Branch Servers using this particular A/V authentication service. |
A/V | Any | Any | 172.25.33.110 | 3478 | UDP | STUN/MSTURN | |
A/V | Any | Any | 172.25.33.110 | 443 | TCP | STUN/MSTURN | |
Internal Firewall Port Settings Required for Scaled Consolidated Edge Topology (Hardware Load Balanced): Internal Interface Node 1
Edge role | Source IP address | Source port | Destination IP address | Destination port | Transport | Application | Notes |
---|---|---|---|---|---|---|---|
Access | 172.25.33.10 | Any | 192.168.10.90, 192.168.10.91 | 5061 | TCP | SIP (MTLS) | Destination will be the next hop server(s). In the case of the reference architecture, it is the IP addresses of the two pool Front End Servers. |
Access | 192.168.10.90, 192.168.10.91 | Any | 172.25.33.10 | 4443 | TCP | HTTPS | Used for Central Management store replication; include all Front End Servers. |
Web Conferencing | Any | Any | 172.25.33.10 | 8057 | TCP | PSOM (MTLS) | |
A/V | 192.168.10.90, 192.168.10.91 | Any | 172.25.33.10 | 5062 | TCP | SIP (MTLS) | Media Relay Authentication |
A/V | Any | Any | 172.25.33.10 | 3478 | UDP | STUN/MSTURN | |
A/V | Any | Any | 172.25.33.10 | 443 | TCP | STUN/MSTURN | |
Internal Firewall Port Settings Required for Scaled Consolidated Edge Topology (Hardware Load Balanced): Internal Interface Node 2
Edge role | Source IP address | Source port | Destination IP address | Destination port | Transport | Application | Notes |
---|---|---|---|---|---|---|---|
Access | 172.25.33.11 | Any | 192.168.10.90, 192.168.10.91 | 5061 | TCP | SIP (MTLS) | Destination will be the next hop server(s). In the case of the reference architecture, it is the IP addresses of the two pool Front End Servers. |
Access | 192.168.10.90, 192.168.10.91 | Any | 172.25.33.11 | 4443 | TCP | HTTPS | Used for Central Management store replication; include all Front End Servers. |
Web Conferencing | Any | Any | 172.25.33.11 | 8057 | TCP | PSOM (MTLS) | |
A/V | 192.168.10.90, 192.168.10.91 | Any | 172.25.33.11 | 5062 | TCP | SIP (MTLS) | Media Relay Authentication |
A/V | Any | Any | 172.25.33.11 | 3478 | UDP | STUN/MSTURN | |
A/V | Any | Any | 172.25.33.11 | 443 | TCP | STUN/MSTURN | |
Internal Firewall Port Settings Required for Scaled Consolidated Edge Topology (Hardware Load Balanced): Reverse Proxy
Edge role | Source IP address | Source port | Destination IP address | Destination port | Transport | Application | Notes |
---|---|---|---|---|---|---|---|
Not applicable | 172.25.33.40 | Any | 192.168.10.190 | 8080 | TCP | HTTPS | (Optional) Required if using the Autodiscover Service for mobile devices running Lync in situations where the organization does not want to modify the certificate on the external web service publishing rule. |
Not applicable | 172.25.33.40 | Any | 192.168.10.190 | 4443 | TCP | HTTPS | |