End of Life Products and Features - DNS and Firewall Requirements for Express for Lync 2.0
DNS Requirements
Microsoft Lync Server 2013 relies heavily on DNS for its operation. You must add the following DNS records to both your internal and external DNS servers so that your Lync clients and Lync servers can communicate with each other. Note that if you are not using external access (Edge and Reverse Proxy), you do not need to create the DNS records on your external DNS server.
Note: This information was taken from the Lync 2013 Protocol poster, which is attached below.
Port Requirements
For the smooth operation of Microsoft Lync, you may need to open the required ports on each of the server roles. While the Lync Topology Builder and Deployment Wizard are supposed to handle the firewall entries, manual configuration may be required if you change from the defaults (for example, using 5065 instead of 5062 for the Access Edge component of the Edge Server). See the chart below for all the default port requirements for Lync Server 2013.
Note: Each of the tables was taken from the appropriate TechNet article:
Edge Server: http://technet.microsoft.com/en-us/library/jj204756.aspx
Internal Servers: http://technet.microsoft.com/en-us/library/gg398833.aspx
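The paragraph above notes that firewall entries created by the deployment tools no longer match once a default port is changed. The following PowerShell script is an added example (it is not part of the original article and is not Microsoft's code) that audits a Front End Server's Windows Firewall against the default listening ports in the internal-servers table below, lets you declare any port you changed, and flags rules that allow far more than the service needs. It assumes the NetSecurity module (Windows Server 2012 or later) and an elevated shell; the service names used as keys and the override value in the usage note are constructed for the example.

```powershell
# Added example (not from the original article or from Microsoft): audit the local
# Windows Firewall of a Front End Server against the default Lync listeners.
# Assumes the NetSecurity module (Windows Server 2012+) and an elevated shell.
[CmdletBinding()]
param(
    # Ports changed from the defaults, keyed by the service label used in $Expected.
    [hashtable]$PortOverrides = @{}
)

# Default inbound listeners for a Front End Server, taken from the internal-servers table.
$Expected = @(
    @{ Service = 'Lync Server Front-End service (SIP/MTLS)';     Protocol = 'TCP'; Port = 5061 },
    @{ Service = 'Lync Server Front-End service (Focus HTTPS)';  Protocol = 'TCP'; Port = 444  },
    @{ Service = 'Lync Server IM Conferencing service';          Protocol = 'TCP'; Port = 5062 },
    @{ Service = 'Lync Server Web Conferencing service (PSOM)';  Protocol = 'TCP'; Port = 8057 },
    @{ Service = 'Lync Server Audio/Video Conferencing service'; Protocol = 'TCP'; Port = 5063 },
    @{ Service = 'Lync Server Application Sharing service';      Protocol = 'TCP'; Port = 5065 },
    @{ Service = 'Lync Server Conferencing Attendant service';   Protocol = 'TCP'; Port = 5064 },
    @{ Service = 'Lync Server Response Group service';           Protocol = 'TCP'; Port = 5071 },
    @{ Service = 'Web server component';                         Protocol = 'TCP'; Port = 4443 },
    @{ Service = 'SQL Browser (local CMS replica)';              Protocol = 'UDP'; Port = 1434 }
)

function Get-InboundAllowRules {
    # Enabled inbound allow rules with their port and address filters resolved once.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $rule = $_
        $pf = $rule | Get-NetFirewallPortFilter
        $af = $rule | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name          = $rule.DisplayName
            Protocol      = $pf.Protocol        # 'TCP', 'UDP', 'Any', or a protocol number
            LocalPort     = @($pf.LocalPort)    # 'Any', '5061', or a range such as '49152-65535'
            RemoteAddress = @($af.RemoteAddress)
        }
    }
}

function Test-PortCovered {
    # True if one of the rule's local-port specs (single port, range, or Any) includes $Port.
    param([int]$Port, [string[]]$LocalPorts)
    foreach ($spec in $LocalPorts) {
        if ($spec -eq 'Any') { return $true }
        if ($spec -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($spec -match '^\d+$' -and [int]$spec -eq $Port) {
            return $true
        }
    }
    return $false
}

$rules = @(Get-InboundAllowRules)

$report = foreach ($e in $Expected) {
    # Apply a declared override, otherwise keep the default from the table.
    $port = if ($PortOverrides.ContainsKey($e.Service)) { [int]$PortOverrides[$e.Service] } else { $e.Port }
    $hits = @($rules | Where-Object {
        ($_.Protocol -eq $e.Protocol -or $_.Protocol -eq 'Any') -and
        (Test-PortCovered -Port $port -LocalPorts $_.LocalPort)
    })
    # A rule that matches only because it allows every port from every address is not a Lync rule;
    # it masks a missing entry and should be tightened.
    $wide = @($hits | Where-Object { $_.LocalPort -contains 'Any' -and $_.RemoteAddress -contains 'Any' })
    [pscustomobject]@{
        Service  = $e.Service
        Protocol = $e.Protocol
        Port     = $port
        Allowed  = ($hits.Count -gt 0)
        WideOpen = ($wide.Count -gt 0)
        Rules    = ($hits.Name -join '; ')
    }
}

$report | Format-Table -AutoSize
$missing = @($report | Where-Object { -not $_.Allowed })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) expected listener(s) have no inbound allow rule; add them or re-run the deployment wizard."
}
```

Run it as-is on a Front End Server to compare against the defaults, or pass the ports you changed, for example `-PortOverrides @{ 'Lync Server IM Conferencing service' = 5162 }` (a constructed value). A listener reported as Allowed only through a WideOpen rule deserves a dedicated rule scoped to that port.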
Lync Server 2013 - Internal Servers
The table below lists all the ports and protocols used by all the internal servers that work with Lync Server 2013. The first column specifies which server is responsible for the port or the protocol in question.
Server role | Service name | Port | Protocol | Notes |
---|---|---|---|---|
All Servers | SQL Browser | 1434 | UDP | SQL Browser for the local replicated copy of the Central Management Store database. |
Front End Servers | Lync Server Front-End service | 5060 | TCP | Optionally used by Standard Edition servers and Front End Servers for static routes to trusted services, such as remote call control servers. |
Front End Servers | Lync Server Front-End service | 5061 | TCP (TLS) | Used by Standard Edition servers and Front End pools for all internal SIP communications between servers (MTLS), for SIP communications between Server and Client (TLS) and for SIP communications between Front End Servers and Mediation Servers (MTLS). Also used for communications with Monitoring Server. |
Front End Servers | Lync Server Front-End service | 444 | HTTPS TCP | Used for HTTPS communication between the Focus (the Lync Server component that manages conference state) and the individual servers. This port is also used for TCP communication between Survivable Branch Appliances and Front End Servers. |
Front End Servers | Lync Server Front-End service | 135 | DCOM and remote procedure call (RPC) | Used for DCOM based operations such as Moving Users, User Replicator Synchronization, and Address Book Synchronization. |
Front End Servers | Lync Server IM Conferencing service | 5062 | TCP | Used for incoming SIP requests for instant messaging (IM) conferencing. |
Front End Servers | Lync Server Web Conferencing service | 8057 | TCP (TLS) | Used to listen for Persistent Shared Object Model (PSOM) connections from client. |
Front End Servers | Lync Server Web Conferencing Compatibility service | 8058 | TCP (TLS) | Used to listen for Persistent Shared Object Model (PSOM) connections from the Live Meeting client and previous versions of Lync Server. |
Front End Servers | Lync Server Audio/Video Conferencing service | 5063 | TCP | Used for incoming SIP requests for audio/video (A/V) conferencing. |
Front End Servers | Lync Server Audio/Video Conferencing service | 57501-65535 | TCP/UDP | Media port range used for video conferencing. |
Front End Servers | Lync Server Web Compatibility service | 80 | HTTP | Used for communication from Front End Servers to the web farm FQDNs (the URLs used by IIS web components) when HTTPS is not used. |
Front End Servers | Lync Server Web Compatibility service | 443 | HTTPS | Used for communication from Front End Servers to the web farm FQDNs (the URLs used by IIS web components). |
Front End Servers | Lync Server Web Compatibility service | 8080 | TCP and HTTP | Used by web components for external access. |
Front End Servers | Web server component | 4443 | HTTPS | |
Front End Servers | Web server component | 8060 | TCP (MTLS) | |
Front End Servers | Web server component | 8061 | TCP (MTLS) | |
Front End Servers | Mobility Services component | 5086 | TCP (MTLS) | SIP port used by Mobility Services internal processes |
Front End Servers | Mobility Services component | 5087 | TCP (MTLS) | SIP port used by Mobility Services internal processes |
Front End Servers | Mobility Services component | 443 | HTTPS | |
Front End Servers | Lync Server Conferencing Attendant service (dial-in conferencing) | 5064 | TCP | Used for incoming SIP requests for dial-in conferencing. |
Front End Servers | Lync Server Conferencing Attendant service (dial-in conferencing) | 5072 | TCP | Used for incoming SIP requests for Attendant (dial in conferencing). |
Front End Servers that also run a Collocated Mediation Server | Lync Server Mediation service | 5070 | TCP | Used by the Mediation Server for incoming requests from the Front End Server to the Mediation Server. |
Front End Servers that also run a Collocated Mediation Server | Lync Server Mediation service | 5067 | TCP (TLS) | Used for incoming SIP requests from the PSTN gateway to the Mediation Server. |
Front End Servers that also run a Collocated Mediation Server | Lync Server Mediation service | 5068 | TCP | Used for incoming SIP requests from the PSTN gateway to the Mediation Server. |
Front End Servers that also run a Collocated Mediation Server | Lync Server Mediation service | 5081 | TCP | Used for outgoing SIP requests from the Mediation Server to the PSTN gateway. |
Front End Servers that also run a Collocated Mediation Server | Lync Server Mediation service | 5082 | TCP (TLS) | Used for outgoing SIP requests from the Mediation Server to the PSTN gateway. |
Front End Servers | Lync Server Application Sharing service | 5065 | TCP | Used for incoming SIP listening requests for application sharing. |
Front End Servers | Lync Server Application Sharing service | 49152-65535 | TCP | Media port range used for application sharing. |
Front End Servers | Lync Server Conferencing Announcement service | 5073 | TCP | Used for incoming SIP requests for the Lync Server Conferencing Announcement service (that is, for dial-in conferencing). |
Front End Servers | Lync Server Call Park service | 5075 | TCP | Used for incoming SIP requests for the Call Park application. |
Front End Servers | Lync Server Audio Test service | 5076 | TCP | Used for incoming SIP requests for the Audio Test service. |
Front End Servers | Not applicable | 5066 | TCP | Used for outbound Enhanced 9-1-1 (E9-1-1) gateway. |
Front End Servers | Lync Server Response Group service | 5071 | TCP | Used for incoming SIP requests for the Response Group application. |
Front End Servers | Lync Server Response Group service | 8404 | TCP (MTLS) | Used for incoming SIP requests for the Response Group application. |
Front End Servers | Lync Server Bandwidth Policy Service | 5080 | TCP | Used for call admission control by the Bandwidth Policy service for A/V Edge TURN traffic. |
Front End Servers | Lync Server Bandwidth Policy Service | 448 | TCP | Used for call admission control by the Lync Server Bandwidth Policy Service. |
Front End Servers where the Central Management store resides | Lync Server Master Replicator Agent service | 445 | TCP | Used to push configuration data from the Central Management store to servers running Lync Server. |
All Servers | SQL Browser | 1434 | UDP | SQL Browser for local replicated copy of Central Management store data in local SQL Server instance |
All internal servers | Various | 49152-57500 | TCP/UDP | Media port range used for audio conferencing on all internal servers. Used by all servers that terminate audio: Front End Servers (for Lync Server Conferencing Attendant service, Lync Server Conferencing Announcement service, and Lync Server Audio/Video Conferencing service), and Mediation Server. |
Mediation Servers | Lync Server Mediation service | 5070 | TCP | Used by the Mediation Server for incoming requests from the Front End Server. |
Mediation Servers | Lync Server Mediation service | 5067 | TCP (TLS) | Used for incoming SIP requests from the PSTN gateway. |
Mediation Servers | Lync Server Mediation service | 5068 | TCP | Used for incoming SIP requests from the PSTN gateway. |
Mediation Servers | Lync Server Mediation service | 5070 | TCP (MTLS) | Used for SIP requests from the Front End Servers. |
Persistent Chat Front End Server | Persistent Chat SIP | 5041 | TCP (MTLS) | |
Persistent Chat Front End Server | Persistent Chat Windows Communication Foundation (WCF) | 881 | TCP (TLS) and TCP (MTLS) | |
Persistent Chat Front End Server | Persistent Chat File Transfer Service | 443 | TCP (TLS) | |
Lync Server 2013 - Edge Server
The Edge Server requires the following ports to be open for smooth operation. There is a list for each of the internal and external interfaces:
Internal Interface
Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Comments |
---|---|---|---|
XMPP/MTLS/TCP/23456 | Any (can be defined as Standard Edition server IP, Standard Edition server IP address, or pool IP address running the XMPP Gateway service) | Edge Server internal interface | Outbound XMPP traffic from XMPP Gateway service running on Front End Server or Front End pool |
SIP/MTLS/TCP/5061 | Any (can be defined as Director, Director pool IP address, Front End Server or Front End pool IP address) | Edge Server IP, or pool that holds the internal interface | Outbound SIP traffic (from Director, Director pool IP address, Front End Server or Front End pool IP address) to Edge Server internal interface |
SIP/MTLS/TCP/5061 | Edge Server internal interface | Any (can be defined as Director, Director pool IP address, Front End Server or Front End pool address) | Inbound SIP traffic (to Director, Director pool IP address, Front End Server or Front End pool IP address) from Edge Server internal interface |
PSOM/MTLS/TCP/8057 | Any (can be defined as Front End Server IP address, or each Front End Server IP address in a Front End pool) | Edge Server internal interface | Web conferencing traffic from Front End Server or each Front End Server if in a pool, to Edge Server internal interface |
SIP/MTLS/TCP/5062 | Any (can be defined as Front End Server IP address, or Front End pool IP address or any Survivable Branch Appliance or Survivable Branch Server using this Edge Server) | Edge Server internal interface | Authentication of A/V users (A/V authentication service) from Front End Server or Front End pool IP address or any Survivable Branch Appliance or Survivable Branch Server using this Edge Server |
STUN/MSTURN/UDP/3478 | Any | Edge Server internal interface | Preferred path for A/V media transfer between internal and external users, Survivable Branch Appliance or Survivable Branch Server |
STUN/MSTURN/TCP/443 | Any | Edge Server internal interface | Fallback path for A/V media transfer between internal and external users, Survivable Branch Appliance or Survivable Branch Server if UDP communication cannot be established, TCP is used for file transfer and desktop sharing |
HTTPS/TCP/4443 | Any (can be defined as the Front End Server IP address, or pool that holds the Central Management store) | Edge Server internal interface | Replication of changes from the Central Management store to the Edge Server |
MTLS/TCP/50001 | Any | Edge Server internal interface | Centralized Logging Service controller using Lync Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection |
MTLS/TCP/50002 | Any | Edge Server internal interface | Centralized Logging Service controller using Lync Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection |
MTLS/TCP/50003 | Any | Edge Server internal interface | Centralized Logging Service controller using Lync Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection |
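Most rows in the internal-interface table give the source as "Any" but add the hosts it can be narrowed to. The PowerShell script below is an added example (not part of the original article and not Microsoft's code) that creates the inbound rules for an Edge Server's internal interface scoped to those hosts, so that only the Front End pool, Directors, the Central Management store server and the CLS administration hosts can reach the server ports, while the STUN/TURN media ports, which internal clients must reach, stay open but bound to the internal interface address only. All addresses are placeholders to replace with your own; it assumes the NetSecurity module on Windows Server 2012 or later and supports -WhatIf.

```powershell
# Added example (not from the original article or from Microsoft): inbound rules for an
# Edge Server internal interface, scoped to the sources named in the table above.
# Addresses are placeholders. Assumes the NetSecurity module (Windows Server 2012+).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]   $EdgeInternalIP = '10.0.10.5',                   # placeholder: Edge internal interface
    [string[]] $FrontEndIPs    = @('10.0.20.11', '10.0.20.12'), # placeholder: each Front End in the pool
    [string[]] $DirectorIPs    = @(),                           # placeholder: Director(s), if deployed
    [string]   $CmsServerIP    = '10.0.20.11',                  # placeholder: server holding the CMS
    [string[]] $SbaIPs         = @(),                           # placeholder: Survivable Branch Appliances
    [string[]] $ClsAdminHosts  = @('10.0.30.7')                 # placeholder: hosts that run CLS commands
)

# Source hosts per flow, following the table rows.
$sipSources = $FrontEndIPs + $DirectorIPs
$avAuth     = $FrontEndIPs + $SbaIPs

$Rules = @(
    @{ Name = 'Lync Edge internal - SIP 5061';      Protocol = 'TCP'; Port = '5061';        Remote = $sipSources },
    @{ Name = 'Lync Edge internal - PSOM 8057';     Protocol = 'TCP'; Port = '8057';        Remote = $FrontEndIPs },
    @{ Name = 'Lync Edge internal - A/V auth 5062'; Protocol = 'TCP'; Port = '5062';        Remote = $avAuth },
    @{ Name = 'Lync Edge internal - CMS 4443';      Protocol = 'TCP'; Port = '4443';        Remote = @($CmsServerIP) },
    @{ Name = 'Lync Edge internal - XMPP 23456';    Protocol = 'TCP'; Port = '23456';       Remote = $FrontEndIPs },
    @{ Name = 'Lync Edge internal - CLS';           Protocol = 'TCP'; Port = '50001-50003'; Remote = $ClsAdminHosts },
    # Media from internal clients cannot be pinned to server addresses: keep the source at Any,
    # but the -LocalAddress below still limits these rules to the internal interface.
    @{ Name = 'Lync Edge internal - STUN UDP 3478'; Protocol = 'UDP'; Port = '3478';        Remote = @('Any') },
    @{ Name = 'Lync Edge internal - STUN TCP 443';  Protocol = 'TCP'; Port = '443';         Remote = @('Any') }
)

foreach ($r in $Rules) {
    if ($r.Remote.Count -eq 0) {
        Write-Warning "Skipping '$($r.Name)': no source hosts given"
        continue
    }
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
        Write-Verbose "Rule '$($r.Name)' already exists; leaving it unchanged"
        continue
    }
    $what = "Allow $($r.Protocol) $($r.Port) from $($r.Remote -join ',')"
    if ($PSCmdlet.ShouldProcess($r.Name, $what)) {
        # Edge Servers are usually not domain-joined, so the interface may sit in any profile.
        New-NetFirewallRule -DisplayName $r.Name -Group 'Lync Edge internal' `
            -Direction Inbound -Action Allow -Profile Any `
            -Protocol $r.Protocol -LocalPort $r.Port `
            -LocalAddress $EdgeInternalIP -RemoteAddress $r.Remote | Out-Null
    }
}
```

Run with `-WhatIf` first to see every rule it would create. Adding a Front End to the pool later means re-running with the new address in -FrontEndIPs, which is the cost of not leaving the source at Any.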
External Interface
Role/Protocol/TCP or UDP/Port | Source IP address | Destination IP address | Notes |
---|---|---|---|
XMPP/TCP/5269 | Any | XMPP Proxy service (shares IP address with Access Edge service) | XMPP Proxy service accepts traffic from XMPP contacts in defined XMPP federations |
Access/HTTP/TCP/80 | Edge Server Access Edge service public IP address | Any | Certificate revocation/CRL check and retrieval |
Access/DNS/TCP/53 | Edge Server Access Edge service public IP address | Any | DNS query over TCP |
Access/DNS/UDP/53 | Edge Server Access Edge service public IP address | Any | DNS query over UDP |
Access/SIP(TLS)/TCP/443 | Any | Edge Server Access Edge service public IP address | Client-to-server SIP traffic for external user access |
Access/SIP(MTLS)/TCP/5061 | Any | Edge Server Access Edge service public IP address | For federated and public IM connectivity using SIP |
Access/SIP(MTLS)/TCP/5061 | Edge Server Access Edge service public IP address | Any | For federated and public IM connectivity using SIP |
Web Conferencing/PSOM(TLS)/TCP/443 | Any | Edge Server Web Conferencing Edge service public IP address | Web Conferencing media |
A/V/RTP/TCP/50,000-59,999 | Edge Server Access Edge service public IP address | Any | Required for federating with partners running Office Communications Server 2007, Office Communications Server 2007 R2, Lync Server 2010 and Lync Server 2013. |
A/V/RTP/UDP/50,000-59,999 | Edge Server A/V Edge service public IP address | Any | Required only for federation with partners running Office Communications Server 2007 |
A/V/RTP/TCP/50,000-59,999 | Any | Edge Server A/V Edge service public IP address | Required only for federation with partners running Office Communications Server 2007. |
A/V/RTP/UDP/50,000-59,999 | Any | Edge Server A/V Edge service public IP address | Required only for federation with partners running Office Communications Server 2007. |
A/V/STUN,MSTURN/UDP/3478 | Edge Server A/V Edge service public IP address | Any | 3478 outbound is used to determine the version of Edge Server that Lync Server is communicating with and also for media traffic from Edge Server-to-Edge Server. Required for federation with Lync Server 2010, Windows Live Messenger, and Office Communications Server 2007 R2, and also if multiple Edge pools are deployed within a company. |
A/V/STUN,MSTURN/UDP/3478 | Any | Edge Server A/V Edge service public IP address | STUN/TURN negotiation of candidates over UDP/3478 |
A/V/STUN,MSTURN/TCP/443 | Any | Edge Server A/V Edge service public IP address | STUN/TURN negotiation of candidates over TCP/443 |
A/V/STUN,MSTURN/TCP/443 | Edge Server A/V Edge service public IP address | Any | STUN/TURN negotiation of candidates over TCP/443 |
Reverse Proxy Server
Protocol/TCP or UDP/Port | Server Role | Comments |
---|---|---|
TCP/8080 | Reverse Proxy Server (External) | Listening Port for Web Based Traffic. Translates to port 80 in ARR Module |
TCP/4443 | Reverse Proxy Server (External) | Listening Port for Web Based HTTPS traffic. Translates to port 443 in ARR Module |
TCP/80 | Reverse Proxy Server (Internal) | Listening Port for Web Based Traffic. Forwards to port 80 on Front End Server |
TCP/443 | Reverse Proxy Server (Internal) | Listening Port for Web Based SSL Traffic. Forwards to port 443 on Front End Server |
Miscellaneous Servers
Protocol/TCP or UDP/Port | Server Role | Comments |
---|---|---|
TCP/5068 | Front End Server | Mediation Server listening port for the Front End Server. Used for Enterprise Voice |
TCP/5081 | TDM Gateway/Session Border Controller | Listening Port on the Session Border Controller or the TDM Gateway. Used for Enterprise Voice |