SfB Online Ports Question

  • Question

  • Hi Guys, 

    I'm by no means an SfB admin so please bear with me...

    I'm a network engineer within my organisation and we are experiencing issues with media comms (calls, video and presentation sharing) between SfB online clients separated by an internal firewall. 

    What I am seeing is traffic being dropped at the internal firewall when a media session is established between the two SfB online clients. The ports that I am seeing being dropped are TCP/UDP 500XX.

    We also have an SfB onprem environment within our organisation. Within this environment we have specified which ports are utilised for media comms (calls, video and presentation sharing) using the SfB shell. However, having done some reading, it does not seem obvious how we would specify specific port utilisation for SfB online clients for client to client media communications as no such SfB online cmdlet seems to exist. 

    Get-CsConferencingConfiguration - would be used in an onprem environment to highlight the utilised ports although there does not appear to be such a command in the Online implementation. 

    As I say, I'm not an SfB admin, however having done some reading I understand (I believe this is correct?) that SfB clients historically require ports TCP / UDP 50000-59999 open between the client and the SfB online server infrastructure. However, I believe that this is no longer a requirement so long as ports UDP 3478-3481 + TCP 443 are open between the client and the online servers (outbound only I assume). If those ports are not open, communications will fall back to TCP / UDP 50000-59999 between client and server. 

    A few questions... 

    1. The SfB clients are attempting to communicate internally directly with one another during media sessions over the 500XX ports. Is there a way to customise this in an online implementation as there is in onprem? 

    2. Is the direct communication between the two SfB clients over the 500XX ports by design? What ports do SfB online clients utilise for voice / audio / presentation? Is it the TCP / UDP 50000-59999 range or is this solely for SfB online client to online server communication? When I have enabled access between these two clients over ports TCP / UDP 50000-59999 through the internal firewall - everything works although such a broad range of ports being available through the firewall is not desirable. 

    Apologies, as is evident I have no real understanding as to how the mechanics of SfB functions at a granular level.

    Any assistance is greatly appreciated. 




    M Tipler

    Tuesday, March 13, 2018 12:58 PM

Answers

  • Apologies for the wait upon this...

    This is the conclusion / response that I (eventually) got from Microsoft RE media ports for SfB client <-> SfB client communication...

    The ports used by Skype for Business Online clients:

    Min Media Port: 50.000 (TCP/UDP), Max Media Port: 50.059 (TCP/UDP)

    The ports for audio are from 50.000 – 50.019

    The ports for video are from 50.020 – 50.039

    The ports for Application Sharing and File Transfer are from 50.040 – 50.059

    Hope this helps somebody somewhere... 


    M Tipler

    • Marked as answer by Mattyt123321 Friday, April 6, 2018 10:08 AM
    Friday, April 6, 2018 10:07 AM
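
    An added example, not part of the original thread: one way to check internal-firewall drop logs against the three ranges quoted in the answer above before replacing a broad 50000-59999 rule with 50000-50059. The log format, addresses and function names are constructed for illustration, and "50.000" is read as port 50000.

```python
import re
from collections import Counter

# Ranges from the answer above, reading "50.000" as port 50000 (assumption).
MEDIA_RANGES = {
    "audio": range(50000, 50020),
    "video": range(50020, 50040),
    "appshare_filetransfer": range(50040, 50060),
}

# Hypothetical key=value log format, constructed for this example.
LINE_RE = re.compile(
    r"action=(?P<action>\w+)\s+proto=(?P<proto>tcp|udp)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)",
    re.IGNORECASE,
)

# Constructed sample lines (private and documentation addresses only).
SAMPLE_LOG = """\
action=drop proto=udp src=10.1.20.15:50004 dst=10.2.30.44:50012
action=drop proto=udp src=10.1.20.15:50026 dst=10.2.30.44:50031
action=drop proto=tcp src=10.2.30.44:50047 dst=10.1.20.15:50041
action=drop proto=udp src=10.1.20.15:50112 dst=10.2.30.44:50230
action=allow proto=tcp src=10.1.20.15:51514 dst=203.0.113.10:443
garbage line
"""

def classify_port(port):
    """Return the media category for a port, or None if outside 50000-50059."""
    for name, ports in MEDIA_RANGES.items():
        if port in ports:
            return name
    return None

def summarize_drops(log_text):
    """Count dropped flows per media category (by destination port) and list
    dropped flows that a 50000-50059 rule would not cover."""
    counts, uncovered = Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None or m["action"].lower() != "drop":
            continue  # skip unparsable lines and permitted traffic
        dport = int(m["dport"])
        category = classify_port(dport)
        if category:
            counts[category] += 1
        else:
            uncovered.append((m["proto"].lower(), m["src"], m["dst"], dport))
    return dict(counts), uncovered
```

    Any flow left in the uncovered list is worth investigating before the rule is tightened, since it would still be dropped under the narrower range.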

All replies

  • Hello Mattyt,

    Please check if this helps

    Ans1. Discussion about the 50xxx port range is regarding reaching the Skype for Business Online server, excluding the respective scenarios - depending on where the two end points are located. The points below will answer your question directly
    https://techcommunity.microsoft.com/t5/Skype-for-Business-Blog/Simplified-port-requirements-for-Skype-for-Business-Online/ba-p/77094
    - So which ports are required for clients?
    - Why are these ports not required anymore?

    Ans2.

    - Yes, unless both the Clients are sitting behind firewalls, as explained Why are these ports in certain scenario (Considering not having Express route)
    - For Voice Audio and presentation we need TCP 443, UDP 3478-3481 and 50,000-59,000 TCP and UDP as stated optional. When these ports are used it doesn't blindly access any ports in this range, it's based on the Candidates (Combination of protocols and Ports in SDP - session description protocol) communicated between the clients it sends a request to access these ports for that respective channel (TTL) only based on requirement. These ports are not listening all the time, when these ports are accessed are defined to be used by specific IP and Protocol mentioned in the SDP only.
    - You can configure QoS via Group Policy which would be only applicable for your network and would need to strip the DSCP marking when sending Traffic outside of your network. This will vary when you have an express route configured - which can extend the DSCP marking to cloud

    http://tomtalks.uk/2015/12/skype-business-online-quality-service-dscp-markings/

    • Proposed as answer by Alice-Wang Wednesday, March 14, 2018 2:29 AM
    Tuesday, March 13, 2018 4:30 PM
  • Hi Mattyt123321,

    According to my research, for SFB online, the required ports are as follows:
    TCP 80, 443
    UDP 3478, 3479, 3480, 3481

    I will share a document about the ports for SFB online

    Please refer to
    https://adam-hand.com/2013/11/07/lync-online-for-office-365-firewall-requirements/

    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link

    I couldn’t find a method to customize the ports for SFB online. You could also try to post in the SFB online forum, where there are more experts who will help you with this issue
    https://answers.microsoft.com/en-us/msoffice?auth=1


    Best Regards,
    Alice Wang


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.



    Wednesday, March 14, 2018 3:12 AM
  • Thank you guys. I'm going to review the articles provided and then make some changes to our environment. I'll be sure to update this post with my findings. 

    Thank you again! 


    M Tipler

    Wednesday, March 14, 2018 11:08 AM
  • Hi,

    OK, if the reply is helpful to you, please mark it as an answer, it will help others who have a similar issue.


    Best Regards,
    Alice Wang



    Thursday, March 15, 2018 1:37 AM
  • Hey guys,

    I can confirm that those ports are already open to SfB online infrastructure upon our edge firewall. However, I'm starting to suspect that our shoddy Proxy-Server might be the cause of the problem as I'm not seeing traffic to those UDP ports actually hit the edge FW! 

    I'm thinking the proxy is dropping the UDP traffic and that could be causing the clients to utilise the 500XX in the communication between them (perhaps)? Does that sound feasible to you guys?

    Matt


    M Tipler

    Thursday, March 15, 2018 3:15 PM
  • Hello Matty,

    When two Skype clients are having an audio call, media doesn't go to the Server, it flows between the two client end points directly, but if there is a firewall between the two subnets where clients are located then you need to make sure you have these internal ports open for clients to talk to each other as per the below article

    https://technet.microsoft.com/en-us/library/gg398833.aspx

    (Required Client Ports)

    Clients | 1024-65535 * | TCP/UDP | Audio port range (minimum of 20 ports required)
    Clients | 1024-65535 * | TCP/UDP | Video port range (minimum of 20 ports required)

    https://technet.microsoft.com/en-us/library/2008.07.ocs.aspx = Old very much valid

    • Proposed as answer by Alice-Wang Monday, March 19, 2018 7:48 AM
    Friday, March 16, 2018 2:47 PM
  • I am following up on this case; are there any updates about this issue?

    Best Regards,
    Alice Wang



    • Proposed as answer by Alice-Wang Monday, March 19, 2018 8:20 AM
    Monday, March 19, 2018 7:49 AM
  • Hi Prashant,

    Thank you for your response. 

    (Required Client Ports)

    Clients | 1024-65535 * | TCP/UDP | Audio port range (minimum of 20 ports required)
    Clients | 1024-65535 * | TCP/UDP | Video port range (minimum of 20 ports required)

    So if there is no way to define (for SfB online users) the 20 ports required, are we supposed to open 1024-65535 TCP/UDP? Surely not? 

    Regards.


    M Tipler

    Monday, March 19, 2018 8:52 AM
  • Yes, we can make the QoS for the LAN network but the same won't be applicable to Traffic which goes out of our Local Network unless we have Express route configuration

    https://blogs.perficient.com/microsoft/2014/12/configuring-quality-of-service-for-lync-online/

    https://blogs.technet.microsoft.com/skypehybridguy/2016/07/23/validate-qos-for-skype-for-business-online/

    Additional to the network devices (manufacturer specific) which needs to be configured based on requirement for QoS.

    Monday, March 19, 2018 7:19 PM
  • Hi Prashant,

    I appreciate your response, but I'm not trying to configure QoS.

    I'm trying to understand how to define the ports that are utilised for media communications between two SfB online clients. You earlier listed these ports... 

    (Required Client Ports)

    Clients | 1024-65535 * | TCP/UDP | Audio port range (minimum of 20 ports required)
    Clients | 1024-65535 * | TCP/UDP | Video port range (minimum of 20 ports required)

    This port range is too broad. I need to be able to customize this down to 20 ports, as you can do within an SfB onprem environment. Due to the sensitive nature of data handled by the organisation for which I work (PII), all firewall access rules have to be as "tight" as possible. Opening communications 1024-65535 TCP / UDP between user networks, across the wider network is not acceptable. 

    I've opened a ticket with Microsoft. I'll update this post with the conclusion of the ticket. 

    I appreciate your help and that of Alice. 


    M Tipler

    Tuesday, March 20, 2018 9:30 AM
  • Thanks for the update, please update once you speak to Support - interested to know their answer

    Which would be ClientMediaPortRangeEnabled configuration for Set-CsConferencingConfiguration which is a service side configuration. Mostly this might be available in a dedicated scenario or there is some provision made in a shared pool

    • Proposed as answer by Alice-Wang Monday, April 2, 2018 11:47 AM
    • Unproposed as answer by Mattyt123321 Friday, April 6, 2018 10:08 AM
    Tuesday, March 20, 2018 2:14 PM