Skype for Business to Skype Federation using customized ports

  • Question

  • The company I am working with does not allow using the same firewall ports for Skype to S4B federation as published in

    https://technet.microsoft.com/en-us/library/mt346415.aspx#PortFirewallPlan

    What are the considerations I can check if they plan to use customized ports on the firewall?


    Hyacinth

    Monday, July 25, 2016 9:22 AM

Answers

  • Hi

    Yes, you can use custom ports if you want for federation, although it is not recommended. Outbound, though, you will need to allow 5061 because that's the way most others federate.

    You can use any port, as long as it doesn't conflict with others. You set this within Topology Builder when defining your edge setup. Just make sure the SRV record for sipfederationtls._tcp.domain.com is set to the port that you have chosen.

    However, an important point is that most people deploy outbound firewall rules to specific destination ports from their edge servers. So inbound federation to you may fail because you are using non-standard ports. For instance, assume I want to federate with you. I allow only 443, 53, 5061, 3478 and 50K outbound to the internet from my edge servers. I will be able to discover your SRV record and determine that federation should happen on a port such as 8000. However, I will not be able to establish a connection to that port because my own firewall policy does not permit this.

    For this reason, I would highly recommend using the proper federation port. If you choose not to, or are prevented from doing so, the only way you will get federation in most cases would be to ask the federating partner to add your custom federation settings to their SIP federated partner configurations, where they can define server FQDN and port.

    thanks



    Monday, July 25, 2016 1:04 PM
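
The failure described in the answer above (a partner's SRV record advertises a non-standard port that your own edge egress rules do not permit) can be checked before a federation attempt fails. This is an added example, not code from the thread; the function names, the `.example` partner domains and the 50000-59999 reading of "50K" are assumptions.

```powershell
# Added example, not from the thread. Single ports are the ones the answer lists;
# 50000-59999 is an ASSUMED reading of its "50K" entry. Adjust to your own policy.
$EgressPorts  = 443, 53, 5061, 3478
$EgressRanges = @(@{ From = 50000; To = 59999 })

function Test-EgressAllowed {
    param([int]$Port)
    if ($EgressPorts -contains $Port) { return $true }
    foreach ($r in $EgressRanges) {
        if ($Port -ge $r.From -and $Port -le $r.To) { return $true }
    }
    return $false
}

function Get-FederationEgressReport {
    param(
        [Parameter(Mandatory)] [string[]] $Domain,
        # Optional pre-fetched SRV answers for offline use; omit to query DNS.
        [object[]] $SrvRecord
    )
    foreach ($d in $Domain) {
        $name = "_sipfederationtls._tcp.$d"
        if ($PSBoundParameters.ContainsKey('SrvRecord')) {
            $answers = @($SrvRecord | Where-Object { $_.Name -eq $name })
        } else {
            $answers = @(Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
                         Where-Object { $_.Type -eq 'SRV' })
        }
        if ($answers.Count -eq 0) {
            [pscustomobject]@{ Domain = $d; Target = $null; Port = $null; Egress = $null
                               Result = 'No SRV record found' }
            continue
        }
        foreach ($a in ($answers | Sort-Object Priority)) {
            $ok = Test-EgressAllowed -Port $a.Port
            $result = if ($ok) { 'Allowed by egress policy' } else { "Blocked: TCP $($a.Port) not in egress policy" }
            [pscustomobject]@{ Domain = $d; Target = $a.NameTarget; Port = $a.Port; Egress = $ok
                               Result = $result }
        }
    }
}

# Constructed sample SRV answers (not real partners): one standard, one custom port.
$sample = @(
    [pscustomobject]@{ Name = '_sipfederationtls._tcp.partner-a.example'; NameTarget = 'sip.partner-a.example'; Port = 5061; Priority = 0 }
    [pscustomobject]@{ Name = '_sipfederationtls._tcp.partner-b.example'; NameTarget = 'edge.partner-b.example'; Port = 8000; Priority = 0 }
)
Get-FederationEgressReport -Domain 'partner-a.example', 'partner-b.example', 'partner-c.example' -SrvRecord $sample |
    Format-Table -AutoSize
```

Run without `-SrvRecord` from a host that uses the same resolver as the edge servers to evaluate live SRV answers instead of the constructed sample.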

All replies

  • Yes, you can use customized ports, but your partner should open inside-to-outside communication on the same port which you have opened to make a SIP session for the same. At the same time, those ports should not conflict with any other applications.

    And don't change the federation port, as it will give trouble and you end up troubleshooting the issues.

    You wouldn't be able to change the Lync federation port from 5061. If federation is a must, better to find out another ISP.

    https://social.technet.microsoft.com/Forums/lync/en-US/14e15c0d-1c28-4a30-991a-c2415a23917c/changing-the-sip-port-of-5061-in-a-single-ip-scenario?forum=ocsplanningdeployment



    Regards, Rajukb | MCSE (Communication), MCSA (o365), Certified "Lync server 2013 depth support engineer" | This posting is provided with no warranties and confers no rights. If my reply answers your question please mark as answer/helpful if it's helpful.



    Monday, July 25, 2016 1:40 PM
  • Hi Hyacinth E,

    Agree with others, for the federation between SFB and Skype you could customize the ports.

    As a supplement, the process of SFB and Skype federation is as follows:

    1. Configure Federation and PIC.

    2. Configure at least one policy to support federated user access.

    3. Configure the Skype PIC provider setting.

    For more information, please refer to

    https://technet.microsoft.com/en-us/library/dn705313.aspx

    Best regards,

    Alice Wang


    TechNet Community Support

    • Proposed as answer by Liinus Tuesday, July 26, 2016 10:43 AM
    Tuesday, July 26, 2016 5:14 AM
  • Agree with all contributors' suggestions. The federation port is hard-coded; you wouldn't be able to change the Lync federation port from 5061. If the partner organization does not allow these custom ports on their external firewall, the respective Lync feature may not work.


    Linus || Please mark posts as answers/helpful if it answers your question.

    Tuesday, July 26, 2016 10:46 AM