RTP ports for A/V Edge RRS feed

  • Question

  • We are running Skype for Business 2015 with the latest CU applied. We have configured the firewalls that lead to the Edge environment in the DMZ according to the Microsoft guidelines, specifically the RTP ports for the A/V Edge (TCP/UDP 50000 thru 59999).

    We have been finding that when an externally registered client makes a call to our Cisco environment or the PSTN, the RTP is sometimes established in the normal ephemeral port range of 1024 thru 65545, which is fully supported by all SfB clients, but gets discarded by the firewall.

    Does anyone know why Microsoft would have us put in that firewall rule and then allow the clients to utilize ports outside of that range? Are we supposed to infer that we should restrict the clients on the Front End to match those ports, even though it is not stated as such in any Microsoft documentation?

    Thank you

    Tuesday, August 9, 2016 2:58 PM

Answers

  • 50-59999 ports are for Federation with other OCS/Lync/Skype servers from the Edge, it's not referring to general RTP.

    https://technet.microsoft.com/en-us/library/gg425891(v=ocs.15).aspx

    Traffic from an external client won't be using these ports, they'll typically be using STUN/TURN on TCP/443 or UDP/3478 to the AV Edge, from there it would use a different set of ports.


    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer". SWC Unified Communications This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Tuesday, August 9, 2016 3:28 PM

All replies

  • Yes, I see that now. I will need to have our firewall settings amended to allow for TCP/UDP Any instead of what is currently configured.

    If we did have a federated partner, how would we set up the firewall to allow the 50k ports to just those endpoints while allowing normal TCP/UDP traffic to endpoints?

    Tuesday, August 9, 2016 5:02 PM
  • I'm a bit confused on the other side: you say to Cisco or the PSTN. What is the source and destination of the packets you're seeing? Are they coming from the Mediation Server, or direct from the Edge or client?


    Tuesday, August 9, 2016 5:54 PM
  • The Cisco is the gateway for the SfB 2015 environment. For any call from a device registered on the Edge to a Cisco phone, the media from the Cisco phone is nailed up on the Mediation service of one of the FE servers within the specified port range. The media from the FE to the Edge is being created outside of the 50000 thru 59999 range allowed on the firewall.

    Wednesday, August 10, 2016 2:44 PM
  • There should be high range media ports from the Edge to the FE? That's odd, from the Mediation to the Cisco, I can see media hitting outside of that range depending on configuration: https://technet.microsoft.com/en-us/library/jj204872(v=ocs.15).aspx



    Wednesday, August 10, 2016 3:27 PM
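The practical check behind this thread is to read the media port ranges the topology is actually configured with (Mediation Server towards the gateway, Conferencing and Application servers, and the client range the original question asks about) and compare each with the range the firewall permits. The script below is an added example for the Skype for Business Server Management Shell; it is not from the thread, from Microsoft, or from any poster. The cmdlets and properties are the documented Lync/SfB ones (Get-CsService with -MediationServer/-ConferencingServer/-ApplicationServer, Get-CsConferencingConfiguration); the allowed range 50000-59999 is taken from the question and is an assumption to adjust, and the 1024-65535 fallback for clients without a pinned range is the behaviour the question describes, not something the script reads from the server.

```powershell
# Added example (not from the thread): inventory the media port ranges a
# Skype for Business Server 2015 deployment is configured to use and report
# which of them fall outside the range the perimeter firewall permits.
# Run in the Skype for Business Server Management Shell on a Front End.

# Range the firewall permits for A/V media (value from the question; assumption,
# adjust to what is really configured on the firewall).
$AllowedStart = 50000
$AllowedEnd   = 59999

function Test-PortRangeCovered {
    # The Cs* services express ranges as Start/Count; turn that into an
    # inclusive range and report the part (if any) the firewall will not match.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Start,
        [Parameter(Mandatory)][int]$Count
    )
    $end = $Start + $Count - 1
    $uncovered = @()
    if ($Start -lt $AllowedStart) { $uncovered += "$Start-$([Math]::Min($end, $AllowedStart - 1))" }
    if ($end -gt $AllowedEnd)     { $uncovered += "$([Math]::Max($Start, $AllowedEnd + 1))-$end" }
    [pscustomobject]@{
        Service   = $Name
        Range     = "$Start-$end"
        Covered   = ($uncovered.Count -eq 0)
        Uncovered = ($uncovered -join ', ')
    }
}

$report = @()

# Mediation Server: the media leg towards the PSTN gateway (the Cisco side in
# the thread). The documented default is AudioPortStart 49152 with
# AudioPortCount 8348, i.e. 49152-57500, which begins below 50000.
foreach ($svc in Get-CsService -MediationServer) {
    $report += Test-PortRangeCovered -Name "Mediation $($svc.Identity)" `
        -Start $svc.AudioPortStart -Count $svc.AudioPortCount
}

# A/V Conferencing Server and Application Server (Response Group, Call Park).
foreach ($svc in Get-CsService -ConferencingServer) {
    $report += Test-PortRangeCovered -Name "Conferencing audio $($svc.Identity)" `
        -Start $svc.AudioPortStart -Count $svc.AudioPortCount
    $report += Test-PortRangeCovered -Name "Conferencing video $($svc.Identity)" `
        -Start $svc.VideoPortStart -Count $svc.VideoPortCount
}
foreach ($svc in Get-CsService -ApplicationServer) {
    $report += Test-PortRangeCovered -Name "Application $($svc.Identity)" `
        -Start $svc.AudioPortStart -Count $svc.AudioPortCount
}

# Client media ports. Unless ClientMediaPortRangeEnabled is $true, clients pick
# any port from the OS ephemeral range, so no range rule on the firewall will
# match them; 1024-65535 here is the fallback described in the question.
foreach ($conf in Get-CsConferencingConfiguration) {
    if ($conf.ClientMediaPortRangeEnabled) {
        $report += Test-PortRangeCovered -Name "Client audio $($conf.Identity)" `
            -Start $conf.ClientAudioPort -Count $conf.ClientAudioPortRange
        $report += Test-PortRangeCovered -Name "Client video $($conf.Identity)" `
            -Start $conf.ClientVideoPort -Count $conf.ClientVideoPortRange
    } else {
        $report += Test-PortRangeCovered -Name "Client media $($conf.Identity) (range not pinned)" `
            -Start 1024 -Count 64512
    }
}

$report | Format-Table -AutoSize

# To pin the client ranges so a firewall rule can match them (example values
# only; choose values inside the range your firewall actually allows):
# Set-CsConferencingConfiguration -Identity Global -ClientMediaPortRangeEnabled $true `
#     -ClientAudioPort 50020 -ClientAudioPortRange 20 `
#     -ClientVideoPort 58000 -ClientVideoPortRange 20 `
#     -ClientAppSharingPort 42000 -ClientAppSharingPortRange 20 `
#     -ClientFileTransferPort 42020 -ClientFileTransferPortRange 20
```

Rows with Covered set to False are media legs the quoted 50000-59999 rule will not match on its own. For each one, decide per leg whether the right fix is a separate firewall rule for that hop or narrowing the service or client range to sit inside what the firewall permits; pinning the client range with Set-CsConferencingConfiguration is the documented way to do the latter, and it only takes effect for clients after they pick up the new in-band configuration.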