External User Behind Firewall can't Join Meeting - Ports 50000-59999 Blocked

  • Question

  • My Environment:

    • Skype for Business 2015 Enterprise On-Prem / March 2018 CU
    • 3 FE + 2 Edge

    The problem:

    I am having trouble with users at one of our sister companies joining media (Audio/Video/Desktop) in Skype meetings.

    Their firewall will not allow ports 50,000 - 59,999. Only 80/443 are allowed. Their network team can see the traffic on 50k ports being blocked.

    These remote users are using the Skype for Business Web App plug-in.

    From Snooper logs, it appears that connections via 443 aren't being offered. I have a number of users conducting external meetings with other companies. TestConnectivity looks good. Does anyone have an idea why Skype doesn't seem to be using Port 443 for media?

    Here's the candidates offered from my Edge server tracing logs

    a=candidate:1 1 UDP 2130706431 10.x.x.x 30462 typ host
    a=candidate:1 2 UDP 2130705918 10.x.x.x 30463 typ host
    a=candidate:2 1 TCP-PASS 174456319 198.x.x.x 58163 typ relay raddr 211.x.x.x rport 36477
    a=candidate:2 2 TCP-PASS 174455806 198.x.x.x 58163 typ relay raddr 211.x.x.x rport 36477
    a=candidate:3 1 TCP-ACT 174849023 198.x.x.x 58163 typ relay raddr 211.x.x.x rport 36477
    a=candidate:3 2 TCP-ACT 174848510 198.x.x.x 58163 typ relay raddr 211.x.x.x rport 36477
    a=candidate:4 1 TCP-ACT 1684797951 211.x.x.x 36477 typ srflx raddr 10.x.x.x rport 33053
    a=candidate:4 2 TCP-ACT 1684797438 211.x.x.x 36477 typ srflx raddr 10.x.x.x rport 33053
    a=candidate:5 1 UDP 1694496767 211.x.x.x 1025 typ srflx raddr 10.x.x.x rport 30462
    a=candidate:5 2 UDP 1694496254 211.x.x.x 1026 typ srflx raddr 10.x.x.x rport 30463

    I'm not sure what I'm missing here. These remote users should be able to connect to media via 443, right? Is there a config flag I missed somewhere that will allow this?

    Will Perry

    Friday, November 16, 2018 5:48 PM
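As an added diagnostic example (not part of the original post or of any Microsoft tooling), the script below parses ICE candidate lines of the form shown in the Edge trace above and checks them against the partner's firewall policy, which permits only TCP 80 and 443 outbound. The sample input is constructed from the candidate lines in the post, with the masked `x` octets left as they are, because the check only needs transport, port and candidate type. The result makes the problem concrete: every routable candidate the Edge offers is either a relay on a 50000-59999 port or a server-reflexive candidate on an ephemeral port, and no TCP/443 candidate exists for the remote client to fall back to.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the candidate lines quoted in the post above.
SAMPLE_CANDIDATES = """\
a=candidate:1 1 UDP 2130706431 10.x.x.x 30462 typ host
a=candidate:1 2 UDP 2130705918 10.x.x.x 30463 typ host
a=candidate:2 1 TCP-PASS 174456319 198.x.x.x 58163 typ relay raddr 211.x.x.x rport 36477
a=candidate:2 2 TCP-PASS 174455806 198.x.x.x 58163 typ relay raddr 211.x.x.x rport 36477
a=candidate:3 1 TCP-ACT 174849023 198.x.x.x 58163 typ relay raddr 211.x.x.x rport 36477
a=candidate:3 2 TCP-ACT 174848510 198.x.x.x 58163 typ relay raddr 211.x.x.x rport 36477
a=candidate:4 1 TCP-ACT 1684797951 211.x.x.x 36477 typ srflx raddr 10.x.x.x rport 33053
a=candidate:4 2 TCP-ACT 1684797438 211.x.x.x 36477 typ srflx raddr 10.x.x.x rport 33053
a=candidate:5 1 UDP 1694496767 211.x.x.x 1025 typ srflx raddr 10.x.x.x rport 30462
a=candidate:5 2 UDP 1694496254 211.x.x.x 1026 typ srflx raddr 10.x.x.x rport 30463
"""

# One SDP candidate attribute: foundation, component (1=RTP, 2=RTCP), transport,
# priority, address, port, candidate type, and optional related address/port.
CANDIDATE_RE = re.compile(
    r"^a=candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<transport>\S+) "
    r"(?P<priority>\d+) (?P<addr>\S+) (?P<port>\d+) typ (?P<ctype>\S+)"
    r"(?: raddr (?P<raddr>\S+) rport (?P<rport>\d+))?"
)

# The external A/V Edge media port range discussed in the thread.
EDGE_MEDIA_PORTS = range(50000, 60000)


@dataclass(frozen=True)
class Candidate:
    foundation: str
    component: int
    transport: str  # UDP, TCP-PASS or TCP-ACT as written by the Edge
    priority: int
    addr: str
    port: int
    ctype: str  # host, srflx or relay


def parse_candidates(text):
    """Parse every a=candidate line in the text; unrelated lines are ignored."""
    found = []
    for line in text.splitlines():
        m = CANDIDATE_RE.match(line.strip())
        if not m:
            continue
        found.append(Candidate(
            foundation=m["foundation"], component=int(m["component"]),
            transport=m["transport"].upper(), priority=int(m["priority"]),
            addr=m["addr"], port=int(m["port"]), ctype=m["ctype"],
        ))
    return found


def media_range_candidates(cands):
    """Candidates that require the 50000-59999 range to be open on the partner firewall."""
    return [c for c in cands if c.port in EDGE_MEDIA_PORTS]


def offers_tcp_443(cands):
    """True if any non-host candidate is a TCP candidate on port 443."""
    return any(c.ctype != "host" and c.transport.startswith("TCP") and c.port == 443
               for c in cands)


def reachable_from(cands, allowed_tcp=frozenset({80, 443}), allowed_udp=frozenset()):
    """Candidates a remote client could reach through a firewall that only permits
    the given destination ports. Host candidates are skipped: they carry private
    addresses that are not routable from the partner network."""
    reachable = []
    for c in cands:
        if c.ctype == "host":
            continue
        if c.transport.startswith("TCP") and c.port in allowed_tcp:
            reachable.append(c)
        elif c.transport == "UDP" and c.port in allowed_udp:
            reachable.append(c)
    return reachable


if __name__ == "__main__":
    cands = parse_candidates(SAMPLE_CANDIDATES)
    print(f"{len(cands)} candidates parsed")
    print(f"{len(media_range_candidates(cands))} need the 50000-59999 range")
    print(f"TCP/443 candidate offered: {offers_tcp_443(cands)}")
    print(f"reachable through a TCP 80/443-only firewall: {len(reachable_from(cands))}")
```

Running it against the posted trace reports 10 candidates, four of them (the relay candidates on 58163) inside the Edge media range, no TCP/443 candidate, and nothing reachable through the partner's 80/443-only policy. Feeding the same function the allowed set a firewall team proposes (for example adding `range(50000, 60000)` to `allowed_tcp`) shows immediately which candidates that change would unblock.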

All replies

  • Hi Will,

    This document may help
    in particular:

    the 50,000-59,999 port range used for media traversal.

    It is important to understand that this port range is only opened on the external A/V Edge interface, not the internal interface. All internal Lync clients and servers will tunnel media directly to either 3478 (UDP) or 443 (TCP). This many-to-one model is possible because of the deployment requirement that Network Address Translation (NAT) is not allowed between the internal Edge interface and any internal subnets hosting clients and servers. Thus every inbound connection to either 443 or 3478 would contain a unique IP address and source port. Whereas on the external side of the Edge server the remote hosts could be behind NAT or multiple federated Edge servers could be attempting to open connections from the same source port. In OCS R2 the ability to tunnel external media connections was added but this is only for UDP media and not TCP, thus it is still recommended to allow inbound connections from the Internet to this entire port range for both UDP and TCP traffic.

    • Proposed as answer by K_S_C Monday, November 19, 2018 8:43 AM
    Monday, November 19, 2018 8:43 AM
  • Hi,

    Agree with KSC. You could also refer to this official article on the port summary introduced for Edge server.

    Kind regards,

    Calvin Liu

    Please remember to mark the reply as an answer if you find it is helpful. It will assist others who have a similar issue. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    • Proposed as answer by Calvin-Liu Monday, December 17, 2018 6:01 AM
    Monday, November 19, 2018 9:48 AM
  • This is something that has caused me a bit of confusion from the start. According to the excerpt you clipped above (and other documentation), the 50k (50,000-59,999) ports are only used to communicate with OCS 2007 clients/partners but those ports are being used for connections to SFB2015 web clients as well. I would have to go back into my logs but I think I have also seen 50k ports used when doing A/V with federated partners. I have yet to see any documentation on these ports being used outside of OCS2007 clients but they are definitely in use in my environment.

    Is the web client used by on-premises SFB2015 using the OCS2007 client engine?

    I recently came across the option to enable MeetingUxUseCdn in CsWebServicesConfiguration. Would this direct the remote users to a more updated client that might be able to work around the blocked 50k ports? The remote partners I am trying to connect with have stated they are able to participate in meetings with another partner that is using SFB Online and I am thinking the difference may be the web client they are using.

    Will Perry

    Tuesday, November 20, 2018 11:25 PM