Lync 2013 Client Still Tries to connect to Lync Edge on Ports 50000-59999

    Question

  • Hey Guys,

    I was under the assumption that I needed to configure the firewall to allow UDP/TCP ports 50000-59999 inbound to the Edge Server ONLY if I wanted my Lync Install to federate with partners using OCS 2007 (as the MS url details) http://technet.microsoft.com/en-us/library/gg425891.aspx:

    Protocol/Port	Source	Destination	Notes
    A/V/RTP/TCP/50,000-59,999	Any	Edge Server A/V Edge service	Required only for federation with partners running Office Communications Server 2007
    A/V/RTP/UDP/50,000-59,999	Any	Edge Server A/V Edge service	Required only for federation with partners running Office Communications Server 2007

    However, today I decided to analyze the TMG 2010 logs in more detail when making and receiving a video call to an external user (not federated though), and found that the external Lync 2013 desktop client tried to hit the TMG 2010 server using the ports in the 50000-59999 range, and therefore ending with TMG denying the requests...

    Log Time	Client IP	Destination IP	Destination Port	Protocol	Action	Rule
    10/31/2013 20:27	CLIENT-EXT-IP	TMG-EXTERNAL-IP	52044	Unidentified IP Traffic (UDP:52044)	Denied Connection	Default rule
    10/31/2013 20:27	CLIENT-EXT-IP	TMG-EXTERNAL-IP	52044	Unidentified IP Traffic (UDP:52044)	Denied Connection	Default rule
    10/31/2013 20:27	CLIENT-EXT-IP	TMG-EXTERNAL-IP	59096	Unidentified IP Traffic (TCP:59096)	Denied Connection	Default rule
    10/31/2013 20:27	CLIENT-EXT-IP	TMG-EXTERNAL-IP	52044	Unidentified IP Traffic (UDP:52044)	Denied Connection	Default rule
    10/31/2013 20:27	CLIENT-EXT-IP	TMG-EXTERNAL-IP	59096	Unidentified IP Traffic (TCP:59096)	Denied Connection	Default rule
    10/31/2013 20:27	CLIENT-EXT-IP	TMG-EXTERNAL-IP	52044	Unidentified IP Traffic (UDP:52044)	Denied Connection	Default rule
    10/31/2013 20:27	CLIENT-EXT-IP	TMG-EXTERNAL-IP	52044	Unidentified IP Traffic (UDP:52044)	Denied Connection	Default rule
    10/31/2013 20:27	CLIENT-EXT-IP	TMG-EXTERNAL-IP	52044	Unidentified IP Traffic (UDP:52044)	Denied Connection	Default rule
    10/31/2013 20:27	CLIENT-EXT-IP	TMG-EXTERNAL-IP	52044	Unidentified IP Traffic (UDP:52044)	Denied Connection	Default rule
    10/31/2013 20:27	CLIENT-EXT-IP	TMG-EXTERNAL-IP	52044	Unidentified IP Traffic (UDP:52044)	Denied Connection	Default rule
    10/31/2013 20:27	CLIENT-EXT-IP	TMG-EXTERNAL-IP	59917	Unidentified IP Traffic (UDP:59917)	Denied Connection	Default rule
    10/31/2013 20:27	CLIENT-EXT-IP	TMG-EXTERNAL-IP	59917	Unidentified IP Traffic (UDP:59917)	Denied Connection	Default rule
    10/31/2013 20:27	CLIENT-EXT-IP	TMG-EXTERNAL-IP	59917	Unidentified IP Traffic (UDP:59917)	Denied Connection	Default rule
    10/31/2013 20:27	CLIENT-EXT-IP	TMG-EXTERNAL-IP	50981	Unidentified IP Traffic (TCP:50981)	Denied Connection	Default rule
    10/31/2013 20:27	CLIENT-EXT-IP	TMG-EXTERNAL-IP	59917	Unidentified IP Traffic (UDP:59917)	Denied Connection	Default rule
    10/31/2013 20:27	CLIENT-EXT-IP	TMG-EXTERNAL-IP	59917	Unidentified IP Traffic (UDP:59917)	Denied Connection	Default rule
    10/31/2013 20:27	CLIENT-EXT-IP	TMG-EXTERNAL-IP	59917	Unidentified IP Traffic (UDP:59917)	Denied Connection	Default rule
    10/31/2013 20:27	CLIENT-EXT-IP	TMG-EXTERNAL-IP	59917	Unidentified IP Traffic (UDP:59917)	Denied Connection	Default rule
    

    Can someone explain why a Lync 2013 Client is trying to access the Edge Server through the port range 50000-59999 if the documentation states it is only used for federation with OCS?

    I didn't have issues with the video calls, but I would like to know why this is happening.

    Thank you!

    Friday, November 01, 2013 3:01 AM


All replies

  • Microsoft should be beaten for this documentation and several in the Lync community have begged them to change this. It should read "minimum required" not recommended. The client will ALWAYS try to connect over the 50k port range. If it fails to do this, then it will fall back to the 443/3478 ports.

    That said, I would recommend that you open up the ports because the edge server will function better if you do. If you have multiple edge servers and use NAT, not opening up the 50k range will cause severe issues in your deployment. Additionally, if you have more than one edge location (i.e. multi-location edge deployment), then not opening the 50k range can cause all sorts of issues and cause unnecessary edge-to-edge traffic.

    You can watch this video:

    http://channel9.msdn.com/Events/TechEd/NorthAmerica/2012/EXL412 (jump to the one hour, five minute mark if you want to cut to the chase) but Bryan Nyce does a fantastic job of explaining the 50k port range and how edge servers work!

    Thanks,

    Richard


    Richard Brynteson, Avtex, Lync MCM, Blog - http://masteringlync.com

    • Marked as answer by Carlos IT Friday, November 01, 2013 4:20 AM
    Friday, November 01, 2013 3:47 AM
  • Hi Richard,

    Thanks for the explanation. Now if I have around 50 users that could use audio/video through the edge server, how many ports should I restrict the edge server to use (through this command):

    Set-CsEdgeServer -Identity: <FQDN of Edge Server (Single Edge) or FQDN of Edge Pool> -MediaCommunicationPortStart <beginning of port range, default 50000> -MediaCommunicationPortCount <number of ports, default 10000>

    If possible, I wanted to get a count per user.. Like the following scenarios:

    - If 2 external users connect to a video call with desktop sharing, how many of the 50k ports are used?

    - Is this different If the 2 users connect through a conference call (https://meet.domain.com/)?

    - If 5 external users are sharing video/audio and one of them is sharing his desktop, how many ports in the 50k range are used?

    - If I configure the Edge Server to use a more restricted number of ports, will the external Lync Clients try to connect in the 50k-59999 range? Or would they try to connect only through the range I configured on the Edge Server?

    Thanks again! And forgive me if these answers are already covered in the video you sent. I haven't watched it yet, but I'll start in a few mins.

    Carlos

    Friday, November 01, 2013 4:26 AM
  • First, there isn't really a need to restrict down this port range. As the video covers (I think it does if memory serves) the way the 50k port range is used is most likely a lot more secure than any other services you have. So here are my reasons why it doesn't matter if it's 2k or 10k of open ports:

    1. The service that is listening to this request is exactly the same service that you opened up port 443/3478 to.  So having 'more' open ports doesn't make you inherently less secure. If I wanted to 'attack' the AV Edge Service, I would go after 443/3478.
    2. The 10k port range isn't actually listening the entire time.  Instead, they are created as needed.  When I make a call through the edge, I will allocate the necessary ports I need based on connectivity checks.  After 10 seconds, whatever ports were not used are closed.  The ports selected are random within the range defined.  Therefore, you could make the argument that a larger range for fewer people is good because the attack angle is smaller because you have to guess what ports will be used.
    3. The ports when opened are IP restricted.  So just because I open up port :53467 doesn't mean anyone can connect to it.  Only the source IP that was defined in the original request (or the IP found during later reflexive checks) will be added.

    Now, if you wanted to restrict down the list, 2 ports per person isn't enough.  If you look at the SDP of an edge to internal call, you will see anywhere from 2 to maybe 16 (it really depends) IP:Ports allocated.  This is because of how ICE/STUN/TURN works on the edge (and why MS's implementation is so damn cool) on how it discovers additional ways to connect to clients.  The video does a pretty good job of explaining how server and peer reflexive ports are established.  So if you were looking for a safe number I would say 20 ports per person.  But again, I don't think it's necessary.

    Thanks,

    Richard


    Richard Brynteson, Avtex, Lync MCM, Blog - http://masteringlync.com

    • Marked as answer by Carlos IT Friday, November 01, 2013 5:24 PM
    Friday, November 01, 2013 1:05 PM
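    The TMG excerpt in the question and the port-range discussion in the answer above both come down to one check: which denied connections fall inside the Edge media range, and which hit the fixed A/V Edge ports. The following script is an added example and is not code from this thread, from Microsoft, or from TMG. It assumes the tab-separated column layout shown in the question, and treats the media range exactly as the Set-CsEdgeServer parameters quoted in the thread define it (-MediaCommunicationPortStart, default 50000, and -MediaCommunicationPortCount, default 10000). The sample log lines are constructed to mirror the question's excerpt, with the placeholder IPs kept; the allowed 3478 row and its rule name are invented for illustration.

```python
"""Classify TMG log rows for traffic aimed at the Lync Edge external IP.

Added example (not from the thread). Assumes a tab-separated TMG export
with the columns shown in the question, and a media port range defined by
MediaCommunicationPortStart / MediaCommunicationPortCount (defaults 50000 / 10000).
"""
import re
from collections import Counter

# Fixed A/V Edge listeners named in the thread (443/3478), independent of the media range.
AV_EDGE_FIXED_PORTS = {("TCP", 443), ("UDP", 3478)}

# Constructed sample mirroring the question's excerpt; the 3478 row is invented.
SAMPLE_TMG_LOG = """\
Log Time\tClient IP\tDestination IP\tDestination Port\tProtocol\tAction\tRule
10/31/2013 20:27\tCLIENT-EXT-IP\tTMG-EXTERNAL-IP\t52044\tUnidentified IP Traffic (UDP:52044)\tDenied Connection\tDefault rule
10/31/2013 20:27\tCLIENT-EXT-IP\tTMG-EXTERNAL-IP\t59096\tUnidentified IP Traffic (TCP:59096)\tDenied Connection\tDefault rule
10/31/2013 20:27\tCLIENT-EXT-IP\tTMG-EXTERNAL-IP\t3478\tLync A/V STUN (UDP:3478)\tAllowed Connection\tLync Edge AV
10/31/2013 20:27\tCLIENT-EXT-IP\tTMG-EXTERNAL-IP\t61000\tUnidentified IP Traffic (UDP:61000)\tDenied Connection\tDefault rule
"""

# TMG writes the transport and port inside the Protocol column, e.g. "(UDP:52044)".
PROTO_RE = re.compile(r"\((TCP|UDP):(\d+)\)")


def media_port_range(start=50000, count=10000):
    """Port range implied by MediaCommunicationPortStart / MediaCommunicationPortCount."""
    return range(start, start + count)


def parse_tmg_log(text):
    """Yield one dict per data row; adds parsed 'proto' and integer 'port' keys."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    for line in lines[1:]:
        row = dict(zip(header, line.split("\t")))
        match = PROTO_RE.search(row["Protocol"])
        row["proto"] = match.group(1) if match else None
        row["port"] = int(row["Destination Port"])
        yield row


def classify(row, start=50000, count=10000):
    """'media-range' if the port is inside the configured range, 'av-edge-fixed'
    for 443/3478, otherwise 'other' (noise unrelated to the Edge service)."""
    if row["port"] in media_port_range(start, count):
        return "media-range"
    if (row["proto"], row["port"]) in AV_EDGE_FIXED_PORTS:
        return "av-edge-fixed"
    return "other"


def summarize(text, start=50000, count=10000):
    """Count (class, transport, action) triples so denied media-range hits stand out."""
    counts = Counter()
    for row in parse_tmg_log(text):
        counts[(classify(row, start, count), row["proto"], row["Action"])] += 1
    return counts


def ports_needed(users, per_user=20):
    """MediaCommunicationPortCount sized by the 20-ports-per-person figure from the answer."""
    return users * per_user


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_TMG_LOG).items()):
        print(f"{n:3d}  {key}")
    print("ports for 50 concurrent external users:", ports_needed(50))
```

    Pass the start and count you actually configured on the Edge to summarize(); any "media-range ... Denied Connection" rows are then the media attempts the firewall in front of the Edge is dropping, while "other" rows outside the configured range are worth checking before changing a rule.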
  • Thanks Richard,  I watched part of the video and with your explanation, now I feel more clear on what to do.  Now, how does the dynamic opening and closing of the ports integrate with the Edge Server Windows Firewall? 

    Do I need to create an inbound rule to allow the 50k range for TCP/UDP for the external interface (Public Network) on the Windows Firewall, or does Lync handle opening/closing the ports in the background (even if there's no rule defined in Windows Firewall to allow that traffic)?

    Friday, November 01, 2013 5:24 PM
  • It will create rules automatically when you install the product.

    Thanks,

    Richard


    Richard Brynteson, Avtex, Lync MCM, Blog - http://masteringlync.com

    • Marked as answer by Carlos IT Friday, November 01, 2013 7:41 PM
    Friday, November 01, 2013 5:33 PM
  • Thank you for taking the time to explain some of this.  This discourse was very valuable.

    I, too, noticed that I was having trouble with some edge-to-edge A/V calls ...  I am working to get the bi-directional 50000 range opened on my edge servers to optimize traffic.  No doubt it can do nothing but help.

    I also used the info re: security of the large range to send to the network group to rationalize the request.  It's good to be able to explain it to them concisely.  

    Friday, July 24, 2015 2:05 PM