Edge server firewall ports in Hybrid configuration RRS feed

  • Question

  • HI All.

    There seems to be no clear documentation or workloads for a hybrid firewall configuration. For example the access edge service 443 port is only inbound in a normal deployment - does this now also need to be outbound 443? Same goes for webconf , which is inbound only. Then if your firewall can't do *.lync com desitations then you need the ip addresses for *.lync .com, which can also not be found anywhere in the TechNet articles. I feel MS let us down on this one. Also the onprem desktops - which ports do they need to be open as I assume it will be the same as towards the frontend I the user is home in the cloud. Anyone that did a hybrid setup - can you please share?

    Sunday, January 31, 2016 6:34 AM


All replies

  • Morning,

    I've configured numerous hybrid deployments without issue. The port requirements are clearly outlined here;

    https://technet.microsoft.com/en-us/library/jj205403.aspx under the 'ports and protocols section'.

    Regarding your second query about determining the IP address if your firewalls don't support wildcard name configurations;

    Please visit this link; https://support.office.com/en-gb/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-GB&ad=GB#BKMK_LYO

    Find the Skype for Business section, and at the bottom of that section is a collapsed menu titled Skype for Business IP ranges. Expand this menu to see a full list of addresses.

    Hope that helps some.

    Kind regards

    Note: If you find a post informative, please mark it so using the arrow to the left. If it answers a question you've asked, please mark the thread as answered to aid others when they're looking for solutions to similar problems or queries.

    • Edited by Ben Donaldson Sunday, January 31, 2016 9:46 AM
    • Marked as answer by danielategan Tuesday, February 9, 2016 1:08 PM
    Sunday, January 31, 2016 9:45 AM
  • HI Ben

    Many thanks for that tip on the dropdown link - I did not see that.

    I did see the 1st link, but it only mentions the edge onprem server for port 5061. So does that mean the rest of the ports are for the onprem desktop clients network?

    At the moment I have setup a hybrid but only the cloud user can see the onprem user's presence and initiate an IM and the onprem user can IM back. The onprem user can't see the cloud user's presence at all and can then obviously not initiate an IM.

    I can move the onprem user to the cloud and back without issues and both is setup for closed federation as well.

    So hopefully the fw rules will sort that out.

    Then I have another issue : We had about 15 users enabled in the cloud before the hybrid (all synced up from onprem AD), but if I want to move them form the cloud to onprem and I run the command below it keeps failing telling me that I shoud use the move-csuser command instead. If I just enable the user onprem you can't add the hostingproviderproxyfqdn at all, so i'm a bit stuck there as well,

    -Identity "username"
    -SipAddress "sip: username@contoso.com"
    -HostingProviderProxyFqdn "sipfed.online.lync.com"

    Will appreciate it if you can elaborate on this for me as well please?



    Sunday, January 31, 2016 12:58 PM
  • Hi Ben

    Just to follow on from my post above : https://technet.microsoft.com/en-us/library/jj205403.aspx?f=255&MSPPError=-2147217396

    TCP 443

    Open inbound

    • Active Directory Federation Services (federation server role)

      For more information, see Directory Integration Tools.

    • Active Directory Federation Services (proxy server role) either on-premises or in Azure.

    • Microsoft Online Services Portal

    • My Company Portal

    • Outlook Web App

    • Client (communication between Skype for Business Online and your on-premises deployment.

    TCP 80 and 443

    Open inbound

    • Microsoft Online Services Directory Synchronization Tool

    TCP 5061

    Open inbound/outbound on the Edge Server

    PSOM/TLS 443

    Open inbound/outbound for data sharing sessions - will this be to the desktop client network?

    STUN/TCP 443

    Open inbound/outbound for audio, video, application sharing sessions -will this be to the desktop client network?

    STUN/UDP 3478

    Open inbound/outbound for audio and video sessions -will this be to the desktop client network?

    RTP/TCP 50000-59999

    Open outbound for audio and video sessions -will this be to the desktop client network?

    It short of contradict this url https://support.office.com/en-gb/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-GB&ad=GB#BKMK_LYO   where it seems to be only outbound connections from the client and not as the 1st url suggestion both ways for all the ports?

    Sunday, January 31, 2016 1:25 PM
  • Good morning,

    The table is poorly worded - The rest of the ports listed are also for the Edge server external interface, it's just poorly worded.

    Regarding your one way IM issue - a hybrid setup is nothing more than federation. It would be useful to know if you experience the same problems with another federated company. This would let you know if you have a problem with the hybrid config or federation in general.

    Kind regards

    Note: If you find a post informative, please mark it so using the arrow to the left. If it answers a question you've asked, please mark the thread as answered to aid others when they're looking for solutions to similar problems or queries.

    Monday, February 1, 2016 10:13 AM
  • Hi Ben

    Many thanks for the reply. So there are no ports required then for the desktop network then I assume?

    I only have an issue between a onprem user and one that is hosted in the cloud. I can IM to all other federated users while using the onprem user or the user home in the cloud. From the cloud I can IM the onprem user and see the user presence and then the onprem user can reply back. But the onprem user can't see the presence or

    initiate a IM to the cloud homed user.

    So federation works fine to other federated users. Just want to mention that is is also a closed federation setup and both the cloud and onprem have partner discovery set as False.

    I just don't have the outbound rules on the access edge and webconf rules for 443 setup yet, that I will hopefully know tomorrow. But all the other ports are already setup as that is how it should be anyway for the AV service and 5061 ports on the access edge service.

    Also my command that did not, worked today when you need to enable the onprem user before you move the user from the cloud to onprem, the account I tried was disabled/not present in AD and all the other users worked just fine.

    Many thanks again for you reply - looking forward to your reply on my answer above.

    Monday, February 1, 2016 3:56 PM
  • Hi danielategan,

    Please check if you can resolve "sipfed.online.lync.com" on your Edge Server.


    Best regards,


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Tuesday, February 2, 2016 12:57 PM
  • HI All,

    Just an update. My Hybrid is working just fine. My problem in the end was that the default sip domain is also being used on the Lync2010 pool for remote call control in a static route. Fortunately I have other sip domains and their presence is working just fine. So once the Lync 2010 pool is being decommissioned and the static route removed then presence will work for the default sip domain.

    Thanks for all the advise.

    Tuesday, February 9, 2016 1:08 PM