The tables below list all of the ports that must be opened for server-to-server and client-to-server communication in an infrastructure with strict port filtering. After each section title we note whether that configuration has been validated in a live environment; we will do our best to validate the configuration of every section.
Edge Server port requirements:
Table 1: External firewall port settings required for consolidated Edge topology
| Edge Role | Source IP Address | Source Port | Destination IP Address | Destination Port | Transport | Application | Notes |
|---|---|---|---|---|---|---|---|
| Access | Access External IP | Any | | 80 | TCP | HTTP | Optional and not required |
| Access | Access External IP | Any | | 53 | UDP | DNS | |
| Access | Internet Clients | | | 443 | | SIP (TLS) | Client-to-server SIP traffic for external user access. Although clients will connect on 443 or 5061, LM clients connect to 443 only, so if you configured access on port 5061 you will need to configure LM clients statically. |
| Access | | | | 5061 | | SIP (MTLS) | For federated and public IM connectivity using SIP |
| Web Conferencing | WebConf External IP | | | | | PSOM (TLS) | |
| A/V | A/V External IP | | | 50,000 - 59,999 | | RTP | Required only for desktop sharing and/or federation with partners running Office Communications Server 2007 or Office Communications Server 2007 R2. Note that you do not need this port range if you will not use video/desktop sharing with federated partners. |
| A/V | A/V External IP | | | 50,000 - 59,999 | | RTP | Required only for federation with partners still running Office Communications Server 2007. |
| A/V | A/V External IP | | | 3478 | | STUN/MSTURN | |
For a scaled consolidated Edge deployment, use the table above and open only the ports required for each Edge role.
Table 2: Internal firewall port settings required for consolidated Edge topology:
- Source: Edge Internal IP. Destination: Front End Pool VIP. The destination is the next hop server(s): when using multiple Front Ends this is the VIP; with a single Front End it is the FE server itself (either Enterprise or Standard Edition). In other words, the Front End IP for a single-FE deployment (ENT or STD), or the FE VIP when using a HLB.
- Destination port 8057, PSOM (MTLS).
- Destination port 5062. Include all Front End servers using this particular A/V authentication service.
- Media ports range plus 3478. In a peer-to-peer A/V conference the media is exchanged peer to peer; with one internal client and one external client, the internal client connects to the Edge internal interface and the media is relayed to the external client. Reference: for media ports configuration, refer to the end of this wiki.
- Media ports range plus 443. Same peer-to-peer behaviour as above: the internal client connects to the Edge internal interface and the media is relayed to the external client. Keep in mind that you can configure either 3478 or 443, not both.
- For a scaled deployment, open those ports for the VIP.
Mediation Server:
- Mediation FE side IP; Mediation GW side IP
- 5060/5061 to the Gateway IP
- 60000-64000, RTCP/SRTP
- Clients IP, SIP/MTLS
- MRAS: 5062, 5064, 5069, 5071, 5072, 5073, 5074
For telephony configuration and voice VLANs (Cisco or Avaya support), you will need to open the media ports range (if configured) between the internal clients IP range and the phones range; if no media range is configured, you will need to open the port range 1024 to 65535 for media exchange.
Exchange 2007/2010/2010 SP1 Server (the configuration has been validated in a live environment):
- Internal clients IP range: 60000-64000 (or the media port range, if configured)
- Exchange UM server IP: 5061, 5065, 5066
Table 3: Firewall port settings required for the servers VLAN and clients VLAN (the configuration has been validated in a live environment):
Each of the following is used for incoming SIP listening requests from internal clients:
- Internal clients, SIP: IM conferencing.
- 5063: audio/video (A/V) conferencing.
- 5064: telephony conferencing.
- 5065: application sharing.
- 5071: Response Group Service.
- 5072: Conferencing Attendant.
- 5073: Conferencing Announcement Service.
- 5074 (TLS): Outside Voice Control.
Other ports:
- PSOM: conference data/metadata.
- STUN/TCP.
- SRTP/RTCP: 1024-65535.
- 49152 to 65535, TCP/UDP, RDP/RTCP: this range is used for media exchange. If you configured a media port range you do not need this range, only the media range; for more information about the media ports range, refer to the end of this wiki.
- 6891-6901: port range used by Live Meeting for file transfer.
- STUN.
Keep in mind that for A/V media exchange in the presence of a HLB, the connection has to be maintained directly with the server: the media does not traverse the HLB. Also, in a CWA desktop sharing scenario where a limited port range is applied, either deploy an Edge server so that CWA uses the internal Edge interface for media exchange, or open the default media range. You can change the default media ports using the pool settings; this affects A/V conferencing and every application performing media exchange. Keep in mind that you have to maintain a minimum of 128 ports.
In OCS 2007 R2, you can configure clients to use a specific range of media ports to exchange media between clients and servers. To configure the OCS media ports range, refer to the articles below:
http://blogs.technet.com/b/drrez/archive/2010/09/27/limit-media-ports-in-office-communications-server-2007-r2-devices.aspx
http://technet.microsoft.com/en-us/library/bb964029(office.12).aspx
Note: the media port range applies only to peer-to-peer calls/communications; in conferencing scenarios the media port range does not apply. If you do not configure a media port range, clients will communicate using the Edge server.
In summary, you need at least 20 ports configured through the min/max ports settings, which the clients will use for media exchange.
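As an added example (not code from this wiki or from Microsoft), the following Python models the media-port logic described above: the default 1024-65535 range when no min/max media range is configured, the Table 2 rule that either 3478 or 443 (never both) accompanies the media range toward the Edge internal interface, and a check that the Table 3 SIP listening ports are covered by a proposed rule list. The transports assigned to 3478 and 443 and all function and class names are assumptions of this example.

```python
"""Added example (not from the wiki): model this page's media-port rules and
check a proposed firewall rule list against them. All names are this example's own."""
from dataclasses import dataclass

# Range clients need for media when no min/max media range is configured.
DEFAULT_MEDIA_RANGE = (1024, 65535)

# Table 3 SIP listening ports (port -> service). The IM conferencing port is
# not given on this page, so it is left out here.
FRONT_END_SIP_PORTS = {
    5063: "A/V conferencing", 5064: "telephony conferencing",
    5065: "application sharing", 5071: "Response Group Service",
    5072: "Conferencing Attendant", 5073: "Conferencing Announcement Service",
    5074: "Outside Voice Control",
}

@dataclass(frozen=True)
class Rule:
    """One allow rule: destination port range and transport."""
    port_lo: int
    port_hi: int
    proto: str  # "TCP", "UDP" or "TCP/UDP"

    def covers(self, port, proto):
        return (self.port_lo <= port <= self.port_hi
                and self.proto in (proto, "TCP/UDP"))

def required_media_range(configured=None):
    """If a media range is configured, only it is needed; otherwise the
    full 1024-65535 range (as the wiki states). Validates the bounds."""
    if configured is None:
        return DEFAULT_MEDIA_RANGE
    lo, hi = configured
    if not 1024 <= lo <= hi <= 65535:
        raise ValueError("media range must lie within 1024-65535")
    return (lo, hi)

def edge_media_rules(configured, stun_port):
    """Table 2: media range plus either 3478 or 443 toward the Edge internal
    interface, never both. Transport per port is assumed: 3478/UDP, 443/TCP."""
    if stun_port not in (3478, 443):
        raise ValueError("configure either 3478 or 443, not both or another port")
    lo, hi = required_media_range(configured)
    stun_proto = "UDP" if stun_port == 3478 else "TCP"
    return [Rule(lo, hi, "TCP/UDP"), Rule(stun_port, stun_port, stun_proto)]

def missing_sip_rules(configured_rules):
    """Table 3 SIP ports not covered by any configured TCP rule."""
    return sorted(p for p in FRONT_END_SIP_PORTS
                  if not any(r.covers(p, "TCP") for r in configured_rules))
```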
Discussion Items - Depending on how people want to use the wiki, I am creating this section for topics people want to discuss or clarify if they choose not to edit the content itself.
Lync Server 2010
The same content for Lync Server 2010 is here - http://social.technet.microsoft.com/wiki/contents/articles/lync-server-2010-firewall-port-settings.aspx