OCS 2007 R2 Firewall Port Settings

The below tables lists all of the required ports to be configured in server to server and server to server communication required to be configured in strict ports Infrastructure (we added after each section title notification about its validation in live environment, we will make our best to validate the configuration of all of the sections):

Edge Server Ports requirements:

Table 1 External Firewall Ports Settings Required for Consolidated Edge Topology

Edge Role	Source IP Address	Source Port	Destination IP Address	Destination Port	Transport	Application	Notes
Access	Access External IP	Any	Any	80	TCP	HTTP	Optional and Not required
Access	Access External IP	Any	Any	53	UDP	DNS	Optional and Not required
Access	Internet Clients	Any	Access External IP	443	TCP	SIP (TLS)	Client to server SIP traffic for external user access Although clients will connect on 443 or 5061, LM clients will connect to 443 only so if you configured access on port 5061 you will need to configure LM clients staticly.
Access	Internet Clients	Any	Access External IP	5061	TCP	SIP (MTLS)	For federated and public IM connectivity using SIP
Access	Internet Clients	Any	Any	5061	TCP	SIP (MTLS)	For federated and public IM connectivity using SIP
Web Conferencing	Internet Clients	Any	WebConf External IP	443	TCP	PSOM (TLS)
A/V	A/V External IP	50,000 - 59,999	Any	Any	TCP	RTP	Required only for desktop sharing and/or federation with partners running Office Communications Server 2007 or Office Communications Server 2007 R2. Please not that you don't need that ports range if you will not use Video/Desktop Sharing with federated partners
A/V	A/V External IP	50,000 - 59,999	Any	Any	UDP	RTP	Required only for federation with partners still running Office Communications Server 2007
A/V	Any	Any	A/V External IP	50,000 - 59,999	TCP	RTP	Required only for federation with partners still running Office Communications Server 2007.
A/V	Internet Clients	Any	A/V External IP	3478	UDP	STUN/MSTURN
A/V	Internet Clients	Any	A/V External IP	443	TCP	STUN/MSTURN

for scaled consolidated Edge Deployment use the above table and open only required ports for each Edge.

Table 2 Internal Firewall Ports Settings Required for Consolidated Edge Topology:

Edge Role	Source IP Address	Source Port	Destination IP Address	Destination Port	Transport	Application	Notes
Access	Edge Internal IP	Any	Front End Pool VIP	5061	TCP	SIP (MTLS)	Destination will be the Next Hop server(s). In the case of the using Multiple FEs this will be the VIP, if single FE this will be the FE Server (either ENT or STD Edition)
Access	Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB	Any	Edge Internal IP	5061	TCP	SIP (MTLS)
Web Conferencing	Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB	Any	Edge Internal IP	8057	TCP	PSOM (MTLS)
A/V	Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB	Any	Edge Internal IP	5062	TCP	SIP (MTLS)	Include all front end servers using this particular A/V authentication service.
A/V	Any	Media Ports Range + 3478	Edge Internal IP	Media Ports Range + 3478	UDP	STUN/MSTURN	in peer to peer A/Conference, the media is Exchanged peer to peer, in case 1 internal Client and 1 External Client then Internal Client connects to Edge Internal Interface and this is relayed to the External Client, Reference for Media ports configuration refer to the end of this wiki
A/V	Any	Media Ports Range + 443	Edge Internal IP	Media Ports Range + 443	TCP	STUN/MSTURN	in peer to peer A/Vconference, the media is Exchanged peer to peer, in case 1 internal Client and 1 External Client then Internal Client connects to Edge Internal Interface and this is relayed to the External Client, Reference. for Media ports configuration refer to the end of this wiki Keep in mind that you can configure either 3478 or 443 not both.

and for scaled deployment open those ports for the VIP.

Mediation Server:

Source IP Address	Source Port	Destination IP Address	Destination Port	Transport	Application	Notes
Mediation FE Side IP	5061	Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB	5061	TCP	SIP (MTLS)	This is 2 Way rule communcation is flowing from FE to mediation for outbound calls and from mediation to FE in inbound calls.
Mediation GW Side IP	5060/5061	Gateway IP	5060/5061	TCP	SIP (MTLS)
Mediation GW Side IP	60000-64000	Gateway IP	60000-64000	TCP	RTCP/SRTP
Mediation FE Side IP	60000-64000	Clients IP	60000-64000	TCP	RTCP/SRTP
Mediation FE Side IP	5062	Edge Internal IP	5062	SIP/MTLS	MRAS
Mediation FE Side IP	Any	Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB	5062.5064,5069,5071,5072,5073,5074	TCP		This is to support RGS, telephony conferencing, QoE Agent, CAS and OVCS

for Telephony configuration and Voice VLANs (Cisco or Avaya support), you will need to open media ports range (if configured) between Internal IP Clients Range and Phones Range, if not configured you will need to open ports range 1024 to 65535 for media exchange.

Exchange 2007/2010/2010 SP1 Server (The Configuration has been validated in live environment) :

Source IP Address	Source Port	Destination IP Address	Destination Port	Transport	Application	Notes
Internal Clients IP Range	60000-64000 (or Media port Range if configured	Exchange UM server IP	5061,5065,5066	TCP	RTCP/SRTP	This is to allow clients to dial to voice mail and UM attendant if configured in Enterprise Voice Deployments, 5061 accepts connections and 5065 and 5066 handles actual media traffic, more information here http://autodiscover.wordpress.com/2010/12/30/exchange-exchange2010-a-deeper-look-to-the-um-worker-process-and-wp-recycling/

Table 3 Firewall Ports Settings Required for Servers VLAN and Clients VLAN (The Configuration has been validated in live environment):

Source IP Address	Source Port	Destination IP Address	Destination Port	Transport	Application	Notes
Internal Clients	5061	Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB	5061	TCP		SIP
Internal Clients	5062	Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB	5062	TCP		Used for incoming SIP listening requests for IM conferencing.
Internal Clients	5063	Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB	5063	TCP		Used for incoming SIP listening requests for audio/video (A/V) conferencing.
Internal Clients	5064	Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB	5064	TCP		Used for incoming SIP listening requests for telephony conferencing.
Internal Clients	5065	Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB	5065	TCP		Used for incoming SIP listening requests for application sharing.
Internal Clients	5071	Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB	5071	TCP		Used for incoming SIP listening requests for Response Group Service.
Internal Clients	5072	Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB	5072	TCP		Used for incoming SIP listening requests for Conferencing Attendant.
Internal Clients	5073	Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB	5073	TCP		Used for incoming SIP listening requests for Conferencing Announcement Service.
Internal Clients	5074	Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB	5074	TLS		Used for incoming SIP listening requests for Outside Voice Control.
Any	8057	Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB	8057	TCP	PSOM
Internal Clients	443	Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB	443	TCP	Conference Data/Metadata
Internal Clients	443	Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB	443	STUN/TCP	Conference Data/Metadata
Internal Clients	60000-64000	Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB	60000-64000	SRTP/RTCP
Internal Clients	1024-65535	Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB	49152 to 65535	TCP/UDP	RDP/RTCP	This range is used for media exchange, if you configured media port range then you don't need that range and need the media range only, for more information about media ports range refer to the end of this wiki.
Internal Clients	6891-6901	Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB	6891-6901	TCP	Port range used by Live Meeting for file transfer.
Internal Clients	3478	Front End IP (in case single FE Deployment (ENT or STD) or the FE VIP in case using HLB	3478	UDP	STUN

keep in mind in A/V media exchange and in presence of HLB the connection has to be maintained on the server directly meaning the connection or shall we say media does not traverse HLB.
also in CWA desktop sharing session scenario where limited ports is applied either you deploy EDGE server in order to CWA utilize internal Edge interface for Media Exchange otherwise you have to open default media range
You can change the default media ports using pool settings, this affects A/V Conferencing and all application performing media exchange , keep in mind you have to maintain minimum 128 ports

Office Communication Server Clients Media Range:

in OCS 2007 R2, you can configure clients to use specific range of media ports to exchange media between clients and servers, to configure OCS media ports range refer to the below articles

http://blogs.technet.com/b/drrez/archive/2010/09/27/limit-media-ports-in-office-communications-server-2007-r2-devices.aspx

http://technet.microsoft.com/en-us/library/bb964029(office.12).aspx

Note: Please keep in mind that port media range is only for peer to peer calls/communications, in conferencing scenario port media range doesn't apply. if you don't configure media port range, clients will communicate using the edge server.

in summary you need at least 20 ports to be configured using the min/max ports configuration which will be used by the clients for media exchange.

Discussion Items - Depending on how people want to use the wiki, I am creating this section for topics people want to discuss or clarify if they choose not to edit the content itself.

Lync Server 2010

The same content for Lync Server 2010 is here - http://social.technet.microsoft.com/wiki/contents/articles/lync-server-2010-firewall-port-settings.aspx

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?

OCS 2007 R2 Firewall Port Settings