Very often we might get confused in a new deployment project if we are running into multiple issues and tasks. The most confusing part that we will often run into is the port requirements for internal,external as well as related services.I have consolidated and prepared a document for the port requirements for a new deployment of on-premise Lync and Exchange servers.
Lets have a look at the Lync server requirements first –
Following ports for the respective protocol and direction should be opened, for hassle free and full featured Lync enabled User to function perfectly fine.
Port Protocol Direction Usage
5060/5061 TCP/UDP Bidirectional For SIP
1434 UDP Bidirectional For SQL servers
443 STUN/TCP Outgoing Audio, video, application sharing sessions
444 HTTPS/TCP Bidirectional Lync Front End server
443 PSOM/TLS Outgoing Data sharing sessions
3478 STUN/UDP Outgoing Audio, video sessions, Desktop Sharing
5223 TCP Outgoing Lync Mobile pushes notifications
50000 – 59999 RTP/UDP Outgoing Audio, video sessions
5067 TCP/TLS Bidirectional Incoming SIP requests for Mediation servers.
57501-65535 TCP/UDP Bidirectional VideoConferencing
8057,8058 TCP/TLS Bidirectional Front End Service
For remote access to work for IM and Presence, it is mandatory that SIP traffic is allowed to flow bi-directionally. Hence, Port needs to be allowed as follows:
• Port 443 and 5061 from Internet to Access Edge External IP (bi-directional)
• Port 5061 from Edge Internal IP to Internal Network (bi-directional)
Edge server should be accessible from the Internet over port 443, 3478 and 5061.
Reverse Proxy require Port 443 to be opened.
For a Mobile Access user who is outside the corporate network, the request hits the Reverse Proxy and is then sent to the Front End pool or Director.No user level authentication is done on the reverse proxy.
Its always recommend to implement a Director Server Role for additional security.The Director is both offloading the authentication and providing an extra layer of security against DoS attacks.
Director must be in the same subnet where the Front End Servers reside which will be in the Private network. It should not be in the perimeter or DMZ.
Below will be the Flow of mobile application requests for Mobility Service :
All the External user Lync log in requests through mobile devices –> will go through the reverse proxy server –> and it will go to the edge server –> and hit the front end pool.
The Microsoft Lync Server gets user information from Auto-discover Service and then it returns all the Web Services URLs for the user’s home pool, including the Mobility Service URLs.
Below are the list of additional features that require external access through a reverse proxy for users accessing them externally.We need to think of validating them once the deployment is completed.
1) Enabling external users to download meeting content for any meetings.
2) Enabling external users to expand distribution groups.
3) Enabling remote users to download files from the Address Book service.
4) Accessing the Microsoft Lync Web App client.
5) Accessing the Dial-in Conferencing Settings webpage.
6) Accessing the Location Information service.
7) Enabling external devices to connect to Device Update web service and obtain updates.
Now we will look into the port requirement for Exchange servers as well.
Port Requirements for Exchange On-premise Servers (Applies to Exchange2 2010 and 2013):
Port Protocol Direction Usage
25 SMTP Bidirectional For Sending and receiving emails
50636 TCP Bidirectional From Hub to Edge and Vice Versa
135 TCP/RPC Outgoing HUB to Mailbox via MAPI
80/443 HTTP/HTTPS Bidirectional Autodiscover
993 TCP Incoming IMAP
995/110 TCP Incoming POP3(Any one of the port depends upon config)
5075-5077 TCP Incoming CAS to OCS Communications
5061 TCP Outgoing CAS to OCS Communications
For OWA and Outlook Anywhere port 443 should be opened in firewall.
For IMAP port 993 should be opened in Firewall.Port 25 should be opened on Firewall for both internal and external internet mail flow traffic.
I think most of the port requirement for Lync and Exchange deployment have been added above. Feel free to comment or correct me if anything needs to be added or corrected.
MVP – Exchange Server