IPsec exceptions in Lync Server 2013

 

Topic Last Modified: 2012-06-27

For enterprise networks where Internet Protocol security (IPsec) (see IETF RFC 4301-4309) has been deployed, IPsec must be disabled over the range of ports used for the delivery of audio, video, and panorama video. The recommendation is motivated by the need to avoid any delay in the allocation of media ports due to IPsec negotiation.

The following table explains the recommended IPsec exception settings.

| Rule name | Source IP | Destination IP | Protocol | Source port | Destination port | Authentication Requirement |
|---|---|---|---|---|---|---|
| A/V Edge Server Internal Inbound | Any | A/V Edge Server Internal | UDP and TCP | Any | Any | Do not authenticate |
| A/V Edge Server External Inbound | Any | A/V Edge Server External | UDP and TCP | Any | Any | Do not authenticate |
| A/V Edge Server Internal Outbound | A/V Edge Server Internal | Any | UDP and TCP | Any | Any | Do not authenticate |
| A/V Edge Server External Outbound | A/V Edge Server External | Any | UDP and TCP | Any | Any | Do not authenticate |
| Mediation Server Inbound | Any | Mediation Server(s) | UDP and TCP | Any | Any | Do not authenticate |
| Mediation Server Outbound | Mediation Server(s) | Any | UDP and TCP | Any | Any | Do not authenticate |
| Conferencing Attendant Inbound | Any | Front End Server running Conferencing Attendant | UDP and TCP | Any | Any | Do not authenticate |
| Conferencing Attendant Outbound | Front End Server running Conferencing Attendant | Any | UDP and TCP | Any | Any | Do not authenticate |
| A/V Conferencing Inbound | Any | Front End Servers | UDP and TCP | Any | Any | Do not authenticate |
| A/V Conferencing Outbound | Front End Servers | Any | UDP and TCP | Any | Any | Do not authenticate |
| Exchange Inbound | Any | Exchange Unified Messaging | UDP and TCP | Any | Any | Do not authenticate |
| Application Sharing Servers Inbound | Any | Application Sharing Servers | TCP | Any | Any | Do not authenticate |
| Application Sharing Server Outbound | Application Sharing Servers | Any | TCP | Any | Any | Do not authenticate |
| Exchange Outbound | Exchange Unified Messaging | Any | UDP and TCP | Any | Any | Do not authenticate |
| Clients | Any | Any | UDP | Specified media port range | Any | Do not authenticate |
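
One way to express the Mediation Server rows and the Clients row as Windows Firewall connection security rules, shown as an added example that is not part of the original topic. It assumes the NetSecurity cmdlets (Windows Server 2012 or later); the helper name, the IP address and the media port range are constructed placeholders, and mapping the table's source/destination columns to local/remote endpoints (so one rule per protocol covers both the Inbound and Outbound rows) is this example's assumption.

```powershell
# Added example, not Microsoft's own script. Run from an elevated prompt.
# Constructed placeholders: replace with the values used in your deployment.
$MediationServerIp = '192.0.2.10'     # placeholder address (TEST-NET-1)
$ClientMediaPorts  = '50000-50059'    # placeholder for "Specified media port range"

function New-LyncMediaIPsecExemption {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $RuleName,
        [string]   $LocalAddress = 'Any',
        [string[]] $Protocols    = @('UDP', 'TCP'),
        [string]   $LocalPort    = 'Any'
    )
    foreach ($proto in $Protocols) {
        # New-NetIPsecRule takes one protocol per rule, so "UDP and TCP"
        # in the table becomes two rules.
        $display = "$RuleName ($proto)"
        if (Get-NetIPsecRule -DisplayName $display -ErrorAction SilentlyContinue) {
            Write-Verbose "Rule '$display' already exists; skipping."
            continue
        }
        # InboundSecurity/OutboundSecurity None corresponds to "Do not authenticate".
        New-NetIPsecRule -DisplayName $display `
            -LocalAddress $LocalAddress -RemoteAddress Any `
            -Protocol $proto -LocalPort $LocalPort -RemotePort Any `
            -InboundSecurity None -OutboundSecurity None | Out-Null
    }
}

# On the Mediation Server: "Mediation Server Inbound" and "Outbound" rows.
# Scoping LocalAddress to the server keeps the exemption limited to its traffic.
New-LyncMediaIPsecExemption -RuleName 'Lync Mediation Server media' `
    -LocalAddress $MediationServerIp

# On client computers: "Clients" row (UDP only, source port = media port range).
New-LyncMediaIPsecExemption -RuleName 'Lync client media' `
    -Protocols UDP -LocalPort $ClientMediaPorts

# Review every rule that exempts traffic from authentication, so the
# exemptions stay limited to the rows in the table.
Get-NetIPsecRule |
    Where-Object { $_.InboundSecurity -eq 'None' -and $_.OutboundSecurity -eq 'None' } |
    Select-Object DisplayName, Enabled, InboundSecurity, OutboundSecurity
```

Where IPsec policy is distributed through Group Policy, the same rules belong in the GPO rather than on each host.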