Edge Server environmental requirements in Skype for Business Server 2015

Skype for Business Server 2015
 

Topic Last Modified: 2016-07-11

Summary: Learn about the environmental requirements for Edge Server in Skype for Business Server 2015.

A lot of planning and preparation needs to take place outside of the Skype for Business Server 2015 Edge Server environment itself. In this article, we'll review what preparations need to be made in the organizational environment: IP address planning, DNS planning, certificate planning, and port and firewall planning.

Skype for Business Server 2015 Edge Server topologies are able to use:

  • Routable public IP addresses.

  • Non-routable private IP addresses, if symmetric network address translation (NAT) is used.

Tip:
Your Edge Server can be configured to use a single IP address with distinct ports for each service, or it can use distinct IP addresses for each service but the same default port (TCP 443 by default). There's more information in the IP address requirements section below.

If you choose non-routable private IP addresses with NAT, remember these points:

  • You need to use routable private IP addresses on all three external interfaces.

  • You need to configure symmetric NAT for incoming and outgoing traffic. Symmetric NAT is the only supported NAT you can use with Skype for Business Server 2015 Edge Server.

  • Configure your NAT to not change incoming source addresses. The A/V Edge service needs to be able to receive the incoming source address to find the optimal media path.

  • Your Edge Servers need to be able to communicate with one another from their public A/V Edge IP addresses. Your firewall needs to allow this traffic.

  • NAT can only be used for scaled consolidated Edge Servers if you use DNS load balancing. If you use hardware load balancing (HLB), you need to use publicly routable IP addresses without NAT.

You'll have no problems having your Access, Web conferencing and A/V Edge interfaces behind a router or firewall performing symmetric NAT for both single and scaled consolidated Edge Server topologies (as long as you're not using hardware load balancing).

We have several topology options available for Skype for Business Server 2015 Edge Server deployments:

  • Single consolidated Edge with private IP addresses and NAT

  • Single consolidated Edge with public IP addresses

  • Scaled consolidated Edge with private IP addresses and NAT

  • Scaled consolidated Edge with public IP addresses

  • Scaled consolidated Edge with hardware load balancers

To help you choose one, we have the following table which gives a summary of what options you have for each topology:

 

Topology | High availability | Additional DNS records required for external Edge Server in the Edge pool? | Edge failover for Skype for Business Server sessions | Edge failover for Skype for Business Server federation sessions
--- | --- | --- | --- | ---
Single consolidated Edge with private IP addresses and NAT | No | No | No | No
Single consolidated Edge with public IP addresses | No | No | No | No
Scaled consolidated Edge with private IP addresses and NAT (DNS load balanced) | Yes | Yes | Yes | Yes*
Scaled consolidated Edge with public IP addresses (DNS load balanced) | Yes | Yes | Yes | Yes*
Scaled consolidated Edge with hardware load balancers | Yes | No (one DNS A record per VIP) | Yes | Yes

*Exchange Unified Messaging (UM) remote user failover using DNS load balancing requires Exchange 2013 or newer.

On a fundamental level, three services need IP addresses: the Access Edge service, the Web Conferencing Edge service, and the A/V Edge service. You can either use three IP addresses, one for each service, or use one IP address and put each service on a different port (see the Port and firewall planning section for more on that). For a single consolidated Edge environment, that's pretty much it.

Note:
As noted above, you can choose to have one IP address for all three services and run them on different ports. But to be clear, we don't recommend this: if your customers can't reach the alternate ports you'd be using in this scenario, they can't access the full functionality of your Edge environment either.

It can be a little more complicated with scaled consolidated topologies, so let's look at some tables that lay out the IP Address requirements, keeping in mind that the primary decision points for topology selection are high availability and load balancing. High availability needs can influence your load balancing choice (we'll talk about that more after the tables).

 

Edge Servers using three IP addresses each (one per service):

Number of Edge Servers per pool | Number of required IP addresses for DNS load balancing | Number of required IP addresses for hardware load balancing
--- | --- | ---
2 | 6 | 3 (1 per VIP) + 6
3 | 9 | 3 (1 per VIP) + 9
4 | 12 | 3 (1 per VIP) + 12
5 | 15 | 3 (1 per VIP) + 15

 

Edge Servers using a single IP address each (all three services on one address):

Number of Edge Servers per pool | Number of required IP addresses for DNS load balancing | Number of required IP addresses for hardware load balancing
--- | --- | ---
2 | 2 | 1 (1 per VIP) + 2
3 | 3 | 1 (1 per VIP) + 3
4 | 4 | 1 (1 per VIP) + 4
5 | 5 | 1 (1 per VIP) + 5

Let's look at some additional things to think about while planning.

  • High availability: If you need high availability in your deployment, you should deploy at least two Edge Servers in a pool. It's worth noting that a single Edge pool will support up to 12 Edge Servers (though Topology Builder will allow you to add up to 20, that's not tested or supported, so we advise you don't do that). If you need more than 12 Edge Servers, you should create additional Edge pools for them.

  • Hardware load balancing: We recommend DNS load balancing for most scenarios. Hardware load balancing is also supported, of course, but notably it's required for a single scenario over DNS load balancing:

    • External access to Exchange 2007 or Exchange 2010 (with no SP) Unified Messaging (UM).

  • DNS load balancing: For UM, Exchange 2010 SP1 and newer are supported with DNS load balancing. If you use DNS load balancing with an earlier version of Exchange, it'll work, but all the UM traffic will go to the first server in the pool, and if that server isn't available, the traffic will fail.

    DNS load balancing is also recommended if you're federating with companies using Lync Server 2010, Lync Server 2013, and Microsoft Office 365.

When it comes to Skype for Business Server 2015 Edge Server deployment, it's vital to prepare for DNS properly. With the right records in place, the deployment will be much more straightforward. Hopefully you've chosen a topology in the section above, as we're going to do an overview, and then list a couple of tables outlining the DNS records for those scenarios. We'll also have some Advanced DNS planning for Skype for Business Server 2015 for more in-depth reading, if you need it.

These will be the DNS records you're going to need for a single Edge Server using either public IPs or private IPs with NAT. Because this is sample data, we'll give example IPs so you can work out your own entries more easily:

  • Internal network adapter: 172.25.33.10 (no default gateway is assigned)

    Note:
    Ensure that there is a route from the network containing the Edge internal interface to any networks that contain servers running Skype for Business Server 2015 or Lync Server 2013 clients (for example, from 172.25.33.0 to 192.168.10.0).

  • External network adapter:

    • Public IPs:

      • Access Edge: 131.107.155.10 (this is the primary, with the default gateway set to your public router, for example 131.107.155.1)

      • Web Conferencing Edge: 131.107.155.20 (secondary)

      • A/V Edge: 131.107.155.30 (secondary)

    • Private IPs:

      • Access Edge: 10.45.16.10 (this is the primary, with the default gateway set to your router, for example 10.45.16.1)

      • Web Conferencing Edge: 10.45.16.20 (secondary)

      • A/V Edge: 10.45.16.30 (secondary)

    In either case, the Web Conferencing and A/V Edge IP addresses are additional (secondary) IP addresses, entered in the Advanced section of the properties of Internet Protocol Version 4 (TCP/IPv4) and Internet Protocol Version 6 (TCP/IPv6) of the Local Area Connection Properties in Windows Server.

Tip:
There are other possible configurations here:

  • You could use one IP address on the external network adapter. We don't recommend this, because then you need to differentiate between the three services using different ports (which you can do in Skype for Business Server), and some firewalls may block the alternate ports. See the Port and firewall planning section for more about this.

  • You can have three external network adapters instead of one, and assign one of the service IPs to each. Why do this? It separates the services, so if something goes wrong it's easier to troubleshoot, and your other services can potentially keep working while you resolve the issue.

 

Location | Type | Port | FQDN or DNS record | IP address or FQDN | Notes
--- | --- | --- | --- | --- | ---
External DNS | A record | NA | sip.contoso.com | 131.107.155.10 (public) or 10.45.16.10 (private) | An external interface for your Access Edge service. You'll need one for every SIP domain with Skype for Business users.
External DNS | A record | NA | webcon.contoso.com | 131.107.155.20 (public) or 10.45.16.20 (private) | An external interface for your Web Conferencing Edge service.
External DNS | A record | NA | av.contoso.com | 131.107.155.30 (public) or 10.45.16.30 (private) | An external interface for your A/V Edge service.
External DNS | SRV record | 443 | _sip._tls.contoso.com | sip.contoso.com | An external interface for your Access Edge service. This SRV record is required for Skype for Business Server 2015, Lync Server 2013, and Lync Server 2010 clients to work externally. You'll need one for every domain with Skype for Business users.
External DNS | SRV record | 5061 | _sipfederationtls._tcp.contoso.com | sip.contoso.com | An external interface for your Access Edge service. This SRV record is required for automatic DNS discovery of federated partners called Allowed SIP domains. You'll need one for every domain with Skype for Business users.
Internal DNS | A record | NA | sfvedge.contoso.net | 172.25.33.10 | The internal interface for your consolidated Edge.

These will be the DNS records you're going to need for an Edge pool (two nodes are shown here) using either public IPs or private IPs with NAT. Because this is sample data, we'll give example IPs so you can work out your own entries more easily:

  • Internal network adapter:

    • Node 1: 172.25.33.10 (no default gateway is assigned)

    • Node 2: 172.25.33.11 (no default gateway is assigned)

    Note:
    Ensure that there is a route from the network containing the Edge internal interface to any networks that contain servers running Skype for Business Server 2015 or Lync Server 2013 clients (for example, from 172.25.33.0 to 192.168.10.0).

  • External network adapter:

    • Node 1

      • Public IPs:

        • Access Edge: 131.107.155.10 (this is the primary, with the default gateway set to your public router, for example 131.107.155.1)

        • Web Conferencing Edge: 131.107.155.20 (secondary)

        • A/V Edge: 131.107.155.30 (secondary)

      • Private IPs:

        • Access Edge: 10.45.16.10 (this is the primary, with the default gateway set to your router, for example 10.45.16.1)

        • Web Conferencing Edge: 10.45.16.20 (secondary)

        • A/V Edge: 10.45.16.30 (secondary)

    • Node 2

      • Public IPs:

        • Access Edge: 131.107.155.11 (this is the primary, with the default gateway set to your public router, for example 131.107.155.1)

        • Web Conferencing Edge: 131.107.155.21 (secondary)

        • A/V Edge: 131.107.155.31 (secondary)

      • Private IPs:

        • Access Edge: 10.45.16.11 (this is the primary, with the default gateway set to your router, for example 10.45.16.1)

        • Web Conferencing Edge: 10.45.16.21 (secondary)

        • A/V Edge: 10.45.16.31 (secondary)

    On every node, the Web Conferencing and A/V Edge IP addresses (public or private) are additional (secondary) IP addresses, entered in the Advanced section of the properties of Internet Protocol Version 4 (TCP/IPv4) and Internet Protocol Version 6 (TCP/IPv6) of the Local Area Connection Properties in Windows Server.

Tip:
There are other possible configurations here:

  • You could use one IP address on the external network adapter. We don't recommend this, because then you need to differentiate between the three services using different ports (which you can do in Skype for Business Server), and some firewalls may block the alternate ports. See the Port and firewall planning section for more about this.

  • You can have three external network adapters instead of one, and assign one of the service IPs to each. Why do this? It separates the services, so if something goes wrong it's easier to troubleshoot, and your other services can potentially keep working while you resolve the issue.

 

Location | Type | Port | FQDN or DNS record | IP address or FQDN | Notes
--- | --- | --- | --- | --- | ---
External DNS | A record | NA | sip.contoso.com | 131.107.155.10 and 131.107.155.11 (public) or 10.45.16.10 and 10.45.16.11 (private) | An external interface for your Access Edge service. You'll need one for every SIP domain with Skype for Business users.
External DNS | A record | NA | webcon.contoso.com | 131.107.155.20 and 131.107.155.21 (public) or 10.45.16.20 and 10.45.16.21 (private) | An external interface for your Web Conferencing Edge service.
External DNS | A record | NA | av.contoso.com | 131.107.155.30 and 131.107.155.31 (public) or 10.45.16.30 and 10.45.16.31 (private) | An external interface for your A/V Edge service.
External DNS | SRV record | 443 | _sip._tls.contoso.com | sip.contoso.com | An external interface for your Access Edge service. This SRV record is required for Skype for Business Server 2015, Lync Server 2013, and Lync Server 2010 clients to work externally. You'll need one for every domain with Skype for Business users.
External DNS | SRV record | 5061 | _sipfederationtls._tcp.contoso.com | sip.contoso.com | An external interface for your Access Edge service. This SRV record is required for automatic DNS discovery of federated partners called Allowed SIP domains. You'll need one for every domain with Skype for Business users.
Internal DNS | A record | NA | sfvedge.contoso.net | 172.25.33.10 and 172.25.33.11 | The internal interface for your consolidated Edge.

 

Location | Type | Port | FQDN | FQDN host record | Notes
--- | --- | --- | --- | --- | ---
External DNS | SRV | 5061 | _sipfederationtls._tcp.contoso.com | sip.contoso.com | The SIP Access Edge external interface required for automatic DNS discovery. Used by your other potential federation partners. It's also known as "Allowed SIP domains." You'll need one of these for each SIP domain with Skype for Business users.

Note:
You will need this SRV record for mobility and the push notification clearing house.

 

Location | Type | Port | FQDN | IP address or FQDN host record | Notes
--- | --- | --- | --- | --- | ---
External DNS | SRV | 5269 | _xmpp-server._tcp.contoso.com | xmpp.contoso.com | The XMPP proxy interface on your Access Edge service or Edge pool. Repeat this as needed for all internal SIP domains with Skype for Business enabled users where contact with XMPP contacts is allowed through a global policy, a site policy where the user is enabled, or a user policy applied to the Skype for Business enabled user. An allowed XMPP policy also needs to be configured in the XMPP federated users policy.
External DNS | A | NA | xmpp.contoso.com | IP address of the Access Edge service on the Edge Server or Edge pool hosting your XMPP Proxy service | This points to the Access Edge service on the Edge Server or Edge pool that hosts the XMPP Proxy service. Typically the SRV record that you create will point to this host (A or AAAA) record.
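The DNS tables above describe a record set that is easy to get subtly wrong in a pool (one A record per node per name, one SRV pair per SIP domain, SRV targets that must resolve). The following is an added example, not code from the Skype for Business documentation: it generates the required record set from a planning structure and audits a zone export against it. The `EdgeNode`/`EdgePlan` types, the internal name `sfbedge.contoso.net` and the zone contents are assumptions constructed for the example; the IPs are the page's sample addresses.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# A DNS record as (zone, type, name, port, target). A records carry "NA" in the
# port position, matching the convention used in the tables above.
Record = Tuple[str, str, str, str, str]


@dataclass
class EdgeNode:
    """External and internal addresses of one Edge Server (hypothetical structure)."""
    internal_ip: str
    access_ip: str    # Access Edge address; the XMPP Proxy shares it
    webcon_ip: str
    av_ip: str


@dataclass
class EdgePlan:
    sip_domains: List[str]                 # first entry is the primary SIP domain
    internal_fqdn: str                     # internal DNS name of the Edge internal interface
    nodes: List[EdgeNode]                  # one node for a single Edge, several for a pool
    xmpp_domains: List[str] = field(default_factory=list)


def required_records(plan: EdgePlan) -> Set[Record]:
    """Records the DNS tables call for. With DNS load balancing every node in the
    pool gets its own A record under the same name, so a pool yields one A record
    per node per service name."""
    recs: Set[Record] = set()
    primary = plan.sip_domains[0]
    for node in plan.nodes:
        recs.add(("external", "A", f"webcon.{primary}", "NA", node.webcon_ip))
        recs.add(("external", "A", f"av.{primary}", "NA", node.av_ip))
        recs.add(("internal", "A", plan.internal_fqdn, "NA", node.internal_ip))
        for dom in plan.sip_domains:       # one Access Edge A record per SIP domain
            recs.add(("external", "A", f"sip.{dom}", "NA", node.access_ip))
        for dom in plan.xmpp_domains:      # XMPP host record points at the Access Edge IP
            recs.add(("external", "A", f"xmpp.{dom}", "NA", node.access_ip))
    for dom in plan.sip_domains:
        recs.add(("external", "SRV", f"_sip._tls.{dom}", "443", f"sip.{dom}"))
        recs.add(("external", "SRV", f"_sipfederationtls._tcp.{dom}", "5061", f"sip.{dom}"))
    for dom in plan.xmpp_domains:
        recs.add(("external", "SRV", f"_xmpp-server._tcp.{dom}", "5269", f"xmpp.{dom}"))
    return recs


def audit_zone(plan: EdgePlan, zone: Set[Record]) -> Dict[str, List[Record]]:
    """Report records the plan needs but the zone lacks, and SRV records whose
    target has no A record in the same zone (clients following them resolve nothing)."""
    hosts = {(r[0], r[2]) for r in zone if r[1] == "A"}
    dangling = [r for r in zone if r[1] == "SRV" and (r[0], r[4]) not in hosts]
    return {"missing": sorted(required_records(plan) - zone), "dangling_srv": sorted(dangling)}


# Constructed sample: the two-node pool from the example above, and a zone export
# in which node 2's av.contoso.com record is absent and the federation SRV was
# left pointing at a decommissioned host name.
SAMPLE_PLAN = EdgePlan(
    sip_domains=["contoso.com"],
    internal_fqdn="sfbedge.contoso.net",
    nodes=[
        EdgeNode("172.25.33.10", "131.107.155.10", "131.107.155.20", "131.107.155.30"),
        EdgeNode("172.25.33.11", "131.107.155.11", "131.107.155.21", "131.107.155.31"),
    ],
)
SAMPLE_ZONE: Set[Record] = {
    ("external", "A", "sip.contoso.com", "NA", "131.107.155.10"),
    ("external", "A", "sip.contoso.com", "NA", "131.107.155.11"),
    ("external", "A", "webcon.contoso.com", "NA", "131.107.155.20"),
    ("external", "A", "webcon.contoso.com", "NA", "131.107.155.21"),
    ("external", "A", "av.contoso.com", "NA", "131.107.155.30"),
    ("external", "SRV", "_sip._tls.contoso.com", "443", "sip.contoso.com"),
    ("external", "SRV", "_sipfederationtls._tcp.contoso.com", "5061", "sip-old.contoso.com"),
    ("internal", "A", "sfbedge.contoso.net", "NA", "172.25.33.10"),
    ("internal", "A", "sfbedge.contoso.net", "NA", "172.25.33.11"),
}

if __name__ == "__main__":
    report = audit_zone(SAMPLE_PLAN, SAMPLE_ZONE)
    for kind, items in report.items():
        print(f"{kind}: {len(items)}")
        for rec in items:
            print("  ", " ".join(rec))
```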

Skype for Business Server 2015 uses certificates for secure, encrypted communications both between servers and from server to client. As you'd expect, the DNS records for your servers will need to match the subject name (SN) and subject alternative name (SAN) entries on your certificates. That takes work now, at the planning stage, to ensure you have the right FQDNs registered in DNS for the SN and SAN entries on your certificates.

We'll discuss external and internal certificate needs separately, and then look at a table providing the requirements for both.

At a minimum, the certificate assigned to your external Edge Server interfaces will need to be provided by a public Certificate Authority (CA). We can't recommend a specific CA to you, but we do have a list of CAs, Unified Communications certificate partners that you can take a look at to see if your preferred CA is listed.

When will you need to submit a request to a CA for this public certificate, and how do you do it? There are a couple of ways to accomplish this:

  • You can go through the installation of Skype for Business Server, and then the Edge Server deployment. The Skype for Business Server Deployment Wizard will have a step to generate a certificate request, which you can then send to your chosen CA.

  • You can also use Windows PowerShell commands to generate this request, if that's more in line with your business needs or deployment strategy.

  • Finally, your CA may have their own submission process, which may also involve Windows PowerShell or another method. In that case, you'll need to rely on their documentation, in addition to the information provided here for your reference.

After you've gotten the certificate, you'll need to go ahead and assign it to these services in Skype for Business Server:

  • Access Edge service interface

  • Web Conferencing Edge service interface

  • Audio/Video Authentication service (don't confuse this with the A/V Edge service, as that doesn't use a certificate to encrypt audio and video streams)

Important:
All Edge Servers need to have the exact same certificate with the same private key for the Media Relay Authentication service.

For the internal Edge Server interface, you can use a public certificate from a public CA, or a certificate issued from your organization's internal CA. The thing to remember about the internal certificate is that it uses an SN entry, and no SAN entries, so you don't have to worry about SAN on the internal cert at all.

We have a table here to help you out with your requests. The FQDN entries here are for sample domains only. You're going to need to make requests based on your own private and public domains, but here's a guide to what we've used:

  • contoso.com: Public FQDN

  • fabrikam.com: Second public FQDN (added as a demo of what to request if you have multiple SIP domains)

  • contoso.net: Internal domain

Regardless of whether you're doing a single Edge Server or an Edge pool, this is what you'll need for your certificate:

 

Component | Subject name (SN) | Subject alternative names (SAN), in order | Notes
--- | --- | --- | ---
External Edge | sip.contoso.com | sip.contoso.com, webcon.contoso.com, sip.fabrikam.com | This is the certificate you need to request from a public CA. It'll need to be assigned to the external Edge interfaces for Access Edge, Web Conferencing Edge, and Audio/Video Authentication. The good news is that SANs are automatically added to your certificate request, and therefore to your certificate after you submit the request, based on what you defined for this deployment in Topology Builder. You'll only need to add SAN entries for any additional SIP domains or other entries you need to support. Why is sip.contoso.com replicated in this instance? That happens automatically as well, and it's needed for things to work properly. This certificate can also be used for Public Instant Messaging connectivity; you don't need to do anything differently with it, but in previous versions of this documentation it was listed as a separate table, and now it's not.
Internal Edge | sfbedge.contoso.com | NA | You can get this certificate from a public CA or an internal CA. It'll need to contain the server EKU (Enhanced Key Usage), and you'll assign it to the internal Edge interface.

Note:
If you need a certificate for Extensible Messaging and Presence Protocol (XMPP), it will look identical to the External Edge entry above, but will have the following two additional SAN entries:

  • xmpp.contoso.com

  • *.contoso.com

Please remember that XMPP is currently only supported for Google Talk. If you want or need to use it for anything else, you need to confirm that functionality with the third-party vendor involved.
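The certificate table and the Important note above give three checks worth automating before a pool goes live: the external certificate's SN and ordered SAN list match the SIP domains (plus the two XMPP entries when XMPP is in use), every Edge Server carries the same certificate and private key, and the internal certificate's SN matches the internal Edge FQDN. The following is an added example, not code from the Skype for Business documentation; the `Cert` dictionary shape, the node names `edge1`/`edge2` and the thumbprint strings are constructed placeholders, and the example expects names to be supplied by whatever tool exported the certificates.

```python
from typing import Dict, List, Tuple

# Exported certificate summary (hypothetical shape): subject CN, the SAN DNS names
# in the order they appear, and the certificate thumbprint.
Cert = Dict[str, object]


def expected_external_names(sip_domains: List[str], xmpp: bool = False) -> Tuple[str, List[str]]:
    """Subject name and ordered SAN list for the external Edge certificate, per the
    table above: sip.<primary> as SN and again as the first SAN, webcon.<primary>,
    one sip.<domain> per additional SIP domain, and the two XMPP entries if needed."""
    primary = sip_domains[0]
    sans = [f"sip.{primary}", f"webcon.{primary}"]
    sans += [f"sip.{dom}" for dom in sip_domains[1:]]
    if xmpp:
        sans += [f"xmpp.{primary}", f"*.{primary}"]
    return f"sip.{primary}", sans


def check_external_certs(sip_domains: List[str], node_certs: Dict[str, Cert],
                         xmpp: bool = False) -> List[str]:
    """Findings for the external certificate on each Edge Server in a pool."""
    sn, sans = expected_external_names(sip_domains, xmpp)
    findings: List[str] = []
    for node, cert in sorted(node_certs.items()):
        if cert["subject"] != sn:
            findings.append(f"{node}: subject is {cert['subject']}, expected {sn}")
        missing = [name for name in sans if name not in cert["sans"]]
        if missing:
            findings.append(f"{node}: SAN missing {', '.join(missing)}")
    # Per the Important note: every Edge Server needs the same certificate and
    # private key for Media Relay Authentication, so the thumbprints must agree.
    if len({cert["thumbprint"] for cert in node_certs.values()}) > 1:
        findings.append("pool: Edge Servers do not share one certificate and private key")
    return findings


def check_internal_cert(internal_fqdn: str, cert: Cert) -> List[str]:
    """The internal certificate only needs its SN to match the internal Edge FQDN;
    SAN entries are not required there, so only the subject is checked."""
    if cert["subject"] != internal_fqdn:
        return [f"internal: subject is {cert['subject']}, expected {internal_fqdn}"]
    return []


# Constructed sample: two SIP domains, XMPP enabled, and a pool in which node 2
# still carries an older certificate issued before fabrikam.com was added.
# Thumbprints are placeholders, not real values.
SAMPLE_DOMAINS = ["contoso.com", "fabrikam.com"]
SAMPLE_CERTS: Dict[str, Cert] = {
    "edge1": {"subject": "sip.contoso.com",
              "sans": ["sip.contoso.com", "webcon.contoso.com", "sip.fabrikam.com",
                       "xmpp.contoso.com", "*.contoso.com"],
              "thumbprint": "THUMBPRINT-A"},
    "edge2": {"subject": "sip.contoso.com",
              "sans": ["sip.contoso.com", "webcon.contoso.com", "xmpp.contoso.com",
                       "*.contoso.com"],
              "thumbprint": "THUMBPRINT-B"},
}

if __name__ == "__main__":
    for line in check_external_certs(SAMPLE_DOMAINS, SAMPLE_CERTS, xmpp=True):
        print(line)
```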

Getting your planning right for ports and firewalls for Skype for Business Server Edge Server deployments can save you days or weeks of troubleshooting and stress. As a result, we're going to list a couple of tables that will indicate our protocol usage and what ports you need to have open, inbound and outbound, both for NAT and public IP scenarios. We'll also have separate tables for hardware load balanced scenarios (HLB) and some further guidance on that. For more reading from there, we also have Technical diagrams for Skype for Business Server 2015, as well as some Edge Server scenarios in Skype for Business Server 2015 you can check out for your particular deployment concerns.

Before we look at the summary tables for external and internal firewalls, let's consider the following table as well:

 

Audio/Video transport | Usage
--- | ---
UDP | The preferred transport layer protocol for audio and video.
TCP | The fallback transport layer protocol for audio and video. The required transport layer protocol for application sharing to Skype for Business Server 2015, Lync Server 2013, and Lync Server 2010. The required transport layer protocol for file transfer to Skype for Business Server 2015, Lync Server 2013, and Lync Server 2010.

The Source IP address and Destination IP address columns cover both users with private IP addresses and NAT and users with public IP addresses; where a cell gives two values separated by a slash, the first applies to private IP addresses with NAT and the second to public IP addresses. This covers all the permutations in our Edge Server scenarios in Skype for Business Server 2015 section.

Role or protocol | TCP or UDP | Destination port or port range | Source IP address | Destination IP address | Notes
--- | --- | --- | --- | --- | ---
XMPP | TCP | 5269 | Any | XMPP Proxy service (shares an IP address with the Access Edge service) | The XMPP Proxy service accepts traffic from XMPP contacts in defined XMPP federations.
Access/HTTP | TCP | 80 | Edge Server Access Edge service / Edge Server Access Edge service public IP address | Any | Certificate revocation and CRL check and retrieval.
Access/DNS | TCP | 53 | Edge Server Access Edge service / Edge Server Access Edge service public IP address | Any | DNS query over TCP.
Access/DNS | UDP | 53 | Edge Server Access Edge service / Edge Server Access Edge service public IP address | Any | DNS query over UDP.
Access/SIP(TLS) | TCP | 443 | Any | Edge Server Access Edge service / Edge Server Access Edge service public IP address | Client-to-server SIP traffic for external user access.
Access/SIP(MTLS) | TCP | 5061 | Any | Edge Server Access Edge service / Edge Server Access Edge service public IP address | For federated and public IM connectivity using SIP.
Access/SIP(MTLS) | TCP | 5061 | Edge Server Access Edge service / Edge Server Access Edge service public IP address | Any | For federated and public IM connectivity using SIP.
Web conferencing/PSOM(TLS) | TCP | 443 | Any | Edge Server Web Conferencing Edge service / Edge Server Web Conferencing Edge service public IP address | Web conferencing media.
A/V/RTP | TCP | 50000-59999 | Edge Server A/V Edge service / Edge Server A/V Edge service public IP address | Any | This is used for relaying media traffic.
A/V/RTP | UDP | 50000-59999 | Edge Server A/V Edge service / Edge Server A/V Edge service public IP address | Any | This is used for relaying media traffic.
A/V/STUN.MSTURN | UDP | 3478 | Edge Server A/V Edge service / Edge Server A/V Edge service public IP address | Any | 3478 outbound is used by Skype for Business Server to determine the version of Edge Server it's communicating with, is used for media traffic between Edge Servers, is required for federation with Lync Server 2010, and is needed if multiple Edge pools are deployed within your organization.
A/V/STUN.MSTURN | UDP | 3478 | Any | Edge Server A/V Edge service / Edge Server A/V Edge service public IP address | STUN/TURN negotiation of candidates over UDP on port 3478.
A/V/STUN.MSTURN | TCP | 443 | Any | Edge Server A/V Edge service / Edge Server A/V Edge service public IP address | STUN/TURN negotiation of candidates over TCP on port 443.
A/V/STUN.MSTURN | TCP | 443 | Edge Server A/V Edge service / Edge Server A/V Edge service public IP address | Any | STUN/TURN negotiation of candidates over TCP on port 443.
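A perimeter firewall review usually fails in one of two directions: a required opening from the external table above was never added (media or federation silently breaks), or an opening that the table never asked for is still present on an Edge address. The following is an added example, not code from the Skype for Business documentation; it encodes the external table as data and audits a rule set against it. The `FirewallRule` shape, the service labels `access`/`webcon`/`av` and the sample rule names are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Required external openings from the table above, as
# (Edge service address, protocol, first port, last port, direction relative to the Edge).
# "in" means the Edge service address is the destination, "out" that it is the source.
Opening = Tuple[str, str, int, int, str]
REQUIRED_EXTERNAL: List[Opening] = [
    ("access", "TCP", 5269, 5269, "in"),    # XMPP Proxy (shares the Access Edge IP)
    ("access", "TCP", 80, 80, "out"),       # certificate revocation / CRL retrieval
    ("access", "TCP", 53, 53, "out"),       # DNS over TCP
    ("access", "UDP", 53, 53, "out"),       # DNS over UDP
    ("access", "TCP", 443, 443, "in"),      # SIP/TLS from external clients
    ("access", "TCP", 5061, 5061, "in"),    # SIP/MTLS federation and public IM
    ("access", "TCP", 5061, 5061, "out"),
    ("webcon", "TCP", 443, 443, "in"),      # PSOM/TLS web conferencing media
    ("av", "TCP", 50000, 59999, "out"),     # RTP media relay
    ("av", "UDP", 50000, 59999, "out"),
    ("av", "UDP", 3478, 3478, "out"),       # STUN/TURN between Edges and for federation
    ("av", "UDP", 3478, 3478, "in"),        # STUN/TURN candidate negotiation
    ("av", "TCP", 443, 443, "in"),
    ("av", "TCP", 443, 443, "out"),
]


@dataclass(frozen=True)
class FirewallRule:
    """One allow rule on the perimeter firewall (hypothetical structure)."""
    name: str
    service: str      # Edge service address the rule applies to: access, webcon or av
    proto: str
    first_port: int
    last_port: int
    direction: str    # "in" (towards the Edge) or "out" (from the Edge)


def covers(rule: FirewallRule, service: str, proto: str, lo: int, hi: int, direction: str) -> bool:
    """True when the rule allows the whole required port range for that service/direction."""
    return (rule.service == service and rule.proto == proto and rule.direction == direction
            and rule.first_port <= lo and hi <= rule.last_port)


def missing_openings(rules: List[FirewallRule]) -> List[Opening]:
    """Required openings that no rule fully covers, in table order."""
    return [req for req in REQUIRED_EXTERNAL if not any(covers(r, *req) for r in rules)]


def over_permissive(rules: List[FirewallRule]) -> List[str]:
    """Inbound rules that do not match one required inbound opening exactly. Every
    required inbound entry is a single port, so a wider range or an unlisted port
    exposes something the table never asked for."""
    inbound_required = [(s, p, lo, hi) for s, p, lo, hi, d in REQUIRED_EXTERNAL if d == "in"]
    return [r.name for r in rules if r.direction == "in"
            and (r.service, r.proto, r.first_port, r.last_port) not in inbound_required]


# Constructed sample: a rule set that forgot inbound STUN/TURN over UDP and the
# outbound SIP/MTLS federation opening, and that still carries an inbound
# management rule on the Access Edge address left over from an earlier build.
SAMPLE_RULES = [
    FirewallRule("xmpp-in", "access", "TCP", 5269, 5269, "in"),
    FirewallRule("crl-out", "access", "TCP", 80, 80, "out"),
    FirewallRule("dns-out-tcp", "access", "TCP", 53, 53, "out"),
    FirewallRule("dns-out-udp", "access", "UDP", 53, 53, "out"),
    FirewallRule("sip-tls-in", "access", "TCP", 443, 443, "in"),
    FirewallRule("sip-mtls-in", "access", "TCP", 5061, 5061, "in"),
    FirewallRule("psom-in", "webcon", "TCP", 443, 443, "in"),
    FirewallRule("rtp-out-tcp", "av", "TCP", 50000, 59999, "out"),
    FirewallRule("rtp-out-udp", "av", "UDP", 50000, 59999, "out"),
    FirewallRule("stun-out-udp", "av", "UDP", 3478, 3478, "out"),
    FirewallRule("stun-in-tcp", "av", "TCP", 443, 443, "in"),
    FirewallRule("stun-out-tcp", "av", "TCP", 443, 443, "out"),
    FirewallRule("legacy-mgmt-in", "access", "TCP", 3389, 3389, "in"),
]

if __name__ == "__main__":
    for opening in missing_openings(SAMPLE_RULES):
        print("missing:", opening)
    for name in over_permissive(SAMPLE_RULES):
        print("not in the table (inbound):", name)
```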

 

Protocol | TCP or UDP | Port | Source IP address | Destination IP address | Notes
--- | --- | --- | --- | --- | ---
XMPP/MTLS | TCP | 23456 | Any Front End Server or Front End pool running the XMPP Gateway service | Edge Server internal interface | Outbound XMPP traffic from your XMPP Gateway service running on your Front End Server or Front End pool.
SIP/MTLS | TCP | 5061 | Any Director, Director pool, Front End Server, or Front End pool | Edge Server internal interface | Outbound SIP traffic from your Director, Director pool, Front End Server or Front End pool to your Edge Server internal interface.
SIP/MTLS | TCP | 5061 | Edge Server internal interface | Any Director, Director pool, Front End Server, or Front End pool | Inbound SIP traffic to your Director, Director pool, Front End Server, or Front End pool from your Edge Server internal interface.
PSOM/MTLS | TCP | 8057 | Any Front End Server, or each Front End Server in your Front End pool | Edge Server internal interface | Web conferencing traffic from your Front End Server or each Front End Server (if you have a Front End pool) to your Edge Server internal interface.
SIP/MTLS | TCP | 5062 | Any Front End Server, Front End pool, Survivable Branch Appliance using this Edge Server, or Survivable Branch Server using this Edge Server | Edge Server internal interface | Authentication of A/V users from your Front End Server or Front End pool, or your Survivable Branch Appliance or Survivable Branch Server, using your Edge Server.
STUN/MSTURN | UDP | 3478 | Any | Edge Server internal interface | Preferred path for A/V media transfer between your internal and external users and your Survivable Branch Appliance or Survivable Branch Server.
STUN/MSTURN | TCP | 443 | Any | Edge Server internal interface | Fallback path for A/V media transfer between your internal and external users and your Survivable Branch Appliance or Survivable Branch Server, if UDP communication doesn't work. TCP is then used for file transfers and desktop sharing.
HTTPS | TCP | 4443 | Any Front End Server or Front End pool that holds the Central Management store | Edge Server internal interface | Replication of changes from your Central Management store to your Edge Server.
MTLS | TCP | 50001 | Any | Edge Server internal interface | Centralized Logging Service controller using Skype for Business Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection.
MTLS | TCP | 50002 | Any | Edge Server internal interface | Centralized Logging Service controller using Skype for Business Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection.
MTLS | TCP | 50003 | Any | Edge Server internal interface | Centralized Logging Service controller using Skype for Business Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection.

We're giving hardware load balancers (HLBs) and Edge ports their own section, as things are a little more complicated with the additional hardware. Please refer to the tables below for guidance for this particular scenario:


 

Role or protocol | TCP or UDP | Destination port or port range | Source IP address | Destination IP address | Notes
--- | --- | --- | --- | --- | ---
Access/HTTP | TCP | 80 | Edge Server Access Edge service public IP address | Any | Certificate revocation and CRL check and retrieval.
Access/DNS | TCP | 53 | Edge Server Access Edge service public IP address | Any | DNS query over TCP.
Access/DNS | UDP | 53 | Edge Server Access Edge service public IP address | Any | DNS query over UDP.
A/V/RTP | TCP | 50000-59999 | Edge Server A/V Edge service IP address | Any | This is used for relaying media traffic.
A/V/RTP | UDP | 50000-59999 | Edge Server A/V Edge service public IP address | Any | This is used for relaying media traffic.
A/V/STUN.MSTURN | UDP | 3478 | Edge Server A/V Edge service public IP address | Any | 3478 outbound is used by Skype for Business Server to determine the version of Edge Server it's communicating with, is used for media traffic between Edge Servers, is required for federation, and is needed if multiple Edge pools are deployed within your organization.
A/V/STUN.MSTURN | UDP | 3478 | Any | Edge Server A/V Edge service public IP address | STUN/TURN negotiation of candidates over UDP on port 3478.
A/V/STUN.MSTURN | TCP | 443 | Any | Edge Server A/V Edge service public IP address | STUN/TURN negotiation of candidates over TCP on port 443.
A/V/STUN.MSTURN | TCP | 443 | Edge Server A/V Edge service public IP address | Any | STUN/TURN negotiation of candidates over TCP on port 443.

 

Protocol | TCP or UDP | Port | Source IP address | Destination IP address | Notes
--- | --- | --- | --- | --- | ---
XMPP/MTLS | TCP | 23456 | Any Front End Server, or the Front End pool VIP address, running the XMPP Gateway service | Edge Server internal interface | Outbound XMPP traffic from your XMPP Gateway service running on your Front End Server or Front End pool.
HTTPS | TCP | 4443 | Any Front End Server or Front End pool that holds the Central Management store | Edge Server internal interface | Replication of changes from your Central Management store to your Edge Server.
PSOM/MTLS | TCP | 8057 | Any Front End Server, or each Front End Server in your Front End pool | Edge Server internal interface | Web conferencing traffic from your Front End Server or each Front End Server (if you have a Front End pool) to your Edge Server internal interface.
STUN/MSTURN | UDP | 3478 | Any Front End Server, or each Front End Server in your Front End pool | Edge Server internal interface | Preferred path for A/V media transfer between your internal and external users and your Survivable Branch Appliance or Survivable Branch Server.
STUN/MSTURN | TCP | 443 | Any Front End Server, or each Front End Server in your pool | Edge Server internal interface | Fallback path for A/V media transfer between your internal and external users and your Survivable Branch Appliance or Survivable Branch Server, if UDP communication doesn't work. TCP is then used for file transfers and desktop sharing.
MTLS | TCP | 50001 | Any | Edge Server internal interface | Centralized Logging Service controller using Skype for Business Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection.
MTLS | TCP | 50002 | Any | Edge Server internal interface | Centralized Logging Service controller using Skype for Business Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection.
MTLS | TCP | 50003 | Any | Edge Server internal interface | Centralized Logging Service controller using Skype for Business Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection.

 

| Role or protocol | TCP or UDP | Destination port or port range | Source IP address | Destination IP address | Notes |
|---|---|---|---|---|---|
| XMPP | TCP | 5269 | Any | XMPP Proxy service (shares an IP address with the Access Edge service) | The XMPP Proxy service accepts traffic from XMPP contacts in defined XMPP federations. |
| XMPP | TCP | 5269 | XMPP Proxy service (shares an IP address with the Access Edge service) | Any | The XMPP Proxy service sends traffic to XMPP contacts in defined XMPP federations. |
| Access/SIP(TLS) | TCP | 443 | Any | Private IP using NAT: Edge Server Access Edge service. Public IP: Edge Server Access Edge service public IP address. | Client-to-server SIP traffic for external user access. |
| Access/SIP(MTLS) | TCP | 5061 | Any | Private IP using NAT: Edge Server Access Edge service. Public IP: Edge Server Access Edge service public IP address. | For federated and public IM connectivity using SIP. |
| Access/SIP(MTLS) | TCP | 5061 | Private IP using NAT: Edge Server Access Edge service. Public IP: Edge Server Access Edge service public IP address. | Any | For federated and public IM connectivity using SIP. |
| Web conferencing/PSOM(TLS) | TCP | 443 | Any | Private IP using NAT: Edge Server Web Conferencing Edge service. Public IP: Edge Server Web Conferencing Edge service public IP address. | Web conferencing media. |
| A/V/STUN.MSTURN | UDP | 3478 | Any | Private IP using NAT: Edge Server A/V Edge service. Public IP: Edge Server A/V Edge service public IP address. | STUN/TURN negotiation of candidates over UDP on port 3478. |
| A/V/STUN.MSTURN | TCP | 443 | Any | Private IP using NAT: Edge Server A/V Edge service. Public IP: Edge Server A/V Edge service public IP address. | STUN/TURN negotiation of candidates over TCP on port 443. |
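As an added example (not from the original article), the following script audits a perimeter ruleset against the external-interface requirements above: it reports required flows that no rule allows, and rules that open ports or endpoints the tables never call for, such as an inbound 50000-59999 media range. The role labels `access`, `webconf` and `av`, the `Flow` type and the ruleset itself are constructed for the example; on a NAT deployment a role label stands for the private address inside the NAT device and the public address outside it.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    proto: str              # "TCP" or "UDP"
    ports: tuple            # inclusive destination port range (lo, hi)
    src: str                # "any" or an assumed role label: access, webconf, av
    dst: str                # same vocabulary as src

# Required flows transcribed from the external-interface tables above; a role
# label is the service's NAT'd private address inside and its public address outside.
REQUIRED = [
    Flow("TCP", (443, 443), "any", "access"),      # Access/SIP(TLS), client to server
    Flow("TCP", (5061, 5061), "any", "access"),    # Access/SIP(MTLS), federation in
    Flow("TCP", (5061, 5061), "access", "any"),    # Access/SIP(MTLS), federation out
    Flow("TCP", (443, 443), "any", "webconf"),     # Web conferencing/PSOM(TLS)
    Flow("UDP", (3478, 3478), "any", "av"),        # STUN/TURN over UDP, inbound
    Flow("TCP", (443, 443), "any", "av"),          # STUN/TURN over TCP, inbound
    Flow("UDP", (3478, 3478), "av", "any"),        # STUN/TURN over UDP, outbound
    Flow("TCP", (443, 443), "av", "any"),          # STUN/TURN over TCP, outbound
    Flow("TCP", (50000, 59999), "av", "any"),      # A/V/RTP relay, outbound only
    Flow("UDP", (50000, 59999), "av", "any"),
    Flow("TCP", (80, 80), "access", "any"),        # CRL retrieval
    Flow("TCP", (53, 53), "access", "any"),        # DNS over TCP
    Flow("UDP", (53, 53), "access", "any"),        # DNS over UDP
]

def covers(rule: Flow, flow: Flow) -> bool:
    """An allow rule satisfies a required flow if it is at least as wide."""
    return (rule.proto == flow.proto
            and rule.ports[0] <= flow.ports[0] <= flow.ports[1] <= rule.ports[1]
            and rule.src in ("any", flow.src) and rule.dst in ("any", flow.dst))

def audit(rules: list) -> tuple:
    """Return (required flows no rule allows, rules that open ports no flow needs)."""
    missing = [f for f in REQUIRED if not any(covers(r, f) for r in rules)]
    excess = []
    for r in rules:
        # Only flows with exactly the same endpoints can justify a rule's ports;
        # a wider source or destination than the table lists is itself excess.
        same = [f for f in REQUIRED if (f.proto, f.src, f.dst) == (r.proto, r.src, r.dst)]
        lo, hi = r.ports
        if not all(any(f.ports[0] <= p <= f.ports[1] for f in same) for p in range(lo, hi + 1)):
            excess.append(r)
    return missing, excess

# Constructed ruleset: the DNS-over-TCP flow is missing and the inbound media
# range is opened, which the tables above never require on the external side.
RULES = [f for f in REQUIRED if f != Flow("TCP", (53, 53), "access", "any")]
RULES.append(Flow("TCP", (50000, 59999), "any", "av"))
```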

Our guidance here is a little different. In an HLB situation, we now recommend routing through an internal VIP only under the following circumstances:

  • If you are using Exchange 2007 or Exchange 2010 Unified Messaging (UM).

  • If you have legacy clients using the Edge.

The following table gives guidance for those scenarios, but otherwise you should be able to depend on the Central Management store (CMS) to route traffic to the individual Edge Servers it's aware of (this does require that CMS is kept up to date with Edge Server information, of course).

 

| Protocol | TCP or UDP | Port | Source IP address | Destination IP address | Notes |
|---|---|---|---|---|---|
| Access/SIP(MTLS) | TCP | 5061 | Director, Director pool VIP address, Front End Server, or Front End pool VIP address | Edge Server internal interface | Outbound SIP traffic from your Director, Director pool VIP address, Front End Server, or Front End pool VIP address to your Edge Server internal interface. |
| Access/SIP(MTLS) | TCP | 5061 | Edge Server internal VIP interface | Director, Director pool VIP address, Front End Server, or Front End pool VIP address | Inbound SIP traffic to your Director, Director pool VIP address, Front End Server, or Front End pool VIP address from your Edge Server internal interface. |
| SIP/MTLS | TCP | 5062 | Front End Server IP address, Front End pool IP address, any Survivable Branch Appliance using this Edge Server, or any Survivable Branch Server using this Edge Server | Edge Server internal interface | Authentication of A/V users from your Front End Server or Front End pool, or your Survivable Branch Appliance or Survivable Branch Server, using your Edge Server. |
| STUN/MSTURN | UDP | 3478 | Any | Edge Server internal interface | Preferred path for A/V media transfer between your internal and external users. |
| STUN/MSTURN | TCP | 443 | Any | Edge Server internal VIP interface | Fallback path for A/V media transfer between your internal and external users if UDP communication doesn't work. TCP is then used for file transfers and desktop sharing. |

 