
Simplified port requirements for Skype for Business Online

We are happy to announce that the 50,000-59,999 port range (UDP and TCP) is no longer a requirement for Skype for Business endpoints to communicate with Skype for Business Online.

Earlier this year we talked about simplifying network connectivity for Skype for Business Online (see blog article here), and we recently updated our guidance and removed the mentioned port range as a requirement: Office 365 URLs and IP address ranges.

 

So which ports are required for clients?

All clients need to be able to connect directly to Skype for Business Online on the following destination ports (the IP addresses and FQDNs can be found in Office 365 URLs and IP address ranges):

  • TCP 80, 443
  • UDP 3478, 3479, 3480, 3481
  • Optional: UDP/TCP 50,000-59,999

 

Is there a minimum client version required to benefit from the port changes?

This change applies to all clients supported against Skype for Business Online. No clients are excluded and there is no specific minimum version required (although we always recommend running the latest version).

 

Why are these ports not required anymore?

To answer this question, it is important to understand first how the 50,000-59,999 ports were used in the first place. (To understand all the details of their purpose, we recommend watching Troubleshoot media flows in Skype for Business across online, server and hybrid.)

Consider the following example:

  • User A wants to call User B
  • For the sake of the example, the direct connection between User A and User B is blocked (e.g. User A and User B are at different branch offices behind firewalls), so the media traffic cannot go directly peer to peer and needs to flow via Skype for Business Online
  • There are now the following possible media paths
    • The 50,000-59,999 port range can be leveraged to include only a single Relay Server in the media path
    • Without the 50,000-59,999 port range, the traffic needs to travel via two Relay Servers.

As you can see, closing the 50,000-59,999 port range will force the traffic to travel via an additional hop. While logic tells us that we usually want to avoid additional hops under all circumstances, the analysis of call quality data has shown us that this additional hop does not significantly affect call quality. Since both Relay Servers are homed on the Microsoft Network, all traffic between them is sent over a highly reliable pipe designed for real-time communication.

 

Our organization has these ports open, should we close them?

Having the 50,000-59,999 port range open can still have (some) benefits when it comes to call setup times and, under some circumstances, call quality. However, in our data analysis and pilot deployments with some customers these differences did not show significance. If you have the ports open today, it makes sense to leave them open.

 

What does this change for hybrid between Skype for Business Server and Skype for Business Online?

This change only applies to users who are homed in Skype for Business Online. If you have an on-premises deployment of Skype for Business, the requirements for your Edge Server to communicate to Skype for Business Online remain unchanged (and also for any Federation scenarios including Skype for Business on-premises).

The A/V Edge Server in your environment will need to be configured like this. Please note that the Source Port is only relevant if your firewall requires a source port to be specified (and a lot of firewalls do not require this setting):

| Source IP | Destination IP | Source Port | Destination Port |
|---|---|---|---|
| A/V Edge service interface | Any | UDP 3478 | UDP 3478 |
| A/V Edge service interface | Any | TCP 50,000-59,999 | TCP 443 |
| Any | A/V Edge service interface | Any | UDP 3478 |
| Any | A/V Edge service interface | Any | TCP 443 |

 

Full requirements for Skype for Business Edge Server can be found here: Edge Server environmental requirements in Skype for Business Server 2015.

 

Does this change anything for Cloud Connector Edition?

No, the requirements for Cloud Connector Edition (see Plan for Skype for Business Cloud Connector Edition) remain unchanged.

 

Call to Action

  1. Celebrate the simplified port requirements
  2. Update any design templates you might have
  3. For future deployments, open only TCP 80, 443 and UDP 3478, 3479, 3480, 3481 per new guideline (and, optionally, 50,000-59,999 UDP and TCP)
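One way to check a firewall design template against the client port list above and the guideline in step 3, as an added example that is not part of the original post. The `(action, protocol, ports)` rule tuples, the first-match/default-deny evaluation and the sample ruleset are assumptions made for illustration, and the rules are assumed to be already scoped to the Skype for Business Online destinations.

```python
# Destination ports taken from the page: required vs. optional for clients.
REQUIRED = {"tcp": {80, 443}, "udp": {3478, 3479, 3480, 3481}}
OPTIONAL = set(range(50000, 60000))  # 50,000-59,999, UDP and TCP

def parse_ports(spec):
    """Expand '443', '3478-3481' or '80, 443' into a set of port numbers."""
    ports = set()
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port spec: {part!r}")
        ports.update(range(lo, hi + 1))
    return ports

def allowed_ports(rules, proto):
    """First matching rule wins per port; anything unmatched is denied."""
    decided, allowed = set(), set()
    for action, rule_proto, spec in rules:
        if rule_proto not in (proto, "any"):
            continue
        fresh = parse_ports(spec) - decided  # ports no earlier rule claimed
        decided |= fresh
        if action == "allow":
            allowed |= fresh
    return allowed

def audit(rules):
    """Report missing required ports, optional-range state and extra openings."""
    report = {}
    for proto, required in REQUIRED.items():
        allowed = allowed_ports(rules, proto)
        n_opt = len(allowed & OPTIONAL)
        report[proto] = {
            "missing_required": sorted(required - allowed),
            "optional_range": ("open" if n_opt == len(OPTIONAL)
                               else "partial" if n_opt else "closed"),
            "beyond_guidance": sorted(allowed - required - OPTIONAL),
        }
    return report

# Constructed sample ruleset: an early deny shadows UDP 3481, and TCP 8080
# is open although the guidance does not call for it.
SAMPLE_RULES = [
    ("deny", "udp", "3481"),
    ("allow", "tcp", "80,443"),
    ("allow", "udp", "3478-3481"),
    ("allow", "tcp", "50000-59999"),
    ("allow", "tcp", "8080"),
]

if __name__ == "__main__":
    for proto, findings in audit(SAMPLE_RULES).items():
        print(proto, findings)
```

A non-empty `missing_required` means clients will lose media connectivity on that port; `beyond_guidance` lists openings the guidance does not ask for and that can be reviewed for removal.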

If you have any questions or comments, please let us know in the community.

 

This post is brought to you by Skype Academy. Visit Skype Academy for technical trainings and readiness around the Skype Operations Framework.

15 Comments
New Contributor

Great stuff!

 

Is this explicitly true for Cloud-PBX certified IP Phones from Polycom/Yealink/etc as well?

Microsoft

@Martin Koenig, yes, this applies to all supported clients. As mentioned there might be some benefits with opening the 50,000-59,999 range when it comes to call setup times, if this is something you are worried about.

Occasional Visitor

When will it be available for Skype for Business Server?

Microsoft

@Ajay Kakkar, the server does not require inbound (from the internet to the Edge Server) traffic on the range 50,000-59,999 for UDP or TCP since Office Communications Server 2007 R2. The only time where it requires the port range is as a source port for traffic from the AV Edge Server to the Internet. You can find the complete table above and I also recommend watching Skype for Business media flows for all the details.

 

hth,

thomas

Occasional Visitor

Does this also affect federated connections from On-Premises Edge to SfB Edge? Thx Christian Schindler

Microsoft

@Christian Schindler, no, the on-premise requirements are staying the same as this will not change server to server traffic.

Occasional Visitor

Thanks for the confirmation!

Frequent Visitor

For QoSing SfB Cloud PBX, would you recommend port based or IP traffic prioritization?  If port based, QoS TCP443 would be bad since a lot of traffic rides on TCP 443, no?

Microsoft

@Daniel Koziupa, client port ranges -- 50,000-50,019 for Audio, 50,020-50,039 for Video and 50,040-50,059 for Sharing -- can solve for part of the problem. However, these ports are used only by PC and Mac clients. In the future, you will be able to do tagging based on destination port (3479 UDP for Audio, 3480 UDP for Video, 3481 UDP for Sharing), but the rollout to all customers will take some time.

Frequent Visitor

First of all, great article!

To reiterate your comment directed to me: for Skype for Business Online Cloud PBX, the optional 50,000 port range has not been fully implemented on all tenants and we should still consider it, but only later, correct? If so, how will we know when? I am asking from a (a) keep ports open perspective, but more so from a (b) QoSing perspective. I am debating whether to switch to port based QoSing for traffic prioritization in one of our sites versus the IP based QoS technique we are using now for call quality, but your comment makes me question if it is ready. What do you recommend? Currently we are doing QoSing for SfB Cloud PBX w/ PSTN connection based on the IP address list here: https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-ab...

Visitor

@Thomas Binder It appears to me that "Share Desktop" (and similar functions) still leverage the 50000-59999 port range. Is this the case? Is there a plan to update this function as well to use known ports?

Microsoft

@Josh Gillam, taking offline to understand the details.

Occasional Visitor

Hi, so in many instances I have experienced, it takes a lot of effort to get Polycom SFB online qualified endpoints (Video codec and Desk SIP phones) to register to the SFB online server. Sometimes it is TIME settings related but on many failed occasions it has been said that some ports might need to be opened on the firewall. Do these ports stated in this article apply for initial client (Video codec and Desk SIP phones) registration and call setup purposes? Anybody with a similar experience with registration?

Occasional Visitor

Hi, @Thomas Binder, so in many instances I have experienced, it takes a lot of effort to get Polycom SFB online qualified endpoints (Video codec and Desk SIP phones) to register to the SFB online server. Sometimes it is TIME settings related but on many failed occasions it has been said that some ports might need to be opened on the firewall. Do these ports stated in this article apply for initial client (Video codec and Desk SIP phones) registration and call setup purposes? Anybody with a similar experience with registration?

Microsoft

@Akpevwe Egbelughe, the ports above are mostly for media -- for registration you will need port TCP 80 and 443.