Simplified port requirements for Skype for Business Online
Published Jun 12 2017 11:59 AM
Microsoft

Note: This article applies only to Office 365 Worldwide (including Government Community Cloud). For guidance on Office 365 operated by 21 Vianet, Office 365 Germany, Office 365 U.S. Government DoD or Office 365 U.S. Government GCC High click on the respective links.

 

We are happy to announce that the 50,000-59,999 port range (UDP and TCP) is no longer a requirement for Skype for Business endpoints to communicate with Skype for Business Online.

Earlier this year we talked about simplifying network connectivity for Skype for Business Online (see blog article here), and we recently updated our guidance and removed this port range as a requirement: Office 365 URLs and IP address ranges

 

So which ports are required for clients?

All clients need to be able to directly connect to Skype for Business Online on the following destination ports: (the IP addresses and FQDNs can be found in the Office 365 URLs and IP address ranges)

  • TCP 80, 443
  • UDP 3478, 3479, 3480, 3481
  • Optional: UDP/TCP 50,000-59,999

 

Is there a minimum client version required to benefit from the port changes?

This change applies to all clients supported against Skype for Business Online. No clients are excluded and there is no specific minimum version required (although we always recommend running the latest version).

 

Why are these ports not required anymore?

To answer this question, it is important to understand first how the 50,000-59,999 ports were used in the first place. (To understand all the details of their purpose, we recommend watching Troubleshoot media flows in Skype for Business across online, server and hybrid.)

Consider the following example:

  • User A wants to call User B
  • For the sake of the example, the direct connection between User A and User B is blocked (e.g. User A and User B are at different branch offices behind firewalls), so the media traffic cannot go directly peer to peer and needs to flow via Skype for Business Online
  • There are now the following possible media paths
    • The 50,000-59,999 port range can be leveraged to include only a single Relay Server in the media path
    • Without the 50,000-59,999 port range, the traffic needs to travel via two Relay Servers.

As you can see, closing the 50,000-59,999 port range forces the traffic to travel via an additional hop. While logic tells us that we usually want to avoid additional hops under all circumstances, our analysis of call quality data has shown that this additional hop does not significantly affect call quality: since both Relay Servers are homed on the Microsoft network, all traffic between them is sent over a highly reliable pipe designed for real-time communication.

 

Our organization has these ports open, should we close them?

Having the 50,000-59,999 port range open can still have (some) benefits for call setup times and, under some circumstances, for call quality. However, in our data analysis and pilot deployments with some customers, these differences were not significant. If you have the ports open today, it makes sense to leave them open.

 

What does this change for hybrid between Skype for Business Server and Skype for Business Online?

This change only applies to users who are homed in Skype for Business Online. If you have an on-premises deployment of Skype for Business, the requirements for your Edge Server to communicate to Skype for Business Online remain unchanged (and also for any Federation scenarios including Skype for Business on-premises).

The A/V Edge Server in your environment will need to be configured like this. Please note that the Source Port is only relevant if your firewall requires a source port to be specified (and a lot of firewalls do not require this setting):

| Source IP | Destination IP | Source Port | Destination Port |
|---|---|---|---|
| A/V Edge service interface | Any | UDP 3478 | UDP 3478 |
| A/V Edge service interface | Any | TCP 50,000-59,999 | TCP 443 |
| Any | A/V Edge service interface | Any | UDP 3478 |
| Any | A/V Edge service interface | Any | TCP 443 |

 

Full requirements for Skype for Business Edge Server can be found here: Edge Server environmental requirements in Skype for Business Server 2015.

 

Does this change anything for Cloud Connector Edition?

No, the requirements for Cloud Connector Edition (see Plan for Skype for Business Cloud Connector Edition) remain unchanged.

 

Call to Action

  1. Celebrate the simplified port requirements
  2. Update any design templates you might have
  3. For future deployments, open only TCP 80, 443 and UDP 3478, 3479, 3480, 3481 per new guideline (and, optionally, 50,000-59,999 UDP and TCP)
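
A rule-set audit for step 3, as an added example (not code from this article or from Microsoft): it checks an egress rule list against the destination ports listed above and reports required ports that are blocked, the state of the optional 50,000-59,999 range, and allowed ports outside the guideline. The `Rule` format and the three sample rule sets are constructed for illustration, and the rules are assumed to be the ones scoped to Skype for Business Online destinations, evaluated first-match with an implicit deny.

```python
"""Audit client egress rules against the Skype for Business Online port list."""
from dataclasses import dataclass

# Destination ports from the article. Destination IPs/FQDNs are not modelled;
# they come from the Office 365 URLs and IP address ranges page.
REQUIRED = {"tcp": (80, 443), "udp": (3478, 3479, 3480, 3481)}
OPTIONAL = range(50000, 60000)  # 50,000-59,999, UDP and TCP, optional


@dataclass(frozen=True)
class Rule:
    """Hypothetical vendor-neutral rule: one line of an egress policy."""
    action: str  # "allow" or "deny"
    proto: str   # "tcp", "udp" or "any"
    ports: str   # "443", "80,443", "3478-3481" or "any"


def parse_ports(spec):
    """Turn a port spec into a list of inclusive (low, high) ranges."""
    if spec.strip().lower() == "any":
        return [(0, 65535)]
    spans = []
    for part in spec.replace(" ", "").split(","):
        low, _, high = part.partition("-")
        lo, hi = int(low), int(high or low)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        spans.append((lo, hi))
    return spans


def allowed_ports(rules, proto):
    """Ports permitted for proto: first matching rule wins, default deny."""
    compiled = [(r.action, parse_ports(r.ports))
                for r in rules if r.proto in (proto, "any")]
    allowed = set()
    for port in range(65536):
        for action, spans in compiled:
            if any(lo <= port <= hi for lo, hi in spans):
                if action == "allow":
                    allowed.add(port)
                break  # later rules are shadowed by this match
    return allowed


def audit(rules):
    """Compare a rule list with the article's required and optional ports."""
    report = {}
    optional = set(OPTIONAL)
    for proto, required in REQUIRED.items():
        allowed = allowed_ports(rules, proto)
        hits = len(allowed & optional)
        if hits == len(optional):
            state = "open"
        elif hits == 0:
            state = "closed"
        else:
            state = "partial"
        report[proto] = {
            "missing_required": sorted(set(required) - allowed),
            "optional_range": state,
            # Allowed ports that are neither required nor in the optional range.
            "excess_ports": len(allowed - set(required) - optional),
        }
    return report


# Constructed sample rule sets (not taken from any real firewall).
LEGACY_RULES = [          # old template: high range open, new UDP ports absent
    Rule("allow", "tcp", "80,443"),
    Rule("allow", "udp", "3478"),
    Rule("allow", "any", "50000-59999"),
]
SIMPLIFIED_RULES = [      # the new guideline, optional range closed
    Rule("allow", "tcp", "80,443"),
    Rule("allow", "udp", "3478-3481"),
]
MISCONFIGURED_RULES = [   # a deny shadows 3480, plus a stray port and half a range
    Rule("deny", "udp", "3480"),
    Rule("allow", "udp", "3478-3481"),
    Rule("allow", "tcp", "80,443,8080"),
    Rule("allow", "any", "50000-54999"),
]

if __name__ == "__main__":
    for name, rules in [("legacy", LEGACY_RULES),
                        ("simplified", SIMPLIFIED_RULES),
                        ("misconfigured", MISCONFIGURED_RULES)]:
        print(name, audit(rules))
```

An empty `missing_required` with `optional_range` of `closed` matches the simplified guideline; a `partial` result usually points at a stale rule left over from an older template.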

If you have any questions or comments, please let us know in the community.

 

This post is brought to you by Skype Academy. Visit Skype Academy for technical trainings and readiness around the Skype Operations Framework.

63 Comments
Copper Contributor

Great stuff!

 

Is this explicitly true for Cloud-PBX certified IP Phones from Polycom/Yealink/etc as well?

Microsoft

@Martin Koenig, yes, this applies to all supported clients. As mentioned there might be some benefits with opening the 50,000-59,999 range when it comes to call setup times, if this is something you are worried about.

When will it be available for Skype for Business Server?

Microsoft

@Ajay Kakkar, the server does not require inbound (from the internet to the Edge Server) traffic on the range 50,000-59,999 for UDP or TCP since Office Communications Server 2007 R2. The only time where it requires the port range is as a source port for traffic from the AV Edge Server to the Internet. You can find the complete table above and I also recommend watching Skype for Business media flows for all the details.

 

hth,

thomas

Brass Contributor

Does this also affect federated connections from On-Premises Edge to SfB Edge? Thx Christian Schindler

Microsoft

@Christian Schindler, no the on-premise requirements are staying the same as this will not change server to server traffic.

Brass Contributor

Thanks for the confirmation!

Copper Contributor

For QoSing SfB Cloud PBX, would you recommend port based or IP traffic prioritization?  If port based, QoS TCP443 would be bad since a lot of traffic rides on TCP 443, no?

Microsoft

@Daniel Koziupa, client port ranges can solve for parts of it -- 50,000-50,019 for Audio, 50,020-50,039 for Video and 50,040-50,059 for Sharing -- can solve for part of the problem. However, these ports are used only by PC and Mac client. In the future, you will be able to do tagging based on destination port (3479 UDP for Audio, 3480 UDP for Video, 3481 UDP for Sharing), but the rollout to all customers will take some time.

Copper Contributor

First of all, great article!

To reiterate your comment directed to me: for Skype for Business Online Cloud PBX, the optional 50,000 port range has not been fully implemented on all tenants and we should still consider it, but only later, correct?  If so how will we know when?  I am asking from a (a) keep ports open perspective, but more so from a (b) QoSing perspective.  I am debating to switch to a port based QoSing for traffic prioritization in one of our sites versus the IP based QoS technique we are using now for call quality, but your comment makes me question if it is ready.  What do you recommend?  Currently we are doing QoSing for SfB Cloud PBX w/ PSTN connection based on the IP address list here: https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-ab...

Copper Contributor

@Thomas Binder It appears to me that "Share Desktop" (and similar functions) still leverage the 50000-59999 port range. Is this the case? Is there a plan to update this function as well to use known ports?

Microsoft

@Josh Gillam, taking offline to understand the details.

Copper Contributor

Hi, so in many instances I have experienced, it takes a lot of effort to get Polycom SFB online qualified endpoints (Video codec and Desk SIP phones) to register to the SFB online server. Sometimes it is TIME settings related but on many failed occasions it has been said that some ports might need to be opened on the firewall. Do these ports stated in this article apply for initial client (Video codec and Desk SIP phones) registration and call setup purposes? Anybody with a similar experience with registration?

Copper Contributor

Hi, @Thomas Binder so in many instances I have experienced, it takes a lot of effort to get Polycom SFB online qualified endpoints (Video codec and Desk SIP phones) to register to the SFB online server. Sometimes it is TIME settings related but on many failed occasions it has been said that some ports might need to be opened on the firewall. Do these ports stated in this article apply for initial client (Video codec and Desk SIP phones) registration and call setup purposes? Anybody with a similar experience with registration?

Microsoft

@Akpevwe Egbelughe, the ports above are mostly for media -- for registration you will need port TCP 80 and 443.

 

Thanks for this article, Thomas.

Just a little question regarding these dynamic ports and their usefulness when video calls happen between a Skype client and a legacy one such as Lync.

I seem to recall that they are still used, no?

Microsoft

@laurent Teruin, yes the ports 50,000-59,999 will still be used for audio, video and sharing -- if they are open and can have positive effects on call setup times as well as call quality. However the effects are very small and do not outweigh the hassle that a lot of companies have to open them. For a detailed discussion I recommend to watch the following session from Ignite: https://myignite.microsoft.com/sessions/53247?source=sessions

how about microsoft surface hub whether it will use the same port

Microsoft

@Sankarasubramanian Parameswaran, since these are the ports on the service (not on the client) they apply to all clients.

Nope it is not working. when we approach surface hub team they told it will use 50,000 ports not 3478 ports....

 

 

Issue Definition: According to the O365 SfB documentation, the 50k+ ports are optional:

https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-ab...

But with the Hub's SfB client, they are not optional, and you have found that hosted calls/multi-party calls cannot establish media sessions to Skype for Business online unless those ports are opened.

Scope Agreement: This case will be considered resolved when we have updated the documentation to properly list the Hub's requirements or provided a timeline for when the Hub's SfB client will function like the desktop client in terms of port usage.

Microsoft

@Sankarasubramanian Parameswaran, thanks for raising this. I will look into this.

Thank you. Please keep us posted. Our network team is not ready to open all the ports for the Surface Hub.

Copper Contributor

Hi Thomas,

 

Thanks for your great post and regular answers!

 

Any plan to be able to set a proxy in the Skype for Business Client?

Or at least take the one set in a PAC file?

Microsoft

@bel.vincent Proxy Servers are not recommended, but Skype for Business will leverage the Proxy Server configured for your machine. A PAC file can be found here: https://support.office.com/en-us/article/Managing-Office-365-endpoints-99cab9d4-ef59-4207-9f2b-3728e...

Microsoft

@Sankarasubramanian Parameswaran, sorry I just realized I never closed the loop on your question regarding Surface Hub. For media Surface Hub will behave like the other clients -- it will try to connect via 50,000-59,999 port range if open, but 3478-81 UDP will be sufficient. So the guidance in the article applies fully to Surface Hub as well.

Hi Thomas

 

We have tried with 4 ports and it does not work. We have to open all the 50,000 ports to make it work.

 

 

We have another issue in Skype. We have opened all the ports for all our users for the Skype communication, and it fails with the error below for desktop sharing. Any thoughts?

error message

Call failed to establish due to a media connectivity failure when one endpoint is internal and the other is remote

Microsoft

@Sankarasubramanian Parameswaran, I recommend to open a case with support. Reasons can range from ports not open, missing IP ranges, proxy configuration, firewall configuration, etc.

Brass Contributor

I had a Case at a Customer where Desktop sharing with External users was constantly failing. All other modalities worked fine. We also checked ports, etc. several times. In the end I took a Network trace from an internal Client Machine. It turned out to be an issue with a security product they were using. All requests to TCP port 443 (remember: Desktop Sharing uses TCP 443) were redirected to a Proxy Server - regardless of Proxy Settings in the browser, etc. After we configured an exception in the security product to allow tcp 443 traffic to Edge Servers without a Proxy, everything started working... Just my 2 Cents, Cheers Christian

Do you have any recommendation of tools to verify the connections and port settings




 

Brass Contributor

Nothing Special. I started with a Client trace and analyzed it in Snooper. In the end I used Wireshark to trace all TCP Port 43 traffic... Cheers Christian

Microsoft

@Sankarasubramanian Parameswaran, for testing the ports I recommend the Skype for Business Network Assessment Tool. Running "NetworkAssessmentTool.exe /connectivitycheck" will allow you to test connectivity.

Sure. We will check. 

Iron Contributor

Do IP ranges get updated frequently for Skype for Business? Or if they are permitted on the firewall/proxy, are they good to go for a long time without making any changes?

 

Thanks




           

Microsoft

@Ali Fadavinia, unfortunately there are changes required from time to time. In the future we want this to be more stable, but admins will have to monitor the page to learn about IP changes. As mentioned in the article there is an RSS feed available, however we plan to enable more automated ways in the future as described here: Announcing: Office 365 endpoint categories and Office 365 IP Address and URL web service

Iron Contributor

Thank you Thomas for reaching out.


That would be great if this could be done in a dynamic way. It would be hard for Enterprises to make these changes manually.

 


 wrote:

Note: This article applies only to Office 365 Worldwide (including Government Community Cloud). For guidance on Office 365 operated by 21 Vianet, Office 365 Germany, Office 365 U.S. Government DoD or Office 365 U.S. Government GCC High click on the respective links.

 

We are happy to announce that the 50,000-59,999 port range (UDP and TCP) is no longer a requirement for Skype for Business endpoints to communicate with Skype for Business Online.

Earlier this year we talked about making simplification for network connectivity for Skype for Business Online (see blog article here) and we recently updated our guidance and removed the mentioned port range as a requirement: Office 365 URLs and IP address ranges

 

So which ports are required for clients?

All clients need to be able to directly connect to Skype for Business Online on the following destination ports: (the IP addresses and FQDNs can be found in the Office 365 URLs and IP address ranges)

  • TCP 80, 443
  • UDP 3478, 3479, 3480, 3481
  • Optional: UDP/TCP 50,000-59,999

     

    Is there a minimum client version required to benefit from the port changes?

    This change applies to all clients supported against Skype for Business Online. No clients are excluded and there are no specific minimum version required (although we always recommend to run the latest version).

     

    Why are these ports not required anymore?

    To answer this question, it is important to understand first how the 50,000-59,999 ports were used in the first place. (To understand all the details of their purpose, we recommend watching Troubleshoot media flows in Skype for Business across online, server and hybrid.)

    Let's have the following example:

    • User A wants to call User B
    • For the sake of the example, the direct connection between User A and User B is blocked (e.g. User and User B are at different branch offices behind firewalls), so the media traffic cannot go directly peer to peer and needs to flow via Skype for Business Online
    • There are now the following possible media paths
      • The 50,000-59,999 port range can be leveraged to include only a single Relay Server in the media path
      • Without the 50,000-59,999 port range, the traffic needs to travel via two Relay Server.

        As you can see, closing the 50,000-59,999 port range will force the traffic to travel via an additional hop. While logic tells us that usually we want to avoid additional hops under all circumstances, the analysis on call quality data has shown us, that this additional hop does not significantly affect call quality - since both these Relay Servers are homed on the Microsoft Network, all traffic between the Relay Servers is sent over a highly reliable pipe designed for real-time communication.

         

        Our organization has these ports open, should we close them?

        Having the 50,000-59,999 port range open can still have (some) benefits when it comes to call setup times and under some circumstances on call quality. However in our data analysis and pilot deployments with some customers these differences did not show significance. If you have the ports open today, it makes sense to leave them open.

         

        What does this change for hybrid between Skype for Business Server and Skype for Business Online?

        This change only applies to users who are homed in Skype for Business Online. If you have an on-premises deployment of Skype for Business, the requirements for your Edge Server to communicate to Skype for Business Online remain unchanged (and also for any Federation scenarios including Skype for Business on-premises).

        The A/V Edge Server in your environment will need to be configured liked this. Please note that the Source Port is only relevant, if your firewall requires a source port to be specified (and a lot of firewalls do not require this setting):

        Source IP

        Destination IP

        Source Port

        Destination Port

        A/V Edge service interface

        Any

        UDP 3478

        UDP 3478

        A/V Edge service interface

        Any

        TCP 50,000-59,999

        TCP 443

        Any

        A/V Edge service interface

        Any

        UDP 3478

        Any

        A/V Edge service interface

        Any

        TCP 443

         

        Full requirements for Skype for Business Edge Server can be found here: Edge Server environmental requirements in Skype for Business Server 2015.

         

        Does this change anything for Cloud Connector Edition?

        No, the requirements for Cloud Connector Edition (see Plan for Skype for Business Cloud Connector Edition) remain unchanged.

         

        Call to Action

        1. Celebrate about the simplified port requirements
        2. Update any design templates you might have
        3. For future deployments, open only TCP 80, 443 and UDP 3478, 3479, 3480, 3481 per new guideline (and, optionally, 50,000-59,999 UDP and TCP)

          If you have any questions or comments, please let us know in the community

           

          This post is brought to you by Skype Academy. Visit Skype Academy for technical trainings and readiness around the Skype Operations...



           wrote:

          Note: This article applies only to Office 365 Worldwide (including Government Community Cloud). For guidance on Office 365 operated by 21 Vianet, Office 365 Germany, Office 365 U.S. Government DoD or Office 365 U.S. Government GCC High click on the respective links.

           

          We are happy to announce that the 50,000-59,999 port range (UDP and TCP) is no longer a requirement for Skype for Business endpoints to communicate with Skype for Business Online.

          Earlier this year we talked about making simplification for network connectivity for Skype for Business Online (see blog article here) and we recently updated our guidance and removed the mentioned port range as a requirement: Office 365 URLs and IP address ranges

           

          So which ports are required for clients?

          All clients need to be able to directly connect to Skype for Business Online on the following destination ports: (the IP addresses and FQDNs can be found in the Office 365 URLs and IP address ranges)

          • TCP 80, 443
          • UDP 3478, 3479, 3480, 3481
          • Optional: UDP/TCP 50,000-59,999

             

            Is there a minimum client version required to benefit from the port changes?

            This change applies to all clients supported against Skype for Business Online. No clients are excluded and there are no specific minimum version required (although we always recommend to run the latest version).

             

            Why are these ports not required anymore?

            To answer this question, it is important to understand first how the 50,000-59,999 ports were used in the first place. (To understand all the details of their purpose, we recommend watching Troubleshoot media flows in Skype for Business across online, server and hybrid.)

            Let's have the following example:

            • User A wants to call User B
            • For the sake of the example, the direct connection between User A and User B is blocked (e.g. User A and User B are at different branch offices behind firewalls), so the media traffic cannot go directly peer to peer and needs to flow via Skype for Business Online
            • There are now the following possible media paths:
              • The 50,000-59,999 port range can be leveraged to include only a single Relay Server in the media path
              • Without the 50,000-59,999 port range, the traffic needs to travel via two Relay Servers.

                As you can see, closing the 50,000-59,999 port range will force the traffic to travel via an additional hop. While logic tells us that we usually want to avoid additional hops under all circumstances, analysis of call quality data has shown us that this additional hop does not significantly affect call quality: since both of these Relay Servers are homed on the Microsoft Network, all traffic between the Relay Servers is sent over a highly reliable pipe designed for real-time communication.

                 

                Our organization has these ports open, should we close them?

                Having the 50,000-59,999 port range open can still have (some) benefits for call setup times and, under some circumstances, for call quality. However, in our data analysis and pilot deployments with some customers, these differences were not significant. If you have the ports open today, it makes sense to leave them open.

                 

                What does this change for hybrid between Skype for Business Server and Skype for Business Online?

                This change only applies to users who are homed in Skype for Business Online. If you have an on-premises deployment of Skype for Business, the requirements for your Edge Server to communicate to Skype for Business Online remain unchanged (and also for any Federation scenarios including Skype for Business on-premises).

                The A/V Edge Server in your environment will need to be configured like this. Please note that the Source Port is only relevant if your firewall requires a source port to be specified (and a lot of firewalls do not require this setting):

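                | Source IP                  | Destination IP             | Source Port       | Destination Port |
                |----------------------------|----------------------------|-------------------|------------------|
                | A/V Edge service interface | Any                        | UDP 3478          | UDP 3478         |
                | A/V Edge service interface | Any                        | TCP 50,000-59,999 | TCP 443          |
                | Any                        | A/V Edge service interface | Any               | UDP 3478         |
                | Any                        | A/V Edge service interface | Any               | TCP 443          |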

                 

                Full requirements for Skype for Business Edge Server can be found here: Edge Server environmental requirements in Skype for Business Server 2015.

                 

                Does this change anything for Cloud Connector Edition?

                No, the requirements for Cloud Connector Edition (see Plan for Skype for Business Cloud Connector Edition) remain unchanged.

                 

                Call to Action

                1. Celebrate the simplified port requirements
                2. Update any design templates you might have
                3. For future deployments, open only TCP 80, 443 and UDP 3478, 3479, 3480, 3481 per new guideline (and, optionally, 50,000-59,999 UDP and TCP)
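The check below is an added example, not Microsoft tooling or code from the original article: it audits a firewall rule export against the client destination ports listed above and reports whether the optional 50,000-59,999 range is still fully open. The `allow <proto> <port>[-<port>]` export format, the function names and the sample rules are assumptions made up for illustration.

```python
import re

# Destination ports from the article: required, plus the now-optional range
REQUIRED = [("tcp", 80), ("tcp", 443)] + [("udp", p) for p in range(3478, 3482)]
OPTIONAL_RANGE = (50000, 59999)
# Hypothetical rule-export format: "allow <tcp|udp> <port>[-<port>]"
RULE = re.compile(r"^allow\s+(tcp|udp)\s+(\d+)(?:-(\d+))?$")

def parse_rules(text):
    """Return {proto: [(low, high), ...]} from the rule export."""
    spans = {"tcp": [], "udp": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule: {raw!r}")
        low, high = int(m.group(2)), int(m.group(3) or m.group(2))
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"bad port range: {raw!r}")
        spans[m.group(1)].append((low, high))
    return spans

def covered(spans, low, high):
    """True if every port in low..high falls inside the union of spans."""
    next_needed = low
    for s_low, s_high in sorted(spans):
        if s_low > next_needed:
            break                      # hole before this span starts
        next_needed = max(next_needed, s_high + 1)
    return next_needed > high

def audit(text):
    """Return (missing required ports, {proto: optional range fully open?})."""
    spans = parse_rules(text)
    missing = [f"{p.upper()} {n}" for p, n in REQUIRED if not covered(spans[p], n, n)]
    optional = {proto: covered(spans[proto], *OPTIONAL_RANGE) for proto in spans}
    return missing, optional

# Constructed sample export
SAMPLE = """\
allow tcp 80
allow tcp 443
allow udp 3478-3480      # 3481 left out
allow tcp 3478-3481      # TCP does not satisfy the UDP requirement
allow udp 50000-54999
allow udp 55000-59999
"""
```

Calling `audit(SAMPLE)` flags UDP 3481 as missing and shows the optional range fully open for UDP only, since the two adjacent UDP rules are merged before the coverage check.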

                  If you have any questions or comments, please let us know in the community

                   

                  This post is brought to you by Skype Academy. Visit Skype Academy for technical trainings and readiness around the Skype Operations...




We have allowed some IP addresses in our firewall but are not sure we allowed all the IP addresses. How can we validate the missing IP addresses and update accordingly? Do you have any tool to check this?

Iron Contributor

If it is for Skype for Business, here are the IPs:

 


 

Main Link: Here

How will we compare the existing allowed IP addresses and find what is missed? Should we compare with Excel, or would any other tool help us validate this?

Is it applicable to Teams?

Iron Contributor

Excel could be one option. Use VLOOKUP maybe
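One way to do the comparison asked about in this thread, as an added example that is not part of any post and is not a Microsoft tool: it reports the parts of each required range that the firewall's allow list does not cover, and allow-list entries that match nothing required. The function names are hypothetical and the sample ranges are constructed documentation addresses, not real Office 365 endpoints; the required list would come from the published Office 365 URLs and IP address ranges.

```python
import ipaddress

def _nets(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def _collapse(nets):
    # collapse_addresses() rejects mixed IPv4/IPv6 input, so merge per version
    merged = []
    for version in (4, 6):
        merged += ipaddress.collapse_addresses([n for n in nets if n.version == version])
    return merged

def missing_ranges(required, allowed):
    """Map each required CIDR to the parts of it that no allowed CIDR covers."""
    allowed_nets = _collapse(_nets(allowed))
    gaps = {}
    for cidr in required:
        remaining = _nets([cidr])
        for rule in allowed_nets:
            still_open = []
            for piece in remaining:
                if piece.version != rule.version or not piece.overlaps(rule):
                    still_open.append(piece)      # rule does not touch this piece
                elif not piece.subnet_of(rule):
                    # rule sits inside the piece: keep what is left around it
                    still_open.extend(piece.address_exclude(rule))
            remaining = still_open                # pieces inside the rule are dropped
        if remaining:
            gaps[cidr] = [str(n) for n in _collapse(remaining)]
    return gaps

def stale_rules(required, allowed):
    """Allowed CIDRs that overlap no required range (candidates for removal)."""
    req = _nets(required)
    return [a for a, net in zip(allowed, _nets(allowed))
            if not any(r.version == net.version and r.overlaps(net) for r in req)]

# Constructed sample data (documentation ranges, not real Office 365 endpoints)
REQUIRED = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.7/32",
            "203.0.113.200/32", "2001:db8:1::/48"]
ALLOWED = ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/26",
           "198.51.100.128/25", "203.0.113.0/28", "2001:db8::/32", "10.20.0.0/16"]

if __name__ == "__main__":
    print("missing:", missing_ranges(REQUIRED, ALLOWED))
    print("stale:  ", stale_rules(REQUIRED, ALLOWED))
```

Unlike a row-by-row VLOOKUP, this treats a range as covered when several smaller rules add up to it or a larger rule contains it, and it names the exact sub-range that is still missing.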

Brass Contributor

In an optimal scenario your firewall can handle DNS-based rules. Then you don't need to change IP ranges monthly... This is an area where FW vendors definitely need to improve... Christian

We have allowed *lync.com with the port numbers 3478-3481, and when we ran the Skype network assessment tool it shows blocked. Not sure why.

Microsoft

@Christian Schindler, @Sankarasubramanian Parameswaran, DNS based rules would not work as not all of the IPs are mapped to DNS entries. You need to allow all the IP ranges and all the FQDNs.

Is there any automated way to update the IP addresses instead of manual entry in the firewall?

Copper Contributor

Hi @Thomas Binder

Thanks for the article.

Do you know of any client/endpoint requirements in order to make use of these new ports?

In other words, will we need to update our SfB PC clients, or Polycom endpoint/room devices firmware to use these ports?

I'm guessing these ports will be offered during the call setup and negotiated?

Cheers, Jason

Microsoft

@Jason Jacobs, while we highly recommend to stay always up to date on our latest clients (for various improvements), there are no minimum version requirements for the new ports. Lync 2010 clients will not support the new ports at all, but they will just continue to leverage the existing ports.

 

hth,

thomas

Copper Contributor

 Thanks Thomas

Iron Contributor

< My  Question is specifically for Skype for Business Enterprise - NOT O365 >

 

Besides the IP Address Ranges & Port Requirements for SfB- that we need to be sure they are whitelisted in our Firewall & Proxy Servers- What are the other requirements necessary to be considered?

I need a very clear concise answer, it is really appreciated. [ I feel like a loop in the links provided by Microsoft, they are just pointing one to another.]

 

Here are some thoughts & questions:

 

1) Is there any checklist/roadmap or action plan to check a full A-Z actions that should be taken?

 

Something like this: Actions to take to be sure skype for business online is functioning properly across your offices, branches, and organization:

1) check ports 

2) check IP ranges

3) FQDN and IP Address endpoints

...

 

2) For SfB, do we need to whitelist FQDNs also if we have already deployed and whitelisted IPV4, IPV6 ranges? or it is a redundant task?

 

3) For SfB, do we need to add PAC file in the proxy server to implement the principles?

                     [ same as what advised for Office 365:

Use our PAC files to implement the principles below.

 

Bypass your proxy for all FQDN/CIDR paired and CIDR prefix only destinations, such as row 2 and 3 in portal and shared.

 

Bypass your proxy or remove inspection, authentication, reputation lookup services for any FQDNs marked required without a CIDR prefix, such as row 5 in portal and shared.

 

For any remaining optional FQDNs, wildcards, DNS, CDN, CRL, or other unpublished destinations requested by Office 365 services, ensure clients can access them over the Internet.] 

4) For SfB, do we need to reach Office 365 worldwide endpoints?

          [ same as what advised for Office 365:

[{"instance":"O365Worldwide","latest":"2018033000"},{"instance":"O365China","latest":"2018033000"},{"instance":"O365Germany","latest":"2018033000"},{"instance":"O365USGovDoD","latest":"2018033000"},{"instance":"O365USGovGCCHigh","latest":"2018033000"}

        ]

 

5) any other extra things should be considered?

 

Thank you in advance for your professional advice, time, and cooperation,

Ali

 

Bronze Contributor

When you have a company which does not allow direct connections through the external FWs, they need to live with proxy servers. Wishing to see, that Microsoft not so actively forgot this use case :(

 

Also, not sure why the P2P was not included to this either. Corporates do have corporate FWs between the clients itself. So allowing the P2P calls through the FWs is a good idea, as it is much better than via Proxy to Skype Online. At least I haven't found - with my blind eyes - where are list of the P2P ports. I know there are some blog articles etc. but the official document I have not found.

Version history
Last update:
‎Dec 12 2017 10:39 PM
Updated by: