Simplified port requirements for Skype for Business Online
Published Jun 12 2017 11:59 AM 186K Views
Microsoft

Note: This article applies only to Office 365 Worldwide (including Government Community Cloud). For guidance on Office 365 operated by 21 Vianet, Office 365 Germany, Office 365 U.S. Government DoD or Office 365 U.S. Government GCC High click on the respective links.

 

We are happy to announce that the 50,000-59,999 port range (UDP and TCP) is no longer a requirement for Skype for Business endpoints to communicate with Skype for Business Online.

Earlier this year we talked about simplifying network connectivity for Skype for Business Online (see blog article here), and we recently updated our guidance to remove this port range as a requirement: Office 365 URLs and IP address ranges

 

So which ports are required for clients?

All clients need to be able to connect directly to Skype for Business Online on the following destination ports (the IP addresses and FQDNs are listed in Office 365 URLs and IP address ranges):

  • TCP 80, 443
  • UDP 3478, 3479, 3480, 3481
  • Optional: UDP/TCP 50,000-59,999
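
One way to check an outbound firewall policy against the port list above, as an added example that is not part of the original article. The rule tuple format, the first-match evaluation with an implicit default deny, and the sample rules are assumptions constructed for illustration; only the required and optional ports come from the list.

```python
# Added example: audit an outbound firewall policy against the client port
# list above. Rule format and sample rules are constructed for illustration.

REQUIRED = [("tcp", 80), ("tcp", 443),
            ("udp", 3478), ("udp", 3479), ("udp", 3480), ("udp", 3481)]
OPTIONAL_RANGE = (50000, 59999)  # UDP/TCP, optional per the article

def verdict(rules, proto, port):
    """First matching rule wins; no match means implicit deny (assumption)."""
    for action, r_proto, lo, hi in rules:
        if r_proto in (proto, "any") and lo <= port <= hi:
            return action
    return "deny"

def audit(rules):
    """Return (missing required ports, optional-range status per protocol)."""
    missing = [(p, n) for p, n in REQUIRED if verdict(rules, p, n) != "allow"]
    optional = {}
    lo, hi = OPTIONAL_RANGE
    total = hi - lo + 1
    for proto in ("tcp", "udp"):
        allowed = sum(verdict(rules, proto, n) == "allow"
                      for n in range(lo, hi + 1))
        optional[proto] = ("open" if allowed == total
                           else "closed" if allowed == 0 else "partial")
    return missing, optional

# Constructed policy: (action, protocol, first dst port, last dst port)
SAMPLE_RULES = [
    ("deny",  "udp", 3480, 3481),    # stale block that shadows the next rule
    ("allow", "udp", 3478, 3481),
    ("allow", "tcp", 443, 443),
    ("allow", "tcp", 50000, 59999),
]

if __name__ == "__main__":
    missing, optional = audit(SAMPLE_RULES)
    for proto, port in missing:
        print(f"MISSING required {proto.upper()} {port}")
    for proto, state in optional.items():
        print(f"optional {proto.upper()} 50,000-59,999: {state}")
```

Evaluating each port through the ordered rule list, rather than searching for an allow rule, is what exposes the shadowed UDP 3480 and 3481 entries in the sample policy.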

 

Is there a minimum client version required to benefit from the port changes?

This change applies to all clients supported against Skype for Business Online. No clients are excluded and there is no specific minimum version required (although we always recommend running the latest version).

 

Why are these ports not required anymore?

To answer this question, it is important to understand first how the 50,000-59,999 ports were used in the first place. (To understand all the details of their purpose, we recommend watching Troubleshoot media flows in Skype for Business across online, server and hybrid.)

Consider the following example:

  • User A wants to call User B
  • For the sake of the example, the direct connection between User A and User B is blocked (e.g. User A and User B are at different branch offices behind firewalls), so the media traffic cannot go directly peer to peer and needs to flow via Skype for Business Online
  • There are now the following possible media paths
    • The 50,000-59,999 port range can be leveraged to include only a single Relay Server in the media path
    • Without the 50,000-59,999 port range, the traffic needs to travel via two Relay Servers.

As you can see, closing the 50,000-59,999 port range forces the traffic to travel via an additional hop. While logic tells us that we usually want to avoid additional hops, our analysis of call quality data has shown that this additional hop does not significantly affect call quality: both Relay Servers are homed on the Microsoft Network, so all traffic between them is sent over a highly reliable pipe designed for real-time communication.

 

Our organization has these ports open, should we close them?

Having the 50,000-59,999 port range open can still have (some) benefits for call setup times and, under some circumstances, for call quality. However, in our data analysis and pilot deployments with some customers, these differences were not significant. If you have the ports open today, it makes sense to leave them open.

 

What does this change for hybrid between Skype for Business Server and Skype for Business Online?

This change only applies to users who are homed in Skype for Business Online. If you have an on-premises deployment of Skype for Business, the requirements for your Edge Server to communicate to Skype for Business Online remain unchanged (and also for any Federation scenarios including Skype for Business on-premises).

The A/V Edge Server in your environment will need to be configured like this. Please note that the Source Port is only relevant if your firewall requires a source port to be specified (and a lot of firewalls do not require this setting):

Source IP                    Destination IP               Source Port         Destination Port
---------------------------  ---------------------------  ------------------  ----------------
A/V Edge service interface   Any                          UDP 3478            UDP 3478
A/V Edge service interface   Any                          TCP 50,000-59,999   TCP 443
Any                          A/V Edge service interface   Any                 UDP 3478
Any                          A/V Edge service interface   Any                 TCP 443
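
The table above encoded as data with a flow matcher, as an added example that is not part of the original article, to show where the Source Port column matters and that 50,000-59,999 appears only as a source range. The names `EDGE`, `peer`, `matching_row` and `filter_source_port`, and the sample flows, are assumptions made for illustration.

```python
# Added example: the A/V Edge table above encoded as data, with a matcher that
# shows how the Source Port column behaves. "EDGE" stands for the A/V Edge
# service interface; "peer" and the flows below are constructed.

ANY = None  # wildcard for an endpoint or a source port

# (source, destination, protocol, source port range, destination port)
EDGE_RULES = [
    ("EDGE", ANY, "udp", (3478, 3478), 3478),
    ("EDGE", ANY, "tcp", (50000, 59999), 443),
    (ANY, "EDGE", "udp", ANY, 3478),
    (ANY, "EDGE", "tcp", ANY, 443),
]

def matching_row(src, dst, proto, sport, dport, filter_source_port=True):
    """Return the 1-based table row that permits the flow, or None.

    filter_source_port=False models a firewall that does not evaluate source
    ports, in which case the Source Port column is ignored.
    """
    for row, (r_src, r_dst, r_proto, r_sports, r_dport) in enumerate(EDGE_RULES, 1):
        if (r_proto, r_dport) != (proto, dport):
            continue
        if r_src is not ANY and r_src != src:
            continue
        if r_dst is not ANY and r_dst != dst:
            continue
        if filter_source_port and r_sports is not ANY:
            lo, hi = r_sports
            if not lo <= sport <= hi:
                continue
        return row
    return None

if __name__ == "__main__":
    flows = [  # (src, dst, proto, source port, destination port), constructed
        ("EDGE", "peer", "tcp", 51000, 443),
        ("EDGE", "peer", "tcp", 40000, 443),
        ("EDGE", "peer", "tcp", 443, 51000),
        ("peer", "EDGE", "udp", 12345, 3478),
    ]
    for flow in flows:
        print(flow, "-> row", matching_row(*flow))
```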

 

Full requirements for Skype for Business Edge Server can be found here: Edge Server environmental requirements in Skype for Business Server 2015.

 

Does this change anything for Cloud Connector Edition?

No, the requirements for Cloud Connector Edition (see Plan for Skype for Business Cloud Connector Edition) remain unchanged.

 

Call to Action

  1. Celebrate the simplified port requirements
  2. Update any design templates you might have
  3. For future deployments, open only TCP 80, 443 and UDP 3478, 3479, 3480, 3481 per the new guideline (and, optionally, 50,000-59,999 UDP and TCP)

If you have any questions or comments, please let us know in the community.

 

This post is brought to you by Skype Academy. Visit Skype Academy for technical trainings and readiness around the Skype Operations Framework.

63 Comments
Deleted
Not applicable

@Thomas Binder I'm performing some Wireshark traces and I see traffic from the Skype for Business Online service coming in on the new UDP ports; however, my client continues to use the high ports. My client is Skype for Business 2016 MSO (16.0.9029.2106). Can you help me understand what would be preventing it from utilizing the new ports?

 

I ran the connectivity test and here is one of the entries:

Starting Connectivity checks
Relay : 13.107.64.2 is reachable using Protocol UDP and Port 3478

Microsoft

@Deleted, the Skype for Business client will always communicate to its own relay via 3478 UDP (respectively 443 TCP if using TCP), however when talking to the relay of the person (or conferencing server) the client wants to talk to, it will still leverage the 50,000-59,999 UDP/TCP port range if the port range is open. If the port range is closed, it will always talk to its own relay via 3478 UDP and traffic will be relayed from there to either directly the other end point or the relay of the other endpoint.

 

Summary: it is expected for the client to use 50,000-59,999 UDP/TCP if it can. If it can't it will still work and be fully supported.

Deleted
Not applicable

@Thomas Binder thank you for the feedback. I was wondering if I needed to update the group policy for QoS to use the new ports?

 

  • Audio
    • Ports 50,000-50,019 (Source)
    • DSCP marking of 46
  • Video
    • Ports 50,020-50,039 (Source)
    • DSCP marking of 34
  • File Transfer
    • Ports 50,040-50,059 (Source)
    • DSCP marking of 18
  • Application Sharing
    • Ports 50,040-50,059 (Source)
    • DSCP marking of 18
Microsoft

@Deleted, no need to change the QoS policy as the client ports remain unchanged. 3478 UDP, 443 TCP and 50,000-59,999 UDP/TCP are referring to the service port.

Deleted
Not applicable

@Thomas Binder Thank you very much for clarifying. 

Copper Contributor

@Thomas Binder - for federation between a Skype online organization and a Skype on-premises organization, is it required to open the 50000-59999 ports?

 

And if we are allowing all Office 365 IPs on our firewall, do we also need to allow FQDNs?

Microsoft

@Abhinay Sharma, yes as laid out in the table above you need for TCP the 50,000-59,999 as source -- so this is only relevant if you are configuring source ports on your firewall. And yes, you need to open the IPs and the FQDNs.

Copper Contributor

@Thomas Binder - thanks for the response Thomas, just one more thing: we need to know if we need to open 50,000-59,999 (TCP/UDP) as destination ports?

 

Microsoft

@Abhinay Sharma, 50,000-59,999 UDP/TCP are not required as destination ports.

Bronze Contributor

What are the port requirements for P2P calls?

UserA: OnPrem Skype user.

UserB: Skype Online user.

 

In case UserA is located in site 1 and UserB is located in site 2 but there is a FW between them, how could we allow the P2P calls for them? At the moment, when UserA is calling UserB I can see UserB gives a 50k port back to UserA, while UserA offers the candidates based on the conferencing configuration on the on-premises Skype.

 

If I read this: You can't connect to Skype for Business Online, or certain features don't work, because an on-premis... you perhaps could read from between lines P2P is using:
Audio (UDP/TCP): 50000 - 50019
Video (UDP/TCP): 50020 - 50039
Desktop Sharing (UDP/TCP): 50040 - 50059

 

Microsoft

@Petri X, Skype for Business Online should always use the following ports on the client side:

Audio (UDP/TCP): 50000 - 50019
Video (UDP/TCP): 50020 - 50039
Desktop Sharing (UDP/TCP): 50040 - 50059

 

For Skype for Business Server you can configure which ports to use. I would recommend using the same port ranges.

 

hth,

thomas

Copper Contributor

We have all ports opened on our firewall and also matched the same with the results of the connectivity analyser, but Skype for Business consult and transfer is still failing for one of our clients. They are using SFB Phone Numbers, and in this scenario the main number is receiving a call from an external user and then a consult and transfer from the main number to an internal user is failing with the error "Transfer Failed"; normal blind transfer works fine. We are using the MS recommended Yealink Phone (Yealink TS 48S) with the MS approved firmware on it.

Microsoft

@Shebin_CMGi123, I recommend to open a case with support.

Version history
Last update: Dec 12 2017 10:39 PM