Simplifying port requirements for O365

Microsoft

Does your company policy have restrictions on which ports can be opened? We are simplifying our port requirements and removing the need to have 50K port ranges opened. If you are interested in this change and helping us validate, please contact chermali@microsoft.com for more information.

 

Thanks,

Chermaine

2 Replies

I am interested

Hi all,

 

We are ready to expand this program and invite more customers to participate. Details of the port simplification are listed below. If you are interested, please reach out to me prior to making this change so we can ensure a smooth experience for your organization.

 

Port requirements for audio/video are located at: https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-ab... "Skype for Business Online" - "Expand to see the Skype for Business Online FQDNs" section, row # 5. We currently require Destination Ports to include TCP/443, UDP 3478-3481, and TCP/UDP 50,000 – 59,000. We are reducing the ports by removing the requirement for TCP/UDP 50000-59000.

 

 

| Row | Purpose | Source \| Credentials | Source Port | Destination | CDN | ExpressRoute for Office 365 | Destination IP | Destination Port |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 5 | Required: Audio, Video, & Desktop sharing | Client Computer \| Logged on user | TCP/UDP 50,000-50019, TCP/UDP 50,020-50039, & TCP/UDP 50,040-50059 | *.lync.com | No | Yes | Skype for Business IP ranges. | TCP 443, UDP 3478, 3479, 3480, & 3481, TCP/UDP 50,000-59,999 |

 

New recommendation for customers is to open the following firewall ports for Skype for Business Online media services:

Outbound TCP src=any dst=<edge/TR public IP range, both VIP & DIP>:443

Outbound UDP src=any dst=<edge/TR public IP range, both VIP&DIP>:3478

 

In addition, we will add 3 new ports for forward compatibility with future m-turn protocol:

Outbound UDP src=any, dst=<TR public IP range, DIP only>:3479 - 3481

 

Additional notes:

  • QoS is not impacted and there are no recommended changes to source ports.
  • Customers can continue to have 50K ports open for potential optimization as it allows the client to bypass relay and have fewer intermediate nodes.
  • This change is recommended for O365 customers only. There is no change to port guidelines for onprem or hybrid customers. 

 Sanity check after making the changes:

  • Have a user join an audio/video + app-sharing conference from outside the corp network using a SfB client.
  • Have a user join an audio/video + app-sharing conference from outside the corp network using LWA client.
  • Have a user join a conference from outside the corp network via PSTN.
  • Establish a P2P audio/video + app-sharing conversation with a user outside of the corp network.

 

Thanks,

Chermaine
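
An added example, not part of the original thread or any Microsoft tooling: a small Python check of an outbound allow-list against the ports listed in the post above, reporting required ports that are not open to the whole destination range and whether the optional 50,000-59,999 range is still open. The rule format, the `SFB_RANGE` placeholder (an RFC 5737 documentation block) and the sample rules are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    proto: str    # "tcp" or "udp"
    dst: str      # destination CIDR the outbound allow rule applies to
    ports: range  # allowed destination ports

# Placeholder (RFC 5737 documentation block, constructed) standing in for the
# published Skype for Business Online edge/TR public IP range.
SFB_RANGE = "203.0.113.0/24"
# From the post: TCP 443 and UDP 3478, plus UDP 3479-3481 for forward compatibility.
REQUIRED = [("tcp", 443), ("udp", 3478), ("udp", 3479), ("udp", 3480), ("udp", 3481)]
LEGACY = range(50000, 60000)  # TCP/UDP 50,000-59,999: no longer required, still optional

def covers(rule, dst_cidr):
    """True if the rule's destination contains the whole target range."""
    target, net = ipaddress.ip_network(dst_cidr), ipaddress.ip_network(rule.dst)
    return target.version == net.version and target.subnet_of(net)

def audit(rules, dst_cidr=SFB_RANGE):
    """Return (missing required proto/port pairs, protocols with legacy range open)."""
    missing = [f"{proto}/{port}" for proto, port in REQUIRED
               if not any(r.proto == proto and port in r.ports and covers(r, dst_cidr)
                          for r in rules)]
    legacy = sorted({r.proto for r in rules if covers(r, dst_cidr)
                     and r.ports.start < LEGACY.stop and LEGACY.start < r.ports.stop})
    return missing, legacy

# Constructed sample rule set: UDP 3479-3481 is allowed to only half the range.
SAMPLE_RULES = [
    Rule("tcp", "0.0.0.0/0", range(443, 444)),
    Rule("udp", "203.0.113.0/24", range(3478, 3479)),
    Rule("udp", "203.0.113.0/25", range(3479, 3482)),
    Rule("tcp", "203.0.113.0/24", range(50000, 60000)),
]

if __name__ == "__main__":
    missing, legacy = audit(SAMPLE_RULES)
    print("missing required:", missing or "none")
    print("legacy 50000-59999 still open for:", legacy or "none")
```

A non-empty `missing` list means media would fail or fall back before the sanity checks in the post are even attempted; a non-empty legacy list is informational, since the post allows keeping that range open.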