Deploying a Survivable Branch Appliance (SBA) into a Skype for Business topology takes a bit of planning. As part of the planning exercise you will no doubt be discussing what firewall ports are required in order to deploy the SBA securely from both external and internal source based attacks. Reading documentation from various sources online, I have yet to find a definitive and concise firewall rule table that addresses an SBA directly. However, breaking down an SBA into components it contains:
- Session Border Controller
- Skype for Business Mediation Server (collocated)
- Skype for Business Registrar Server (collocated)
- Skype for Business CMS local replica (collocated)
With this in mind I have collected all the ports required for a SBA deployment in a security conscious network.
Note: that these ports relate to the Sonus SBC 1000/2000 with the ASM SBA module installed. Other manufacturers of SBA’s may have other port requirements.
The above conceptual diagram lists all the ports and protocols required for an SBA to operate in a locked-down internal WAN. For a more descriptive break down of these ports please see the tables below.
Download the Visio Here: SBA FW Diagram
Administrator Computers and SBA
| Source |
Protocol / Port |
Destination |
Protocol / Port |
Description |
| Administrator IP |
TCP/Any |
ASM IP |
TCP/3389 |
Remote Desktop |
| Administrator IP |
TCP/Any |
SBC Mgmt IP |
TCP/443 |
SBC Management |
ASM and SBC
| Source |
Protocol / Port |
Destination |
Protocol / Port |
Description |
| SBC IP |
UDP/Any |
ASM IP |
UDP/111 |
File share between ASM and Sonus SBC (updating) |
| SBC IP |
TCP/Any |
ASM IP |
TCP/111 |
File share between ASM and Sonus SBC (updating) |
| SBC IP |
UDP/Any |
ASM IP |
UDP/1048 |
Mount used between ASM and SBC (file share) |
| SBC IP |
UDP/Any |
ASM IP |
UDP/2049 |
NFS used to share between ASM and SBC |
| SBC IP |
UDP/Any |
ASM IP |
UDP/514 |
Syslog used to send logs from ASM to SBC |
| SBC IP |
TCP/Any |
ASM IP |
TCP/5067 |
Used for SIP requests from SBC to ASM |
| ASM IP |
TCP/Any |
ASM IP |
TCP/5067 |
Used for SIP requests from ASM to SBC |
| SBC IP |
UDP/Any |
ASM IP |
UDP/49152-57500 |
Audio Port range |
| ASM IP |
UDP/Any |
SBC IP |
UDP/16384-17584 |
Audio Port range |
SBC and PSTN (via SIP Provider)
These will be provided by your ITSP provider
ASM and Domain Controllers
| Source |
Protocol / Port |
Destination |
Protocol / Port |
Description |
| ASM IP |
TCP/Any |
DC IP |
TCP/88 |
Kerberos Authentication |
| ASM IP |
UDP/Any |
DC IP |
UDP/123 |
Synch with time service |
| ASM IP |
TCP/Any |
DC IP |
TCP/135 |
RPC Endpoint Mapper (client to domain) |
| ASM IP |
TCP/Any |
DC IP |
TCP/53 |
DNS Resolution |
| ASM IP |
UDP/Any |
DC IP |
UDP/53 |
DNS Resolution |
| ASM IP |
TCP/Any |
DC IP |
TCP/389 |
LDAP queries |
| ASM IP |
UDP/Any |
DC IP |
UDP/389 |
LDAP Ping |
| ASM IP |
TCP/Any |
DC IP |
TCP/445 |
Microsoft AD File replication service |
| ASM IP |
TCP/Any |
DC IP |
TCP/3268 |
Global Catalog |
| ASM IP |
TCP/Any |
DC IP |
TCP/49152-65535 |
RPC Dynamic Ports (allow auto submit certificate to DC) |
ASM and Central Skype for Business Front End Server
| Source |
Protocol / Port |
Destination |
Protocol / Port |
Description |
| ASM IP |
TCP/Any |
Front End Servers |
TCP/444 |
HTTPS Communication between Skype for Business servers (conference state) |
| Front End Servers |
TCP/Any |
ASM IP |
TCP/444 |
HTTPS Comunication between Skype for Business servers (conference state) |
| ASM IP |
TCP/Any |
Front End Servers |
TCP/5061 |
Internal SIP communications |
| Front End Servers |
TCP/Any |
ASM IP |
TCP/5061 |
Internal SIP communications |
| ASM IP |
TCP/Any |
Front End Servers |
TCP/448 |
Call Admission Control |
| ASM IP |
TCP/Any |
Front End Servers |
TCP/5088 |
Required by UCWA / Mobile clients |
ASM and CMS Master
| Source |
Protocol / Port |
Destination |
Protocol / Port |
Description |
| CMS IP |
TCP/Any |
ASM IP |
TCP/445 |
Status updates |
| CMS IP |
TCP/Any |
ASM IP |
TCP/4443 |
CMS Replication |
| CMS IP |
TCP/Any |
ASM IP |
TCP/444 |
Internal communication for Skype for Business servers |
ASM and Exchange Unified Messaging
| Source |
Protocol / Port |
Destination |
Protocol / Port |
Description |
| ASM IP |
TCP/Any |
Exchange UM IP |
TCP/5061 |
SIP signalling and communication |
| Exchange UM IP |
TCP/Any |
ASM IP |
TCP/5061 |
SIP signalling and communication |
| ASM IP |
TCP/Any |
Exchange UM IP |
TCP/5075 |
SIP signalling for presence and IM |
| Exchange UM IP |
TCP/Any |
ASM IP |
TCP/5075 |
SIP signalling for presence and IM |
| ASM IP |
UDP/Any |
Exchange UM IP |
UDP/1024-65535 |
Media Port Range |
| Exchange UM IP |
UDP/Any |
ASM IP |
UDP/102-65535 |
Media Port Range |
ASM and Central Skype for Business Edge Servers
| Source |
Protocol / Port |
Destination |
Protocol / Port |
Description |
| ASM IP |
TCP/Any |
Edge Internal IP |
TCP/5062 |
SIP Connections for MRAS |
| Edge Internal IP |
TCP/Any |
ASM IP |
TCP/5062 |
SIP Connections for MRAS |
| ASM IP |
TCP/Any |
Edge Internal IP |
TCP/5061 |
SIP TLS |
| Edge Internal IP |
TCP/Any |
ASM IP |
TCP/5061 |
SIP TLS |
ASM and Monitoring Servers
| Source |
Protocol / Port |
Destination |
Protocol / Port |
Description |
| ASM IP |
TCP/Any |
SCOM IP |
TCP/135 |
SMB |
| ASM IP |
TCP/Any |
SCOM IP |
TCP/389 |
LDAP |
| ASM IP |
TCP/Any |
SCOM IP |
TCP/1801 |
Used for Monitoring service |
| ASM IP |
TCP/Any |
SCOM IP |
TCP/2101-2105 |
Used for Monitoring service |
ASM and Branch Clients
| Source |
Protocol / Port |
Destination |
Protocol / Port |
Description |
| ASM IP |
TCP/Any |
All Branch Client IPs |
TCP/5061 |
SIP Signalling |
| All Branch Client IPs |
TCP/Any |
ASM IP |
TCP/5061 |
SIP Signalling |
| ASM IP |
UDP/Any |
All Branch Client IPs |
UDP/49152-65535 |
Audio and Video Media Port range |
| All Branch Client IPs |
UDP/Any |
ASM IP |
UDP/49152-65535 |
Audio and Video Media Port range |
Branch Clients and Central Skype for Business Front End Pool
| Source |
Protocol / Port |
Destination |
Protocol / Port |
Description |
| All Branch Client IPs |
TCP/Any |
Front End Servers |
TCP/8057 |
Conferencing |
| All Branch Client IPs |
TCP/Any |
Front End Servers |
TCP/8058 |
Conferencing |
| All Branch Client IPs |
TCP/Any |
Front End Servers |
TCP/5061 |
SIP Signaling |
| All Branch Client IPs |
TCP/Any |
Front End Servers |
TCP/443 |
Web Services |
| All Branch Client IPs |
TCP/Any |
Front End Servers |
TCP/5071 |
Response Group |
| All Branch Client IPs |
TCP/Any |
Front End Servers |
TCP/80 |
Required for Lync Phone Edition |
| All Branch Client IPs |
TCP/Any |
Front End Servers |
TCP/49152-65535 |
AV, Conf, MCU port range |
| All Branch Client IPs |
UDP/Any |
Front End Servers |
UDP/49152-65535 |
AV, Conf, MCU port range |
Branch Clients and Central Skype for Business Mediation Pool
| Source |
Protocol / Port |
Destination |
Protocol / Port |
Description |
| All Branch Client IPs |
TCP/Any |
Mediation Servers |
TCP/49152-65535 |
Media port range |
| All Branch Client IPs |
UDP/Any |
Mediation Servers |
UDP/49152-65535 |
Media port range |
Branch Clients and Central Site Edge Pool
| Source |
Protocol / Port |
Destination |
Protocol / Port |
Description |
| All Branch Client IPs |
TCP/Any |
Edge Server Internal IP |
TCP/443 |
AV Authentication |
| All Branch Client IPs |
UDP/Any |
Edge Server Internal IP |
UDP/3478 |
STUN |
Branch Clients and Central Site Exchange Unified Messaging
| Source |
Protocol / Port |
Destination |
Protocol / Port |
Description |
| All Branch Client IPs |
UDP/Any |
Exchange UM IP |
UDP/1024-65535 |
UM Media Port Range |
Mark is an Independent Microsoft Teams Consultant with over 15 years experience in Microsoft Technology. Mark is the founder of Commsverse, a dedicated Microsoft Teams conference and former MVP. You can follow him on twitter @UnifiedVale
Like this:
Like Loading...
Related
Would 5071 not also be required to the FE if RGS were in use ?
DT
Good spot! – I will update