Skype for Business Online connectivity paths
Recently Microsoft released a blog article to provide awareness and guidance on the simplified port requirements for Skype for Business Online: https://techcommunity.microsoft.com/t5/Skype-for-Business-Blog/Simplified-port-requirements-for-Skype-for-Business-Online/ba-p/77094
It updates the destination ports to the cloud and makes the high TCP and UDP ports optional.
What concerns us in this article is traffic going through the cloud services, so we will test only the conference media paths.
First, let's look at how this differs from on-premises and how the ICE protocol selects the ports in priority order.
In these scenarios I am going to test Voice, Video, VBSS and RDP App Share.
I used Netmon to trace the ports, with the coloring and marking from the previous blog post: https://blogs.msdn.microsoft.com/mahmoud_badran/2017/05/16/netmon-capabilities-for-skype-for-business-online-troubleshooting/
Here is an on-premises scenario where the caller dialled into a conference. As you can see, after a series of TURN requests the following ports were selected: client source port UDP 50006 and destination port UDP 50680.
Next I add video to the same call; in the capture below the client source port is UDP 50036 and the destination port is UDP 53400.
Adding VBSS (desktop share) again selects UDP ports: source port UDP 50058 and destination port UDP 58760.
Finally, with application sharing the following TCP ports were selected: source port TCP 50048 and destination port TCP 52972.
So, in order to force the second media path, we block all the UDP high ports (UDP only) on my machine with the Windows Firewall.
Now we run the same tests for Audio, Video and VBSS only, since those are the ones that use the UDP high ports, and see what happens in Netmon.
For Audio we saw that the second path was source port UDP 50016 and destination port UDP 3478.
Similar results for Video, where the destination was UDP 3478.
And similar results for VBSS, where the destination was UDP 3478.
Now for the third path: we block UDP 3478 in the firewall as well and see what happens.
Re-run the same Audio, Video and VBSS scenarios:
The interesting scenario here is that the TCP high ports are now used for Audio: source port TCP 50018 and destination port TCP 50921.
Video was also established on the TCP high ports, with source port TCP 50032 and destination port TCP 57669.
Similarly, VBSS was on the TCP high ports; here the client source port is TCP 50052 and the destination port is TCP 55464.
It is important to note that in this scenario you cannot differentiate VBSS from App Share in the capture; only the Snooper logs tell them apart.
Below are the Snooper logs proving that this session was a TCP VBSS session and used H.264:
06/13/2017|10:28:53.528 45DC:2A20 INFO :: Sending Packet - xx.xx.xx.xx:443 (From Local Address: 192.168.50.121:59364) 3166 bytes:
06/13/2017|10:28:53.528 45DC:2A20 INFO ::
INVITE sip:mbadran@contoso.com;gruu;opaque=app:conf:applicationsharing:id:TLD18BDT SIP/2.0
Via: SIP/2.0/TLS 192.168.50.121:59364
Max-Forwards: 70
From: <sip:mbadran@contoso.com>;tag=dc0670b210;epid=03413c7128
To: <sip:mbadran@contoso.com;gruu;opaque=app:conf:applicationsharing:id:TLD18BDT>;tag=673cc255;epid=361A8A700C
Call-ID: e733471e87ce4f849b9e46122232b0bc
CSeq: 2 INVITE
User-Agent: UCCAPI/16.0.7766.5352 OC/16.0.7766.2091 (Skype for Business)
Supported: ms-dialog-route-set-update
Supported: timer
Supported: histinfo
Supported: ms-safe-transfer
Supported: ms-sender
Supported: ms-early-media
ms-keep-alive: UAC;hop-hop=yes
ms-subnet: 192.168.50.0
ms-endpoint-location-data: NetworkScope;ms-media-location-type=Internet
Proxy-Authorization: TLS-DSK qop="auth", realm="SIP Communications Service", opaque="3E0FAC86", targetname="contoso.com", crand="9ab215e7", cnum="166", response="9e30cf5b6d03f822abb93d19c2bb10b598e1917d"
Content-Type: application/sdp
Content-Length: 1610
v=0
o=- 0 2 IN IP4 xx.xx.xx.xx
s=session
c=IN IP4 xx.xx.xx.xx
b=CT:99980
t=0 0
a=x-mediabw:applicationsharing-video send=8100;recv=4000
m=applicationsharing 50049 TCP/RTP/SAVP 127
a=ice-ufrag:t8XO
a=ice-pwd:/R1zFbA5Rdy5X4V4YVfem42q
a=candidate:14 1 TCP-ACT 1852570879 24.140.230.224 50049 typ prflx raddr 192.168.50.121 rport 50049
a=x-candidate-info:14 network-type=wlan
a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:Enb/Q/W9NCW2r/4A+IJzCq90n18lQYiXot3EVgAa|2^31|1:1
a=remote-candidates:1 xx.xx.xx.xx 50336 2 xx.xx.xx.xx 50336
a=setup:active
a=connection:existing
a=rtpmap:127 x-data/90000
a=rtcp-mux
a=x-bwealgorithm:packetpair
a=x-applicationsharing-session-id:1
a=x-applicationsharing-role:sharer
a=x-applicationsharing-media-type:rdp
a=x-applicationsharing-contentflow:sendonly
m=video 50052 TCP/RTP/SAVP 122 123
a=x-ssrc-range:2832877825-2832877924
a=rtcp-fb:* x-message app send:src,x-pli recv:src,x-pli
a=rtcp-rsize
a=label:applicationsharing-video
a=ice-ufrag:NLIp
a=ice-pwd:oX/60lMgeMaJTxar75FhtfCk
a=x-mediasettings:applicationsharing-video=required
a=candidate:11 1 TCP-ACT 1852567295 xx.xx.xx.xx 50052 typ prflx raddr 192.168.50.121 rport 50052
a=x-candidate-info:11 network-type=wlan
a=cryptoscale:1 client AES_CM_128_HMAC_SHA1_80 inline:Enb/Q/W9NCW2r/4A+IJzCq90n18lQYiXot3EVgAa|2^31|1:1
a=remote-candidates:1 xx.xx.xx.xx 55646 2 xx.xx.xx.xx 55646
a=setup:active
a=connection:existing
a=sendonly
a=rtpmap:122 X-H264UC/90000
a=fmtp:122 packetization-mode=1;mst-mode=NI-TC
a=rtpmap:123 x-ulpfecuc/90000
a=rtcp-mux
a=x-bwealgorithm:packetpair
Now we run the same session for RDP and look at the difference in Snooper. As you can see, the source port was TCP 50043 and the destination port TCP 51039:
06/13/2017|10:43:01.703 45DC:2A20 INFO :: Sending Packet - xx.xx.xx.xx:443 (From Local Address: 192.168.50.121:59364) 2320 bytes:
06/13/2017|10:43:01.703 45DC:2A20 INFO ::
INVITE sip:mbadran@contoso.com;gruu;opaque=app:conf:applicationsharing:id:Y6FD73H2 SIP/2.0
Via: SIP/2.0/TLS 192.168.50.121:59364
Max-Forwards: 70
From: <sip:mbadran@contoso.com>;tag=dc77454c41;epid=03413c7128
To: <sip:mbadran@contoso.com;gruu;opaque=app:conf:applicationsharing:id:Y6FD73H2>;tag=bbeffade50;epid=D9672F7281
Call-ID: 4d4d16fe0a9643f3ac565ca370b095d7
CSeq: 2 INVITE
Contact: <sip:mbadran@contoso.com;opaque=user:epid:5c4Y0LZ-P16OxFNemnoO7gAA;gruu>
User-Agent: UCCAPI/16.0.7766.5352 OC/16.0.7766.2091 (Skype for Business)
Supported: ms-dialog-route-set-update
Supported: timer
Supported: histinfo
Supported: ms-safe-transfer
Supported: ms-sender
Supported: ms-early-media
ms-keep-alive: UAC;hop-hop=yes
ms-subnet: 192.168.50.0
ms-endpoint-location-data: NetworkScope;ms-media-location-type=Internet
Proxy-Authorization: TLS-DSK qop="auth", realm="SIP Communications Service", opaque="3E0FAC86", targetname="contoso.com", crand="eac0f45a", cnum="383", response="2e315122a3a496c4abaa2e70d7b154567e64f1a2"
Content-Type: application/sdp
Content-Length: 763
v=0
o=- 0 1 IN IP4 xx.xx.xx.xx
s=session
c=IN IP4 xx.xx.xx.xx
b=CT:99980
t=0 0
m=applicationsharing 50043 TCP/RTP/SAVP 127
a=ice-ufrag:VvoJ
a=ice-pwd:za3jOXA4LzS7Lr4eZCC9appB
a=candidate:14 1 TCP-ACT 1852570879 xx.xx.xx.xx 50043 typ prflx raddr 192.168.50.121 rport 50043
a=x-candidate-info:14 network-type=wlan
a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:z0oEcJPviJ2Q4CNEXt75fE3PyOrJyDDE33PsRDUe|2^31|1:1
a=remote-candidates:1 xx.xx.xx.xx 51039 2 xx.xx.xx.xx 51039
a=setup:active
a=connection:existing
a=mid:1
a=rtpmap:127 x-data/90000
a=rtcp-mux
a=x-bwealgorithm:packetpair
a=x-applicationsharing-session-id:1
a=x-applicationsharing-role:sharer
a=x-applicationsharing-media-type:rdp
a=x-applicationsharing-contentflow:sendonly
And finally, if we block all the UDP high ports, the low ports (UDP 3478) and the TCP high ports, the final path is TCP port 443 for all media types.
Note that I noticed a degradation in voice quality at this point, but SILKWide was still used as the codec, which I found in the VQReport.
Conclusion:
The destination ports for Skype for Business Online and the alternative paths are different from those of on-premises.
The tables below illustrate the destination ports and alternative paths, in priority order, for on-premises and for the cloud.
Outbound traffic preferred route for On-premises:
Route 1:
Media Type | Transport | Source | Port | Destination | Port |
Audio | UDP | Client Subnet | 50000 - 50019 | SfB Edge Server IPs OR Client Subnet in P2P | 50000 - 59999 |
Video | UDP | Client Subnet | 50020 - 50039 | SfB Edge Server IPs OR Client Subnet in P2P | 50000 - 59999 |
VBSS | UDP | Client Subnet | 50040 - 50059 | SfB Edge Server IPs OR Client Subnet in P2P | 50000 - 59999 |
AppShare RDP | TCP | Client Subnet | 50040 - 50059 | SfB Edge Server IPs OR Client Subnet in P2P | 50000 - 59999 |
Alternative Route 2:
Media Type | Transport | Source | Port | Destination | Port |
Audio | UDP | Client Subnet | 50000 - 50019 | SfB Edge Server IPs OR Client Subnet in P2P | 3478 |
Video | UDP | Client Subnet | 50020 - 50039 | SfB Edge Server IPs OR Client Subnet in P2P | 3478 |
VBSS | UDP | Client Subnet | 50040 - 50059 | SfB Edge Server IPs OR Client Subnet in P2P | 3478 |
AppShare RDP | TCP | Client Subnet | 50040 - 50059 | SfB Edge Server IPs OR Client Subnet in P2P | 443 |
Alternative Route 3:
Media Type | Transport | Source | Port | Destination | Port |
Audio | TCP | Client Subnet | 50000 - 50019 | SfB Edge Server IPs OR Client Subnet in P2P | 50000 - 59999 |
Video | TCP | Client Subnet | 50020 - 50039 | SfB Edge Server IPs OR Client Subnet in P2P | 50000 - 59999 |
VBSS | TCP | Client Subnet | 50040 - 50059 | SfB Edge Server IPs OR Client Subnet in P2P | 50000 - 59999 |
AppShare RDP | TCP | Client Subnet | 50040 - 50059 | SfB Edge Server IPs OR Client Subnet in P2P | 443 |
Alternative Route 4:
Media Type | Transport | Source | Port | Destination | Port |
Audio | TCP | Client Subnet | 50000 - 50019 | SfB Edge Server IPs OR Client Subnet in P2P | 443 |
Video | TCP | Client Subnet | 50020 - 50039 | SfB Edge Server IPs OR Client Subnet in P2P | 443 |
VBSS | TCP | Client Subnet | 50040 - 50059 | SfB Edge Server IPs OR Client Subnet in P2P | 443 |
AppShare RDP | TCP | Client Subnet | 50040 - 50059 | SfB Edge Server IPs OR Client Subnet in P2P | 443 |
Inbound Traffic preferred route:
Route 1:
Media Type | Transport | Source | Port | Destination | Port |
Audio | UDP | SfB Edge Server IPs OR Client Subnet in P2P | 50000 - 59999 | Client Subnet | 50000 - 50019 |
Video | UDP | SfB Edge Server IPs OR Client Subnet in P2P | 50000 - 59999 | Client Subnet | 50020 - 50039 |
VBSS | UDP | SfB Edge Server IPs OR Client Subnet in P2P | 50000 - 59999 | Client Subnet | 50040 - 50059 |
AppShare RDP | TCP | SfB Edge Server IPs OR Client Subnet in P2P | 50000 - 59999 | Client Subnet | 50040 - 50059 |
Alternative Route 2:
Media Type | Transport | Source | Port | Destination | Port |
Audio | UDP | SfB Edge Server IPs OR Client Subnet in P2P | 3478 | Client Subnet | 50000 - 50019 |
Video | UDP | SfB Edge Server IPs OR Client Subnet in P2P | 3478 | Client Subnet | 50020 - 50039 |
VBSS | UDP | SfB Edge Server IPs OR Client Subnet in P2P | 3478 | Client Subnet | 50040 - 50059 |
AppShare RDP | TCP | SfB Edge Server IPs OR Client Subnet in P2P | 443 | Client Subnet | 50040 - 50059 |
Alternative Route 3:
Media Type | Transport | Source | Port | Destination | Port |
Audio | TCP | SfB Edge Server IPs OR Client Subnet in P2P | 50000 - 59999 | Client Subnet | 50000 - 50019 |
Video | TCP | SfB Edge Server IPs OR Client Subnet in P2P | 50000 - 59999 | Client Subnet | 50020 - 50039 |
VBSS | TCP | SfB Edge Server IPs OR Client Subnet in P2P | 50000 - 59999 | Client Subnet | 50040 - 50059 |
AppShare RDP | TCP | SfB Edge Server IPs OR Client Subnet in P2P | 443 | Client Subnet | 50040 - 50059 |
Alternative Route 4:
Media Type | Transport | Source | Port | Destination | Port |
Audio | TCP | SfB Edge Server IPs OR Client Subnet in P2P | 443 | Client Subnet | 50000 - 50019 |
Video | TCP | SfB Edge Server IPs OR Client Subnet in P2P | 443 | Client Subnet | 50020 - 50039 |
VBSS | TCP | SfB Edge Server IPs OR Client Subnet in P2P | 443 | Client Subnet | 50040 - 50059 |
AppShare RDP | TCP | SfB Edge Server IPs OR Client Subnet in P2P | 443 | Client Subnet | 50040 - 50059 |
The way it is configured now in the cloud is different; below are the tables for the cloud media paths:
Outbound Traffic preferred route for Skype for Business Online:
Route 1:
Media Type | Transport | Source | Port | Destination | Port |
Audio | UDP | Client Subnet | 50000 - 50019 | SfB Online IPs OR Client Subnet in P2P | 50000 - 59999 |
Video | UDP | Client Subnet | 50020 - 50039 | SfB Online IPs OR Client Subnet in P2P | 50000 - 59999 |
VBSS | UDP | Client Subnet | 50040 - 50059 | SfB Online IPs OR Client Subnet in P2P | 50000 - 59999 |
AppShare RDP | TCP | Client Subnet | 50040 - 50059 | SfB Online IPs OR Client Subnet in P2P | 443 |
Alternative Route 2:
Media Type | Transport | Source | Port | Destination | Port |
Audio | UDP | Client Subnet | 50000 - 50019 | SfB Online IPs OR Client Subnet in P2P | 3478 or Transport Relay 3479 |
Video | UDP | Client Subnet | 50020 - 50039 | SfB Online IPs OR Client Subnet in P2P | 3478 or Transport Relay 3480 |
VBSS | UDP | Client Subnet | 50040 - 50059 | SfB Online IPs OR Client Subnet in P2P | 3478 or Transport Relay 3481 |
AppShare RDP | TCP | Client Subnet | 50040 - 50059 | SfB Online IPs OR Client Subnet in P2P | 443 |
Alternative Route 3:
Media Type | Transport | Source | Port | Destination | Port |
Audio | TCP | Client Subnet | 50000 - 50019 | SfB Online IPs OR Client Subnet in P2P | 443 |
Video | TCP | Client Subnet | 50020 - 50039 | SfB Online IPs OR Client Subnet in P2P | 443 |
VBSS | TCP | Client Subnet | 50040 - 50059 | SfB Online IPs OR Client Subnet in P2P | 443 |
AppShare RDP | TCP | Client Subnet | 50040 - 50059 | SfB Online IPs OR Client Subnet in P2P | 443 |
Inbound Traffic preferred route:
Route 1:
Media Type | Transport | Source | Port | Destination | Port |
Audio | UDP | SfB Online IPs OR Client Subnet in P2P | 50000 - 59999 | Client Subnet | 50000 - 50019 |
Video | UDP | SfB Online IPs OR Client Subnet in P2P | 50000 - 59999 | Client Subnet | 50020 - 50039 |
VBSS | UDP | SfB Online IPs OR Client Subnet in P2P | 50000 - 59999 | Client Subnet | 50040 - 50059 |
AppShare RDP | TCP | SfB Online IPs OR Client Subnet in P2P | 443 | Client Subnet | 50040 - 50059 |
Alternative Route 2:
Media Type | Transport | Source | Port | Destination | Port |
Audio | UDP | SfB Online IPs OR Client Subnet in P2P | 3478 or Transport Relay 3479 | Client Subnet | 50000 - 50019 |
Video | UDP | SfB Online IPs OR Client Subnet in P2P | 3478 or Transport Relay 3480 | Client Subnet | 50020 - 50039 |
VBSS | UDP | SfB Online IPs OR Client Subnet in P2P | 3478 or Transport Relay 3481 | Client Subnet | 50040 - 50059 |
AppShare RDP | TCP | SfB Online IPs OR Client Subnet in P2P | 443 | Client Subnet | 50040 - 50059 |
Alternative Route 3:
Media Type | Transport | Source | Port | Destination | Port |
Audio | TCP | SfB Online IPs OR Client Subnet in P2P | 443 | Client Subnet | 50000 - 50019 |
Video | TCP | SfB Online IPs OR Client Subnet in P2P | 443 | Client Subnet | 50020 - 50039 |
VBSS | TCP | SfB Online IPs OR Client Subnet in P2P | 443 | Client Subnet | 50040 - 50059 |
AppShare RDP | TCP | SfB Online IPs OR Client Subnet in P2P | 443 | Client Subnet | 50040 - 50059 |
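As an added example (not code from the original post), here is a small Python helper that reads the m= sections of an INVITE body like the two Snooper extracts above, tells VBSS apart from RDP app sharing the way the post does (presence of the applicationsharing-video section), and ranks an observed outbound flow against the fallback order the tests went through. The SDP samples are constructed from the post's INVITEs, with the addresses swapped for documentation-range IPs.

```python
# Constructed samples modelled on the two INVITE bodies in the post (IPs swapped for
# documentation-range addresses): the first has an applicationsharing section plus an
# applicationsharing-video (X-H264UC) section, i.e. VBSS; the second only the RDP one.
VBSS_SDP = """v=0
m=applicationsharing 50049 TCP/RTP/SAVP 127
a=remote-candidates:1 203.0.113.20 50336 2 203.0.113.20 50336
m=video 50052 TCP/RTP/SAVP 122 123
a=label:applicationsharing-video
a=remote-candidates:1 203.0.113.20 55646 2 203.0.113.20 55646
a=rtpmap:122 X-H264UC/90000
"""
RDP_SDP = """v=0
m=applicationsharing 50043 TCP/RTP/SAVP 127
a=remote-candidates:1 203.0.113.20 51039 2 203.0.113.20 51039
"""

def parse_media_sections(sdp):
    """Split an SDP body into m= sections: media, local port, transport, a= lines."""
    sections = []
    for line in sdp.splitlines():
        if line.startswith("m="):
            media, port, proto = line[2:].split()[:3]
            sections.append({"media": media, "port": int(port), "attrs": [],
                             "transport": "TCP" if proto.startswith("TCP") else "UDP"})
        elif line.startswith("a=") and sections:
            sections[-1]["attrs"].append(line[2:])
    return sections

def remote_port(section):
    """Far-end port ICE settled on, from the a=remote-candidates line (component 1)."""
    hits = [a.split()[2] for a in section["attrs"] if a.startswith("remote-candidates:")]
    return int(hits[0]) if hits else None

def sharing_kind(sections):
    """VBSS if a video section labelled applicationsharing-video is present, else RDP."""
    for s in sections:
        if s["media"] == "video" and "label:applicationsharing-video" in s["attrs"]:
            return "VBSS"
    return "RDP" if any(s["media"] == "applicationsharing" for s in sections) else None

def online_path(transport, dst_port):
    """Rank an outbound flow in the fallback order the post's tests went through.
    Step 3 (TCP high ports) is optional under the linked guidance and absent from
    the post's cloud table, but it was the third path observed in the tests."""
    if transport == "UDP":
        return 1 if 50000 <= dst_port <= 59999 else 2 if dst_port in (3478, 3479, 3480, 3481) else None
    if transport == "TCP":
        return 3 if 50000 <= dst_port <= 59999 else 4 if dst_port == 443 else None
    return None
```

Feed it the SDP body from a Snooper "Sending Packet" INVITE and the flow tuple from Netmon to confirm which path a session actually took.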