Dela via


Edge Server environmental requirements in Skype for Business Server

Summary: Learn about the environmental requirements for Edge Server in Skype for Business Server.

A lot of planning and preparation needs to take place outside of the Skype for Business Server Edge Server environment itself. In this article, we'll review what preparations need to be made in the organizational environment, as per our list below:

Topology planning

Skype for Business Server Edge Server topologies are able to use:

  • Routable public IP addresses.

  • Non-routable private IP addresses, if symmetric network address translation (NAT) is used.

Tip

Your Edge Server can be configured to use a single IP address with distinct ports for each service, or it can use distinct IP addresses for each service, but use the same default port (which by default will be TCP 443). We have more information in IP Address requirements section, below.

If you choose non-routable private IP addresses with NAT, remember these points:

  • You need to use routable private IP addresses on all three external interfaces.

  • You need to configure symmetric NAT for incoming and outgoing traffic. Symmetric NAT is the only supported NAT you can use with Skype for Business Server Edge Server.

  • Configure your NAT to not change incoming source addresses. The A/V Edge service needs to be able to receive the incoming source address to find the optimal media path.

  • Your Edge Servers need to be able to communicate with one another from their public A/V Edge IP addresses. Your firewall needs to allow this traffic.

  • NAT can only be used for scaled consolidated Edge Servers if you use DNS load balancing. If you use hardware load balancing (HLB), you need to use publicly routable IP addresses without NAT.

You'll have no problems having your Access, Web conferencing and A/V Edge interfaces behind a router or firewall performing symmetric NAT for both single and scaled consolidated Edge Server topologies (as long as you're not using hardware load balancing).

Summary of Edge Server topology options

We have several topology options available for Skype for Business Server Edge Server deployments:

  • Single consolidated Edge with private IP addresses and NAT

  • Single consolidated Edge with public IP addresses

  • Scaled consolidated Edge with private IP addresses and NAT

  • Scaled consolidated Edge with public IP addresses

  • Scaled consolidated Edge with hardware load balancers

To help you choose one, we have the following table which gives a summary of what options you have for each topology:

Topology High availability Additional DNS records required for external Edge Server in the Edge pool? Edge failover for Skype for Business Server sessions Edge failover for Skype for Business Server federation sessions
Single consolidated Edge with private IP addresses and NAT
No
No
No
No
Single consolidated Edge with public IP addresses
No
No
No
No
Scaled consolidated Edge with private IP addresses and NAT (DNS load balanced)
Yes
Yes
Yes
Yes¹
Scaled consolidated Edge with public IP addresses (DNS load balanced)
Yes
Yes
Yes
Yes¹
Scaled consolidated Edge with hardware load balancers
Yes
No (one DNS A record per VIP)
Yes
Yes

¹ Exchange Unified Messaging (UM) remote user failover using DNS load balancing requires Exchange 2013 or newer.

IP Address requirements

On a fundamental level, three services need IP addresses; Access Edge service, Web Conferencing Edge service, and A/V Edge service. You have the option of either using three IP addresses, one for each of the services, or you can use one and opt to put each service on a different port (you can check out the Port and firewall planning section for more information on some of that). For a single consolidated Edge environment, that's pretty much it.

Note

As noted above, you can choose to have one IP address for all three services and run them on different ports. But to be clear, we don't recommend this. If your customers can't access the alternate ports you'd be using in this scenario, they can't access the full functionality of your Edge environment, either.

It can be a little more complicated with scaled consolidated topologies, so let's look at some tables that lay out the IP Address requirements, keeping in mind that the primary decision points for topology selection are high availability and load balancing. High availability needs can influence your load balancing choice (we'll talk about that more after the tables).

IP Address requirements for scaled consolidated Edge (IP Address per role)

Number of Edge Servers per pool Number of required IP addresses for DNS load balancing Number of required IP addresses for hardware load balancing
2
6
3 (1 per VIP) + 6
3
9
3 (1 per VIP) + 9
4
12
3 (1 per VIP) + 12
5
15
3 (1 per VIP) +15

IP Address requirements for scale consolidated Edge (Single IP address for all roles)

Number of Edge Servers per pool Number of required IP addresses for DNS load balancing Number of required IP addresses for hardware load balancing
2
2
1 (1 per VIP) + 2
3
3
1 (1 per VIP) + 3
4
4
1 (1 per VIP) + 4
5
5
1 (1 per VIP) + 5

Let's look at some additional things to think about while planning.

  • High availability: If you need high availability in your deployment, you should deploy at least two Edge Servers in a pool. It's worth noting that a single Edge pool will support up to 12 Edge Servers (though Topology Builder will allow you to add up to 20, that's not tested or supported, so we advise you don't do that). If you need more than 12 Edge Servers, you should create additional Edge pools for them.

  • Hardware load balancing: We recommend DNS load balancing for most scenarios. Hardware load balancing is also supported, of course, but notably it's required for a single scenario over DNS load balancing:

    • External access to Exchange 2007 or Exchange 2010 (with no SP) Unified Messaging (UM).
  • DNS load balancing: For UM, Exchange 2010 SP1 and newer are able to be supported by DNS load balancing. Note that if you need to go with DNS load balancing for an earlier version of Exchange, it'll work, but all the traffic for this will go to the first server in the pool, and if it's not available, that traffic will subsequently fail.

    DNS load balancing is also recommended if you're federating with companies using:

  • Skype for Business Server 2015:

    • Lync Server 2010
    • Lync Server 2013
    • Microsoft 365 or Office 365
  • Skype for Business Server 2019:

    • Lync Server 2013
    • Skype for Business Server 2015
    • Microsoft 365 or Office 365

DNS planning

When it comes to Skype for Business Server Edge Server deployment, it's vital to prepare for DNS properly. With the right records in place, the deployment will be much more straightforward. Hopefully you've chosen a topology in the section above, as we're going to do an overview, and then list a couple of tables outlining the DNS records for those scenarios. We'll also have some Advanced Edge Server DNS planning for Skype for Business Server for more in-depth reading, if you need it.

DNS records for Single consolidated Edge Server scenarios

These will be the DNS records you're going to need for a singe Edge Server using either public IPs or private IPs with NAT. Because this is sample data, we'll give example IPs so you can work out your own entries more easily:

  • Internal network adapter: 172.25.33.10 (no default gateways assigned)

    Note

    Ensure that there is a route from the network containing the Edge internal interface to any networks that contain servers running Skype for Business Server or Lync Server 2013 clients (for example, from 172.25.33.0 to 192.168.10.0).

  • External network adapter:

    • Public IPs:

    • Access Edge: 131.107.155.10 (this is the primary, with default gateway set to your public router, ex: 131.107.155.1)

    • Web Conferencing Edge: 131.107.155.20 (secondary)

    • A/V Edge: 131.107.155.30 (secondary)

    Web conferencing and A/V Edge public IP addresses are additional (secondary) IP addresses in the Advanced section of the properties of Internet Protocol Version 4 (TCP/IPv4) and Internet Protocol Version 6 (TCP/IPv6) of the Local Area Connection Properties in Windows Server.

    • Private IPs:

    • Access Edge: 10.45.16.10 (this is the primary, with default gateway set to your router, ex: 10.45.16.1)

    • Web Conferencing Edge: 10.45.16.20 (secondary)

    • A/V Edge: 10.45.16.30 (secondary)

Web conferencing and A/V Edge public IP addresses are additional (secondary) IP addresses in the Advanced section of the properties of Internet Protocol Version 4 (TCP/IPv4) and Internet Protocol Version 6 (TCP/IPv6) of the Local Area Connection Properties in Windows Server.

Tip

There are other possible configurations here:

  • You could use one IP address on the external network adapter. We don't recommend this because then you're going to need to differentiate between the thee services using different ports (which you can do in Skype for Business Server) but there are some firewalls that may block the alternate ports. See the Port and firewall planning section for more about this.

  • You can have three external network adapters instead of one, and assign one of the service IPs to each one. Why do this? It would separate the services and if something goes wrong, that would make it easier to troubleshoot, and potentially let your other services continue working while you resolve an issue.

Location Type Port FQDN or DNS record IP address or FQDN Notes
External DNS
A record
NA
sip.contoso.com
public: 131.107.155.10
private: 10.45.16.10
An external interface for your Access Edge service. You'll need one for every SIP domain with Skype for Business users.
External DNS
A record
NA
webcon.contoso.com
public: 131.107.155.20
private: 10.45.16.20
An external interface for your Web Conferencing Edge service.
External DNS
A record
NA
av.contoso.com
public: 131.107.155.30
private: 10.45.16.30
An external interface for your A/V Edge service.
External DNS
SRV record
443
_sip._tls.contoso.com
sip.contoso.com
An external interface for your Access Edge service. This SRV record is required for Skype for Business Server, Lync Server 2013, and Lync Server 2010 clients to work externally. You'll need one for every domain with Skype for Business users.
External DNS
SRV record
5061
_sipfederationtls._tcp.contoso.com
sip.contoso.com
An external interface for your Access Edge service. This SRV record is required for automatic DNS discovery of federated partners called Allowed SIP domains. You'll need one for every domain with Skype for Business users.
Internal DNS
A record
NA
sfvedge.contoso.net
172.25.33.10
The internal interface for your consolidated Edge.

DNS records for Scaled DNS and hardware Edge Server scenarios

These will be the DNS records you're going to need for a singe Edge Server using either public IPs or private IPs with NAT. Because this is sample data, we'll give example IPs so you can work out your own entries more easily:

  • Internal network adapter:

    • Node 1: 172.25.33.10 (no default gateway's assigned)

    • Node 2: 172.25.33.11 (no default gateway's assigned)

      Note

      Ensure that there is a route from the network containing the Edge internal interface to any networks that contain servers running Skype for Business Server or Lync Server 2013 clients (for example, from 172.25.33.0 to 192.168.10.0).

  • External network adapter:

    • Node 1

      • Public IPs:

        • Access Edge: 131.107.155.10 (this is the primary, with default gateway set to your public router, ex: 131.107.155.1)

        • Web Conferencing Edge: 131.107.155.20 (secondary)

        • A/V Edge: 131.107.155.30 (secondary)

          Web conferencing and A/V Edge public IP addresses are additional (secondary) IP addresses in the Advanced section of the properties of Internet Protocol Version 4 (TCP/IPv4) and Internet Protocol Version 6 (TCP/IPv6) of the Local Area Connection Properties in Windows Server.

      • Private IPs:

        • Access Edge: 10.45.16.10 (this is the primary, with default gateway set to your router, ex: 10.45.16.1)

        • Web Conferencing Edge: 10.45.16.20 (secondary)

        • A/V Edge: 10.45.16.30 (secondary)

        Web conferencing and A/V Edge public IP addresses are additional (secondary) IP addresses in the Advanced section of the properties of Internet Protocol Version 4 (TCP/IPv4) and Internet Protocol Version 6 (TCP/IPv6) of the Local Area Connection Properties in Windows Server.

    • Node 2

      • Public IPs:

        • Access Edge: 131.107.155.11 (this is the primary, with default gateway set to your public router, ex: 131.107.155.1)

        • Web Conferencing Edge: 131.107.155.21 (secondary)

        • A/V Edge: 131.107.155.31 (secondary)

        Web conferencing and A/V Edge public IP addresses are additional (secondary) IP addresses in the Advanced section of the properties of Internet Protocol Version 4 (TCP/IPv4) and Internet Protocol Version 6 (TCP/IPv6) of the Local Area Connection Properties in Windows Server.

    • Private IPs:

      • Access Edge: 10.45.16.11 (this is the primary, with default gateway set to your router, ex: 10.45.16.1)

      • Web Conferencing Edge: 10.45.16.21 (secondary)

      • A/V Edge: 10.45.16.31 (secondary)

        Web conferencing and A/V Edge public IP addresses are additional (secondary) IP addresses in the Advanced section of the properties of Internet Protocol Version 4 (TCP/IPv4) and Internet Protocol Version 6 (TCP/IPv6) of the Local Area Connection Properties in Windows Server.

There are other possible configurations here:

  • You could use one IP address on the external network adapter. We don't recommend this because then you're going to need to differentiate between the thee services using different ports (which you can do in Skype for Business Server) but there are some firewalls that may block the alternate ports. See the Port and firewall planning section for more about this.

  • You can have three external network adapters instead of one, and assign one of the service IPs to each one. Why do this? It would separate the services and if something goes wrong, that would make it easier to troubleshoot, and potentially let your other services continue working while you resolve an issue.

Location Type Port FQDN or DNS record IP address or FQDN Notes
External DNS
A record
NA
sip.contoso.com
public: 131.107.155.10 and 131.107.155.11
private: 10.45.16.10 and 10.45.16.11
An external interface for your Access Edge service. You'll need one for every SIP domain with Skype for Business users.
External DNS
A record
NA
webcon.contoso.com
public: 131.107.155.20 and 131.107.155.21
private: 10.45.16.20 and 10.45.16.21
An external interface for your Web Conferencing Edge service.
External DNS
A record
NA
av.contoso.com
public: 131.107.155.30 and 131.107.155.31
private: 10.45.16.30 and 10.45.16.31
An external interface for your A/V Edge service.
External DNS
SRV record
443
_sip._tls.contoso.com
sip.contoso.com
An external interface for your Access Edge service. This SRV record is required for Skype for Business Server, Lync Server 2013, and Lync Server 2010 clients to work externally. You'll need one for every domain with Skype for Business.
External DNS
SRV record
5061
_sipfederationtls._tcp.contoso.com
sip.contoso.com
An external interface for your Access Edge service. This SRV record is required for automatic DNS discovery of federated partners called Allowed SIP domains. You'll need one for every domain with Skype for Business.
Internal DNS
A record
NA
sfvedge.contoso.net
172.25.33.10 and 172.25.33.11
The internal interface for your consolidated Edge.

DNS record for federation (all scenarios)

Location Type Port FQDN FQDN host record Notes
External DNS
SRV
5061
_sipfederationtls_tcp.contoso.com
sip.contoso.com
The SIP Access Edge external interface required for automatic DNS discovery. Used by your other potential federation partners. It's also known as "Allow SIP domains." You'll need one of these for each SIP domain with Skype for Business users.

Note: You will need this SRV record for mobility and the push notification clearing house.

DNS records for extensible messaging and presence protocol

Location Type Port FQDN IP address or FQDN host record Notes
External DNS
SRV
5269
_xmpp-server._tcp.contoso.com
xmpp.contoso.com
The XMPP proxy interface on your Access Edge service or Edge pool. You need to repeat this as needed for all internal SIP domains with Skype for Business Server enabled users, where contact with XMPP contacts is allowed through:
• a global policy
• a site policy where the user's enabled
• a user policy applied to the Skype for Business Server enabled user
An allowed XMPP policy also needs to be configured in the XMPP federated users policy.
External DNS
SRV
A
xmpp.contoso.com
IP address of the Access Edge service on the Edge Server or Edge pool hosting your XMPP Proxy service
This points to the Access Edge service on the Edge Server or Edge pool that hosts the XMPP Proxy service. Typically the SRV record that you create will point to this host (A or AAAA) record.

Note

XMPP Gateways and proxies are available in Skype for Business Server 2015 but are no longer supported in Skype for Business Server 2019. See Migrating XMPP federation for more information.

Certificate planning

Skype for Business Server uses certificates for secure, encrypted communications both between servers and from server to client. As you'd expect, your certificates will need to have DNS records for your servers match up to any subject name (SN) and subject alternate name (SAN) on your certificates. This will take work now, at the planning stage, to ensure you have the right FQDNs registered in DNS for the SN and SAN entries for your certificates.

We'll discuss external and internal certificate needs separately, and then look at a table providing the requirements for both.

External Certificates

At a minimum, the certificate assigned to your external Edge Server interfaces will need to be provided by a public Certificate Authority (CA). We can't recommend a specific CA to you, but we do have a list of CAs, Unified Communications certificate partners that you can take a look at to see if your preferred CA is listed.

When will you need to submit a request to a CA for this public certificate, and how do you do it? There are a couple of ways to accomplish this:

  • You can go through the installation of Skype for Business Server, and then the Edge Server deployment. The Skype for Business Server Deployment Wizard will have a step to generate a certificate request, which you can then send to your chosen CA.

  • You can also use Windows PowerShell commands to generate this request, if that's more inline with your business needs or deployment strategy.

  • Finally, your CA may have their own submission process, which may also involve Windows PowerShell or another method. In that case, you'll need to rely on their documentation, in addition to the information provided here for your reference.

After you've gotten the certificate, you'll need to go ahead and assign it to these services in Skype for Business Server:

  • Access Edge service interface

  • Web Conferencing Edge service interface

  • Audio/Video Authentication service (don't confuse this with the A/V Edge service, as that doesn't use a certificate to encrypt audio and video streams)

Important

All Edge Servers (if they belong to the same pool of Edge Servers) need to have the exact same certificate with the same private key for the Media Relay Authentication service.

Internal Certificates

For the internal Edge Server interface, you can use a public certificate from a public CA, or a certificate issued from your organization's internal CA. The thing to remember about the internal certificate is that it uses an SN entry, and no SAN entries, so you don't have to worry about SAN on the internal cert at all.

Required Certificates table

We have a table here to help you out with your requests. The FQDN entries here are for sample domains only. You're going to need to make requests based on your own private and public domains, but here's a guide to what we've used:

  • contoso.com: Public FQDN

  • fabrikam.com: Second public FQDN (added as a demo of what to request if you have multiple SIP domains)

  • Contoso.net: Internal domain

Edge Certificate table

Regardless of whether you're doing a single Edge Server or an Edge pool, this is what you'll need for your certificate:

Component Subject name (SN) Subject alternative names (SAN)/order Notes
External Edge
sip.contoso.com
sip.contoso.com
webcon.contoso.com
sip.fabrikam.com
This is the certificate you need to request from a public CA. It'll need to be assigned to the external Edge interfaces for the following:
• Access Edge
• Web Conferencing Edge
• Audio/Video Authentication

The good news is that SANs are automatically added to your certificate request, and therefore your certificate after you submit the request, based on what you defined for this deployment in Topology Builder. You'll only need to add SAN entries for any additional SIP domains or other entries you need to support. Why is sip.contoso.com replicated in this instance? That happens automatically as well, and it's needed for things to work properly.

Note: This certificate can also be used for Public Instant Messaging connectivity. You don't need to do anything differently with it, but in previous versions of this documentation, it was listed as a separate table, and now it's not.
Internal Edge
sfbedge.contoso.com
NA
You can get this certificate from a public CA or an internal CA. It'll need to contain the server EKU (Enhanced Key Usage), and you'll assign it to the internal Edge interface.

If you need a certificate for Extensible Messaging and Presence Protocol (XMPP), it will look identical to the External Edge table entries above, but will have the following two additional SAN entries:

  • xmpp.contoso.com

  • *.contoso.com

Please remember that currently XMPP is only supported in Skype for Business Server for Google Talk, if you want or need to use it for anything else, you need to confirm that functionality with the third-party vendor involved.

Port and firewall planning

Getting your planning right for ports and firewalls for Skype for Business Server Edge Server deployments can save you days or weeks of troubleshooting and stress. As a result, we're going to list a couple of tables that will indicate our protocol usage and what ports you need to have open, inbound and outbound, both for NAT and public IP scenarios. We'll also have separate tables for hardware load balanced scenarios (HLB) and some further guidance on that. For more reading from there, we also have some Edge Server scenarios in Skype for Business Server you can check out for your particular deployment concerns.

General protocol usage

Before we look at the summary tables for external and internal firewalls, let's consider the following table as well:

Audio/Video transport Usage
UDP
The preferred transport layer protocol for audio and video.
TCP
The fallback transport layer protocol for audio and video.
The required transport layer protocol for application sharing to Skype for Business Server, Lync Server 2013, and Lync Server 2010.
The required transport layer protocol for file transfer to Skype for Business Server, Lync Server 2013, and Lync Server 2010.

External port firewall summary table

The Source IP address and Destination IP address will contain information for users who are using Private IP addresses with NAT, as well as people using public IP addresses. This will cover all the permutations in our Edge Server scenarios in Skype for Business Server section.

Role or protocol TCP or UDP Destination Port or port range Source IP address Destination IP address Notes
XMPP
Not supported in Skype for Business Server 2019
TCP
5269
Any
XMPP Proxy service (shares an IP address with the Access Edge service
The XMPP Proxy service accepts traffic from XMPP contacts in defined XMPP federations.
Access/HTTP
TCP
80
Private IP using NAT: Edge Server Access Edge service
Public IP: Edge Server Access Edge service public IP address
Any
Certificate revocation and CRL check and retrieval.
Access/DNS
TCP
53
Private IP using NAT: Edge Server Access Edge service
Public IP: Edge Server Access Edge service public IP address
Any
DNS query over TCP.
Access/DNS
UDP
53
Private IP using NAT: Edge Server Access Edge service
Public IP: Edge Server Access Edge service public IP address
Any
DNS query over UDP.
Access/SIP(TLS)
TCP
443
Any
Private IP using NAT: Edge Server Access Edge service
Public IP: Edge Server Access Edge service public IP address
Client-to-server SIP traffic for external user access.
Access/SIP(MTLS)
TCP
5061
Any
Private IP using NAT: Edge Server Access Edge service
Public IP: Edge Server Access Edge service public IP address
For federated and public IM connectivity using SIP.
Access/SIP(MTLS)
TCP
5061
Private IP using NAT: Edge Server Access Edge service
Public IP: Edge Server Access Edge service public IP address
Any
For federated and public IM connectivity using SIP.
Web conferencing/PSOM(TLS)
TCP
443
Any
Private IP using NAT: Edge Server Web Conferencing Edge service
Public IP: Edge Server Web Conferencing Edge service public IP address
Web conferencing media.
A/V/RTP
TCP
50000-59999
Private IP using NAT: Edge Server A/V Edge service
Public IP: Edge Server A/V Edge service public IP address
Any
This is used for relaying media traffic.
A/V/RTP
UDP
50000-59999
Private IP using NAT: Edge Server A/V Edge service
Public IP: Edge Server A/V Edge service public IP address
Any
This is used for relaying media traffic.
A/V/STUN.MSTURN
UDP
3478
Private IP using NAT: Edge Server A/V Edge service
Public IP: Edge Server A/V Edge service public IP address
Any
3478 outbound is:
• Used by Skype for Business Server to determine the version of Edge Server it's communicating with.
• Used for media traffic between Edge Servers.
• Required for federation with Lync Server 2010.
• Needed if multiple Edge pools are deployed within your organization.
A/V/STUN.MSTURN
UDP
3478
Any
Private IP using NAT: Edge Server A/V Edge service
Public IP: Edge Server A/V Edge service public IP address
STUN/TURN negotiation of candidates over UDP on port 3478.
A/V/STUN.MSTURN
TCP
443
Any
Private IP using NAT: Edge Server A/V Edge service
Public IP: Edge Server A/V Edge service public IP address
STUN/TURN negotiation of candidates over TCP on port 443.
A/V/STUN.MSTURN
TCP
443
Private IP using NAT: Edge Server A/V Edge service
Public IP: Edge Server A/V Edge service public IP address
Any
STUN/TURN negotiation of candidates over TCP on port 443.

Internal port firewall summary table

Protocol TCP or UDP Port Source IP address Destination IP address Notes
XMPP/MTLS
TCP
23456
Any of the following running the XMPP Gateway service:
• Front End Server
• Front End pool
Edge Server internal interface
Outbound XMPP traffic from your XMPP Gateway service running on your Front End Server or Front End pool.
Note: XMPP Gateways and proxies are available in Skype for Business Server 2015 but are no longer supported in Skype for Business Server 2019. See Migrating XMPP federation for more information.
SIP/MTLS
TCP
5061
Any:
• Director
• Director pool
• Front End Server
• Front End pool
Edge Server internal interface
Outbound SIP traffic from your Director, Director pool, Front End Server or Front End pool to your Edge Server internal interface.
SIP/MTLS
TCP
5061
Edge Server internal interface
Any:
• Director
• Director pool
• Front End Server
• Front End pool
Inbound SIP traffic to your Director, Director pool, Front End Server, or Front End pool from your Edge Server internal interface.
PSOM/MTLS
TCP
8057
Any:
• Front End Server
• Each Front End Server
in your Front End pool
Edge Server internal interface
Web conferencing traffic from your Front End Server or each Front End Server (if you have a Front End pool) to your Edge Server internal interface.
SIP/MTLS
TCP
5062
Any:
• Front End Server
• Front End pool
• Any Survivable Branch Appliance using this Edge Server
• Any Survivable Branch Server using this Edge Server
Edge Server internal interface
Authentication of A/V users from your Front End Server or Front End pool, or your Survivable Branch Appliance or Survivable Branch Server, using your Edge Server.
STUN/MSTURN
UDP
3478
Any
Edge Server internal interface
Preferred path for A/V media transfer between your internal and external users and your Survivable Branch Appliance or Survivable Branch Server.
STUN/MSTURN
TCP
443
Any
Edge Server internal interface
Fallback path for A/V media transfer between your internal and external users and your Survivable Branch Appliance or Survivable Branch Server, if UDP communication doesn't work. TCP is then used for file transfers and desktop sharing.
HTTPS
TCP
4443
Any:
• Front End Server that holds the Central Management store
• Front End pool that holds the Central Management store
Edge Server internal interface
Replication of changes from your Central Management store to your Edge Server.
MTLS
TCP
50001
Any
Edge Server internal interface
Centralized Logging Service controller using Skype for Business Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection.
MTLS
TCP
50002
Any
Edge Server internal interface
Centralized Logging Service controller using Skype for Business Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection.
MTLS
TCP
50003
Any
Edge Server internal interface
Centralized Logging Service controller using Skype for Business Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection.

Hardware load balancers for Edge port tables

We're giving hardware load balancers (HLBs) and Edge ports their own section, as things are a little more complicated with the additional hardware. Please refer to the tables below for guidance for this particular scenario:

External port firewall summary table

The Source IP address and Destination IP address will contain information for users who are using Private IP addresses with NAT, as well as people using public IP addresses. This will cover all the permutations in our Edge Server scenarios in Skype for Business Server section.

Role or protocol TCP or UDP Destination Port or port range Source IP address Destination IP address Notes
Access/HTTP
TCP
80
Edge Server Access Edge service public IP address
Any
Certificate revocation and CRL check and retrieval.
Access/DNS
TCP
53
Edge Server Access Edge service public IP address
Any
DNS query over TCP.
Access/DNS
UDP
53
Edge Server Access Edge service public IP address
Any
DNS query over UDP.
A/V/RTP
TCP
50000-59999
Edge Server A/V Edge service IP address
Any
This is used for relaying media traffic.
A/V/RTP
UDP
50000-59999
Edge Server A/V Edge service public IP address
Any
This is used for relaying media traffic.
A/V/STUN.MSTURN
UDP
3478
Edge Server A/V Edge service public IP address
Any
3478 outbound is:
• Used by Skype for Business Server to determine the version of Edge Server it's communicating with.
• Used for media traffic between Edge Servers.
• Required for federation.
• Needed if multiple Edge pools are deployed within your organization.
A/V/STUN.MSTURN
UDP
3478
Any
Edge Server A/V Edge service public IP address
STUN/TURN negotiation of candidates over UDP on port 3478.
A/V/STUN.MSTURN
TCP
443
Any
Edge Server A/V Edge service public IP address
STUN/TURN negotiation of candidates over TCP on port 443.
A/V/STUN.MSTURN
TCP
443
Edge Server A/V Edge service public IP address
Any
STUN/TURN negotiation of candidates over TCP on port 443.

Internal port firewall summary table

Protocol TCP or UDP Port Source IP address Destination IP address Notes
XMPP/MTLS
TCP
23456
Any of the following running the XMPP Gateway service:
• Front End Server
• Front End pool VIP address running the XMPP Gateway service
Edge Server internal interface
Outbound XMPP traffic from your XMPP Gateway service running on your Front End Server or Front End pool.

Note: XMPP Gateways and proxies are available in Skype for Business Server 2015 but are no longer supported in Skype for Business Server 2019. See Migrating XMPP federation for more information.
HTTPS
TCP
4443
Any:
• Front End Server that holds the Central Management store
• Front End pool that holds the Central Management store
Edge Server internal interface
Replication of changes from your Central Management store to your Edge Server.
PSOM/MTLS
TCP
8057
Any:
• Front End Server
• Each Front End Server in your Front End pool
Edge Server internal interface
Web conferencing traffic from your Front End Server or each Front End Server (if you have a Front End pool) to your Edge Server internal interface.
STUN/MSTURN
UDP
3478
Any:
• Front End Server
• Each Front End Server in your Front End pool
Edge Server internal interface
Preferred path for A/V media transfer between your internal and external users and your Survivable Branch Appliance or Survivable Branch Server.
STUN/MSTURN
TCP
443
Any:
• Front End Server
• Each Front End Server in your pool
Edge Server internal interface
Fallback path for A/V media transfer between your internal and external users and your Survivable Branch Appliance or Survivable Branch Server, if UDP communication doesn't work. TCP is then used for file transfers and desktop sharing.
MTLS
TCP
50001
Any
Edge Server internal interface
Centralized Logging Service controller using Skype for Business Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection.
MTLS
TCP
50002
Any
Edge Server internal interface
Centralized Logging Service controller using Skype for Business Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection.
MTLS
TCP
50003
Any
Edge Server internal interface
Centralized Logging Service controller using Skype for Business Server Management Shell and Centralized Logging Service cmdlets, ClsController command line (ClsController.exe) or agent (ClsAgent.exe) commands and log collection.

External interface Virtual IPs

Role or protocol TCP or UDP Destination Port or port range Source IP address Destination IP address Notes
XMPP
Not Supported in Skype for Businesss Server 2019
TCP
5269
Any
XMPP Proxy service (shares an IP address with the Access Edge service)
The XMPP Proxy service accepts traffic from XMPP contacts in defined XMPP federations.
XMPP
Not Supported in Skype for Businesss Server 2019
TCP
5269
XMPP Proxy service (shares an IP address with the Access Edge service)
Any
The XMPP Proxy service sends traffic from XMPP contacts in defined XMPP federations.
Access/SIP(TLS)
TCP
443
Any
Private IP using NAT: Edge Server Access Edge service
Public IP: Edge Server Access Edge service public IP address
Client-to-server SIP traffic for external user access.
Access/SIP(MTLS)
TCP
5061
Any
Private IP using NAT: Edge Server Access Edge service
Public IP: Edge Server Access Edge service public IP address
For federated and public IM connectivity using SIP.
Access/SIP(MTLS)
TCP
5061
Private IP using NAT: Edge Server Access Edge service
Public IP: Edge Server Access Edge service public IP address
Any
For federated and public IM connectivity using SIP.
Web conferencing/PSOM(TLS)
TCP
443
Any
Private IP using NAT: Edge Server Web Conferencing Edge service
Public IP: Edge Server Web Conferencing Edge service public IP address
Web conferencing media.
A/V/STUN.MSTURN
UDP
3478
Any
Private IP using NAT: Edge Server A/V Edge service
Public IP: Edge Server A/V Edge service public IP address
STUN/TURN negotiation of candidates over UDP on port 3478.
A/V/STUN.MSTURN
TCP
443
Any
Private IP using NAT: Edge Server A/V Edge service
Public IP: Edge Server A/V Edge service public IP address
STUN/TURN negotiation of candidates over TCP on port 443.

Internal interface Virtual IPs

Our guidance here is going to be a little different. In actuality, in a HLB situation, we now recommend you only have routing through an internal VIP under the following circumstances:

  • If you are using Exchange 2007 or Exchange 2010 Unified Messaging (UM).

  • If you have legacy clients using the Edge.

The following table does give guidance for those scenarios, but otherwise, you should be able to depend on Central Management store (CMS) to route traffic to the individual Edge Server it's aware of (this does require that CMS is kept up to date on Edge Server information, of course).

Protocol TCP or UDP Port Source IP address Destination IP address Notes
Access/SIP(MTLS)
TCP
5061
Any:
• Director
• Director pool VIP address
• Front End Server
• Front End pool VIP address
Edge Server internal interface
Outbound SIP traffic from your Director, Director pool VIP address, Front End Server, or Front End pool VIP address to your Edge Server internal interface.
Access/SIP(MTLS)
TCP
5061
Edge Server internal VIP interface
Any:
• Director
• Director pool VIP address
• Front End Server
• Front End pool VIP address
Inbound SIP traffic to your Director, Director pool VIP address, Front End Server, or Front End pool VIP address from your Edge Server internal interface.
SIP/MTLS
TCP
5062
Any:
• Front End Server IP address
• Front End pool IP address
• Any Survivable Branch Appliance using this Edge Server
• Any Survivable Branch Server using this Edge Server
Edge Server internal interface
Authentication of A/V users from your Front End Server or Front End pool, or your Survivable Branch Appliance or Survivable Branch Server, using your Edge Server.
STUN/MSTURN
UDP
3478
Any
Edge Server internal interface
Preferred path for A/V media transfer between your internal and external users.
STUN/MSTURN
TCP
443
Any
Edge Server internal VIP interface
Fallback path for A/V media transfer between your internal and external users if UDP communication doesn't work. TCP is then used for file transfers and desktop sharing.