Deploying a Lync SBA? Watch out for port 444 (Updated with more ports)

As Lync deployments start ramping up, we are starting to notice a few gotchas in documentation and deployments. One thing that has come up a couple of times is deploying a Lync SBA in a branch site with a firewall between the Datacenter and branch office.

The firewall ports required for the SBA are not well documented, particularly one that is essential to making the SBA work.

Port 444 TCP is required for Front End to SBA communication. Below is the only documentation I have found on it so far, in the CHM:

Server role: Front End Servers
Service: Front-End service
Port: 444
Protocol: HTTPS
Transport: TCP
Notes: Used for HTTPS communication between the Focus (the Lync Server component that manages conference state) and the individual servers. This port is also used for TCP communication between Front End Servers and Survivable Branch Appliances.


I reviewed the Lync 2010 Workloads Poster and it does not show this port either. I have requested an update, which we will hopefully see soon.

So, very important: open port 444 TCP between your Data Center and your Branch Office, or users will not be able to register against the SBA. The port reference can be seen below.

[image: port 444 reference from the Lync Server documentation]

As a follow-up, one of my colleagues pulled together the full list of firewall requirements for branch users. Since many enterprises have firewalls between branch and central sites, this list becomes very important. Look for a workloads poster focused on firewalls from Microsoft soon; hopefully this list helps in the meantime. Credit for this list goes to Peter Pawlak at UnifySquare:

SBA (ASM side) <-> Central Site Pool(s):

· TCP/5061 (both ways)

· TCP/444 (both ways)

· TCP/445

· TCP/448

· TCP/5062-5065

· TCP/5072-5073

· TCP/5076

· TCP/5080

(NOTE: I’m not 100% positive that ports in RED are really needed)

SBA -> Monitoring Server(s) (to support MSMQ)

· TCP/135

· TCP/389

· TCP/1801

· TCP/2101

· TCP/2103

· TCP/2105

SBA (ASM side) <-> Exchange UM servers

· TCP/5061

· UDP/<ExUM media port range>

SBA (ASM side) <-> Edge Server(s):

· TCP/5061

· TCP/5062

CMS servers -> SBA (ASM side) (for local config store replication)

· TCP/4443

· TCP/444

· TCP/445

Branch Clients -> SBA (ASM side):

· TCP/5061 (client->SBA)

· TCP

· UDP/<media port range> (assumes no media bypass)

Branch Clients <-> SBA (GW side):

· UDP/<media port range> (assumes media bypass will be used)

Branch Clients -> Central site Pool (must be pool in site associated with Branch site)

· TCP/8057 (and TCP/8058 if using Lync’s legacy data conf service)

· TCP/5061 (to allow failover to backup central site)

· TCP/<app share conf MCU port range>

· UDP/<A/V conf MCU port range>

Branch Clients -> Central site Pool Web service HLB VIP (pool in site associated with Branch site)

· TCP/443

· TCP/80 (needed by Lync PE devices)

Branch clients <-> Clients & Mediation servers/services in other sites

· UDP/ <media port range>

· TCP/<media port range>

Branch clients <-> Edge servers (running media relay)

· UDP/3478

· UDP/ <media port range>

· TCP/443

· TCP/<media port range>

Branch clients -> Exchange UM servers

· UDP/<ExUM media port range>

Branch clients -> Exchange CAS servers (for EWS)

· TCP/443

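Since the post's whole point is that a single blocked port (TCP/444) silently breaks SBA registration, a practitioner will want to check the branch-to-central rules from the SBA side before users do. The script below is an added example, not part of the original post or of any Microsoft tooling: it transcribes the TCP entries of the "SBA (ASM side) <-> Central Site Pool(s)" list above, expands ranges such as TCP/5062-5065, and probes each port with a plain TCP connect. It distinguishes a port that answers with a reset (the firewall passes it but nothing is listening, which points at the pool, not the firewall) from one that times out (typically dropped by a firewall). The pool hostname is a placeholder; UDP media ranges are left out because a UDP connect proves nothing.

```python
"""Probe the TCP ports a Lync SBA needs toward the central site pool.

Added example for this post, not Microsoft's or the post author's code.
The port list is transcribed from the post; hostnames are placeholders.
"""
import socket
import sys
from typing import Callable, Dict, List, Tuple

# "SBA (ASM side) <-> Central Site Pool(s)" rules from the post (TCP only).
SBA_TO_POOL_TCP = [
    "TCP/5061", "TCP/444", "TCP/445", "TCP/448",
    "TCP/5062-5065", "TCP/5072-5073", "TCP/5076", "TCP/5080",
]


def parse_port_spec(spec: str) -> Tuple[str, int, int]:
    """Parse 'TCP/444' -> ('TCP', 444, 444), 'TCP/5062-5065' -> ('TCP', 5062, 5065)."""
    proto, _, ports = spec.partition("/")
    proto = proto.strip().upper()
    if proto not in ("TCP", "UDP"):
        raise ValueError(f"unsupported protocol in {spec!r}")
    lo, _, hi = ports.strip().partition("-")
    start, end = int(lo), int(hi or lo)
    if not 0 < start <= end <= 65535:
        raise ValueError(f"bad port range in {spec!r}")
    return proto, start, end


def expand_tcp_ports(specs: List[str]) -> List[int]:
    """Expand every TCP spec (ranges included) into individual port numbers."""
    ports: List[int] = []
    for spec in specs:
        proto, start, end = parse_port_spec(spec)
        if proto == "TCP":
            ports.extend(range(start, end + 1))
    return ports


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open', 'refused' (RST: firewall passes, no listener) or 'filtered' (no reply)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # includes socket.timeout / TimeoutError
        return "filtered"


def audit(host: str, specs: List[str],
          probe: Callable[[str, int], str] = tcp_probe) -> Dict[int, str]:
    """Probe each expanded TCP port on host; probe is injectable for testing."""
    return {port: probe(host, port) for port in expand_tcp_ports(specs)}


def blocked_ports(results: Dict[int, str]) -> List[int]:
    """Ports with no reply at all, i.e. the ones most likely dropped by a firewall."""
    return sorted(port for port, state in results.items() if state == "filtered")


if __name__ == "__main__":
    # Placeholder pool FQDN; pass the real one as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "pool01.contoso.example"
    results = audit(target, SBA_TO_POOL_TCP)
    for port, state in sorted(results.items()):
        print(f"{target}:{port}\t{state}")
    if 444 in blocked_ports(results):
        print("TCP/444 is filtered: branch users will not register against the SBA")
```

Run it from the SBA (or a host on the SBA's ASM-side subnet) so the probe traverses the same firewall path the SBA uses; a "refused" on 444 means the packet reached the pool, which is a different problem from a "filtered" result.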


    Posted on by Randy Wintle in Lync, Microsoft, Networking, Unified Communications 8 Comments

    8 Responses to Deploying a Lync SBA? Watch out for port 444 (Updated with more ports)

    1. Pingback: Deploying a Lync SBA? Watch out for port 444 (Updated with more ports) « Microsoft UC Made Easy « JC’s Blog-O-Gibberish

    2. Rui Maximo

      Great article Randy, and thank you for the feedback on port 444. I added it to the protocol poster a while ago. I just forgot to leave you a comment letting everyone know that the latest revision has this feedback incorporated.

      P.S. Looks like I forgot to add your name to my list of recognized reviewers who’ve provided substantial, valuable feedback on the poster. I’ll remedy this error on version 5.8 when it comes out. Sorry.

      thanks!

      • Randy Wintle

        Thanks Rui!

    3. Rui Maximo

      By the way, thanks for capturing the port info regarding SBA. I’ll be leveraging it to create that firewall poster I’m still working on!

    4. Luke

      Can this also be done if the Firewall uses NAT?

      Luke

      • Randy Wintle

        I have not tested with NAT. As long as the response makes it, you should be fine. The only way to know is to test 🙂

    5. Jeremy John

      Hi,

      Thank you very much for the article. We have a big environment and occasionally one or two of our branch sites report that they are unable to sign in to Lync. We checked the event logs of the SBA/SBS and we see many instances of Event ID 30989 and 30988. Basically, the SBA/SBS fails to deliver messages to https://lyncfrontend:444/LiveServer/Focus at certain times. We checked using telnet and port 444 is open. Do you have any suggestion as to how we should deal with this problem?
      Thank you very much.

    6. Dan Jaksic

      I have seen this also in my environment. While we use firewalls between Branch Sites and the central site, the firewall rules allow all traffic in both directions. However, we use a Load Balancer for Web Traffic and DNS Load Balancing for SIP traffic, and in my case the web request is going to https://WHQLYNCPOOL.aam.com:444/LiveServer/Focus. The problem I see with this is that this FQDN is associated with the SIP DNS Load Balancing and is not the Web Load Balancing FQDN that points to the Virtual IP of the Load Balancer. This is a no-no, as all Web Traffic must go through a Load Balancer when there is an Enterprise Pool of multiple FE servers, from what I understand. I still don’t have a solution or answer for this, as it may be a mis-configuration in my topology or a Microsoft bug. Won’t know until I check with Microsoft.
