What Ports do I need to open on my Firewall?

The first question often asked when exposing OCS functionality to the Internet is “what ports do I need to open on my firewall?”.

The answer depends on which Edge functionality (and the associated Edge role) is being exposed to the Internet. Below is a concise recap of the default ports that must be opened to expose specific OCS functionality to external users on the Internet.

Edge Role                | Functionality                                  | External F/W Port         | Internal F/W Port | Protocol
Reverse Proxy            | Address Book, File Download, etc.              | 443                       | 443               | HTTP(S)
Access                   | Remote IM and Presence, Federation, Public IM  | 443, 5061                 | 5061              | SIP/MTLS
Web Conferencing         | External Web Conf Participation                | 443                       | 8057              | PSOM/MTLS
Audio/Video Conferencing | External A/V Conf Participation                | 443, 3478, 50,000-59,999  | 443, 5062, 3478   | PSOM/TLS/STUN/TCP/UDP

Step 2.3 in the Office Communications Server 2007 Edge Server Deployment Guide has more details.

If you are deploying the Communicator Web Access 2007 R2 role and want remote Desktop Sharing, ports 49152 through 65535 must also be open (http://blog.insideocs.com/2009/11/10/communicator-web-access-top-10/).

This Microsoft TechNet article provides a handy summary of the ports and protocols used by OCS 2007 R2 and its clients.
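The table and the CWA note above are easy to get wrong by hand, so here is an added example (mine, not from this post or from Microsoft) that encodes the default port list as data and audits one side of a firewall against the roles actually deployed, reporting both the ports still missing and any ports left open that no role needs. The role keys, the audit's input format, and the assumption that the CWA desktop-sharing range applies to the external firewall are mine.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple
# Port specs copied from the table, in the post's own notation ("50,000-59,999").
# Role keys are names chosen for this example. The CWA desktop-sharing entry is
# assumed to belong on the external firewall; the post does not say which side.
EDGE_PORTS: Dict[str, Dict[str, str]] = {
    "reverse-proxy": {"external": "443", "internal": "443"},
    "access": {"external": "443, 5061", "internal": "5061"},
    "web-conf": {"external": "443", "internal": "8057"},
    "av-conf": {"external": "443, 3478, 50,000-59,999", "internal": "443, 5062, 3478"},
    "cwa-desktop-sharing": {"external": "49152-65535", "internal": ""},
}

# A number with thousands separators, or a plain number; the lookahead stops
# "443,5061" from being read as 443,506 followed by a stray 1.
_NUM = r"(?:\d{1,3}(?:,\d{3})+(?!\d)|\d+)"
_ITEM = re.compile(rf"({_NUM})(?:\s*-\s*({_NUM}))?")
def parse_ports(spec: str) -> Set[int]:
    """Expand '443, 3478, 50,000-59,999' into the full set of port numbers."""
    ports: Set[int] = set()
    for lo, hi in _ITEM.findall(spec):
        start = int(lo.replace(",", ""))
        end = int(hi.replace(",", "")) if hi else start
        if not 0 < start <= end <= 65535:
            raise ValueError(f"bad port spec {lo}-{hi or lo}")
        ports.update(range(start, end + 1))
    return ports

def required_ports(roles: Iterable[str], side: str) -> Set[int]:
    """Union of the default ports the chosen Edge roles need on one firewall side."""
    ports: Set[int] = set()
    for role in roles:
        ports |= parse_ports(EDGE_PORTS[role][side])
    return ports

def audit(roles: Iterable[str], side: str, open_ports: Set[int]) -> Tuple[Set[int], Set[int]]:
    """Return (missing, extra): ports still to open, and open ports that no role needs."""
    needed = required_ports(roles, side)
    return needed - open_ports, open_ports - needed

def fmt_ranges(ports: Set[int]) -> str:
    """Collapse a port set back into '443, 50000-59999' form for a report."""
    runs: List[List[int]] = []
    for p in sorted(ports):
        if runs and p == runs[-1][1] + 1:
            runs[-1][1] = p
        else:
            runs.append([p, p])
    return ", ".join(str(a) if a == b else f"{a}-{b}" for a, b in runs)
```

Running `audit(["access", "av-conf"], "external", {443, 5061, 3478, 8057})` reports the 50,000-59,999 media range as missing and 8057 as open without any deployed role needing it.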


12 comments to What Ports do I need to open on my Firewall?

  • Hi Vikram, my apologies – your comment was caught in my SPAM filter…

    No, it is not supported to use the Windows firewall for an OCS edge server.

    Curtis

  • Vikram Singh

    Can we use Windows Firewall (OS 2003) on an OCS edge server?

  • Thanks for the reminder; I meant to post the results of looking into that.

    After a long drawn-out investigation :-) , the problem turned out to be anti-virus software – specifically the Kaspersky Anti-Virus suite. The “Web Protection” feature was blocking the desktop sharing, but surprisingly no other OCS features. Adding “Communicator.exe” to the “Trusted Applications” in Kaspersky anti-virus fixed the issue. Also, surprisingly, just disabling Kaspersky did not seem to work (I don’t understand why).

  • Emu

    I have the same problem as Thomas_K. Desktop Sharing within OC does not work for an authenticated internal user from his home office. Audio is working…
    Any results from the Thomas_K’s environment?

  • Curtis Johnstone

    Hi Thomas,
    I’ll try to help (pro bono) – which involves many questions about your environment, etc., so I’ll start a dialog with you over email. Any interesting results can be posted back here.

    Also, you can take a look at the Microsoft “Office Communications Server and Client Troubleshooting and Support” page (http://technet.microsoft.com/en-us/office/ocs/dd450353.aspx) which includes contact information for Microsoft if you have ruled out basic configuration and environmental factors.

  • Thomas_K

    The user is an internal user connected via the Internet to the Edge Server. How should we proceed to get rid of the problem, any tips? (Or maybe we can hire you as a consultant on a per-hour basis?)

    Thanks in advance,
    Thomas

  • Thomas_K

    It’s strange: on the remote client the Remote Desktop connection tries to establish and then just closes, without an error message. On the corporate side, it just says that the connection cannot be established. And one strange event log error message on the corporate client side:

    A SIP request made by Communicator failed in an unexpected manner (status code 80ef01e0). More information is contained in the following technical data:

    RequestUri: sip:xy@domain.xy
    From: sip:abc@domain.xy;tag=b4e60882bb
    To: sip:xy@domain.xy;tag=EF737F2074A2BC01A3E8CD2711672E73
    Call-ID: a9d04e41440b4b7fab17e63113929f98
    Content-type: application/sdp;call-type=im

    v=0
    o=- 0 0 IN IP4 192.168.1.1
    s=session
    c=IN IP4 192.168.1.1
    t=0 0
    m=message 5060 sip null
    a=accept-types:text/plain multipart/alternative image/gif text/rtf text/html application/x-ms-ink application/ms-imdn+xml text/x-msmsgsinvite

    Response Data:

    480 Temporarily Unavailable
    ms-diagnostics: 2;reason=”See response code and reason phrase”;source=”SERVER01.domain.local”;AppUri=”http://www.microsoft.com/LCS/DefaultRouting”

  • Curtis Johnstone

    Desktop Sharing uses the same communication path as the Edge A/V functionality (it uses the Remote Desktop Protocol (RDP) over SRTP), so if this is working there should be no additional ports to open for Desktop Sharing using Communicator. Also, if an external A/V session is working with the same external client, that eliminates a lot of potential firewall and certificate issues.

    Is the client (external) an authenticated internal user running externally (e.g. not a PIC recipient)? What error are they getting when they attempt to establish a desktop sharing session?

  • Thomas_K

    Hi,

    do you know which ports are required for Desktop sharing via Communicator?
    We have a client, which is able to do Video/Audio from the internet via edge to internal clients but no Desktop sharing?

    Thanks in advance

  • Curtis Johnstone

    No, unfortunately I have never worked with Checkpoint NGX.

  • Andrew_S

    Hi

    Looking at the firewall requirements, have you any experience of implementing this on Checkpoint NGX?
