This page lists the ports and protocols used by the GTm. It is intended for customers who have Network Access Control (NAC) enabled, which analyzes traffic from the unit for security purposes.

Common

Outbound

| Port | Host | Protocol | Notes |
|---|---|---|---|
| 53 | DNS server as defined in the network configuration | TCP/UDP (DNS) | Used to resolve domain names or find services (for example, in autodiscovery on older configurations using SRV or A records) |
| 67 | Broadcast; DHCP server | UDP (DHCP) | Requests to DHCP server |
| 443 | gtm.starleaf.com | TCP (HTTPS) | Check for upgrades, synchronize time. If you are using the Maestro management platform, use the details in the row below |
| 443 | `*.maestro.starleaf.com`; Local Maestro server | TCP (HTTPS) | Management server connection (either Cloud or on-premise). The `*` currently denotes either config or fw. If you are using a proxy, the whitelist should be `*.maestro.starleaf.com`, and maestro.starleaf.com if the first rule doesn’t cover this |
| 5355 | Windows machines | TCP/UDP (LLMNR) | Used to resolve names on the local network |

All source ports are ephemeral, that is, 1024-65535, unless otherwise specified.
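An added example (not StarLeaf's code) that audits flow records from a GTm against the Common outbound table and shows the proxy caveat: under strict wildcard matching, `*.maestro.starleaf.com` does not cover maestro.starleaf.com. The flow-record fields, the site addresses and the strict matching rule are assumptions made for the example.

```python
EPHEMERAL = range(1024, 65536)  # page: source ports are ephemeral unless specified

def host_allowed(host, patterns):
    """Strict allowlist match: '*.x' needs at least one label before '.x'."""
    host = host.lower().rstrip(".")
    for pat in patterns:
        if pat == "*" or host == pat:
            return True
        if pat.startswith("*.") and host.endswith(pat[1:]) and len(host) > len(pat) - 1:
            return True
    return False

def common_outbound(dns, dhcp, maestro):
    """Common outbound rows: (dst port, protocols, hosts, source ports)."""
    return [
        (53, {"tcp", "udp"}, dns, EPHEMERAL),
        # DHCP clients send from UDP 68 (standard DHCP; see the inbound row).
        (67, {"udp"}, dhcp + ["255.255.255.255"], range(68, 69)),
        (443, {"tcp"}, ["gtm.starleaf.com"], EPHEMERAL),
        (443, {"tcp"}, maestro, EPHEMERAL),
        (5355, {"tcp", "udp"}, ["*"], EPHEMERAL),  # LLMNR to local machines
    ]

def audit(flows, rules):
    """Return the flows that no rule covers."""
    return [
        f for f in flows
        if not any(
            f["dport"] == port and f["proto"] in protos
            and f["sport"] in sports and host_allowed(f["host"], hosts)
            for port, protos, hosts, sports in rules
        )
    ]

# Constructed sample flows; 10.0.0.x addresses are placeholders for site servers.
FLOWS = [
    {"host": "10.0.0.2", "dport": 53, "proto": "udp", "sport": 40000},
    {"host": "255.255.255.255", "dport": 67, "proto": "udp", "sport": 68},
    {"host": "gtm.starleaf.com", "dport": 443, "proto": "tcp", "sport": 51000},
    {"host": "config.maestro.starleaf.com", "dport": 443, "proto": "tcp", "sport": 51001},
    {"host": "maestro.starleaf.com", "dport": 443, "proto": "tcp", "sport": 51002},
    {"host": "gtm.starleaf.com", "dport": 80, "proto": "tcp", "sport": 51003},
]

def demo():
    """Unmatched hosts with the wildcard only, then with the bare name added."""
    wild = ["*.maestro.starleaf.com"]
    strict = common_outbound(["10.0.0.2"], ["10.0.0.1"], wild)
    both = common_outbound(["10.0.0.2"], ["10.0.0.1"], wild + ["maestro.starleaf.com"])
    return ([f["host"] for f in audit(FLOWS, strict)],
            [f["host"] for f in audit(FLOWS, both)])
```

With only the wildcard entry, the connection to maestro.starleaf.com is reported alongside the port 80 flow; adding the bare hostname leaves only the port 80 flow.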

Inbound

| Port | Host | Protocol | Notes |
|---|---|---|---|
| 68 | DHCP server | UDP (DHCP) | Responses from DHCP server |
| 80 | Any | TCP (HTTP) | Endpoint control API |
| 443 | Any | TCP (HTTPS) | Web UI |

All source ports are ephemeral, that is, 1024-65535, unless otherwise specified.

On-premise Skype for Business 2015 or Lync 2013

Outbound

| Port | Host | Protocol | Notes |
|---|---|---|---|
| 80 | lyncdiscover.domain; lyncdiscoverinternal.domain; autodiscover.domain | TCP (HTTP) | Used in Lync and EWS autodiscovery |
| 88 | AD server | TCP/UDP | Kerberos authentication |
| 443 | Local webticket; ADFS wsfed servers | TCP (HTTPS) | Various authentication modes need external servers (also EWS server) |
| 3478 | Edge server | UDP (STUN/MSTURN) | Used for external user access to A/V sessions and media (UDP) |
| 5061 | Front End server | TCP (MTLS) | Used for client-to-server SIP traffic for external user access |
| 1024-65535 | Front end server; Other client | UDP | Audio, and video (minimum of 40 ports required) |
| 1024-65535 | Front end server; Other client | TCP | Audio, video, and application sharing |
| 1024-65535 | Front end server; Other client | TCP (PSOM) | Peer-to-peer file transfer (for conferencing file transfer, clients use PSOM) |

All source ports are ephemeral, that is, 1024-65535, unless otherwise specified.

GTm on external network

If the GTm is not located on the same local network as the Skype for Business deployment, that is, if it has to connect using the Edge server, the following ports and protocols also apply.

| Port | Host | Protocol | Notes |
|---|---|---|---|
| 443 | Edge server | TCP (TLS) | Used for client-to-server SIP traffic for external user access |
| 443 | Edge server | TCP (PSOM/TLS) | Used for external user access to web conferencing sessions |
| 443 | Edge server | TCP (STUN/MSTURN) | Used for external user access to A/V sessions and media (TCP) |
| 3478 | Edge server | TCP (STUN/MSTURN) | Used for external user access to A/V sessions and media (UDP) |
| 1024-65535 | Other client | UDP | Audio, and video |
| 1024-65535 | Other client | TCP | Audio, video, and application sharing |
| 50,000-59,999 | Edge server | UDP | Audio, and video |
| 50,000-59,999 | Edge server | TCP | Audio, video, and application sharing |

All source ports are ephemeral, that is, 1024-65535, unless otherwise specified.

Skype for Business Online

Outbound

| Port | Host | Protocol | Notes |
|---|---|---|---|
| 443 | Skype for Business Online servers‡ | TCP (HTTPS) | Webticket, wsfed authentication |
| 443 | Skype for Business Online servers‡ | TCP (TLS) | SIP signaling |
| 443 | Skype for Business Online servers‡ | TCP (PSOM/TLS) | PSOM connections web conferencing |
| 443 | Skype for Business Online servers‡ | TCP | Audio, video, and application sharing (source port depends on configuration) |
| 3478-3481 | Skype for Business Online servers‡ | UDP | Audio, video, and application sharing (source port depends on configuration) |
| 50,000-59,999 | Skype for Business Online servers‡; Other client | TCP/UDP | Audio (source port 50,000-50,019) |
| 50,000-59,999 | Skype for Business Online servers‡; Other client | TCP/UDP | Video (source port 50,020-50,039) |
| 50,000-59,999 | Skype for Business Online servers‡; Other client | TCP | Application sharing (source port 50,040-50,059) |

All source ports are ephemeral, that is, 1024-65535, unless otherwise specified.

‡The full range of Skype for Business Online IP addresses is available here https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US&fromAR=1#BKMK_LYO

Inbound

| Port | Host | Protocol | Notes |
|---|---|---|---|
| 50,000-50,019 | Skype for Business Online servers‡; Other client | TCP/UDP | Audio (source port 50,000-59,999) |
| 50,020-50,039 | Skype for Business Online servers‡; Other client | TCP/UDP | Audio (source port 50,000-59,999) |
| 50,040-50,059 | Skype for Business Online servers‡; Other client | TCP | Application sharing (source port 50,000-59,999) |

All source ports are ephemeral, i.e. 1024-65535, unless otherwise specified.

‡The full range of Skype for Business Online IP addresses is available here https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US&fromAR=1#BKMK_LYO