This list of the ports and protocols used by the GTm is meant for customers who have Network Access Control (NAC) enabled, which analyzes traffic from the unit for security purposes.

Common

Outbound

| Port | Host | Protocol | Notes |
|---|---|---|---|
| 53 | DNS server as defined in the network configuration | TCP/UDP (DNS) | Used to resolve domain names or find services (for example, in autodiscovery on older configurations using SRV or A records) |
| 67 | Broadcast; DHCP server | UDP (DHCP) | Requests to DHCP server |
| 443 | gtm.starleaf.com | TCP (HTTPS) | Check for upgrades, synchronize time. If you are using the Maestro management platform, use the details in the row below |
| 443 | *.maestro.starleaf.com; Local Maestro server | TCP (HTTPS) | Management server connection (either Cloud or on-premise) |
| 5355 | Windows machines | TCP/UDP (LLMNR) | Used to resolve names on the local network |

\* currently denotes either config or fw. If you are using a proxy, the whitelist should be *.maestro.starleaf.com, and maestro.starleaf.com if the first rule doesn’t cover this

All source ports are ephemeral, that is, 1024-65535, unless otherwise specified.
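
A check of proxy allow-list coverage for the TCP 443 rows above, as an added example that is not StarLeaf's code. The flow records, function names and the `wildcard_covers_apex` switch are constructed assumptions; whether a wildcard rule also covers the bare maestro.starleaf.com depends on the proxy in use.

```python
# Added example: hostnames in SAMPLE_FLOWS and all function names are constructed.
ALLOWED_443 = ["gtm.starleaf.com", "*.maestro.starleaf.com"]  # from the table above


def host_matches(pattern, host, wildcard_covers_apex=False):
    """Match a proxy-style pattern. A leading '*.' requires at least one extra
    label unless the proxy is known to treat the wildcard as covering the apex."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if not pattern.startswith("*."):
        return host == pattern
    apex = pattern[2:]
    if host == apex:
        return wildcard_covers_apex
    # Anchor on the dot so look-alike suffixes and prefixes do not match.
    return host.endswith("." + apex)


def audit(flows, patterns, wildcard_covers_apex=False):
    """Return the destination hosts of outbound TCP/443 flows no pattern permits."""
    denied = []
    for host, port, proto in flows:
        if (port, proto) != (443, "tcp"):
            continue  # the other rows are defined by role (DNS, DHCP), not by name
        if not any(host_matches(p, host, wildcard_covers_apex) for p in patterns):
            denied.append(host)
    return denied


# Constructed flow records: (destination host, destination port, protocol)
SAMPLE_FLOWS = [
    ("gtm.starleaf.com", 443, "tcp"),
    ("config.maestro.starleaf.com", 443, "tcp"),
    ("fw.maestro.starleaf.com", 443, "tcp"),
    ("maestro.starleaf.com", 443, "tcp"),              # apex: not covered by '*.'
    ("maestro.starleaf.com.example.net", 443, "tcp"),  # unrelated domain, must be denied
    ("192.0.2.53", 53, "udp"),
]

if __name__ == "__main__":
    print("wildcard only: ", audit(SAMPLE_FLOWS, ALLOWED_443))
    print("with apex rule:", audit(SAMPLE_FLOWS, ALLOWED_443 + ["maestro.starleaf.com"]))
```
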

Inbound

| Port | Host | Protocol | Notes |
|---|---|---|---|
| 68 | DHCP server | UDP (DHCP) | Responses from DHCP server |
| 80 | Any | TCP (HTTP) | Endpoint control API |
| 443 | Any | TCP (HTTPS) | Web UI |

All source ports are ephemeral, that is, 1024-65535, unless otherwise specified.

On-premise Skype for Business 2015 or Lync 2013

Outbound

| Port | Host | Protocol | Notes |
|---|---|---|---|
| 80 | lyncdiscover.domain; lyncdiscoverinternal.domain; autodiscover.domain | TCP (HTTP) | Used in Lync and EWS autodiscovery |
| 88 | AD server | TCP/UDP | Kerberos authentication |
| 443 | Local webticket; ADFS wsfed servers | TCP (HTTPS) | Various authentication modes need external servers (also EWS server) |
| 3478 | Edge server | UDP (STUN/MSTURN) | Used for external user access to A/V sessions and media (UDP) |
| 5061 | Front End server | TCP (MTLS) | Used for client-to-server SIP traffic for external user access |
| 1024-65535 | Front end server; Other client | UDP | Audio and video (minimum of 40 ports required) |
| 1024-65535 | Front end server; Other client | TCP | Audio, video, and application sharing |
| 1024-65535 | Front end server; Other client | TCP (PSOM) | Peer-to-peer file transfer (for conferencing file transfer, clients use PSOM) |

All source ports are ephemeral, that is, 1024-65535, unless otherwise specified.

GTm on external network

If the GTm is not located on the same local network as the Skype for Business deployment, that is, if it has to connect using the Edge server, the following ports and protocols also apply.

| Port | Host | Protocol | Notes |
|---|---|---|---|
| 443 | Edge server | TCP (TLS) | Used for client-to-server SIP traffic for external user access |
| 443 | Edge server | TCP (PSOM/TLS) | Used for external user access to web conferencing sessions |
| 443 | Edge server | TCP (STUN/MSTURN) | Used for external user access to A/V sessions and media (TCP) |
| 3478 | Edge server | TCP (STUN/MSTURN) | Used for external user access to A/V sessions and media (UDP) |
| 1024-65535 | Other client | UDP | Audio and video |
| 1024-65535 | Other client | TCP | Audio, video, and application sharing |
| 50,000-59,999 | Edge server | UDP | Audio and video |
| 50,000-59,999 | Edge server | TCP | Audio, video, and application sharing |

All source ports are ephemeral, that is, 1024-65535, unless otherwise specified.

Skype for Business Online

Outbound

| Port | Host | Protocol | Notes |
|---|---|---|---|
| 443 | Skype for Business Online servers † | TCP (HTTPS) | Webticket, wsfed authentication |
| 443 | Skype for Business Online servers † | TCP (TLS) | SIP signaling |
| 443 | Skype for Business Online servers † | TCP (PSOM/TLS) | PSOM connections web conferencing |
| 443 | Skype for Business Online servers † | TCP | Audio, video, and application sharing (source port depends on configuration) |
| 3478-3481 | Skype for Business Online servers † | UDP | Audio, video, and application sharing (source port depends on configuration) |
| 50,000-59,999 | Skype for Business Online servers †; Other client | TCP/UDP | Audio (source port 50,000-50,019) |
| 50,000-59,999 | Skype for Business Online servers †; Other client | TCP/UDP | Video (source port 50,020-50,039) |
| 50,000-59,999 | Skype for Business Online servers †; Other client | TCP | Application sharing (source port 50,040-50,059) |

All source ports are ephemeral, that is, 1024-65535, unless otherwise specified.

† The full range of Skype for Business Online IP addresses is available here https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US&fromAR=1#BKMK_LYO

Inbound

| Port | Host | Protocol | Notes |
|---|---|---|---|
| 50,000-50,019 | Skype for Business Online servers ‡; Other client | TCP/UDP | Audio (source port 50,000-59,999) |
| 50,020-50,039 | Skype for Business Online servers ‡; Other client | TCP/UDP | Audio (source port 50,000-59,999) |
| 50,040-50,059 | Skype for Business Online servers ‡; Other client | TCP | Application sharing (source port 50,000-59,999) |

All source ports are ephemeral, that is, 1024-65535, unless otherwise specified.

‡The full range of Skype for Business Online IP addresses is available here https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US&fromAR=1#BKMK_LYO