Firewall configuration for Skype for Business/Lync
Managing Firewall and bandwidth
Last updated March 6, 2020
Skype for Business 2015 Server
Note that there is additional information about Skype for Business 2015 Server in How to use StarLeaf with Skype for Business Server.
For each StarLeaf domain you wish to call, ensure your firewall allows traffic to/from the organization’s <organization name>.call.sl domain in the following tables. This assumes you have a deployment where the ports 50,000 – 59,999 are used for media. If your firewall requires you to use IP addresses rather than DNS names, contact StarLeaf Support for the IP addresses. These port requirements are for connections, not for packet data.
Inbound port requirements
Type | StarLeaf side (source) | Edge server (destination) | Reason |
---|---|---|---|
TCP | Ephemeral (1024-65535) | 5061 | Call signaling |
Outbound port requirements
Type | Edge server (source) | StarLeaf side (destination) | Reason |
---|---|---|---|
TCP | Ephemeral (1024-65535) | 5061 | Call signaling |
UDP* | 50000-59999 | 50000-59999 | Audio/video media |
TCP | 50000-59999 | 50000-59999 | Audio/video and screen-share media |
*Recommended for best user experience, but not strictly necessary.
Microsoft Lync Server
Note that there is additional information about Microsoft Lync Server in How to use StarLeaf with Microsoft Lync Server.
For each StarLeaf domain you wish to call, ensure your firewall allows traffic to/from the organization’s <organization name>.call.sl domain in the following tables. This assumes you have a deployment where the ports 50,000 – 59,999 are used for media. If your firewall requires you to use IP addresses rather than DNS names, contact StarLeaf Support for the IP addresses. These port requirements are for connections, not for packet data.
Inbound port requirements
Type | StarLeaf side (source) | Edge server (destination) | Reason |
---|---|---|---|
TCP | Ephemeral (1024-65535) | 5061 | Call signaling |
Outbound port requirements
Type | Edge server (source) | StarLeaf side (destination) | Reason |
---|---|---|---|
TCP | Ephemeral (1024-65535) | 5061 | Call signaling |
UDP* | 50000-59999 | 50000-59999 | Audio/video media |
TCP | 50000-59999 | 50000-59999 | Audio/video and screen-share media |
*Recommended for best user experience, but not strictly necessary.
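The Skype for Business 2015 Server and Lync Server tables above list the same Edge server flows, so one audit serves both. The following is an added example, not StarLeaf or Microsoft code: it checks an allow-list against those flows and reports flows that are still blocked and rules wider than the tables call for. The rule format, the names `Flow`, `covered` and `audit`, and the sample ruleset are assumptions; it compares ports only, so scoping rules to the `<organization name>.call.sl` addresses is a separate check.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:                      # also used to describe a firewall allow rule
    direction: str               # "in": StarLeaf -> Edge, "out": Edge -> StarLeaf
    proto: str                   # "tcp" or "udp"
    sport: tuple                 # inclusive (low, high) source ports
    dport: tuple                 # inclusive (low, high) destination ports
    optional: bool = False

EPHEMERAL, SIGNALING, MEDIA = (1024, 65535), (5061, 5061), (50000, 59999)
# Transcribed from the inbound and outbound tables on this page.
PAGE_FLOWS = [
    Flow("in", "tcp", EPHEMERAL, SIGNALING),
    Flow("out", "tcp", EPHEMERAL, SIGNALING),
    Flow("out", "udp", MEDIA, MEDIA, optional=True),   # the starred UDP row
    Flow("out", "tcp", MEDIA, MEDIA),
]

def contains(outer, inner):
    return outer[0] <= inner[0] and inner[1] <= outer[1]

def covered(flow, rules):
    """True if the rules together allow every destination port of the flow."""
    spans = sorted(r.dport for r in rules
                   if (r.direction, r.proto) == (flow.direction, flow.proto)
                   and contains(r.sport, flow.sport))
    need = flow.dport[0]                 # lowest destination port not yet allowed
    for lo, hi in spans:
        if lo > need:
            break                        # gap: port `need` is not allowed
        need = max(need, hi + 1)
    return need > flow.dport[1]

def audit(rules):
    """Return (page flows not fully allowed, rules wider than any page flow)."""
    missing = [f for f in PAGE_FLOWS if not covered(f, rules)]
    excess = [r for r in rules if not any(
        (r.direction, r.proto) == (f.direction, f.proto)
        and contains(f.sport, r.sport) and contains(f.dport, r.dport)
        for f in PAGE_FLOWS)]
    return missing, excess

# Constructed sample: 5060 opened with 5061, TCP media split in two, no UDP media.
SAMPLE_RULES = [
    Flow("in", "tcp", EPHEMERAL, (5060, 5061)),
    Flow("out", "tcp", EPHEMERAL, SIGNALING),
    Flow("out", "tcp", MEDIA, (50000, 54999)),
    Flow("out", "tcp", MEDIA, (55000, 59999)),
]
```

For the sample ruleset, `audit(SAMPLE_RULES)` reports the optional UDP media flow as not allowed and flags the inbound rule that opens 5060 in addition to 5061.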
Microsoft Skype for Business Online
Note that there is additional information about Microsoft Skype for Business Online in How to use Microsoft Skype for Business Online.
Communication with StarLeaf
For each StarLeaf domain you wish to call, ensure your firewall allows traffic to/from the organization’s <organization name>.call.sl domain as listed in the following table. If your firewall requires you to use IP addresses rather than DNS names, contact StarLeaf Support for the IP addresses. The following requirements are for outbound connections. Your firewall should also allow packets to flow inbound on established and related connections.
Outbound port requirements
From 365 Client | To StarLeaf Cloud | Reason |
---|---|---|
UDP 50000-50059 | UDP 50000-59999 | Audio/video media |
TCP 50000-50059 | TCP 50000-59999 | Screen-share media |
This configuration allows media to flow directly to StarLeaf Cloud to provide the best experience for the end user. If this configuration isn’t applied, you need to follow step three carefully to allow media to flow via the 365 servers. If you opt to follow step three without also following the instructions in step two, be aware that the quality may not be as good.
Communication with 365 servers in the Cloud
Successful communication between your Skype for Business Online (Office 365) clients and the StarLeaf Cloud also relies on your firewall being correctly configured for communication between the clients and the 365 server in the cloud. This is extensively documented at:
Ensure that both UDP and TCP connectivity is allowed.