Skype for Business / Sonus Survivable Branch Appliance Firewall Rules

Deploying a Survivable Branch Appliance (SBA) into a Skype for Business topology takes some planning. Part of that planning is deciding which firewall ports are required so that the SBA can be deployed securely against attacks from both external and internal sources. Reading the documentation available online, I have yet to find a definitive and concise firewall rule table that addresses an SBA directly. Broken down into its components, however, an SBA contains:

  • Session Border Controller
  • Skype for Business Mediation Server (collocated)
  • Skype for Business Registrar Server (collocated)
  • Skype for Business CMS local replica (collocated)

With this in mind, I have collected all the ports required for an SBA deployment in a security-conscious network.

Note: these ports relate to the Sonus SBC 1000/2000 with the ASM SBA module installed. SBAs from other manufacturers may have different port requirements.

SBA FW Diagram

The conceptual diagram above lists all the ports and protocols required for an SBA to operate in a locked-down internal WAN. For a more descriptive breakdown of these ports, see the tables below.

Download the Visio Here: SBA FW Diagram

Administrator Computers and SBA

Source           | Source port | Destination | Destination port | Description
Administrator IP | TCP/Any     | ASM IP      | TCP/3389         | Remote Desktop to the ASM
Administrator IP | TCP/Any     | SBC Mgmt IP | TCP/443          | SBC web management (HTTPS)
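The two administrator rules above only hold if the ASM itself enforces the same scope, otherwise a misconfigured network firewall leaves RDP open to the whole branch. The following is an added example, not code from the original post or from Sonus: run on the ASM (Windows Server), it disables the stock Remote Desktop allow rules, which accept any remote address, and replaces them with one inbound rule scoped to the administrator network. The subnet 10.10.10.0/24 and the rule names are assumed placeholders.

```powershell
# Added example: restrict RDP on the ASM to the administrator network.
# 10.10.10.0/24 is an assumed placeholder; replace it with your admin range.
$AdminNetwork = '10.10.10.0/24'

# Unmatched inbound traffic must be dropped, otherwise scoping a rule means nothing.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# Disable the built-in "Remote Desktop" group (English display name); its allow
# rules have RemoteAddress = Any.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule

# A single scoped allow rule for TCP/3389. Display name and group are arbitrary labels.
New-NetFirewallRule -DisplayName 'SBA RDP from admin network' `
    -Group 'SBA hardening' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $AdminNetwork -Action Allow

# Verify: the only enabled inbound rule matching port 3389 should be the scoped one.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' } |
    Select-Object DisplayName, Direction, Action
```

Windows Firewall evaluates block rules ahead of allow rules, so the way to narrow RDP is to drop the broad allow rules and rely on the profile's default inbound action, not to add a competing block rule for 3389.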

ASM and SBC

Source | Source port | Destination | Destination port | Description
SBC IP | UDP/Any     | ASM IP      | UDP/111          | Portmapper for the file share between the ASM and Sonus SBC (updating)
SBC IP | TCP/Any     | ASM IP      | TCP/111          | Portmapper for the file share between the ASM and Sonus SBC (updating)
SBC IP | UDP/Any     | ASM IP      | UDP/1048         | NFS mount between the ASM and SBC (file share)
SBC IP | UDP/Any     | ASM IP      | UDP/2049         | NFS share between the ASM and SBC
SBC IP | UDP/Any     | ASM IP      | UDP/514          | Syslog used to send logs from the ASM to the SBC
SBC IP | TCP/Any     | ASM IP      | TCP/5067         | SIP requests from the SBC to the ASM
ASM IP | TCP/Any     | SBC IP      | TCP/5067         | SIP requests from the ASM to the SBC
SBC IP | UDP/Any     | ASM IP      | UDP/49152-57500  | Audio port range (Mediation Server side)
ASM IP | UDP/Any     | SBC IP      | UDP/16384-17584  | Audio port range (SBC side)

The portmapper and NFS rules carry no authentication of their own, so keep their source pinned to the SBC address as shown rather than opening them to the branch subnet.

SBC and PSTN (via SIP Provider)

These will be provided by your ITSP.

ASM and Domain Controllers

Source | Source port | Destination | Destination port | Description
ASM IP | TCP/Any     | DC IP       | TCP/88           | Kerberos authentication
ASM IP | UDP/Any     | DC IP       | UDP/123          | Time synchronisation (NTP)
ASM IP | TCP/Any     | DC IP       | TCP/135          | RPC Endpoint Mapper (client to domain)
ASM IP | TCP/Any     | DC IP       | TCP/53           | DNS resolution
ASM IP | UDP/Any     | DC IP       | UDP/53           | DNS resolution
ASM IP | TCP/Any     | DC IP       | TCP/389          | LDAP queries
ASM IP | UDP/Any     | DC IP       | UDP/389          | LDAP ping
ASM IP | TCP/Any     | DC IP       | TCP/445          | SMB (AD file replication service, SYSVOL)
ASM IP | TCP/Any     | DC IP       | TCP/3268         | Global Catalog
ASM IP | TCP/Any     | DC IP       | TCP/49152-65535  | RPC dynamic ports (allows certificate auto-enrolment against the DC)

ASM and Central Skype for Business Front End Server

Source             | Source port | Destination        | Destination port | Description
ASM IP             | TCP/Any     | Front End Servers  | TCP/444          | HTTPS communication between Skype for Business servers (conference state)
Front End Servers  | TCP/Any     | ASM IP             | TCP/444          | HTTPS communication between Skype for Business servers (conference state)
ASM IP             | TCP/Any     | Front End Servers  | TCP/5061         | Internal SIP communications
Front End Servers  | TCP/Any     | ASM IP             | TCP/5061         | Internal SIP communications
ASM IP             | TCP/Any     | Front End Servers  | TCP/448          | Call Admission Control
ASM IP             | TCP/Any     | Front End Servers  | TCP/5088         | Required by UCWA / mobile clients

ASM and CMS Master

Source | Source port | Destination | Destination port | Description
CMS IP | TCP/Any     | ASM IP      | TCP/445          | Status updates
CMS IP | TCP/Any     | ASM IP      | TCP/4443         | CMS replication
CMS IP | TCP/Any     | ASM IP      | TCP/444          | Internal communication between Skype for Business servers

ASM and Exchange Unified Messaging

Source         | Source port | Destination    | Destination port | Description
ASM IP         | TCP/Any     | Exchange UM IP | TCP/5061         | SIP signalling and communication
Exchange UM IP | TCP/Any     | ASM IP         | TCP/5061         | SIP signalling and communication
ASM IP         | TCP/Any     | Exchange UM IP | TCP/5075         | SIP signalling for presence and IM
Exchange UM IP | TCP/Any     | ASM IP         | TCP/5075         | SIP signalling for presence and IM
ASM IP         | UDP/Any     | Exchange UM IP | UDP/1024-65535   | Media port range
Exchange UM IP | UDP/Any     | ASM IP         | UDP/1024-65535   | Media port range

ASM and Central Skype for Business Edge Servers

Source           | Source port | Destination      | Destination port | Description
ASM IP           | TCP/Any     | Edge Internal IP | TCP/5062         | SIP connections for MRAS
Edge Internal IP | TCP/Any     | ASM IP           | TCP/5062         | SIP connections for MRAS
ASM IP           | TCP/Any     | Edge Internal IP | TCP/5061         | SIP TLS
Edge Internal IP | TCP/Any     | ASM IP           | TCP/5061         | SIP TLS

ASM and Monitoring Servers

Source | Source port | Destination | Destination port | Description
ASM IP | TCP/Any     | SCOM IP     | TCP/135          | RPC Endpoint Mapper
ASM IP | TCP/Any     | SCOM IP     | TCP/389          | LDAP
ASM IP | TCP/Any     | SCOM IP     | TCP/1801         | MSMQ, used by the Monitoring service
ASM IP | TCP/Any     | SCOM IP     | TCP/2101-2105    | MSMQ RPC, used by the Monitoring service

ASM and Branch Clients

Source                | Source port | Destination           | Destination port | Description
ASM IP                | TCP/Any     | All Branch Client IPs | TCP/5061         | SIP signalling
All Branch Client IPs | TCP/Any     | ASM IP                | TCP/5061         | SIP signalling
ASM IP                | UDP/Any     | All Branch Client IPs | UDP/49152-65535  | Audio and video media port range
All Branch Client IPs | UDP/Any     | ASM IP                | UDP/49152-65535  | Audio and video media port range

Branch Clients and Central Skype for Business Front End Pool

Source                | Source port | Destination       | Destination port | Description
All Branch Client IPs | TCP/Any     | Front End Servers | TCP/8057         | Conferencing
All Branch Client IPs | TCP/Any     | Front End Servers | TCP/8058         | Conferencing
All Branch Client IPs | TCP/Any     | Front End Servers | TCP/5061         | SIP signalling
All Branch Client IPs | TCP/Any     | Front End Servers | TCP/443          | Web services
All Branch Client IPs | TCP/Any     | Front End Servers | TCP/5071         | Response Group
All Branch Client IPs | TCP/Any     | Front End Servers | TCP/80           | Required for Lync Phone Edition
All Branch Client IPs | TCP/Any     | Front End Servers | TCP/49152-65535  | AV, conferencing and MCU port range
All Branch Client IPs | UDP/Any     | Front End Servers | UDP/49152-65535  | AV, conferencing and MCU port range

Branch Clients and Central Skype for Business Mediation Pool

Source                | Source port | Destination       | Destination port | Description
All Branch Client IPs | TCP/Any     | Mediation Servers | TCP/49152-65535  | Media port range
All Branch Client IPs | UDP/Any     | Mediation Servers | UDP/49152-65535  | Media port range

Branch Clients and Central Site Edge Pool

Source                | Source port | Destination             | Destination port | Description
All Branch Client IPs | TCP/Any     | Edge Server Internal IP | TCP/443          | A/V authentication
All Branch Client IPs | UDP/Any     | Edge Server Internal IP | UDP/3478         | STUN

Branch Clients and Central Site Exchange Unified Messaging

Source                | Source port | Destination    | Destination port | Description
All Branch Client IPs | UDP/Any     | Exchange UM IP | UDP/1024-65535   | UM media port range
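Once the rules from the tables above are in place on the WAN firewall, the quickest way to catch a missed rule is to test each TCP destination from the ASM itself. The script below is an added example, not code from the original post or from Sonus or Microsoft: it holds the ASM-sourced TCP rules from the domain controller, Front End, Edge and Exchange UM tables in one list and probes each with Test-NetConnection. The host names are assumed placeholders. The branch client tables can be checked the same way from a client PC by swapping in the client rule list. Test-NetConnection only exercises TCP, so the UDP rows (DNS, NTP, STUN, media ranges) still need a UDP-capable tool or a test call.

```powershell
# Added example: verify ASM-sourced TCP rules from the tables are open. Run on the ASM.
# All host names are assumed placeholders; replace them with your own.
$FrontEnd  = 'fe-pool.contoso.local'
$Dc        = 'dc01.contoso.local'
$EdgeInt   = 'edge-int.contoso.local'
$ExchUm    = 'exum01.contoso.local'

# One entry per TCP rule where the ASM is the source (fixed ports only;
# dynamic RPC and media ranges cannot be probed meaningfully this way).
$Rules = @(
    @{ Target = $Dc;       Port = 88;   Purpose = 'Kerberos' }
    @{ Target = $Dc;       Port = 53;   Purpose = 'DNS (TCP)' }
    @{ Target = $Dc;       Port = 135;  Purpose = 'RPC endpoint mapper' }
    @{ Target = $Dc;       Port = 389;  Purpose = 'LDAP' }
    @{ Target = $Dc;       Port = 445;  Purpose = 'SMB' }
    @{ Target = $Dc;       Port = 3268; Purpose = 'Global Catalog' }
    @{ Target = $FrontEnd; Port = 444;  Purpose = 'Inter-server HTTPS' }
    @{ Target = $FrontEnd; Port = 5061; Purpose = 'SIP/TLS' }
    @{ Target = $FrontEnd; Port = 448;  Purpose = 'Call Admission Control' }
    @{ Target = $FrontEnd; Port = 5088; Purpose = 'UCWA / mobile' }
    @{ Target = $EdgeInt;  Port = 5062; Purpose = 'MRAS' }
    @{ Target = $EdgeInt;  Port = 5061; Purpose = 'SIP/TLS' }
    @{ Target = $ExchUm;   Port = 5061; Purpose = 'Exchange UM SIP/TLS' }
)

function Test-SbaEgress {
    param([hashtable[]]$RuleSet)
    foreach ($r in $RuleSet) {
        # Suppress the per-failure warning; the result object carries the outcome.
        $t = Test-NetConnection -ComputerName $r.Target -Port $r.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Target  = $r.Target
            Port    = $r.Port
            Purpose = $r.Purpose
            Open    = $t.TcpTestSucceeded
        }
    }
}

$Results = Test-SbaEgress -RuleSet $Rules
$Results | Format-Table -AutoSize

$Failed = @($Results | Where-Object { -not $_.Open })
if ($Failed.Count -gt 0) {
    Write-Warning ("{0} required TCP port(s) are blocked from this ASM" -f $Failed.Count)
}
```

A port that reports open but is not in the tables is just as worth chasing as one that reports blocked, so it is worth running the same loop once against a few ports you expect to be denied (for example 3389 towards the Front End) to confirm the firewall is not wider than the tables.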
