https://live.paloaltonetworks.com/t5/general-topics/lync-2013-skype-2015-gt-how-to-setup-security-app-id-ports-for/m-p/70576#M40549 <P>Palo’s</P> <P>I have searched, read these forums and have gone through many manuals, suggestions from the Internet regarding Palo (2020 Series) configuration to secure Lync 2013 / Skype Business 2015: but still experiencing some issues with how to setup our Firewall for Federation access.</P> <P>From a company perspective, our Lync is working great, our external road warriors can use Lync via VPN or Publically with all functions.</P> <P>The issues come up where we have Federated (open or controlled either way) with external users / other companies. Seems there is a configuration issue somewhere on our Palo where:</P> <P>A Federated User:</P> <OL> <LI>Can see us (presence status) online</LI> <LI>Can send us an IM</LI> <LI>Can send us a file</LI> <LI>Can send us a meeting</LI> <LI>Can send us a whiteboard</LI> <LI>CANNOT Lync Call Us</LI> <LI>CANNOT Desktop Share to Us..</LI> </OL> <P>So, our Lync is setup as close to Microsoft guides as possible, using 3x public IP’s per service. It’s the 3<SUP>rd</SUP> IP (av.domain.com) service that needs ports (tcp/udp/rtp) 50,000-59,999, 3478, 5061 and 443/80.</P> <P>We even gone as far as using an “any” rule to test if its our Edge Server, but its not Edge… something we missed… Has anyone successfully deployed Lync 2013 / Skype Business 2015 using App-ID level? Can you share your settings just for Lync/Skype.</P> <P>&nbsp;</P> <P>Greatly appreciated</P> Fri, 08 Jan 2016 15:47:06 GMT SharedMedia 2016-01-08T15:47:06Z https://live.paloaltonetworks.com/t5/general-topics/lync-2013-skype-2015-gt-how-to-setup-security-app-id-ports-for/m-p/70576#M40549 <P>Palo’s</P> <P>I have searched, read these forums and have gone through many manuals, suggestions from the Internet regarding Palo (2020 Series) configuration to secure Lync 2013 / Skype Business 2015: but still experiencing some issues with how to setup our Firewall for Federation access.</P> <P>From a company perspective, our Lync is working great, our external road warriors can use Lync via VPN or Publically with all functions.</P> <P>The issues come up where we have Federated (open or controlled either way) with external users / other companies. Seems there is a configuration issue somewhere on our Palo where:</P> <P>A Federated User:</P> <OL> <LI>Can see us (presence status) online</LI> <LI>Can send us an IM</LI> <LI>Can send us a file</LI> <LI>Can send us a meeting</LI> <LI>Can send us a whiteboard</LI> <LI>CANNOT Lync Call Us</LI> <LI>CANNOT Desktop Share to Us..</LI> </OL> <P>So, our Lync is setup as close to Microsoft guides as possible, using 3x public IP’s per service. It’s the 3<SUP>rd</SUP> IP (av.domain.com) service that needs ports (tcp/udp/rtp) 50,000-59,999, 3478, 5061 and 443/80.</P> <P>We even gone as far as using an “any” rule to test if its our Edge Server, but its not Edge… something we missed… Has anyone successfully deployed Lync 2013 / Skype Business 2015 using App-ID level? Can you share your settings just for Lync/Skype.</P> <P>&nbsp;</P> <P>Greatly appreciated</P> Fri, 08 Jan 2016 15:47:06 GMT https://live.paloaltonetworks.com/t5/general-topics/lync-2013-skype-2015-gt-how-to-setup-security-app-id-ports-for/m-p/70576#M40549 SharedMedia 2016-01-08T15:47:06Z https://live.paloaltonetworks.com/t5/general-topics/lync-2013-skype-2015-gt-how-to-setup-security-app-id-ports-for/m-p/70650#M40568 <P>Hi,</P> <P>&nbsp;</P> <P>Could you post the MS guide/specifications and your topology&nbsp;for Lync 2013. A few questions:</P> <P>&nbsp;</P> <P>1. Are you doing any decryption on the traffic?</P> <P>2. STUN protocol is working properly?</P> <P>3. my-lync-video and my-lync-audio applications are allowed?</P> <P>4. Does the Lync Call and desktop sharing work if bypass PA?</P> <P>&nbsp;</P> <P>I would suggest to open a case with Technical Support&nbsp;to look into this.</P> <P>&nbsp;</P> <P>BR</P> Mon, 11 Jan 2016 02:08:55 GMT https://live.paloaltonetworks.com/t5/general-topics/lync-2013-skype-2015-gt-how-to-setup-security-app-id-ports-for/m-p/70650#M40568 abjain 2016-01-11T02:08:55Z https://live.paloaltonetworks.com/t5/general-topics/lync-2013-skype-2015-gt-how-to-setup-security-app-id-ports-for/m-p/70695#M40580 <P>Abjain,</P> <P>Configs in General... note we do not use DNS for natting, this was optional..</P> <P>Based on Microsoft Ports, we know the App-ID related to Lync, but... should we use ports or App-ID's?</P> <P>Keeping in mind the App-ID "sip" uses port 5060, and there is an OLD OCS app-ID for port 5061.</P> <P>&nbsp;</P> <P><IMG title="Lync2013" alt="Lync2013" src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/1987i71EE0BA4B3C28782/image-size/original?v=mpbl-1&amp;px=-1" border="0" /></P> <P>&nbsp;</P> <P>1. Are you doing any decryption on the traffic? NO</P> <P>2. STUN protocol is working properly? YES</P> <P>3. my-lync-video and my-lync-audio applications are allowed? YES</P> <P>4. Does the Lync Call and desktop sharing work if bypass PA? YES</P> Mon, 11 Jan 2016 18:48:17 GMT https://live.paloaltonetworks.com/t5/general-topics/lync-2013-skype-2015-gt-how-to-setup-security-app-id-ports-for/m-p/70695#M40580 SharedMedia 2016-01-11T18:48:17Z https://live.paloaltonetworks.com/t5/general-topics/lync-2013-skype-2015-gt-how-to-setup-security-app-id-ports-for/m-p/70727#M40585 <P>Hi,</P> <P>&nbsp;</P> <P>There are a lot of components involved, so I would suggest opening a case with TAC as per your time zone and have them take a look. If 'any' rule did not help, it has to be something else, like a ALG issue or something.</P> <P>&nbsp;</P> <P>BR</P> Tue, 12 Jan 2016 00:58:55 GMT https://live.paloaltonetworks.com/t5/general-topics/lync-2013-skype-2015-gt-how-to-setup-security-app-id-ports-for/m-p/70727#M40585 abjain 2016-01-12T00:58:55Z