Lync 2013 | Skype 2015 > How to setup Security (app-id / ports) for transparent AV/Sip/Web Services

L0 Member

Palo’s

I have searched, read these forums and have gone through many manuals and suggestions from the Internet regarding Palo (2020 Series) configuration to secure Lync 2013 / Skype for Business 2015, but I am still experiencing some issues with how to set up our firewall for Federation access.

From a company perspective, our Lync is working great; our external road warriors can use Lync via VPN or publicly with all functions.

The issues come up where we have federated (open or controlled, either way) with external users / other companies. It seems there is a configuration issue somewhere on our Palo where:

A Federated User:

  1. Can see us (presence status) online
  2. Can send us an IM
  3. Can send us a file
  4. Can send us a meeting
  5. Can send us a whiteboard
  6. CANNOT Lync Call Us
  7. CANNOT Desktop Share to Us

So, our Lync is set up as close to the Microsoft guides as possible, using 3 public IPs, one per service. It's the 3rd IP (av.domain.com) service that needs ports (tcp/udp/rtp) 50,000-59,999, 3478, 5061 and 443/80.

We have even gone as far as using an "any" rule to test if it's our Edge Server, but it's not Edge... something we missed... Has anyone successfully deployed Lync 2013 / Skype for Business 2015 using App-ID level? Can you share your settings just for Lync/Skype?

Greatly appreciated

3 REPLIES

L4 Transporter

Hi,

Could you post the MS guide/specifications and your topology for Lync 2013? A few questions:

1. Are you doing any decryption on the traffic?

2. Is the STUN protocol working properly?

3. Are the my-lync-video and my-lync-audio applications allowed?

4. Do the Lync Call and desktop sharing work if you bypass the PA?

I would suggest opening a case with Technical Support to look into this.

BR

Abjain,

Configs in general... note we do not use DNS for NATting; this was optional.

Based on the Microsoft ports, we know the App-IDs related to Lync, but... should we use ports or App-IDs?

Keeping in mind that the App-ID "sip" uses port 5060, and there is an OLD OCS App-ID for port 5061.

Lync2013

1. Are you doing any decryption on the traffic? NO

2. Is the STUN protocol working properly? YES

3. Are the my-lync-video and my-lync-audio applications allowed? YES

4. Do the Lync Call and desktop sharing work if you bypass the PA? YES
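The ports-versus-App-ID question above ultimately comes down to whether the rulebase, however it is expressed, covers every flow the Edge AV public IP needs. The following is an added example and is not code from the original thread or from Palo Alto Networks: a vendor-neutral Python check that takes a simplified rule list (first-match, top-down evaluation) and reports which required port ranges are not fully allowed, so the gap report can be compared against the firewall's real policy. The required port list is the one the original post gives for av.domain.com; the per-protocol split and the sample rules are constructed for illustration.

```python
from dataclasses import dataclass, field

# Flows the original post says the third (av.domain.com) public IP needs:
# TCP/UDP 50000-59999, 3478, 5061 and 443/80. The post does not split every
# port by protocol, so the per-protocol entries below are an assumption made
# for this example.
REQUIRED_FLOWS = [
    ("tcp", 50000, 59999),
    ("udp", 50000, 59999),
    ("udp", 3478, 3478),
    ("tcp", 5061, 5061),
    ("tcp", 443, 443),
    ("tcp", 80, 80),
]


@dataclass
class Rule:
    """A minimal, vendor-neutral view of one security policy rule."""
    name: str
    action: str                                 # "allow" or "deny"
    proto: str                                  # "tcp" or "udp"
    ports: list = field(default_factory=list)   # inclusive (low, high) tuples


def merge_ranges(ranges):
    """Sort and coalesce overlapping or adjacent (low, high) ranges."""
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def subtract(span, blocks):
    """Return the parts of `span` not covered by `blocks` (sorted, merged, disjoint)."""
    lo, hi = span
    remaining = []
    for b_lo, b_hi in blocks:
        if b_hi < lo or b_lo > hi:
            continue                     # block does not touch the span
        if b_lo > lo:
            remaining.append((lo, b_lo - 1))
        lo = max(lo, b_hi + 1)
        if lo > hi:
            break
    if lo <= hi:
        remaining.append((lo, hi))
    return remaining


def allowed_ranges(rules, proto):
    """Port ranges permitted for `proto`, honouring first-match evaluation.

    A deny rule placed above an allow rule shadows the overlapping ports, so an
    allow only contributes the ports that no earlier deny already matched.
    """
    denied, allowed = [], []
    for rule in rules:
        if rule.proto != proto:
            continue
        if rule.action == "deny":
            denied.extend(rule.ports)
        else:
            for span in rule.ports:
                allowed.extend(subtract(span, merge_ranges(denied)))
    return merge_ranges(allowed)


def find_gaps(rules, required=REQUIRED_FLOWS):
    """Return [(proto, low, high), ...] for each required range not fully allowed."""
    gaps = []
    for proto, lo, hi in required:
        for g_lo, g_hi in subtract((lo, hi), allowed_ranges(rules, proto)):
            gaps.append((proto, g_lo, g_hi))
    return gaps


# Constructed sample rulebase: everything is present except TCP 50000-59999,
# which is deliberately left out so the gap report has something to show.
SAMPLE_RULES = [
    Rule("block-legacy-sip", "deny", "tcp", [(5060, 5060)]),
    Rule("edge-av-signalling", "allow", "tcp", [(5061, 5061), (443, 443), (80, 80)]),
    Rule("edge-av-stun", "allow", "udp", [(3478, 3478)]),
    Rule("edge-av-media-udp", "allow", "udp", [(50000, 59999)]),
]

if __name__ == "__main__":
    for proto, lo, hi in find_gaps(SAMPLE_RULES):
        print(f"missing allow: {proto} {lo}-{hi}")
```

Replace `SAMPLE_RULES` with the allow/deny rows exported from the real rulebase for the AV public IP; each returned tuple is a protocol/port range that no rule permits, which is the first place to look when federated calls or desktop sharing fail while IM and presence work.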

Hi,

There are a lot of components involved, so I would suggest opening a case with TAC as per your time zone and having them take a look. If the 'any' rule did not help, it has to be something else, like an ALG issue or something.

BR
