Configs in General... note we do not use DNS for natting, this was optional.
Based on Microsoft Ports, we know the App-ID related to Lync, but... should we use ports or App-IDs?
Keeping in mind the App-ID "sip" uses port 5060, and there is an OLD OCS app-ID for port 5061.
1. Are you doing any decryption on the traffic? NO
2. STUN protocol is working properly? YES
3. my-lync-video and my-lync-audio applications are allowed? YES
4. Does the Lync Call and desktop sharing work if bypassing PA? YES
I have searched, read these forums and have gone through many manuals and suggestions from the Internet regarding Palo (2020 Series) configuration to secure Lync 2013 / Skype Business 2015, but I am still experiencing some issues with how to set up our Firewall for Federation access.
From a company perspective, our Lync is working great; our external road warriors can use Lync via VPN or publicly with all functions.
The issues come up where we have Federated (open or controlled either way) with external users / other companies. Seems there is a configuration issue somewhere on our Palo where:
A Federated User:
Can see us (presence status) online
Can send us an IM
Can send us a file
Can send us a meeting
Can send us a whiteboard
CANNOT Lync Call Us
CANNOT Desktop Share to Us.
So, our Lync is set up as close to Microsoft guides as possible, using 3x public IPs per service. It's the 3rd IP (av.domain.com) service that needs ports (tcp/udp/rtp) 50,000-59,999, 3478, 5061 and 443/80.
We have even gone as far as using an "any" rule to test if it's our Edge Server, but it's not Edge… something we missed… Has anyone successfully deployed Lync 2013 / Skype Business 2015 using App-ID level? Can you share your settings just for Lync/Skype?