How to fix port(s) for AV Call

  • Question

  • When Internal and External users (using Edge server, not VPN) connect using an A/V Call, the local OC client tries to connect directly to the external user's IP on many different ports, like: 61952, 20736, 3712, 11648, 16256, 6272,...

    On the ISA server I created a rule to allow Internal users to connect to External on All Outbound Traffic, and now this is working, but this is bad; I want to limit this rule to a few ports only.

    Where can I configure on which ports the Internal client calls the external client?

    Mario.

    Friday, March 30, 2007 8:00 AM

Answers

  • This can be configured using the "PortRange" registry keys: "HKLM\Software\Policies\Microsoft\Communicator\PortRange".

    Using the Enabled, MaxMediaPort and MinMediaPort values.  These can be configured manually, or as part of Group Policy using the communicator.adm.

    Settings are described in the communicator_2007_Group_Policy_Settings.xls in the public documentation.
    Friday, April 20, 2007 11:20 PM

All replies

  • Hi,

    You should only have to open port 443 (probably opened already) and port 5061. Have you gone through the OCS Edge Server Deployment guide? There is a section in it called Step 2.2 Configure Firewalls, starting on page 22, that goes over the ports needed.

    I hope this helps.

    Tuesday, April 10, 2007 5:58 AM
  • Hi,

    When I have opened only the ports which are in Figure 5, in Step 2 Set up Infrastructure for Edge Servers, page 19 (23),

    I have a situation where, when one user from inside and one from outside the company want to "Start Call" or "Start Video Call", they get these messages:

    1. Message for answering the call

    2. After the user clicks on "Accept Call", they get the message "Connecting call" for a few seconds,

    3. The call ends and after that the window for the audio/video call is closed.

    In this situation I monitored this connection for the internal user on ISA 2004, and I see dropped connections on different ports directly to the IP address of the External user.
    The internal OCS client tries to connect directly to the External user on different ports.

    When I open all outbound connections for internal users, internal and external users can connect with an Audio or Video call.

    Mario.

     

    Friday, April 13, 2007 9:21 AM
  • Hi,

    Yes, the resolution is in the Group Policy settings.

    Thank You Thom!

    Mario.

    Monday, April 23, 2007 12:47 PM
  • See the following table from the OCS Edge Deployment documentation.  It covers the ports used by the A/V Conferencing Edge Server for audio/video communications between an internal and an external client.  Note that you can reduce the range of ports that is opened but cannot change the starting port of that range.  See "Step 2.2" in the documentation for more information.

     

    Table 10 Firewall Settings for the A/V Edge Server

    | Firewall | Policy Rules | Figure Mapping |
    |---|---|---|
    | Internal | Local Port: 443 TCP (STUN/TCP); Direction: Outbound (for internal users to send media to external users); Remote Port: Any; Local IP: The internal IP address of the A/V Edge Server; Remote IP: Any IP address | 12 |
    | Internal | Local Port: 5062 TCP (SIP/MTLS); Direction: Outbound (for authentication of A/V users); Remote Port: Any; Local IP: The internal IP address of the A/V Edge Server; Remote IP: Any IP address | 13 |
    | Internal | Local Port: 3478 UDP (STUN/UDP); Direction: Outbound (for internal users to send media to external users); Remote Port: Any; Local IP: The internal IP address of the A/V Edge Server; Remote IP: Any IP address. Note: If you are using ISA Server as your firewall, you must configure the rule for send/receive. | 14 |
    | External | Local Port: 443 TCP (STUN/TCP); Direction: Inbound (for external users access to media and A/V sessions); Remote Port: Any; Local IP: The external IP address of the A/V Edge Server; Remote IP: Any IP address | 8 |
    | External | Local Port Range: 50,000-52,999 TCP (RTP/TCP); Direction: Inbound/Outbound (for media transfer); Remote Port: Any; Local IP: The external IP address of the A/V Edge Server (this IP address must be a publicly routable IP address); Remote IP: Any IP address | 9 |
    | External | Local Port: 3478 UDP (STUN/UDP); Direction: Inbound (for external users connecting to media or A/V sessions); Remote Port: Any; Local IP: The external IP address of the A/V Edge Server; Remote IP: Any IP address. Note: If you are using ISA Server as your firewall, you must configure the rule for send/receive. | 10 |
    | External | Local Port Range: 50,000-52,999 UDP (RTP/UDP); Direction: Inbound/Outbound (for media transfer); Remote Port: Any; Local IP: The external IP address of the A/V Edge Server (this IP address must be a publicly routable IP address); Remote IP: Any IP address | 11 |

    Friday, May 4, 2007 11:23 PM
  • Good Morning

    I have the same problem.

    I can't find the PortRange registry key. I have installed the ADM for Communicator but I can't find the policy for the port range.

    Can you help me?

    Many thanks.

    Luca

    Tuesday, May 15, 2007 2:29 PM
  • Hi Luca,

     

    If you import the communicator.adm file into your Group Policy, then you must expand Computer Configuration, Administrative Templates, Microsoft Office Communicator Feature Policies, and inside you will see the setting named "Specify dynamic port ranges".

     

    This is description:

    "Specifies the ranges of dynamically-allocated ports that Microsoft Office Communicator can use to transmit audio and video data using RTP. If you open specific ranges of ports on a firewall between two clients to allow the clients to communicate, this policy forces the clients to use ports in those ranges.

    Note: If you enable this policy setting, avoid creating RTP port ranges that overlap.

    If you enable this policy setting, both ranges must fall between 1024 and 65535 inclusive, in each range the minimum must be less than the maximum, and the RTP range must contain at least four ports (if the lowest port number in the range is even) or five ports (if the lowest port number in the range is odd). If you specify a range that violates one of these rules, Microsoft Office Communicator cannot use the SIP Communications Service.

    If you disable or do not configure this policy setting, Microsoft Office Communicator attempts to send and receive RTP data using ports selected at random throughout the range of 1024 to 65535 inclusive."

     

    When you enable this setting and set it to e.g. Min. port range: 5350, Max port range: 5353, and you apply this GP to some computer with Office Communicator 2007, then once this GP is applied to the computer it will have the registry key.

     

    I hope this will help you.

     

    Regards,

    Mario.

     

    Wednesday, May 16, 2007 6:31 AM
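
As an added example (not part of the thread and not Microsoft's own script), the range rules quoted in the policy description above can be checked before the values named in the accepted answer are written to the PortRange key. The function names are hypothetical, and both the REG_DWORD value type and `Enabled = 1` are assumptions the thread does not state.

```powershell
# Added example. Function names are hypothetical.
# Assumptions: the three values are REG_DWORD and Enabled = 1 turns the policy on.
function Test-MediaPortRange {
    param([int]$Min, [int]$Max)
    $problems = @()
    # Rule: the range must fall between 1024 and 65535 inclusive.
    if ($Min -lt 1024 -or $Max -gt 65535) {
        $problems += 'range must fall between 1024 and 65535 inclusive'
    }
    # Rule: the minimum must be less than the maximum.
    if ($Min -ge $Max) {
        $problems += 'minimum must be less than maximum'
    }
    # Rule: at least four ports if the lowest port is even, five if it is odd.
    $needed = if ($Min % 2 -eq 0) { 4 } else { 5 }
    $count  = $Max - $Min + 1
    if ($count -lt $needed) {
        $problems += "range holds $count port(s) but needs at least $needed"
    }
    return ,$problems   # unary comma keeps an empty result as an array
}

function Set-MediaPortRange {
    param([int]$Min, [int]$Max)
    $problems = Test-MediaPortRange -Min $Min -Max $Max
    if ($problems.Count -gt 0) {
        throw "Not writing PortRange ${Min}-${Max}: $($problems -join '; ')"
    }
    $key = 'HKLM:\Software\Policies\Microsoft\Communicator\PortRange'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $values = @{ Enabled = 1; MinMediaPort = $Min; MaxMediaPort = $Max }
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $key -Name $name -Value $values[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

# Constructed sample ranges; the first is the one from the post above.
foreach ($r in @(@(5350, 5353), @(5351, 5354), @(900, 70000))) {
    $p = Test-MediaPortRange -Min $r[0] -Max $r[1]
    $verdict = if ($p.Count -eq 0) { 'OK' } else { $p -join '; ' }
    "{0}-{1}: {2}" -f $r[0], $r[1], $verdict
}

# Run elevated on the client to apply a validated range:
# Set-MediaPortRange -Min 5350 -Max 5353
```

Once clients are held to a validated range, the ISA outbound rule can be limited to those ports instead of All Outbound Traffic.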
  • Hi Mario and many thanks.

    I have imported the communicator.adm that I found in my OCS 2007 beta material, but the policy for the port range is not present. I can't find "Specify dynamic port ranges". Where can I find it?

    Luca

    Wednesday, May 16, 2007 8:34 AM
  • I found the policy on the internet and now voice communication works.

    Thanks very much

    Luca

    Wednesday, May 16, 2007 12:45 PM
  • My followup question is a little different.

     

    I have opened all of the above ports on the firewall but I am not using an A/V edge server. When I connect via VPN everything works. Connect directly [w/o VPN] I get as far as answering the call on the and then it disconnects with an error about audio.

     

    Is there a way to get a single server instance of OCS to accept calls [using domain user accounts] from the outside without the use of an edge server?

     

     

    Thursday, September 20, 2007 3:06 PM
  • So it appears most of our issues are with port forwarding at the user end and their Internet connection equipment (Linksys, Qwest M1000, etc.) and A/V not working. Is there a solution for A/V that doesn't require us to upgrade firmware on Linksys and other end user equipment? STUN and the NAT function on home LAN equipment appear to be an issue.
    Friday, March 20, 2009 11:19 PM