Edge Servers: Information on A/V Edge Ports and Public IP Addresses


The A/V edge server enables users to participate in audio and video connections from outside the corporate network, such as a point-to-point call, a conference, leaving a voicemail with Exchange UM, or making a PSTN call.  Contoso has deployed the A/V Edge server with two NICs in the perimeter network.  The “external” firewall separates the edge server from the internet and the “internal” firewall separates the server from the corporate network.  In order for the A/V Edge server to function correctly, the internal firewall must allow traffic to UDP 3478, TCP 443, and TCP 5062 (the A/V authentication port), and the external firewall must allow bi-directional traffic to the following ports: UDP 3478, TCP 443, UDP 50,000-59,999, and TCP 50,000-59,999.  No NATing behavior is allowed on either firewall.  The external IP address must be publicly routable and the internal IP address must be routable from within the corporate network.

The ports on the external edge tend to undergo greater scrutiny because more of them are open to the internet.  This sidebar first explains why there are so many publicly addressable ports and then how these ports are secured from attack.

Why the A/V Edge has so many ports

Needing UDP ports: UDP connections are more resilient to packet loss than TCP.  When a UDP packet is lost, the transport delivers subsequent packets without delay.  When a TCP packet is lost, the transport holds all subsequent packets because TCP inherently must provide a reliable stream of data.  This results in increased audio latency as we wait for the lost packet to retransmit and the rest of the TCP stream to "catch up".

Needing TCP ports: Although UDP is a more efficient transport, some clients can only reach the internet via TCP, typically due to a corporate firewall policy.  OCS also supports a TCP media transport in case a UDP path is not available.  At the start of each call or conference, the two endpoints use the IETF's ICE protocol to dynamically choose the optimal media path available.  This protocol prefers direct media paths over those that go through a media relay, and UDP paths over TCP paths.
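As an added example (not part of the original article), the following Python script audits a constructed firewall rule set against the internal and external A/V Edge port requirements listed at the start of this article, including the bi-directional requirement on the external firewall and the no-NAT condition on both. The `Rule` data model and the sample rules are assumptions for illustration, not an OCS or firewall-vendor configuration format.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    side: str            # "internal" or "external" firewall
    proto: str           # "tcp" or "udp"
    lo: int              # first port of the allowed range
    hi: int              # last port of the allowed range
    bidir: bool = False  # rule permits traffic in both directions
    nat: bool = False    # rule applies address translation

# Required openings per firewall, as described above: (proto, lo, hi, bidirectional?)
REQUIRED = {
    "internal": [("udp", 3478, 3478, False), ("tcp", 443, 443, False),
                 ("tcp", 5062, 5062, False)],
    "external": [("udp", 3478, 3478, True), ("tcp", 443, 443, True),
                 ("udp", 50000, 59999, True), ("tcp", 50000, 59999, True)],
}

def covered(rules, side, proto, lo, hi, bidir):
    """True if a single rule on `side` allows the whole lo..hi range (bi-directionally if required)."""
    return any(r.side == side and r.proto == proto and r.lo <= lo and r.hi >= hi
               and (r.bidir or not bidir) for r in rules)

def audit(rules):
    """Return a list of findings; an empty list means the rule set meets the requirements."""
    findings = []
    for side, reqs in REQUIRED.items():
        for proto, lo, hi, bidir in reqs:
            if not covered(rules, side, proto, lo, hi, bidir):
                span = str(lo) if lo == hi else f"{lo}-{hi}"
                findings.append(f"{side}: missing {proto.upper()} {span}"
                                + (" (bidirectional)" if bidir else ""))
    for r in rules:
        if r.nat:  # NAT is not permitted on either firewall
            findings.append(f"{r.side}: NAT on {r.proto.upper()} {r.lo}-{r.hi} not allowed")
    return findings

# Constructed sample rule set with three deliberate problems.
SAMPLE_RULES = [
    Rule("internal", "udp", 3478, 3478),
    Rule("internal", "tcp", 443, 443),                         # TCP 5062 (A/V auth) is missing
    Rule("external", "udp", 3478, 3478, bidir=True, nat=True),  # NAT must not be used
    Rule("external", "tcp", 443, 443, bidir=True),
    Rule("external", "udp", 50000, 59999, bidir=True),
    Rule("external", "tcp", 50000, 59999),                     # inbound only; must be bi-directional
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```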

