Microsoft Lync - Ports for Remote Access
23/05/13 23:36 Filed in: Lync
Why 443 for remote access?
Most Lync implementors will fully understand what I’m about to talk about - so you’ll probably be bored by it - but it’s a question that comes up a fair number of times during workshops. Why is the Access Edge interface split between TCP 5061 for federation, and TCP 443 for remote access? Especially considering internal SIP connectivity is over TCP 5061? Also, why can’t we ‘just’ use one IP Address for the external side of the Access Edge?
It’s a simple one really - using TCP443 for remote access vastly increases your chances of being able to gain remote access from somebody else’s network. By way of example, I was at Microsoft the other day, and on their guest wireless network. I could browse & use the internet, get my mail etc. - everything was fine. I couldn’t however connect to a client’s Microsoft Lync topology as they’d chosen to share the federation and the remote access ports over TCP 5061. Microsoft’s guest network quite rightly allowed out TCP 443 (After all, it is common HTTPS) but did not allow out TCP 5061 - which is the SIP Common port. End game being I couldn’t connect.
It’s also one of the down-sides of collapsing all of your access edge interfaces on to one interface - you can limit accessibility to services. By having all of your services presented on a common TCP 443 port (and therefore requiring multiple IP address on the external side of your Edge) you increase the success rate of connectivity to external sessions. By collapsing on to a single interface using non-common ports, you increase the failure rate.
By way of example, consider this diagram where all three Edge services are split on to three different IP Addresses - note they’re on internal example addresses in the below, but the addresses aren’t really relevant.
Note how rules 3 for remote access, 5 for Web Conferencing and 7 for STUN/AV all run over TCP 443? A common port that will mostly likely be open on people’s firewalls. Now consider what happens if we collapse these services onto one IP address:
In the above example, you can see that TCP 5061 is being used for Access Edge (Remote access and federation), TCP 444 for Web Conferencing, and TCP 443 for AV STUN. In this scenario you can run in to remote access problems and issues with connecting to the conference service.
I completely understand why people want to collapse Access Edge roles on to a single IP address - Public addresses are becoming rarer by the day - but it’s worth considering the actual affect on service too.