I have never seen any port requirements for SBA which could make the engineer's life easier. So here is my recommendation for which ports should be opened between the appliance and the central site (absolutely based on my experience, and I have never had problems):

SBA subnet <-> SBA Central Site:

  • UDP 1433-1434 (MS SQL)
  • http 80
  • TCP 135 (MS RPC)
  • TCP 389 (LDAP)
  • TCP 1801 (MSMQ)
  • TCP 2101-2105 (MSMQ)
  • https 443
  • TCP 444 (SNPP)
  • TCP 445 (SMB)
  • TCP 448
  • UDP 3478 (STUN)
  • TCP 5060-5100 (SIP)
  • TCP 6891-6901 (File Transfer)
  • TCP 8057-8058 (PSOM)
  • http 8080 (Web service bridge)
  • https 4443 (Web service bridge)


SBA subnet <-> S4B clients:

  • TCP 49152-65535 (Media)
  • UDP 49152-65535 (Media)
  • TCP 5060-5061 (SIP)
  • TCP 5067-5068 (SIP)
  • https 443, 448
  • TCP 8057-8058 (PSOM)
  • UDP 3478 (STUN)
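As an added example (my own script, not part of the original post), the following PowerShell checks the TCP ports from the two lists above with a short-timeout connect, so a blocked port shows up in seconds rather than after a long timeout. The FQDN is a placeholder; run it once from the SBA towards the central site and once from a central-site server towards the SBA, because the lists are bidirectional. UDP ports (SQL 1433-1434, STUN 3478, media) cannot be verified with a TCP connect and are only printed as a reminder.

```powershell
# Added example, not from the original post: TCP reachability check for the SBA port list.
param(
    [string]$Target = 'fe-pool.contoso.local'   # placeholder; replace with the peer FQDN
)

function Test-TcpPort {
    # Plain TCP connect with a timeout; $true when the three-way handshake completes.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # filtered / no answer
        $client.EndConnect($ar)                                                      # throws when refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# The TCP ports from the SBA <-> central site list, with the ranges expanded.
$tcpPorts = @(
    @{Port = 80;   Service = 'HTTP'},
    @{Port = 135;  Service = 'MS RPC'},
    @{Port = 389;  Service = 'LDAP'},
    @{Port = 443;  Service = 'HTTPS'},
    @{Port = 444;  Service = 'SNPP'},
    @{Port = 445;  Service = 'SMB'},
    @{Port = 448;  Service = 'TCP 448'},
    @{Port = 1801; Service = 'MSMQ'},
    @{Port = 4443; Service = 'Web service bridge (HTTPS)'},
    @{Port = 8080; Service = 'Web service bridge (HTTP)'}
)
2101..2105 | ForEach-Object { $tcpPorts += @{Port = $_; Service = 'MSMQ'} }
5060..5100 | ForEach-Object { $tcpPorts += @{Port = $_; Service = 'SIP'} }
6891..6901 | ForEach-Object { $tcpPorts += @{Port = $_; Service = 'File Transfer'} }
8057..8058 | ForEach-Object { $tcpPorts += @{Port = $_; Service = 'PSOM'} }

$results = foreach ($p in ($tcpPorts | Sort-Object { $_.Port })) {
    [pscustomobject]@{
        Port    = $p.Port
        Service = $p.Service
        Open    = Test-TcpPort -ComputerName $Target -Port $p.Port
    }
}

$results | Format-Table -AutoSize
$blocked = @($results | Where-Object { -not $_.Open })
foreach ($b in $blocked) { Write-Warning "TCP $($b.Port) ($($b.Service)) is not reachable on $Target" }
Write-Output 'Not checked (UDP): 1433-1434 MS SQL, 3478 STUN, 49152-65535 media'

# Non-zero exit code when anything is blocked, so the script can run from a scheduler.
if ($blocked.Count -gt 0) { exit 1 } else { exit 0 }
```

A port that is open but answered by the wrong service (for example a proxy on 443) still shows as open here; this only proves that the firewall path exists.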

A couple of days ago I was wondering why our monitoring team did not receive any alerts about an outage. The problem was that one of our SBCs became unavailable for the Skype for Business environment, so the following events were generated:

So, the environment successfully recognised the unavailable SBC, because there was no response to the SIP OPTIONS messages (Event 25051), and finally generated event ID 25061, which means there was a major failure, because the failed OPTIONS messages had been recorded 5 times in a row.

This led me to check the corresponding SCOM rules in the official Skype for Business SCOM Management Pack, and I was surprised when I realised that only the following events are collected and monitored by SCOM for the Mediation Server role:

After all this, I would recommend that everybody create custom monitoring rules in SCOM so that the really important events (especially 25061) are monitored!
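As an added example (my own script, not from the original post or the Management Pack), here is the check I would wire into a SCOM script-based monitor or a scheduled task until proper rules exist. It collects the two Mediation Server events described above (25051 = no reply to SIP OPTIONS, 25061 = five failures in a row) from the event log. It assumes the log is still called 'Lync Server', which is the name Skype for Business Server 2015 writes to; verify that on your build.

```powershell
# Added example, not from the original post: detect SBC/gateway outages from the Mediation Server events.
function Get-SbcAvailabilityEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # Mediation Server (or co-located Front-End) to query
        [int]$Hours = 24                              # look-back window
    )
    $filter = @{
        LogName   = 'Lync Server'        # assumption: log name unchanged on your build
        Id        = 25051, 25061
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent throws when nothing matches; SilentlyContinue turns that into an empty result.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName,
            @{ Name = 'Message'; Expression = { ($_.Message -replace '\r?\n', ' ').Trim() } }
}

$events   = @(Get-SbcAvailabilityEvents -Hours 24)
$critical = @($events | Where-Object { $_.Id -eq 25061 })
$warning  = @($events | Where-Object { $_.Id -eq 25051 })

$events | Sort-Object TimeCreated | Format-Table TimeCreated, Id, Message -AutoSize -Wrap

# Exit codes follow the usual monitoring convention: 0 = OK, 1 = warning, 2 = critical.
if ($critical.Count -gt 0) {
    Write-Warning "CRITICAL: $($critical.Count) x event 25061 - a gateway stopped answering SIP OPTIONS repeatedly."
    exit 2
} elseif ($warning.Count -gt 0) {
    Write-Warning "WARNING: $($warning.Count) x event 25051 - intermittent SIP OPTIONS failures."
    exit 1
} else {
    Write-Output 'OK: no SBC availability events in the window.'
    exit 0
}
```

Run it against every Mediation Server (the `-ComputerName` parameter), because the events are logged where the OPTIONS probe originates, not centrally.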

Skype for Business telephony is not a complete solution without an integration with Exchange Unified Messaging. The Exchange UM server can provide many features such as Call Answering, Outlook Voice Access, Auto Attendant and Fax Services; however, Fax Services are not available with Exchange UM 2010, which I used for the integration below.

To do the integration you have to do the following:

First of all, you have to make the UM server communicate via TLS as well, not just via TCP, which is the default:

Because TLS has been turned on, you need a certificate. This certificate must be issued by the trusted root CA, and there are no other requirements for SANs or keys.

Once the certificate is ready, you have to assign it to the UM service on the server. The certificate can only be valid if certificate revocation checking is working and the UM server is able to communicate with the CRL distribution server on port 80.

Just browse to your UM server in the EMC (Exchange Management Console) and do the assignment using the GUI.

You can also do it via PowerShell with the Enable-ExchangeCertificate cmdlet.

The next step is the UM dial plan.

During the setup you have to assign the UM server to the Dial Plan.

After the UM Dial Plan has been created, you have to define the subscriber access for the service. Be careful: here you also have to add the phone numbers in E.164 format!

If everything is done, you can also customise your UM Mailbox policy in the EMC (PIN policy etc.). Then be ready to switch to your Skype for Business Front-End server and launch OcsUmUtil.exe, which:

You can find it at C:\Program Files\Common Files\Skype for Business Server 2015\Support\OcsUmUtil.exe by default:

Depending on the size of the environment, loading can take several minutes! Once it has finished you should see your previously configured Dial Plan.

And last but not least, the final step is to run the ExchUCUtil.ps1 script on the UM server, which is located in C:\Program Files\Microsoft\Exchange Server\V14\Scripts by default.

Sometimes, you have to run it twice to get the proper result:
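As an added example (my own script, not from the original post or from Microsoft), the UM-side steps above as Exchange 2010 Management Shell commands, in the order the post describes them. Server name, certificate thumbprint, dial plan name, country code and the subscriber access number are placeholders.

```powershell
# Added example, not from the original post: Exchange 2010 UM integration steps as shell commands.
$UmServer     = 'EX2010-UM01'                               # placeholder
$Thumbprint   = '0000000000000000000000000000000000000000'  # placeholder: thumbprint of the CA-issued certificate
$DialPlanName = 'SfB-DialPlan'                              # placeholder
$AccessNumber = '+3612345678'                               # placeholder, must be E.164

# 1. Let UM listen on TLS as well as TCP (TCP only is the default).
Set-UMServer -Identity $UmServer -UMStartupMode Dual

# 2. Assign the certificate to the UM service (the PowerShell equivalent of the EMC step).
#    Revocation checking must work, so the server needs port 80 to the CRL distribution point.
Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services UM
Restart-Service MSExchangeUM   # UM picks up the certificate and the startup mode on restart

# 3. Create a SIP URI dial plan with secured VoIP; the country code is a placeholder.
New-UMDialPlan -Name $DialPlanName -URIType SipName -VoIPSecurity Secured `
    -NumberOfDigitsInExtension 4 -CountryOrRegionCode 36

# 4. Assign the UM server to the dial plan and define subscriber access in E.164 format.
Set-UMServer   -Identity $UmServer     -DialPlans $DialPlanName
Set-UMDialPlan -Identity $DialPlanName -AccessTelephoneNumbers $AccessNumber

# 5. Tighten the mailbox policy that was created with the dial plan (PIN policy etc.).
Set-UMMailboxPolicy -Identity "$DialPlanName Default Policy" `
    -MinPINLength 6 -PINLifetime 60 -MaxLogonAttempts 3

# 6. Verify the UM side before switching to the Front-End for OcsUmUtil.exe.
Get-UMServer   -Identity $UmServer     | Format-List Name, UMStartupMode, DialPlans
Get-UMDialPlan -Identity $DialPlanName | Format-List Name, URIType, VoIPSecurity, AccessTelephoneNumbers

# 7. Final step from the post: run ExchUCUtil.ps1 on the UM server (twice if the first run
#    does not give the expected result) and confirm the UM IP gateway it creates.
& 'C:\Program Files\Microsoft\Exchange Server\V14\Scripts\ExchUCUtil.ps1'
Get-UMIPGateway | Format-List Name, Address, Status
```

Step 6 is the point at which to stop if `UMStartupMode` is not `Dual` or the dial plan is not `SipName`/`Secured`: Skype for Business will not talk to a TCP-only UM server, and the later steps only hide that mistake.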

During my career I have met this issue several times and, of course, in the most recent case a misconfiguration of the firewall was the root cause. You have to configure the media ports carefully! Not only the audio ports, of course, but in this post I'd like to highlight the client audio port ranges, which you can easily check with the following command:

Get-CsConferencingConfiguration
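As an added example (my own script, not from the original post), the following turns the client media port settings from Get-CsConferencingConfiguration into the port ranges a firewall request needs, and warns when the ranges overlap or when the range setting is disabled, in which case clients use the wide dynamic range from the SBA list above instead. When the cmdlet is not available (running outside a Skype for Business Management Shell) a constructed sample configuration is used so the script still runs.

```powershell
# Added example, not from the original post: client media port ranges for a firewall request.
function Get-ClientMediaPortRanges {
    param([Parameter(Mandatory)] $Config)   # output object of Get-CsConferencingConfiguration
    $modalities = @(
        @{ Name = 'Audio';        Start = $Config.ClientAudioPort;        Count = $Config.ClientAudioPortRange },
        @{ Name = 'Video';        Start = $Config.ClientVideoPort;        Count = $Config.ClientVideoPortRange },
        @{ Name = 'AppSharing';   Start = $Config.ClientAppSharingPort;   Count = $Config.ClientAppSharingPortRange },
        @{ Name = 'FileTransfer'; Start = $Config.ClientFileTransferPort; Count = $Config.ClientFileTransferPortRange }
    )
    foreach ($m in $modalities) {
        # *PortRange is a count of ports, so the last port is start + count - 1.
        [pscustomobject]@{
            Modality  = $m.Name
            FirstPort = [int]$m.Start
            LastPort  = [int]$m.Start + [int]$m.Count - 1
            Protocol  = 'TCP and UDP'
        }
    }
}

function Test-MediaPortRangeOverlap {
    # Warns for every pair of adjacent (sorted) ranges that share a port.
    param([Parameter(Mandatory)] $Ranges)
    $sorted = @($Ranges | Sort-Object FirstPort)
    $overlaps = 0
    for ($i = 1; $i -lt $sorted.Count; $i++) {
        if ($sorted[$i].FirstPort -le $sorted[$i - 1].LastPort) {
            Write-Warning ("{0} ({1}-{2}) overlaps {3} ({4}-{5})" -f `
                $sorted[$i - 1].Modality, $sorted[$i - 1].FirstPort, $sorted[$i - 1].LastPort,
                $sorted[$i].Modality,     $sorted[$i].FirstPort,     $sorted[$i].LastPort)
            $overlaps++
        }
    }
    return $overlaps
}

$config = if (Get-Command Get-CsConferencingConfiguration -ErrorAction SilentlyContinue) {
    Get-CsConferencingConfiguration -Identity Global   # site-level settings, if any, override Global
} else {
    # Constructed sample values, not taken from any real deployment.
    [pscustomobject]@{
        ClientMediaPortRangeEnabled = $true
        ClientAudioPort        = 20000; ClientAudioPortRange        = 20
        ClientVideoPort        = 20020; ClientVideoPortRange        = 20
        ClientAppSharingPort   = 20040; ClientAppSharingPortRange   = 20
        ClientFileTransferPort = 20060; ClientFileTransferPortRange = 20
    }
}

if (-not $config.ClientMediaPortRangeEnabled) {
    Write-Warning 'ClientMediaPortRangeEnabled is False: clients ignore these ranges and use the dynamic range, so the firewall must allow that instead.'
}
$ranges = Get-ClientMediaPortRanges -Config $config
$ranges | Format-Table -AutoSize
[void](Test-MediaPortRangeOverlap -Ranges $ranges)
```

Check any site-level conferencing configuration as well (`Get-CsConferencingConfiguration` without `-Identity`), because a site setting silently replaces the Global values for clients in that site, and a firewall rule built from Global alone would then be wrong.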

The client ports had been correctly configured on the firewalls, but let me share my last experience with Checkpoint R77.30, where we also had one-way audio even though the UDP ports had been allowed in both directions. The following error message was found:

“message_info: Violated unidirectional connection”

Believe it or not, the reply to the UDP packets was also required in the case of this CISCO device, so the following configuration was the solution to our problem:

A very common issue is when the Skype for Business Edge servers are not replicating.

To verify the replication just check it with the following command: Get-CsManagementStoreReplicationStatus

If the replication is not working, the result will be: False

The Topology Builder's 'Topology' menu will also show an error for the replication:


Because these servers should not be joined to the domain and should be deployed in the perimeter network (DMZ), the necessary firewall ports can easily be blocked. To verify that the necessary port is open, just telnet to TCP port 4443 from an elevated command prompt:

telnet edge.server.fqdn 4443

You can also check the Replication Web Service via a browser (e.g. on the Front-End server) by typing the following: https://edge.server.fqdn:4443/ReplicationWebService

You should receive the metadata of the WCF service:

If your browser throws a certificate warning, then your replication error is caused by a TLS issue and you should check your certificates on the Edge server.

If everything is working, then you just have to add the following registry key to your Edge servers:

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

a new DWORD (32-bit) value:

  • name = ClientAuthTrustMode  (!!! Some blogs are referring to ClientAuthenticationTrustMode, but it should be in this ‘short form’ !!!)
  • Data = 2

After the registry modification, you should restart the Edge servers and, once all services are up and running again, you can force the replication with the following command: Invoke-CsManagementStoreReplication -Force
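As an added example (my own script, not from the original post), the Edge replication checks above in one place: the replication status and the 4443/web-service test run from a Front-End server, the registry part runs on each Edge server. The Edge FQDN is a placeholder. Value 2 for ClientAuthTrustMode is SCHANNEL's "Exclusive CA Trust" mode, under which a client certificate must chain to a CA held in the server's Client Authentication Issuers store; that is why the value is written exactly under the short name the post insists on.

```powershell
# Added example, not from the original post: Edge replication diagnostics plus the SCHANNEL fix.
function Test-EdgeReplicationPath {
    # Run on a Front-End server against one Edge server.
    param([Parameter(Mandatory)][string]$EdgeFqdn)
    $r = [ordered]@{ Edge = $EdgeFqdn }

    # 1. The telnet check from the post: is TCP 4443 reachable through the DMZ firewall?
    $tcp = Test-NetConnection -ComputerName $EdgeFqdn -Port 4443 -WarningAction SilentlyContinue
    $r.Tcp4443Open = [bool]$tcp.TcpTestSucceeded

    # 2. The browser check from the post: does TLS validate against the Edge certificate?
    #    Any HTTP status (even 403, since we present no client certificate) means the
    #    handshake succeeded; a trust error is the "certificate warning" case.
    $url = "https://${EdgeFqdn}:4443/ReplicationWebService"
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop
        $r.TlsTrusted = $true
        $r.WebService = "HTTP $($resp.StatusCode)"
    } catch {
        $msg = $_.Exception.Message
        $r.TlsTrusted = ($msg -notmatch 'trust relationship|SSL/TLS')
        $r.WebService = $msg
    }
    [pscustomobject]$r
}

function Set-EdgeClientAuthTrustMode {
    # Run locally on the Edge server; writes the DWORD from the post (idempotent).
    param([int]$Value = 2)
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
    $name = 'ClientAuthTrustMode'   # short form; ClientAuthenticationTrustMode is not read by SCHANNEL
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -eq $Value) { return "$name already $Value; nothing to do" }
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Value -Force | Out-Null
    return "$name set to $Value (was '$current'); restart the Edge server to apply it"
}

# --- usage on a Front-End server ---
$edge = 'edge01.contoso.local'   # placeholder
Get-CsManagementStoreReplicationStatus | Where-Object { -not $_.UpToDate } |
    Format-Table ReplicaFqdn, LastStatusReport, LastUpdateCreation -AutoSize
Test-EdgeReplicationPath -EdgeFqdn $edge | Format-List
# After the registry value is in place and the Edge services are back up:
# Invoke-CsManagementStoreReplication -ReplicaFqdn $edge -Force

# --- usage on the Edge server itself (elevated) ---
# Set-EdgeClientAuthTrustMode -Value 2
```

Read the two flags together: `Tcp4443Open = False` is a firewall problem, `Tcp4443Open = True` with `TlsTrusted = False` is the certificate problem the post describes, and both `True` with replication still `UpToDate = False` is where the registry value (and an Edge restart) comes in.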