Topic Last Modified: 2013-02-15
The reverse proxy has minimal firewall and port/protocol requirements.
- External firewall requirements are HTTPS/TCP/443 and, optionally, HTTP/TCP/80. HTTPS is used for SSL and TLS secure communications through the reverse proxy. HTTP is used if you choose to allow access to the Autodiscover Service when modifying certificates would be difficult or not cost-justified.
- Clients expect to contact the Office Web Apps Server on HTTPS. The Office Web Apps Server expects communication from internal clients on HTTPS/TCP/443. The recommended configuration is to allow HTTPS/TCP/443 from the reverse proxy to the Office Web Apps Server.
- Port 8080 is used to route traffic from the reverse proxy internal interface to the Front End Server, Front End pool virtual IP (VIP), or the optional Director or Director pool VIP. Port TCP 8080 is required for mobile devices running Lync to locate the Autodiscover Service in situations where modifying the external web service publishing rule certificate is undesirable (for example, if you have a large number of SIP domains). If you choose to acquire new certificates with the necessary SAN entries, port TCP 8080 is optional and not needed.
- Port 4443 is used for traffic from the reverse proxy internal interface to the Front End Server, Front End pool virtual IP (VIP), or the optional Director or Director pool VIP.

Caution: Do not confuse the TCP port 4443 traffic from the reverse proxy to the internal deployment with the TCP port 4443 traffic from the Standard Edition server or the Front End pool that manages the Central Management store role.
Port and Protocol Details
Firewall Details for Reverse Proxy Server: External Interface
Protocol/TCP or UDP/Port | Source IP Address | Destination IP Address | Notes |
---|---|---|---|
HTTP/TCP/80 | Any | Reverse proxy listener | (Optional) Redirection to HTTPS if user enters http://<publishedSiteFQDN>. Also required if using Office Web Apps for conferencing and the Autodiscover Service for mobile devices running Lync in situations where the organization does not want to modify the external web service publishing rule certificate. |
HTTPS/TCP/443 | Any | Reverse proxy listener | Address book downloads, Address Book Web Query service, Autodiscover, client updates, meeting content, device updates, group expansion, Office Web Apps for conferencing, dial-in conferencing, and meetings. |
Firewall Details for Reverse Proxy Server: Internal Interface
Protocol/TCP or UDP/Port | Source IP Address | Destination IP Address | Notes |
---|---|---|---|
HTTP/TCP/8080 | Internal reverse proxy interface | Front End Server, Front End pool, Director, Director pool | Required if using the Autodiscover Service for mobile devices running Lync in situations where the organization does not want to modify the external web service publishing rule certificate. Traffic sent to port 80 on the reverse proxy external interface is redirected to a pool on port 8080 from the reverse proxy internal interface so that the pool Web Services can distinguish it from internal web traffic. |
HTTPS/TCP/4443 | Internal reverse proxy interface | Front End Server, Front End pool, Director, Director pool | Traffic sent to port 443 on the reverse proxy external interface is redirected to a pool on port 4443 from the reverse proxy internal interface so that the pool web services can distinguish it from internal web traffic. |
HTTPS/TCP/443 | Internal reverse proxy interface | Office Web Apps for conferencing |
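
The port bridging in the two tables above (external 443 to pool 4443, external 80 to pool 8080, external 443 to Office Web Apps Server 443) can be checked against an exported list of publishing rules. The following is an added example, not part of the original topic or of any Lync tooling; the `Rule` fields, the `pool`/`owa` target labels, and the sample rules are assumptions constructed for illustration.

```python
from typing import NamedTuple

class Rule(NamedTuple):      # hypothetical record for one publishing rule
    name: str
    listen_port: int         # port on the reverse proxy external interface
    target: str              # "pool" = Front End/Director (pool) VIP, "owa" = Office Web Apps Server
    forward_port: int        # port used from the reverse proxy internal interface

# (external listener port, target) -> internal port, taken from the tables above
EXPECTED = {(443, "pool"): 4443, (80, "pool"): 8080, (443, "owa"): 443}
OPTIONAL = {(80, "pool")}    # HTTP path exists only for the Autodiscover certificate case
REQUIRED = {(443, "pool")}   # HTTPS publishing of the pool web services

def audit(rules):
    """Return (rule name, severity, message) for every deviation from the tables."""
    findings, correct = [], set()
    for r in rules:
        key = (r.listen_port, r.target)
        want = EXPECTED.get(key)
        if want is None:
            findings.append((r.name, "ERROR",
                             f"listener {r.listen_port} to {r.target} is not in the port tables"))
        elif r.forward_port != want:
            # A pool rule on the wrong internal port loses the separation that
            # lets pool web services tell external traffic from internal traffic.
            findings.append((r.name, "ERROR",
                             f"forwards to {r.forward_port}, tables require {want}"))
        else:
            correct.add(key)
            if key in OPTIONAL:
                findings.append((r.name, "INFO",
                                 "optional HTTP path; not needed once certificates carry the SAN entries"))
    for port, target in sorted(REQUIRED - correct):
        findings.append(("(missing)", "ERROR", f"no correct rule for {port} to {target}"))
    return findings

# Constructed sample rule set, not taken from a real deployment
SAMPLE_RULES = [
    Rule("ext-web-https", 443, "pool", 4443),
    Rule("autodiscover-http", 80, "pool", 8080),
    Rule("owa-https", 443, "owa", 443),
    Rule("legacy-443", 443, "pool", 443),
    Rule("mgmt-8443", 8443, "pool", 4443),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(" | ".join(finding))
```
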