Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2011-05-09

Microsoft Exchange Server 2010 Unified Messaging (UM) requires that several TCP and User Datagram Protocol (UDP) ports be used to establish communication between servers running Exchange 2010 and other devices. By allowing access through these IP ports, you enable Unified Messaging to function correctly. This topic discusses the TCP and UDP ports used in Exchange 2010 Unified Messaging.

Unified Messaging Protocols and Services

Exchange 2010 Unified Messaging features and services rely on static and dynamic TCP and UDP ports to ensure correct operation of the computer running the Unified Messaging server role. When Exchange 2010 is installed, static Windows Firewall rules are added for Exchange. If you change the TCP ports that are used by the Unified Messaging server role, you may also need to reconfigure the Windows Firewall rules so that Unified Messaging continues to work correctly.

Important:
On Exchange 2010 Unified Messaging servers, Exchange setup creates the SESWorker (TCP-In) and SESWorker (GFW) (TCP-In) rules, which allow inbound communication to the UM worker process without any TCP port restriction. We recommend that you disable these two rules after you've set up the Unified Messaging server and create a new rule that allows only the ports the SESWorker process requires: 5065 and 5067 for TCP (unsecured), and 5066 and 5068 for mutual TLS (secured). For details, see Exchange Network Port Reference.
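The following script carries out the recommendation above. It is an added example and is not part of the original topic or of Exchange itself. It assumes the default installation path (%ProgramFiles%\Microsoft\Exchange Server\V14), uses the constructed addresses 192.0.2.10 and 192.0.2.11 to stand in for the IP gateways or IP PBXs that are allowed to send SIP to this server, and uses netsh advfirewall because Windows Server 2008 and 2008 R2, the platforms that host Exchange 2010, do not include the New-NetFirewallRule cmdlet.

```powershell
# Added example, not part of the original TechNet topic: replace the unrestricted
# SESWorker firewall rules created by Exchange setup with one rule scoped to the
# UM worker process, its SIP ports and the peers allowed to reach it.
# Assumptions (not stated on the page): Exchange 2010 is installed to the default
# "%ProgramFiles%\Microsoft\Exchange Server\V14" path, and 192.0.2.10 / 192.0.2.11 are
# constructed sample addresses for the IP gateways / IP PBXs (and, if deployed, the
# Office Communications Server Mediation Servers) that signal to this UM server.
# Run from an elevated PowerShell prompt on the Unified Messaging server.

$sesWorker     = Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V14\Bin\SESWorker.exe'
$peerIps       = '192.0.2.10,192.0.2.11'     # constructed sample gateway addresses
$umWorkerPorts = '5065,5066,5067,5068'       # 5065/5067 TCP unsecured, 5066/5068 mutual TLS
$newRuleName   = 'UM SESWorker SIP (TCP-In, restricted)'

if (-not (Test-Path $sesWorker)) {
    throw "SESWorker.exe not found at '$sesWorker'. Adjust the install path before continuing."
}

# 1. Disable the two setup-created rules; they allow SESWorker.exe inbound on any TCP port.
foreach ($rule in 'SESWorker (TCP-In)', 'SESWorker (GFW) (TCP-In)') {
    netsh advfirewall firewall set rule name="$rule" new enable=no | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Could not disable rule '$rule' (netsh exit code $LASTEXITCODE)."
    }
}

# 2. Add a single inbound rule limited to the worker process binary, its four SIP ports
#    and the known peer addresses. Everything else to SESWorker.exe is now blocked.
netsh advfirewall firewall add rule `
    name="$newRuleName" dir=in action=allow protocol=TCP `
    localport=$umWorkerPorts remoteip=$peerIps `
    program="$sesWorker" profile=any `
    description="Exchange 2010 UM worker process SIP, restricted to known gateways" | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Failed to add rule '$newRuleName' (netsh exit code $LASTEXITCODE)."
}

# 3. Display the resulting state so the change can be verified and recorded.
netsh advfirewall firewall show rule name="$newRuleName" verbose
netsh advfirewall firewall show rule name="SESWorker (TCP-In)"
netsh advfirewall firewall show rule name="SESWorker (GFW) (TCP-In)"
```

If your gateways are configured for mutual TLS only, drop 5065 and 5067 from the port list so that the unsecured SIP ports are not exposed at all. The rules setup creates for the Microsoft Exchange Unified Messaging service itself (ports 5060 and 5061) are not changed by this script. Keep the peer list in step with your UM IP gateway objects: a gateway that is not in the list will be able to reach the service listener but not the worker process, and calls will fail.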

Session Initiation Protocol

Session Initiation Protocol (SIP) is a protocol used for initiating, modifying, and ending an interactive user session that involves multimedia elements such as video, voice, instant messaging, online games, and virtual reality. It's one of the leading signaling protocols for Voice over IP (VoIP), together with H.323. Most VoIP standards-based solutions use either H.323 or SIP. However, several proprietary designs and protocols also exist. The VoIP protocols typically support features such as call waiting, conference calling, and call transfer.

SIP clients such as IP gateways and IP Private Branch eXchanges (PBXs) can use TCP and UDP port 5060 to connect to SIP servers; port 5061 is the conventional port for SIP over TLS. SIP is used only for setting up and tearing down voice or video calls. The voice and video media itself is carried over Realtime Transport Protocol (RTP).

Realtime Transport Protocol

RTP defines a standard packet format for delivering audio and video over a specific network, such as the Internet. RTP carries only voice/video data over the network. Call setup and teardown are generally performed by the SIP protocol.

RTP doesn't require a standard or static TCP or UDP port. RTP media is sent on an even-numbered UDP port, and the next higher odd-numbered port is used by the RTP Control Protocol (RTCP) for the associated control traffic. Although there are no standard port range assignments, RTP is generally configured to use ports between 1024 and 65535. Because the port range is dynamic, RTP is difficult to pass through firewalls.

Unified Messaging Web Services

The Unified Messaging Web services installed on a Client Access server use IP for network communication between a client, the Unified Messaging server, the Client Access server, and computers running other Exchange 2010 server roles. There are several Exchange 2010 Outlook Web App and Microsoft Office Outlook 2007 client features that rely on Unified Messaging Web services to operate correctly.

The following Unified Messaging client features rely on Unified Messaging Web services:

  • Voice mail options available with Exchange 2010 Outlook Web App, including the Play on Phone feature and the ability to reset a PIN.

  • Play on Phone feature found in the Outlook 2007 client.

Note:
When an organization uses the Play on Phone and other client features in Exchange 2010 Unified Messaging, a computer running the Client Access, Hub Transport, and Mailbox server roles within the same Active Directory site is required in addition to the computer or computers that have the Unified Messaging server role installed.

Port Assignments

The following table shows the IP ports that Unified Messaging uses for each protocol and whether the IP ports used for each protocol can be changed.

IP ports used for Unified Messaging protocols

SIP (Microsoft Exchange Unified Messaging service)
  TCP port: 5060 (unsecured) and 5061 (secured). The service listens on both ports.
  UDP port: None.
  Can ports be changed? Yes. Ports can be changed in the msexchangeum.config configuration file, which is located in the \Program Files\Microsoft\Exchange Server\V14\bin folder on an Exchange 2010 Unified Messaging server.

SIP (UM worker process)
  TCP port: 5065 and 5067 (unsecured); 5066 and 5068 (mutual TLS, secured).
  UDP port: None.
  Can ports be changed? Yes, in the same msexchangeum.config configuration file.

RTP
  TCP port: None.
  UDP port: Ports between 1024 and 65535.
  Can ports be changed? Yes, in the same msexchangeum.config configuration file.

Unified Messaging Web service
  TCP port: 443
  UDP port: None.
  Can ports be changed? Yes. The port is configured on the Web site that hosts the Unified Messaging virtual directory and can be changed using IIS Manager.
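The following read-only check compares the port assignments above with what is actually listening on the server, reporting which process owns each UM TCP port. It is an added example and not part of the original topic. It assumes the default ports and that the listener owners are umservice.exe (Microsoft Exchange Unified Messaging service) for 5060 and 5061 and SESWorker.exe (UM worker process) for 5065 through 5068; adjust the table if msexchangeum.config has been changed.

```powershell
# Added example, not part of the original TechNet topic: list which process owns each UM
# TCP listener so the port table can be checked against the running server.
# Assumption (not stated on the page): default ports, with umservice.exe owning 5060/5061
# and SESWorker.exe owning 5065-5068. Read-only; runs on Windows PowerShell 2.0.

$expectedOwner = @{
    5060 = 'umservice'; 5061 = 'umservice'
    5065 = 'SESWorker'; 5066 = 'SESWorker'; 5067 = 'SESWorker'; 5068 = 'SESWorker'
}

# Parse "netstat -ano -p tcp" output lines such as:
#   TCP    0.0.0.0:5060           0.0.0.0:0              LISTENING       1234
# Only LISTENING sockets are kept; the last field is the owning PID.
$listeners = netstat -ano -p tcp | ForEach-Object {
    $f = $_.Trim() -split '\s+'
    if ($f.Count -eq 5 -and $f[0] -eq 'TCP' -and $f[3] -eq 'LISTENING') {
        $local = $f[1]                                   # e.g. 0.0.0.0:5060 or [::]:5060
        $port  = [int]$local.Substring($local.LastIndexOf(':') + 1)
        $owner = Get-Process -Id ([int]$f[4]) -ErrorAction SilentlyContinue
        $name  = if ($owner) { $owner.ProcessName } else { 'unknown' }
        New-Object PSObject -Property @{
            Port = $port; LocalAddress = $local; OwnerPid = [int]$f[4]; Process = $name
        }
    }
}

foreach ($port in ($expectedOwner.Keys | Sort-Object)) {
    $hits = @($listeners | Where-Object { $_.Port -eq $port })
    if ($hits.Count -eq 0) {
        Write-Warning ("Port {0}: nothing is listening (expected {1}.exe)." -f $port, $expectedOwner[$port])
        continue
    }
    foreach ($h in $hits) {
        # A listener on a UM port owned by anything other than the expected binary
        # deserves investigation before the port is opened in the firewall.
        $status = if ($h.Process -eq $expectedOwner[$port]) { 'OK' } else { 'UNEXPECTED OWNER' }
        "{0,-6} {1,-24} {2,-12} PID {3,-6} {4}" -f $h.Port, $h.LocalAddress, $h.Process, $h.OwnerPid, $status
    }
}
```

Run it after the Unified Messaging service has started. The check reports listeners only; whether the Windows Firewall actually admits traffic to them is a separate question, answered with netsh advfirewall firewall show rule.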

Exchange 2010 Unified Messaging supports Network Address Translation (NAT) traversal and allows for the RTP media to be tunneled through a NAT firewall. However, for this to work, you must also have Microsoft Office Communications Server 2007 deployed in your environment. If you deploy both Exchange 2010 and Communications Server 2007 on your network, this deployment will enable Unified Messaging servers to communicate with endpoints outside a NAT firewall. The Unified Messaging server is associated with a Communications Server 2007 pool and obtains the appropriate authentication tokens from the Communications Server 2007 A/V Authentication Service on a computer serving that particular Communications Server 2007 pool.

The A/V Authentication Service is used to allow voice media to traverse NAT devices and firewalls. This is necessary because media gateways handle signaling only and cannot transport voice securely across a NAT device or firewall. When you configure a mediation server in Communications Server 2007, you specify the A/V Edge server on which the A/V Authentication Service is running so that the mediation server will know where to forward the incoming media packets.

For more information about how to deploy Communications Server 2007 and Exchange 2010 Unified Messaging, see the following: