The 50,000–59,999 Port Range

The final NAT caveat centers on the TCP/UDP 50,000–59,999 port range, which Office Communications Server 2007 required to be open inbound to the A/V Edge IP addresses. Office Communications Server 2007 R2 removed this requirement by introducing the capability for Edge Servers to relay media between each other; because NAT could not be used with multiple Edge Servers in that release, the change caused no issues at the time.

Because Lync Server 2010 and 2013 both support NAT for Edge pools with multiple servers, there is an additional wrinkle in the inbound firewall rules that must be considered. Imagine an organization with two Edge Servers in a single Edge pool, both using NAT for the A/V Edge service. If a remote user has media relay IP addresses allocated on Edge Server A, and an internal user has media relay IP addresses allocated on Edge Server B, the two users might be unable to establish a media connection.

Normally, in this scenario Edge Server A and Edge Server B would communicate using each other’s public IP address, and the connection would work. When each Edge Server is hidden behind NAT, though, they might be unable to reach each other’s public IP address because of firewall restrictions. Most modern firewalls prevent “hairpinning”, shown in Figure 31.6: the ability of a server in one security zone to reach a public IP address that is NATed to another server in the same zone.

Figure 31.6. Edge Server NAT and hairpin.

Because the Edge Servers relay media to each other only through their public IP addresses, the call fails when the firewall drops the connection as a hairpinning attempt. If an organization insists on using NAT, there are two possible solutions:

• Configure static NAT rules at the firewall that allow the Edge Servers to hairpin to each other’s A/V Edge public IP addresses.

• Open TCP and UDP 50,000–59,999 inbound to each A/V Edge public IP address.
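To make the failure mode concrete, the following is an added example, not code from the book or from Lync Server: a small zone-based firewall model with a static NAT table, evaluated against the flows the two-Edge scenario needs under the as-deployed rule set and under each of the two solutions above. Everything in it is constructed: the addresses (RFC 5737 documentation space for the public side, RFC 1918 for the perimeter network), the zone names, the port 55000 used as a sample from the 50,000–59,999 range, and the assumed baseline that each A/V Edge public IP is reachable from the Internet only on UDP 3478 and TCP 443. Rules are matched on the pre-NAT (public) destination address; whether a given firewall evaluates policy before or after NAT differs by vendor, so adapt that part to your own platform.

```python
"""Zone-based firewall model for the Edge-pool NAT hairpin problem.

Constructed example: the addresses, zones and rule set below are made up and
are not Lync Server code or configuration. Assumed baseline: each A/V Edge
public IP is reachable from the Internet on UDP 3478 and TCP 443 only.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed topology. "Public" side uses RFC 5737 documentation space,
# the perimeter (DMZ) network uses RFC 1918 space.
PUBLIC_A = ipaddress.ip_address("203.0.113.10")
PUBLIC_B = ipaddress.ip_address("203.0.113.11")
PRIVATE_A = ipaddress.ip_address("192.168.100.10")
PRIVATE_B = ipaddress.ip_address("192.168.100.11")
REMOTE_CLIENT = ipaddress.ip_address("198.51.100.77")
MEDIA_RANGE = (50000, 59999)          # the 50,000-59,999 range from the text

# Static NAT table: public IP -> (private IP, zone that private host lives in)
NAT_TABLE = {PUBLIC_A: (PRIVATE_A, "perimeter"),
             PUBLIC_B: (PRIVATE_B, "perimeter")}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address      # address the sender targets (pre-NAT)
    proto: str                      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    """Allow rule, matched on the pre-NAT (public) destination address."""
    src_zone: str
    dst: ipaddress.IPv4Address
    protos: frozenset
    ports: tuple                    # inclusive (low, high)

    def matches(self, flow):
        return (flow.src_zone == self.src_zone and flow.dst == self.dst
                and flow.proto in self.protos
                and self.ports[0] <= flow.dport <= self.ports[1])


@dataclass
class Firewall:
    nat: dict
    rules: list = field(default_factory=list)
    hairpin_allowed: bool = False   # True once static hairpin NAT rules exist

    def evaluate(self, flow):
        """Return (verdict, reason) for one flow; the hairpin check runs first."""
        _private, zone = self.nat.get(flow.dst, (None, None))
        if zone is not None and zone == flow.src_zone and not self.hairpin_allowed:
            return "drop", (f"hairpin: {flow.src} in zone '{zone}' sent to public "
                            f"{flow.dst}, which NATs back into '{zone}'")
        for rule in self.rules:
            if rule.matches(flow):
                return "allow", (f"matched {rule.src_zone} -> {rule.dst} "
                                 f"{sorted(rule.protos)} {rule.ports}")
        return "drop", "no matching allow rule (implicit deny)"


def baseline_rules():
    """Assumed A/V Edge listeners exposed to the Internet before any fix."""
    rules = []
    for pub in (PUBLIC_A, PUBLIC_B):
        rules.append(Rule("internet", pub, frozenset({"udp"}), (3478, 3478)))
        rules.append(Rule("internet", pub, frozenset({"tcp"}), (443, 443)))
    return rules


def build_firewall(option=None):
    """option: None (as deployed), 'hairpin' (solution 1) or 'open-range' (solution 2)."""
    fw = Firewall(nat=dict(NAT_TABLE), rules=baseline_rules())
    both = frozenset({"tcp", "udp"})
    if option == "hairpin":
        fw.hairpin_allowed = True               # static hairpin NAT between the Edges
        for pub in (PUBLIC_A, PUBLIC_B):
            fw.rules.append(Rule("perimeter", pub, both, MEDIA_RANGE))
    elif option == "open-range":                # 50,000-59,999 opened inbound
        for pub in (PUBLIC_A, PUBLIC_B):
            fw.rules.append(Rule("internet", pub, both, MEDIA_RANGE))
    elif option is not None:
        raise ValueError(f"unknown option {option!r}")
    return fw


# The flows the scenario in the text depends on (constructed port numbers).
FLOWS = {
    "remote_client_to_edge_a_stun": Flow("internet", REMOTE_CLIENT, PUBLIC_A, "udp", 3478),
    "edge_a_to_edge_b_public": Flow("perimeter", PRIVATE_A, PUBLIC_B, "udp", 55000),
    "remote_client_to_edge_b_range": Flow("internet", REMOTE_CLIENT, PUBLIC_B, "udp", 55000),
}


def check(option=None):
    """Map each required flow to its verdict under the chosen rule set."""
    fw = build_firewall(option)
    return {name: fw.evaluate(flow)[0] for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for option in (None, "hairpin", "open-range"):
        fw = build_firewall(option)
        print(f"--- option: {option or 'as deployed'}")
        for name, flow in FLOWS.items():
            verdict, reason = fw.evaluate(flow)
            print(f"{name:32s} {verdict:5s} {reason}")
```

As deployed, the Edge A to Edge B flow is dropped before any policy rule is consulted, because the firewall recognises a perimeter-zone source addressing a public IP that NATs straight back into the perimeter zone. Solution 1 lifts that hairpin drop and adds an explicit perimeter-to-public rule on the media range; solution 2 leaves the hairpin drop in place and instead admits Internet-side traffic on the range to each A/V Edge public IP. The model only shows which flows each rule set permits; the page does not describe the resulting media path in detail, so that part is not modelled.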
