Lync Point to Point Call Setup w/ Client Firewall On

As you know, when you install the Lync 2013 client, a local firewall rule gets created for the Lync.exe application to talk out and in on pretty much every port. Well, that’s all good if you work in an environment that doesn’t allow local firewall rules. In our environment, local firewall rules aren’t allowed, so how would two Lync clients connect P2P, given that the Windows 7 firewall is a stateful firewall (thus the firewall must have an outgoing request to accept anything coming in)?

It was a big mystery to me how two Lync 2013 clients would connect. I could tell that the two internal endpoints could talk P2P by looking at the SDP, and the candidate promotions revealed that the preferred candidate was “HOST” for each side. I began talking to Microsoft, and they were sure there was something wrong with our FW settings and that the local FW rules must be being honored, as they couldn’t explain it either. So I looked more and, sure enough, I could not find anything wrong with our FW configs.

Going back and forth with the Microsoft consultant, I asked if we could get anyone else on the line to help shed some light on this scenario. Before that, the consultant asked, “Are you sure you’re not going through Edge via a TURN candidate?” I provided UCCAPI logs to the consultant to show it was a P2P call (after all, it would be a really bad thing if two endpoints needed to be proxied (TURNed) through the A/V Edge interface of our Edge pool). If that were the case and our Edge pool were to become unavailable, all internal P2P calls could fail. Not good. I eventually convinced the consultant to get some higher power on the line, and he lined up a call with Aaron Steele (Aaron, if you read this, thank you for taking the time).

So here’s the scoop. When two clients exchange SDP, it’s not the two clients saying “here’s my candidate, now give me yours.” The SDP is provided through the Front Ends: client 1 gives its SDP to the FE, and the FE gives client 2 client 1’s SDP, and vice versa. Thus client 1 knows what IP and port it’s expecting to hear from client 2 on, and vice versa. The Lync client is pretty smart. It keeps those two ports open only for the IP and port of the other end. Thus if client 1 says “hey client 2, come talk to me at IP 1.1.1.1 on port 50000” and client 2 says to client 1 “come talk to me at 1.1.1.2 on port 50001”, the Lync clients on each end open ports just for those two IPs.

After just 5 minutes talking to Aaron, it all made sense. The two Lync clients opened and held open the local ports for just those two endpoints. My next question was, “Well, why does Microsoft code in that local firewall rule during the install?” Aaron told me it makes things easier.

So there you have it: that’s how two Lync clients talk even if the Windows Firewall is on and you don’t honor local FW rules.
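As an added example (not from the original post or from Microsoft), here is a Python check that takes the SDP body from each client after candidate promotion, classifies the call as direct or relayed from the candidate types, and lists the peer IP/port pairs each client has to accept. The SDP bodies are constructed samples using the addresses above and the standard RFC 5245 `a=candidate` syntax; the function names and the RTCP ports are assumptions.

```python
import re

# RFC 5245: a=candidate:<foundation> <component> <transport> <priority> <ip> <port> typ <type>
CAND_RE = re.compile(
    r"^a=candidate:\S+ (\d+) (\S+) (\d+) (\S+) (\d+) typ (\w+)", re.M)

def parse_candidates(sdp):
    """Return every ICE candidate listed in one SDP body."""
    return [{"component": int(m[1]), "transport": m[2].upper(),
             "priority": int(m[3]), "ip": m[4], "port": int(m[5]),
             "type": m[6].lower()} for m in CAND_RE.finditer(sdp)]

def call_path(sdp_1, sdp_2):
    """Classify the media path from the candidate types left in the final SDPs."""
    types = {c["type"] for c in parse_candidates(sdp_1) + parse_candidates(sdp_2)}
    if not types:
        return "unknown"      # no candidates found: wrong log section or not ICE
    if "relay" in types:
        return "relayed"      # at least one side is using a TURN allocation
    return "direct" if types == {"host"} else "reflexive"

def expected_flows(sdp_1, sdp_2):
    """Pair host candidates per component: the peer IP/port each client must accept."""
    peers = {(c["component"], c["transport"]): c
             for c in parse_candidates(sdp_2) if c["type"] == "host"}
    flows = []
    for c in parse_candidates(sdp_1):
        peer = peers.get((c["component"], c["transport"]))
        if c["type"] == "host" and peer:
            flows.append((c["transport"], c["ip"], c["port"], peer["ip"], peer["port"]))
    return flows

def sample_sdp(ip, rtp_port, rtcp_port):
    """Constructed SDP body (not a real capture); component 1 = RTP, 2 = RTCP."""
    return "\r\n".join([
        "v=0", f"o=- 0 0 IN IP4 {ip}", "s=session", f"c=IN IP4 {ip}", "t=0 0",
        f"m=audio {rtp_port} RTP/AVP 0",
        f"a=candidate:1 1 UDP 2130706431 {ip} {rtp_port} typ host",
        f"a=candidate:1 2 UDP 2130706430 {ip} {rtcp_port} typ host", ""])

# Addresses and RTP ports from the post; RTCP ports are made up for the sample.
CLIENT_1_SDP = sample_sdp("1.1.1.1", 50000, 50010)
CLIENT_2_SDP = sample_sdp("1.1.1.2", 50001, 50011)

if __name__ == "__main__":
    print(call_path(CLIENT_1_SDP, CLIENT_2_SDP))
    for flow in expected_flows(CLIENT_1_SDP, CLIENT_2_SDP):
        print("%s %s:%d <-> %s:%d" % flow)
```

A result of "relayed" on an internal call is the situation the consultant asked about: media depending on the A/V Edge pool.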

Hope this helps others.
