Windows Server 2003 SP1 was the first Windows Server release to ship with an integrated host firewall. As with most Microsoft products, it has improved with each iteration, and by Windows Server 2008 the integrated firewall is quite good. Lync Server integrates with the Windows Server firewall at installation time, creating the exceptions its roles need.
Layering a host-based (operating system) firewall behind a network firewall is an inexpensive way to improve the overall security of a system. If the network firewall is compromised or misconfigured, an attacker still has to get through the OS layer firewall to reach the server. Just as important, many attacks originate inside the company: the OS layer firewall also limits exposure to trusted internal systems that have been compromised, traffic the perimeter firewall never sees.
Configuring the Windows Server 2008 Firewall for Lync Server
If the Windows Firewall service is enabled and running when the Lync Server components are installed, the necessary exceptions are created automatically.
Caution
Many administrators are tempted to disable the Windows Firewall. It is worth leaving it in place with the necessary rules configured. If you are convinced you do not want to use the Windows Firewall, and you do not plan to use a third-party operating system layer firewall, leave the Windows Firewall service running and configure the policy so that all traffic passes unhindered. Stopping the service itself is what causes trouble: other components rely on the Windows Filtering Platform, and they can misbehave when the Windows Firewall service is not running.
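The following PowerShell script is an added example and is not code from the book. It shows the supported way to follow the caution above on Windows Server 2008 / 2008 R2: keep the Windows Firewall service (MpsSvc) running and, only when the -AllowAll switch is given, switch every profile's default action to allow instead of stopping the service. It uses netsh advfirewall because the NetSecurity cmdlets do not exist on these versions, and it assumes English-language netsh output; the Get-FirewallPolicy function and the -AllowAll switch are names chosen here.

```powershell
# Added example (not from the book). Keep MpsSvc running; optionally set an
# allow-all policy instead of stopping the firewall service.
# Usage: .\Set-HostFirewallPolicy.ps1            # report service state and policy
#        .\Set-HostFirewallPolicy.ps1 -AllowAll  # keep service, allow all traffic
param([switch]$AllowAll)

# 1. The Windows Firewall service must stay running and start automatically.
#    Win32_Service is used because Get-Service on PowerShell 2.0 lacks StartType.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='MpsSvc'"
if ($svc.StartMode -ne 'Auto')   { Set-Service -Name MpsSvc -StartupType Automatic }
if ($svc.State     -ne 'Running'){ Start-Service -Name MpsSvc }

# 2. Parse "netsh advfirewall show allprofiles" into profile -> State / Policy.
#    Assumes English output ("Domain Profile Settings:", "State", "Firewall Policy").
function Get-FirewallPolicy {
    $result  = @{}
    $profile = $null
    foreach ($line in (& netsh advfirewall show allprofiles)) {
        if ($line -match '^(\w+) Profile Settings:') {
            $profile = $matches[1]; $result[$profile] = @{}
        } elseif ($profile -and $line -match '^State\s+(\S+)') {
            $result[$profile].State = $matches[1]
        } elseif ($profile -and $line -match '^Firewall Policy\s+(\S+)') {
            $result[$profile].Policy = $matches[1]
        }
    }
    return $result
}

function Show-FirewallPolicy([hashtable]$Policy, [string]$Label) {
    Write-Host "--- $Label ---"
    foreach ($p in $Policy.Keys) {
        Write-Host ("{0,-8} state={1,-4} policy={2}" -f $p, $Policy[$p].State, $Policy[$p].Policy)
    }
}

Show-FirewallPolicy (Get-FirewallPolicy) 'current'

# 3. The "allow everything" alternative from the caution: firewall stays on,
#    service stays running, default action becomes allow for every profile.
if ($AllowAll) {
    $null = & netsh advfirewall set allprofiles state on
    $null = & netsh advfirewall set allprofiles firewallpolicy allowinbound,allowoutbound
    if ($LASTEXITCODE -ne 0) { Write-Warning 'netsh could not change the firewall policy' }
    Show-FirewallPolicy (Get-FirewallPolicy) 'after -AllowAll'
}
```

Without -AllowAll the script only reports, which makes it a convenient check that a server you inherited still has MpsSvc running and which default policy each profile carries.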
For administrators who installed Lync Server with the Windows Firewall turned off and now want to enable it and backfill the rules, Table 1 details the rules the installer creates to support the various Lync Server roles.
Table 1. Lync Server 2010 Firewall Rules

| Name | Program | Protocol | Local Port | Remote Port |
|---|---|---|---|---|
| OCS SQL RTC Access | C:\Program Files\Microsoft SQL Server\MSSQL10.RTC\MSSQL\Binn\sqlservr.exe | TCP | Any | Any |
| OCS SQL RTC Access | C:\Program Files\Microsoft SQL Server\MSSQL10.RTC\MSSQL\Binn\sqlservr.exe | UDP | Any | Any |
| OCS SQL RTC Access | C:\Program Files\Microsoft SQL Server\MSSQL10.RTC\MSSQL\Binn\sqlservr.exe | TCP | Any | Any |
| OCS SQL RTC Access | C:\Program Files\Microsoft SQL Server\MSSQL10.RTC\MSSQL\Binn\sqlservr.exe | UDP | Any | Any |
| SQL Browser | Any | UDP | 1434 | Any |
| CS FTA | C:\Program Files\Microsoft Lync Server 2010\File Transfer Agent\FileTransferAgent.exe | Any | Any | Any |
| CS master | C:\Program Files\Microsoft Lync Server 2010\Master Replicator Agent\MasterReplicatorAgent.exe | Any | Any | Any |
| CS OcsAppServer Host.exe | C:\Program Files\Microsoft Lync Server 2010\Application Host\OcsAppServerHost.exe | Any | Any | Any |
| CS Replica | C:\Program Files\Microsoft Lync Server 2010\Server\Replica Replicator Agent\ReplicaReplicatorAgent.exe | Any | Any | Any |
| CS rtcappsrv | C:\Program Files\Microsoft Lync Server 2010\Application Host\OcsAppServerMaster.exe | Any | Any | Any |
| CS rtcasmcu | C:\Program Files\Microsoft Lync Server 2010\OCSMCU\Application Sharing\ASMCUSvc.exe | Any | Any | Any |
| CS rtcavmcu | C:\Program Files\Microsoft Lync Server 2010\OCSMCU\AV Conferencing\AVMCUSvc.exe | Any | Any | Any |
| CS rtcdatamcu | C:\Program Files\Microsoft Lync Server 2010\Web Conferencing\DataMCUSvc.exe | Any | Any | Any |
| CS rtcimmcu | C:\Program Files\Microsoft Lync Server 2010\OCSMCU\IM Conferencing\IMMCUSvc.exe | Any | Any | Any |
| CS rtcmedsrv | C:\Program Files\Microsoft Lync Server 2010\Mediation Server\MediationServerSvc.exe | Any | Any | Any |
| CS rtcmeetingmcu | C:\Program Files\Microsoft Lync Server 2010\OCSMCU\Web Meeting Conferencing\MeetingMCUSvc.exe | Any | Any | Any |
| CS rtcsrv | C:\Program Files\Microsoft Lync Server 2010\Server\Core\RTCSrv.exe | Any | Any | Any |
| CS TCP13457 | Any | TCP | 13457 | Any |
| CS TCP135 | Any | TCP | 135 | Any |
| CS TCP443 | Any | TCP | 443 | Any |
| CS TCP444 | Any | TCP | 444 | Any |
| CS TCP4443 | Any | TCP | 4443 | Any |
| CS TCP445 | Any | TCP | 445 | Any |
| CS TCP80 | Any | TCP | 80 | Any |
| CS TCP8060 | Any | TCP | 8060 | Any |
| CS TCP8061 | Any | TCP | 8061 | Any |
| CS TCP8080 | Any | TCP | 8080 | Any |
| Remote Administration (NP-In) | System | TCP | 445 | Any |
| Remote Administration (RPC) | %SystemRoot%\system32\svchost.exe | TCP | RPC Dynamic Ports | Any |
| Remote Administration (RPC-EPMAP) | %SystemRoot%\system32\svchost.exe | TCP | RPC Endpoint Mapper | Any |
| Remote Desktop (TCP-In) | System | TCP | 3389 | Any |
| Remote Service Management (NP-In) | System | TCP | 445 | Any |
| Remote Service Management (RPC) | %SystemRoot%\system32\services.exe | TCP | RPC Dynamic Ports | Any |
| Remote Service Management (RPC-EPMAP) | %SystemRoot%\system32\svchost.exe | TCP | RPC Endpoint Mapper | Any |
| Secure Socket Tunneling Protocol (SSTP-In) | System | TCP | 443 | Any |
| World Wide Web Services (HTTPS Traffic-In) | System | TCP | 443 | Any |
| Windows Firewall Remote Management (RPC) | %SystemRoot%\system32\svchost.exe | TCP | RPC Dynamic Ports | Any |
| Windows Firewall Remote Management (RPC-EPMAP) | %SystemRoot%\system32\svchost.exe | TCP | RPC Endpoint Mapper | Any |
| Windows Remote Management - Compatibility Mode (HTTP-In) | System | TCP | 80 | Any |
| Windows Remote Management (HTTP-In) | System | TCP | 5985 | Any |
| World Wide Web Services (HTTP Traffic-In) | System | TCP | 80 | Any |
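The following PowerShell script is an added example; it is not code from the book or from the Lync Server installer. It backfills the rules of Table 1 with netsh advfirewall, which is the tool available on Windows Server 2008 / 2008 R2 (the New-NetFirewallRule cmdlet only arrived with Windows Server 2012). Assumptions made here: the default installation paths shown in the table, inbound rules (the table lists local ports, and the installer's exceptions are inbound), English-language netsh output, and the variable and function names ($LyncRoot, $SqlBinn, Invoke-Netsh, Test-RuleExists), which are chosen for this example. The rows from "Remote Administration (NP-In)" downward are Windows' own predefined rules, so the script enables them by name rather than recreating them.

```powershell
# Added example (not from the book): recreate the Table 1 rules with netsh advfirewall.
# Usage: .\Add-LyncFirewallRules.ps1 -DryRun   # print the netsh commands only
#        .\Add-LyncFirewallRules.ps1           # create missing rules, enable predefined ones
param([switch]$DryRun)

$LyncRoot = 'C:\Program Files\Microsoft Lync Server 2010'                       # assumed default path
$SqlBinn  = 'C:\Program Files\Microsoft SQL Server\MSSQL10.RTC\MSSQL\Binn'      # assumed default path

# Rules scoped to an executable (Program column): any local/remote port.
$programRules = @(
    @{ Name='OCS SQL RTC Access';       Protocol='tcp'; Program="$SqlBinn\sqlservr.exe" },
    @{ Name='OCS SQL RTC Access';       Protocol='udp'; Program="$SqlBinn\sqlservr.exe" },
    @{ Name='CS FTA';                   Protocol='any'; Program="$LyncRoot\File Transfer Agent\FileTransferAgent.exe" },
    @{ Name='CS master';                Protocol='any'; Program="$LyncRoot\Master Replicator Agent\MasterReplicatorAgent.exe" },
    @{ Name='CS OcsAppServer Host.exe'; Protocol='any'; Program="$LyncRoot\Application Host\OcsAppServerHost.exe" },
    @{ Name='CS Replica';               Protocol='any'; Program="$LyncRoot\Server\Replica Replicator Agent\ReplicaReplicatorAgent.exe" },
    @{ Name='CS rtcappsrv';             Protocol='any'; Program="$LyncRoot\Application Host\OcsAppServerMaster.exe" },
    @{ Name='CS rtcasmcu';              Protocol='any'; Program="$LyncRoot\OCSMCU\Application Sharing\ASMCUSvc.exe" },
    @{ Name='CS rtcavmcu';              Protocol='any'; Program="$LyncRoot\OCSMCU\AV Conferencing\AVMCUSvc.exe" },
    @{ Name='CS rtcdatamcu';            Protocol='any'; Program="$LyncRoot\Web Conferencing\DataMCUSvc.exe" },
    @{ Name='CS rtcimmcu';              Protocol='any'; Program="$LyncRoot\OCSMCU\IM Conferencing\IMMCUSvc.exe" },
    @{ Name='CS rtcmedsrv';             Protocol='any'; Program="$LyncRoot\Mediation Server\MediationServerSvc.exe" },
    @{ Name='CS rtcmeetingmcu';         Protocol='any'; Program="$LyncRoot\OCSMCU\Web Meeting Conferencing\MeetingMCUSvc.exe" },
    @{ Name='CS rtcsrv';                Protocol='any'; Program="$LyncRoot\Server\Core\RTCSrv.exe" }
)

# Rules scoped to a local port (Program = Any).
$portRules = @( @{ Name='SQL Browser'; Protocol='udp'; Port=1434 } )
foreach ($p in 13457,135,443,444,4443,445,80,8060,8061,8080) {
    $portRules += @{ Name="CS TCP$p"; Protocol='tcp'; Port=$p }
}

# Windows' predefined rules from the table: enable, do not recreate. They only
# exist once the matching feature (IIS, Remote Desktop, ...) is installed.
$predefined = @(
    'Remote Administration (NP-In)', 'Remote Administration (RPC)', 'Remote Administration (RPC-EPMAP)',
    'Remote Desktop (TCP-In)',
    'Remote Service Management (NP-In)', 'Remote Service Management (RPC)', 'Remote Service Management (RPC-EPMAP)',
    'Secure Socket Tunneling Protocol (SSTP-In)',
    'World Wide Web Services (HTTP Traffic-In)', 'World Wide Web Services (HTTPS Traffic-In)',
    'Windows Firewall Remote Management (RPC)', 'Windows Firewall Remote Management (RPC-EPMAP)',
    'Windows Remote Management - Compatibility Mode (HTTP-In)', 'Windows Remote Management (HTTP-In)'
)

function Invoke-Netsh([string[]]$NetshArgs) {
    if ($DryRun) { Write-Host ('netsh ' + ($NetshArgs -join ' ')); return }
    $null = & netsh @NetshArgs
    if ($LASTEXITCODE -ne 0) { Write-Warning ('netsh failed: ' + ($NetshArgs -join ' ')) }
}

function Test-RuleExists([string]$Name) {
    # netsh prints "No rules match the specified criteria." and exits non-zero when absent.
    $out = & netsh advfirewall firewall show rule "name=$Name" 2>&1
    return ($LASTEXITCODE -eq 0) -and (-not ($out -match 'No rules match'))
}

# Check each name once, before adding anything, so both OCS SQL rows (TCP and UDP)
# are created when the name is missing.
$exists = @{}
foreach ($r in ($programRules + $portRules)) {
    if (-not $exists.ContainsKey($r.Name)) { $exists[$r.Name] = Test-RuleExists $r.Name }
}

foreach ($r in $programRules) {
    if ($exists[$r.Name]) { Write-Host "exists: $($r.Name)"; continue }
    Invoke-Netsh @('advfirewall','firewall','add','rule',"name=$($r.Name)",'dir=in','action=allow',
                   "program=$($r.Program)","protocol=$($r.Protocol)",'enable=yes')
}
foreach ($r in $portRules) {
    if ($exists[$r.Name]) { Write-Host "exists: $($r.Name)"; continue }
    Invoke-Netsh @('advfirewall','firewall','add','rule',"name=$($r.Name)",'dir=in','action=allow',
                   "protocol=$($r.Protocol)","localport=$($r.Port)",'enable=yes')
}
foreach ($n in $predefined) {
    Invoke-Netsh @('advfirewall','firewall','set','rule',"name=$n",'new','enable=yes')
}
```

Run it once with -DryRun and compare the printed commands against Table 1 before creating anything; a warning for a predefined rule usually means the corresponding Windows feature is not installed on that server yet, not that the script is wrong.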