Port 5088 Missing from Lync 2013 Documentation

If they had the other Harry Caray, a whole lot of Budweiser would be missing too.

We had an issue where users were able to sign in with Lync mobility but were unable to send and receive IMs. There are 2 things to note about this scenario:

1. The users are homed on an SBA

2. There are firewalls between the SBA and the parent pool.

So if you don’t have this scenario then you can quit reading now as you won’t ever have this problem.

In order to troubleshoot why our users were unable to successfully use Lync mobility, we jumped into the logs. We reviewed the log from the mobile phone and it showed nothing useful. We enabled the Lync Logging tool on the SBA and had a user log in and try to send an instant message.

Reviewing this log, we saw a request for port 5088 from the SBA to the parent pool. The request was to a specific server in the parent pool and it was from our Survivable Branch Appliance.

If you look at the image below you’ll see this in the Snooper view of the collected log file. The ms-diagnostics line pretty much spells this out as clearly as you could expect.

Look at the circle. It’s 5088!

Port 5088 does not currently exist on the Lync Ports and Protocols page on TechNet. Searching for this port turns up very little outside of this one TechNet article. That article points to the set-cswebserver PowerShell cmdlet, which is used to define the web server settings in Lync. If you expand the Parameters section in the article and scroll down to the UcwaSipExternalListeningPort section, you will see that this is set to use 5088/tcp by default. This is incorrect, as this is the port used by UcwaSipPrimaryListeningPort. The TechNet article has the two ports switched (the same error is seen when running get-help set-cswebserver -detailed).

Run get-csservice -Webserver and you will see the default ports. Note that they don’t match the documentation.

 

In other words, even when Microsoft has documented this port in TechNet, they got it wrong. We didn’t see port 5089 in any of our traces so we couldn’t figure out when this port gets used.

After we updated the firewalls in front of our parent pool Lync servers, the problem immediately disappeared and our SBA users were able to successfully IM via their mobile clients.
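
One way to confirm the firewall change from the SBA, added here as an example and not part of the original post: it reads the UCWA SIP listening ports from the topology and attempts a TCP connection to each server in the parent pool. The pool FQDN is a placeholder, and the property names on the Get-CsService output are assumed to match the Set-CsWebServer parameter names quoted above.

```powershell
# Added example: run on the SBA from the Lync Server Management Shell.
# 'pool01.example.com' is a placeholder; pass your own parent pool FQDN.
param(
    [string]$ParentPool = 'pool01.example.com',
    [int]$TimeoutMs = 3000
)

function Test-TcpPort {
    param([string]$Computer, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        # No answer at all within the timeout usually means a silent firewall drop
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return 'Timeout (no response, possibly dropped by a firewall)'
        }
        $client.EndConnect($async)   # throws if the connection was refused
        return 'Open'
    } catch {
        return 'Refused or unreachable'
    } finally {
        $client.Close()
    }
}

# Take the ports from the deployed topology instead of the documentation.
# Assumption: the output properties carry the Set-CsWebServer parameter names.
$web = Get-CsService -WebServer | Where-Object { $_.PoolFqdn -eq $ParentPool }
if (-not $web) { throw "No web service found for pool $ParentPool" }
$ports = @{
    UcwaSipPrimaryListeningPort  = $web.UcwaSipPrimaryListeningPort
    UcwaSipExternalListeningPort = $web.UcwaSipExternalListeningPort
}

# The failing request in the trace went to one specific pool server,
# so test every member of the pool rather than the pool name.
foreach ($server in (Get-CsPool -Identity $ParentPool).Computers) {
    foreach ($name in $ports.Keys) {
        New-Object PSObject -Property @{
            Server  = $server
            Setting = $name
            Port    = $ports[$name]
            Result  = Test-TcpPort $server $ports[$name] $TimeoutMs
        }
    }
}
```

A timeout on one pool member but not the others points at a per-host firewall rule rather than the service itself.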


Our contact at Microsoft has forwarded this omission to the relevant teams so hopefully at some point this will be added to the Lync ports and protocols page.


Credit for figuring this out goes to Antwan who is resurrecting his UC Playa blog. I’m just the one who wrote the article.

8 comments

    • soder on 2014/07/01 at 11:55

    Is it a service port used since the Lync 2010 days, or new to the lync 2013 edition? If it's there since 2010, then it's an embarrassing 4-year-old documentation bug that nobody from the MS Lync team noticed. While there is a chance freelancer Lync MVPs or big companies who have their own security and lync experts, have already noticed that, and their internal documents already include the correct ports. But as we don't benefit from private investigations, we can consider that it's still a not known defect for the public.

    By the way, this issue shows clearly how low quality is the job of the LYNC documentation team, or nobody made the quality assurance against their deliverable. Would recommend to hire some 3rd party firewall consultants / experts, who could audit the real firewall port requirements of this product. I am pissed off, as we are not talking about some exotic feature, we are talking about a damn key part of the product, that every big companies will ask MS: “tell me the damn list of ports your product uses, so we can restrict the firewall to only allow those ports, and block everything else”.

  1. This is new as of 2013 as Lync 2010 didn’t have UCWA. But it’s been a year and half since release and it was a new port to us as of a few weeks ago.

    • soder on 2014/09/16 at 12:03

    It seems either MS rejected this bug report, or they are working hell slow to update the damn Technet site and the offline .CHM file… Not impressed how that company performs in the recent 3-4 years.

  2. Hey, as a Lync Support Escalation Engineer at Microsoft, I will note that your article is correct – I will make sure our docs team is aware that the TechNet article that covers port summary is updated. In the interim, there is this document that directly discusses UCWA port requirements that directly apply to this scenario
    http://technet.microsoft.com/en-us/library/hh690030.aspx
    This is important for any UCWA application (Web App Conf AV, mobility, etc). I like your blog though. Keep up the good work!
    Thanks! ~Andrew

      • soder on 2014/11/06 at 04:33

      Andrew:
      Greatly appreciated that you, as an employee of MS also reported the issue to the relevant people. However, you should understand how awkward it is for us outsiders to experience, that a hefty 1,5 yrs has already passed still without resolution. UCWA support was introduced in 2013 February update, and today is 2014 November, still without proper firewall port-list update on Technet.

      It's nice, that the technet article you linked talks about these ports. But it's quite buried deep down in the mobility section, and not in the main network ports planning section. The primary reason of the Firewall ports section is to be the single main source of information for all network planning related jobs. The mobility team knows this port number, but the network planning team doesn't. So, for me it's obvious, that those different teams inside the Lync document group don't communicate to each other. Or there had to be an independent auditor, who can oversee what these different teams put together, and notice these discrepancies. The port list should be far the most important deliverable of the network security team, so the Lync team should focus on this part with high priority!

  3. This port has not been added to the ports and protocols documentation for Skype for Business or the recently released Protocols and Workloads poster for Skype4B. hhhhhhhhhhh.

  4. Good catch and thank you for sharing this information.

    Today while I was working on a different issue and checking the client logs found that, my mobile client is using 5088. In my case my account is present on a FE server but not on a SBA. So, though my account is not present on a SBA I could find that my mobile client is using 5088 in order to communicate with the FE servers. Like mentioned earlier, this is not noticed and not documented correctly in any of the lync / sfb work load poster or other articles.

    • soder on 2017/02/14 at 09:34

    Amazing, it's 2017 February, and these schmucks in Redmond still failed to list those 2 bloody ports on Technet (neither for Lync 2013 nor for Skype 2015!). Have all prior Lync document team members been fired and replaced by brainless monkeys??
