You can't connect to Lync Online, or certain features don't work, because an on-premises firewall blocks the connection

Article translations Article translations
Article ID: 2409256 - View products that this article applies to.

Not sure what release of Office 365 you're using? Go to the following Microsoft website:
Am I using Office 365 after the service upgrade?
Expand all | Collapse all

PROBLEM

You experience one or more of the following symptoms in Microsoft Lync Online:
  • You can't connect to Lync Online.
  • The following features don't work in Lync Online:
    • Presence updates, and this includes contact pictures
    • Microsoft Outlook integration
    • File transfers
    • Audio and video

SOLUTION

To resolve this issue, configure an exception for Microsoft Office 365 URLs and applications from the proxy or firewall.

To resolve this issue for Microsoft Internet Security and Acceleration (ISA) Server 2006, create an allow rule. The allow rule should meet the following criteria. These criteria are highly recommended:
  • Allow outgoing connections to the following destination: *.microsoftonline.com
  • Allow outgoing connections to the following destination: *.microsoftonline-p.com
  • Allow outgoing connections to the following destination: *.onmicrosoft.com
  • Allow outgoing connections to the following destination: *.sharepoint.com
  • Allow outgoing connections to the following destination: *.outlook.com
  • Allow outgoing connections to the following destination: *.lync.com
  • Allow outgoing connections to the following destination: evsecure-ocsp.verisign.com
  • Allow outgoing connections to the following destination: evsecure-aia.verisign.com
  • Allow outgoing connections to the following destination: evsecure-crl.verisign.com
  • Allow outgoing connections to the following destination: sa.symcb.com

    Note This is the certification revocation library for microsoftonline.com.
  • Protocols TCP and HTTPS
  • Rule must apply to all users
  • HTTPS/SSL time-out set to 8 hours
Take the following actions:
  • Review the following Office 365 blog post:

    Set up your network for Lync Online
  • Exclude the IP address ranges that are used by Lync Online. To view these IP address ranges, go to the following Microsoft TechNet website:

    Lync Online URLs and IP Address Ranges
  • Exclude the IP address ranges used by other Office 365 services, especially the IP ranges for Microsoft Online Services Sign In. If you're using Exchange Online, make sure that you exclude outgoing IP addresses for Exchange Online.
    Office 365 URLs and IP address ranges
  • Use the Office 365 Custom Domain Name Settings Test for Lync Online:
    Lync Remote Connectivity Analyzer
  • See the following article in the Microsoft Knowledge Base to create an exception in your firewall for the Microsoft Azure AD authentication system:
    2769142 Lync 2013 or Lync 2010 can't connect to the Lync Online service because a proxy is blocking connections from MSOIDSVC.exe
Additionally, the following ports must be open in the external firewall.
Collapse this tableExpand this table
PortProtocolDirectionUsage
443STUN/TCPOutboundAudio, video, application sharing sessions
443PSOM/TLSOutboundData sharing sessions
3478STUN/UDPOutboundAudio, video sessions
5223TCPOutboundLync Mobile push notifications
50000 – 50019RTP/UDPOutboundAudio
50020 – 50039RTP/UDPOutboundVideo
50040 – 50059TCPOutboundFile Transfer and Application Sharing

Note The same rule concepts can be applied to other firewalls. Additionally, your firewall server may require a firewall client to be installed on the end-user's computer.

For more information about how to configure ISA 2006 firewall rules, go to the following Microsoft TechNet website:

Configuring ISA Server 2006 Firewall Rules

MORE INFORMATION

This issue occurs if an on-premises firewall blocks the communication flow.


How to verify that all network requirements for Lync Online are met

Collapse this imageExpand this image
assets folding start collapsed
In a web browser, browse to one of the following Lync Online Transport Reliability IP Probe (TRIPP) tool URLs. (Browse to the URL that's closest to the user's physical location.)Then, click Start Test.

If any of the tests that are performed by the TRIPP tool fail, take the necessary actions to resolve the failure, and then rerun the TRIPP tool to verify that the connectivity issue is resolved. Use the references earlier in this article for information about ports, IP ranges, and URLs that should be allowed through an on-premises firewall or proxy.
Collapse this imageExpand this image
assets folding end collapsed

The Client Access and Media Access tests

Collapse this imageExpand this image
assets folding start collapsed
Two of the more important tests to consider are the Client Access test and the Media Access test. If these tests fail, Lync Online connectivity will be unable to log on to or to connect to media or collaboration sessions.
Collapse this imageExpand this image
Screen shot of the Client Access, Federation Access, Media  Access test page, showing the Connection Successful
Collapse this imageExpand this image
assets folding end collapsed

The Route test

Collapse this imageExpand this image
assets folding start collapsed
The Route test performs diagnostics on a packet's journey from the client computer to the Lync Online servers and displays information and statistics about each hop in the transmission. If a single point on the chart displays decreased functionality, it means that the device at that location could be causing the connectivity issue. If the device is in the on-premises environment, verify that it's operating correctly and that all software is up to date. If the device is outside the network and is owned by upstream providers, you may have to contact your Internet service provider (ISP) to resolve the conflict.

Collapse this imageExpand this image
Screen shot of the route test result
To view more information and statistics about an endpoint, pause on a point in the graph on the Performance Graph page of the Route tab:

Collapse this imageExpand this image
Screen shot of route point statistics

The Connection Summary page of the Summary tab gives you a quick view of the tests that failed and of the tests that succeeded.

Collapse this imageExpand this image
Screen shot of the conection summary page
Collapse this imageExpand this image
assets folding end collapsed

Still need help? Go to the Office 365 Community website.

Properties

Article ID: 2409256 - Last Review: June 24, 2014 - Revision: 59.0
Applies to
  • Microsoft Office 365 for enterprises (pre-upgrade)
  • Microsoft Office 365 for small businesses  (pre-upgrade)
  • Microsoft Office 365 for education  (pre-upgrade)
  • Microsoft Lync Online
Keywords: 
o365 o365a o365e kbgraphxlink o365062011 pre-upgrade o365022013 after upgrade o365m o365p kbgraphic KB2409256

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com