You can't connect to Skype for Business Online, or certain features don't work, because an on-premises firewall blocks the connection

Applies to: Skype for Business Online

PROBLEM


You experience one or more of the following symptoms in Skype for Business Online (formerly Lync Online): 
  • You can't connect to Skype for Business Online.
  • The following features don't work in Skype for Business Online:
    • Presence updates, and this includes contact pictures
    • Outlook integration
    • File transfers
    • Audio and video

SOLUTION


To resolve this issue, configure an exception for Office 365 URLs and applications from the proxy or firewall.

To resolve this issue for Internet Security and Acceleration (ISA) Server 2006, create an allow rule. The allow rule should meet the following criteria. These criteria are highly recommended:
  • Allow outgoing connections to the following destination: *.microsoftonline.com
  • Allow outgoing connections to the following destination: *.microsoftonline-p.com
  • Allow outgoing connections to the following destination: *.onmicrosoft.com
  • Allow outgoing connections to the following destination: *.sharepoint.com
  • Allow outgoing connections to the following destination: *.outlook.com
  • Allow outgoing connections to the following destination: *.lync.com
  • Allow outgoing connections to the following destination: *.verisign.com
  • Allow outgoing connections to the following destination: *.verisign.net
  • Allow outgoing connections to the following destination: *.public-trust.com
  • Allow outgoing connections to the following destination: sa.symcb.com

    Note This is the certification revocation library for microsoftonline.com.
  • Protocols TCP and HTTPS
  • Rule must apply to all users
  • HTTPS/SSL time-out set to 8 hours
Take the following actions:
  • Review the following Office 365 website: 
     
  • Exclude the IP address ranges used by Skype for Business Online and other Office 365 services, especially the IP ranges for Office 365 portal and identity. If you're using Exchange Online, make sure that you exclude outgoing IP addresses for Exchange Online.
  • Use the Office 365 Custom Domain Name Settings Test for Skype for Business Online:
  • See the following article in the Microsoft Knowledge Base to create an exception in your firewall for the Microsoft Azure AD authentication system:
  • 2769142 Lync 2013 or Lync 2010 can't connect to the Skype for Business Online service because a proxy is blocking connections from MSOIDSVC.exe
  • See the "HTTP Proxies" topic in section 4.2.1.1.6 of the Network Planning, Monitoring, and Troubleshooting with Lync Server white paper. It speaks to problems with proxy servers performing deep-packet-inspection. Also review the following Microsoft Knowledge Base article:
    2690045 Using WAN Optimization Controller or Traffic/Inspection devices with Office 365
Additionally, the following ports must be open in the external firewall.
Purpose Source IP Destination IP Source Port Destination Port
Session Initiation Protocol (SIP) Signaling Client Office 365 Ephemeral ports TCP 443 TCP
Persistent Shared Object Model (PSOM) Web Conferencing Client Office 365 Ephemeral ports TCP 443 TCP
HTTPS downloads Client Office 365 Ephemeral ports TCP 443 TCP
Audio Client Office 365 50000 - 50019 UDP and TCP

443 TCP,
3478 & 3479 UDP,
50000 - 59999 UDP and TCP (optional)

Video Client Office 365 50020 - 50039 UDP and TCP

443 TCP,
3478 & 3480 UDP, 
50000 - 59999 UDP and TCP (optional)

Desktop Sharing Client Office 365 50040 - 50059 UDP and TCP

443 TCP, ​​​​​
3478 & 3481 UDP,
50000 - 59999 UDP and TCP (optional)

Lync Mobile push notifications for Lync Mobile 2010 on iOS and Windows Phone 7.5 devices Client Office 365 Ephemeral ports TCP 5223 TCP

Note Office 365 Skype for Business Online Edge Servers listen on the whole range of TCP and UDP ports 50000 - 59999 for Lync client audio, video, and Desktop Sharing sessions. Network traces will show client source ports in the 50000 - 50059 range connecting to destination ports on the Skype for Business Online Edge Servers in the 50000 - 59999 range.

For more information about how to configure ISA 2006 firewall rules, go to the following Microsoft TechNet website:
 

MORE INFORMATION


This issue occurs if an on-premises firewall blocks the communication flow.

Still need help? Go to Microsoft Community.