Wednesday, July 15, 2009

Undocumented ports for load balancing OCS 2007 R2?

Well it might not be "undocumented" exactly if you're reading the right documentation. Download the .chm file from Microsoft ( and you'll be okay whereas some of the online documentation I've seen seems to leave out a few critical ports. For those of you load balancing OCS 2007 R2 Enterprise Edition pools, here is the difinitive port list:
  • 5060 (Client to server SIP communication over TCP. Not required typically.)
  • 5061 (Client to Front End Server SIP communication over TLS)
  • 5065 (Used for incoming SIP listening requests for application sharing over TCP)
  • 5069 (Used by QoE Agent on Front End Servers, needs to be open only if this pool sends QoE data to Monitoring Server)
  • 5071 (SIP requests to Response Group service)
  • 5072 (SIP requests to Conferencing Attendant)
  • 5073 (SIP requests to Conferencing Attendant Announcement Server)
  • 5074 (SIP requests for Outside Voice Control)
  • 135 (To move users and perform other pool level Windows Management Instrumentation (WMI) operations over DCOM)
  • 444 (Communication between the internal components that manage conferencing and the conferencing servers)
  • 443 (HTTPS traffic to the pool URLs)
  • 80 (Used by Tanjay update process. This port is undocumented but required.)

Also the following attributes/settings must be in place:

  • The load balancer must provide TCP-level affinity. This means that the load balancer must ensure that TCP connections can be established with one Office Communications Server 2007 R2 in the pool and all traffic on that connection destined for that same Office Communications Server 2007 R2.
  • The load balancer must provide a configurable TCP idle-timeout interval with a maximum value greater than or equal to the minimum of the REGISTER refresh or SIP Keep-Alive interval of 30 minutes.
  • The load balancer should support a rich set of metrics (round robin, least connections, weighted, and so forth). A weighted least connections-based load balancing mechanism is recommended for the load balancer. This means that the load balancer will rank all Office Communications Servers 2007 R2 based on the weight assigned to them and the number of outstanding connections. This rank will then be used to pick the Office Communications Server 2007 R2 to be used for the next connection request.
  • The load balancer must be able to detect Office Communications Server 2007 R2 availability by establishing TCP connections to either port 5060 or 5061, depending on which is active (often called a heartbeat or monitor). The polling interval must be a configurable value with a minimum value of at least five seconds. The load balancer must not select an Office Communications Server 2007 R2 that shuts down until a successful TCP connection (heartbeat) can be established again.
  • Every Office Communications Server 2007 R2 must have exactly one network adapter. Multihoming an Office Communications Server 2007 R2 is not supported.
  • The network adapter must have exactly one static IP address. This IP address will be used for the incoming load-balanced traffic.
  • The computer must have a registered FQDN. The IP address registered for this FQDN must be publicly accessible from within the enterprise.



  1. According to a Radware document coming from 2009.11.09, only half of the ports visible in this list are included as loadbalanced ports.

    It lists only 5060,5061,443,444,5065,135.

    Is there any reason to put the additional ports into the webfarm list?

  2. Yes. If you want things like the conferencing attendant and response groups to work you will need to load balance them. I've been through the pain of not having these and scratching my head as to why the features don't work.

  3. It just turned out, that I am missing the TCP port 80 configured on the loadbalancer, and that is why the Tanjay was not able to download the new firmware from the Front end servers sitting behind the load balancer.

    1,5 years since ocs r2 came out, but still MS did not put that f*king rule into the most recent version of the documentation. I cannot believe that nobody sent them feedback, or all of their in-house OCS experts are so idiot that none of them knows this bug?