Our topology
fig 1. Skype for Business resource forest topology
One-way or Two-way trust relationship?
| One-way trust | Two-way trust | |
|---|---|---|
| Add users | Manual | Automatically |
| Security | Optimal | Sub-Optimaal, softapp can read users from your domain |
Security
Open the following ports in the firewall towards 192.168.184.0/24
| Client Port (s) | Server Port | Service |
|---|---|---|
| 49152 -65535 / UDP | 123 / UDP | W32Time |
| 49152 -65535 / TCP | 135 / TCP | RPC Endpoint Mapper |
| 49152 -65535 / TCP | 464 / TCP / UDP | Kerberos password change |
| 49152 -65535 / TCP | 49152-65535 / TCP | RPC for LSA, SAM, Netlogon (*) |
| 49152 -65535 / TCP / UDP | 389 / TCP / UDP | LDAP |
| 49152 -65535 / TCP | 636 / TCP | LDAP SSL |
| 49152 -65535 / TCP | 3268 / TCP | LDAP GC |
| 49152 -65535 / TCP | 3269 / TCP | LDAP GC SSL |
| 53, 49152 -65535 / TCP / UDP | 53 / TCP / UDP | DNS |
| 49152 -65535 / TCP | 49152 -65535 / TCP | FRS RPC (*) |
| 49152 -65535 / TCP / UDP | 88 / TCP / UDP | Kerberos |
| 49152 -65535 / TCP / UDP | 445 / TCP | SMB (**) |
| 49152 -65535 / TCP | 49152-65535 / TCP | DFSR RPC (*) |
(*) For information about how to define RPC server ports that are used in the LSA RPC services, see the following Microsoft Knowledge Base articles:
- 224196: Restricting Active Directory replication traffic and client RPC traffic to a specific port
- "Domain controllers and Active Directory" section in 832017: Service overview and network port requirements for the Windows Server system
(**) For the operation of the trust this port is not required, it is used for trust creation only.
| Info |
|---|
Note: External trust 123 / UDP is only required if the Windows Time Service is set to Sync with a server across the external trust. |