Firewall configuration for Microsoft Teams recording deployments

This chapter summarizes the required firewall configuration for Microsoft Teams recording deployments.

Inbound rules

| Server | Server Role | Service name | Source | Port | Protocol | Notes |
|---|---|---|---|---|---|---|
| SQL Server | - | - | All Verba Servers | 1433 | TCP | SQL connection |
| All Verba Servers | - | Verba Node Manager Agent | Verba Media Repository | 4433 | TCP | Central configuration from Verba Web Application |
| Verba Media Repository Server | Media Repository | Verba Web Application | Any | 80 | TCP | Used for HTTP-based web access |
| Verba Media Repository Server | Media Repository | Verba Web Application | Any | 443 | TCP | Used for HTTPS-based web access |
| Verba Media Repository Server | Media Repository | Verba Media Streamer and Content Server Service | Any | 10105 | TCP | Media port for playback via HTTP |
| Verba Media Repository Server | Media Repository | Verba Media Streamer and Content Server Service | Any | 10106 | TCP | Media port for playback via HTTPS |
| Verba Media Repository Server | Media Repository | Verba Storage Management Service | Verba Recording Server | 20111 | TCP | Communication with Verba Storage Management services, used for secure file upload |
| Verba Media Repository Server | Media Repository | SQL Server (if co-located on Verba Media Repository) | All Verba Servers | 1433 | TCP | SQL connection |
| Verba Recording Server | Recording Server | Verba Microsoft Teams Bot Service | Any (see note 1) | 8445 | TCP | Media control port for Teams |
| Verba Recording Server | Recording Server | Verba Microsoft Teams Bot Service | Any (see note 1) | 9440 | TCP | Call invite from Teams; HTTPS health probe for Azure Traffic Manager and Application Gateway |
| Verba Recording Server | Recording Server | Verba Microsoft Teams Bot Service | Any (see note 1) | 10100 | TCP | Call control port for Teams |
| Verba Recording Server | Recording Server | Verba Microsoft Teams Bot Service | Verba Recording Server / Verba Unified Call Recorder Service | 10501 | TCP | Recording Director connection (it is recommended to deploy the bot and the recording service on the same VM) |
| Verba Recording Server | Recording Server | Verba Microsoft Teams Bot Service | Verba Recording Server / Verba Unified Call Recorder Service | 10502 | TCP | Media Recorder connection (it is recommended to deploy the bot and the recording service on the same VM) |
| Verba Recording Server | Recording Server | Verba Microsoft Teams Bot Service | 13.107.64.0/18, 52.112.0.0/14, 52.122.0.0/15, 2603:1063::/39 (see note 2) | 16384 - 65535 | UDP | Media port range |
| Verba Recording Server | Recording Server | Verba Microsoft Teams Bot Service | Any | 10038 | TCP | Bot service API port |
| Verba Recording Server | Recording Server | Verba Unified Call Recorder Service | All Verba Servers; all Verba Desktop Agents (if used); plus all playback stations if silent monitoring is used | 10031 | TCP | Service API port |

Note 1 (source "Any" for ports 8445, 9440 and 10100): The source can only be restricted to Azure networks; Microsoft cannot restrict the Teams side to specific IP ranges at the moment. To download Azure IP ranges, see https://www.microsoft.com/en-us/download/details.aspx?id=56519

Make sure that the IP addresses of the VMs running the bot service are allowed.

Note 2 (source ranges for the media port range): These IP ranges can be changed by Microsoft, and it is possible that this Knowledge Base is not in sync with Microsoft's documentation. Please double-check the currently needed IP ranges in the Microsoft documentation:

https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges#skype-for-business-online-and-microsoft-teams
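
The source restrictions on the Teams-facing ports (8445, 9440 and 10100 limited to Azure networks, the UDP media range limited to the Microsoft ranges listed) can be checked against observed inbound flows. The Python code below is an added example, not part of the Verba product or this Knowledge Base; it assumes the Azure download uses the Service Tags JSON layout and that the `AzureCloud` tag is the one chosen, and `SAMPLE_SERVICE_TAGS` with its prefixes is constructed.

```python
import ipaddress
import json

# Source ranges for the UDP media port range, exactly as listed on this page.
TEAMS_MEDIA_RANGES = ["13.107.64.0/18", "52.112.0.0/14", "52.122.0.0/15", "2603:1063::/39"]

# Constructed excerpt in the layout of the Azure Service Tags JSON download.
# The prefixes are documentation ranges, NOT real Azure ranges.
SAMPLE_SERVICE_TAGS = json.loads("""
{"values": [
  {"name": "AzureCloud",
   "properties": {"addressPrefixes": ["203.0.113.0/24", "2001:db8::/32"]}},
  {"name": "Storage",
   "properties": {"addressPrefixes": ["198.51.100.0/25"]}}
]}
""")


def azure_prefixes(doc, tag="AzureCloud"):
    """Return the networks of one service tag (tag choice is an assumption)."""
    for entry in doc["values"]:
        if entry["name"] == tag:
            return [ipaddress.ip_network(p) for p in entry["properties"]["addressPrefixes"]]
    raise KeyError(f"service tag {tag!r} not found")


def build_policy(azure_nets):
    """Map (protocol, first port, last port) to the allowed source networks."""
    media = [ipaddress.ip_network(r) for r in TEAMS_MEDIA_RANGES]
    return {
        ("TCP", 8445, 8445): azure_nets,    # media control port for Teams
        ("TCP", 9440, 9440): azure_nets,    # call invite, HTTPS health probe
        ("TCP", 10100, 10100): azure_nets,  # call control port for Teams
        ("UDP", 16384, 65535): media,       # media port range
    }


def check_flow(policy, proto, port, src):
    """Classify one inbound flow as allow, deny-source or deny-port."""
    ip = ipaddress.ip_address(src)
    for (p, lo, hi), nets in policy.items():
        if p == proto.upper() and lo <= port <= hi:
            # Membership is False when address and network IP versions differ.
            return "allow" if any(ip in n for n in nets) else "deny-source"
    return "deny-port"


def audit(policy, flows):
    """Return the flows a firewall following the table should have dropped."""
    return [f for f in flows if check_flow(policy, *f) != "allow"]
```

Feed `audit` with (protocol, port, source IP) tuples taken from firewall or flow logs on the Recording Server; any entry it returns reached a Teams-facing port from outside the permitted ranges.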

Outbound rules

The Microsoft Teams Bot Service is considered a standard Microsoft Teams endpoint, and the standard firewall rules can be applied.

The following Microsoft documentation lists all the endpoints and ports that must be accessible for a Teams endpoint: Office 365 URLs and IP address ranges (section Skype for Business Online and Microsoft Teams)

In addition, the Microsoft Teams Bot Service uses the Microsoft Graph API via the https://graph.microsoft.com/v1.0 endpoint for sending requests to Microsoft Teams (e.g. call answer, Microsoft Entra (formerly Azure AD) queries).

Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP)

Make sure that the Microsoft Teams Bot Service can reach the Certificate Revocation Lists (CRL) and use the Online Certificate Status Protocol (OCSP) to validate the certificates issued by a public CA. The SDKs in use check certificate validity from time to time, so the bot must be allowed to connect to the public certificate services over OCSP.

For a complete list of CRL and OCSP URLs used in Azure, see the Azure Certificate Authority details. The list of CRL and OCSP endpoints can change in the future; please make sure that the firewall configuration is in sync with the Microsoft documentation.