Firewall configuration for Microsoft Teams recording deployments
This chapter summarizes the required firewall configuration for Microsoft Teams recording deployments.
Inbound rules
Server | Server Role | Service name | Source | Port | Protocol | Notes |
---|---|---|---|---|---|---|
SQL Server | - | - | All Verba Servers | 1433 | TCP | SQL connection |
All Verba Servers | - | Verba Node Manager Agent | Verba Media Repository | 4433 | TCP | Central configuration from Verba Web Application |
Verba Media Repository Server | Media Repository | Verba Web Application | Any | 80 | TCP | Used for HTTP-based web access |
Verba Media Repository Server | Media Repository | Verba Web Application | Any | 443 | TCP | Used for HTTPS-based web access |
Verba Media Repository Server | Media Repository | Verba Media Streamer and Content Server Service | Any | 10105 | TCP | Media port for playback via HTTP |
Verba Media Repository Server | Media Repository | Verba Media Streamer and Content Server Service | Any | 10106 | TCP | Media port for playback via HTTPS |
Verba Media Repository Server | Media Repository | Verba Storage Management Service | Verba Recording Server | 20111 | TCP | Communication with Verba Storage Management services, used for secure file upload |
Verba Media Repository Server | Media Repository | SQL Server (if co-located on Verba Media Repository) | All Verba Servers | 1433 | TCP | SQL connection |
Verba Recording Server | Recording Server | Verba Microsoft Teams Bot Service | Any (see note 1) | 8445 | TCP | Media control port for Teams |
Verba Recording Server | Recording Server | Verba Microsoft Teams Bot Service | Any (see note 1) | 9440 | TCP | |
Verba Recording Server | Recording Server | Verba Microsoft Teams Bot Service | Any (see note 1) | 10100 | TCP | Call control port for Teams |
Verba Recording Server | Recording Server | Verba Microsoft Teams Bot Service | Verba Recording Server / Verba Unified Call Recorder Service | 10501 | TCP | Recording Director connection (it is recommended to deploy the bot and the recording service on the same VM) |
Verba Recording Server | Recording Server | Verba Microsoft Teams Bot Service | Verba Recording Server / Verba Unified Call Recorder Service | 10502 | TCP | Media Recorder connection (it is recommended to deploy the bot and the recording service on the same VM) |
Verba Recording Server | Recording Server | Verba Microsoft Teams Bot Service | 13.107.64.0/18, 52.112.0.0/14, 52.122.0.0/15, 2603:1063::/39 (see note 2) | 16384 - 65535 | UDP | Media port range |
Verba Recording Server | Recording Server | Verba Microsoft Teams Bot Service | Any | 10038 | TCP | Bot service API port |
Verba Recording Server | Recording Server | Verba Unified Call Recorder Service | All Verba Servers, all Verba Desktop Agents (if used), plus all playback stations if silent monitoring is used | 10031 | TCP | Service API port |

Note 1: The source can only be restricted to Azure networks; Microsoft cannot restrict the Teams side to specific IP ranges at the moment. To download Azure IP ranges, see https://www.microsoft.com/en-us/download/details.aspx?id=56519. Make sure that the IP addresses of the VMs running the bot service are allowed.

Note 2: The above IP ranges can be changed by Microsoft, and it is possible that this Knowledge Base is not in sync with Microsoft's documentation. Please double-check the currently needed IP ranges in the Microsoft documentation.
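
An added example, not part of the vendor documentation: a Python model of the Teams-facing Recording Server rows in the table above, used to check whether a given inbound connection would be admitted. The `AzureCloud` tag choice, the `bot_vm_ips` parameter and the sample Service Tags data (documentation-only prefixes) are assumptions made for illustration.

```python
import ipaddress

# Inbound rules for the Recording Server, transcribed from the table above:
# (protocol, first port, last port, source policy)
RULES = [
    ("tcp", 8445, 8445, "azure"),    # media control port for Teams
    ("tcp", 9440, 9440, "azure"),
    ("tcp", 10100, 10100, "azure"),  # call control port for Teams
    ("udp", 16384, 65535, "media"),  # media port range
    ("tcp", 10038, 10038, "any"),    # bot service API port
]
# Media source ranges as listed on this page; re-check them against Microsoft's documentation.
MEDIA = ["13.107.64.0/18", "52.112.0.0/14", "52.122.0.0/15", "2603:1063::/39"]

# Constructed sample in the layout of the Azure Service Tags JSON download
# (documentation-only prefixes, not real Azure ranges).
SERVICE_TAGS = {"values": [
    {"name": "AzureCloud", "properties": {"addressPrefixes": ["203.0.113.0/24", "2001:db8:a::/48"]}},
    {"name": "Storage", "properties": {"addressPrefixes": ["198.51.100.0/24"]}},
]}

def tag_prefixes(doc, tag="AzureCloud"):
    """Return the address prefixes of one service tag as network objects."""
    for entry in doc["values"]:
        if entry["name"] == tag:
            return [ipaddress.ip_network(p) for p in entry["properties"]["addressPrefixes"]]
    raise KeyError(f"service tag {tag!r} not found")

def build_sources(doc, bot_vm_ips=()):
    """Map each source policy to its networks; None means any source."""
    # bot_vm_ips (assumed parameter): addresses of the VMs running the bot service.
    azure = tag_prefixes(doc) + [ipaddress.ip_network(ip) for ip in bot_vm_ips]
    return {"azure": azure, "media": [ipaddress.ip_network(n) for n in MEDIA], "any": None}

def is_allowed(sources, proto, port, src):
    """True if an inbound connection matches one of RULES."""
    addr = ipaddress.ip_address(src)
    for r_proto, lo, hi, policy in RULES:
        if proto.lower() != r_proto or not lo <= port <= hi:
            continue
        nets = sources[policy]
        # An IPv4 address is never "in" an IPv6 network (and vice versa), so mixed lists are safe.
        if nets is None or any(addr in n for n in nets):
            return True
    return False
```

Loading the real Service Tags file with `json.load` in place of `SERVICE_TAGS` gives the same structure; ports not listed in `RULES` (for example 10501 and 10502, which are server-to-server) are treated as denied here.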
Outbound rules
The Microsoft Teams Bot Service is treated as a standard Microsoft Teams endpoint, so the standard firewall rules can be applied.
The following Microsoft documentation contains all the required endpoints and ports that have to be accessible for a Teams endpoint: Office 365 URLs and IP address ranges (section Skype for Business Online and Microsoft Teams)
The Microsoft Teams Bot Service has to acquire a token from Microsoft Entra to authenticate the outbound requests to the Microsoft Graph API. The following Microsoft documentation contains the Microsoft Entra authentication endpoints: Microsoft Entra authentication endpoints
In addition, the Microsoft Teams Bot Service uses the Microsoft Graph API via the https://graph.microsoft.com/v1.0 endpoint for sending requests to Microsoft Teams (e.g. call answer, Microsoft Entra (formerly Azure AD) queries).
Considerations for Microsoft Teams Bot service version 9.9.10 or newer
The general recommendation from Microsoft is that servers running the Microsoft Teams Bot service should allow outbound TCP connectivity to all ports within the IP ranges 52.112.0.0/14 and 52.112.0.0/15.
Allowing port 10701 is currently sufficient, but the port number or the recommendations of Microsoft can change in the future.
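
Because the ranges can change, a consistency check between range lists helps when syncing firewall configuration. The following added example (not from the vendor documentation) reports required ranges that a configured list leaves uncovered, and configured entries that are redundant. It is run on the outbound ranges exactly as printed in this section and on the media ranges from the inbound table; the function names are illustrative.

```python
import ipaddress

# Ranges copied from this page: the inbound media source ranges (table) and
# the outbound ranges printed in this section.
MEDIA = ["13.107.64.0/18", "52.112.0.0/14", "52.122.0.0/15", "2603:1063::/39"]
OUTBOUND = ["52.112.0.0/14", "52.112.0.0/15"]

def uncovered(required, configured):
    """Return the parts of `required` that no `configured` range covers."""
    conf = [ipaddress.ip_network(c) for c in configured]
    gaps = []
    for req in map(ipaddress.ip_network, required):
        remaining = [req]
        for c in conf:
            if c.version != req.version:
                continue  # subnet_of() raises TypeError across IP versions
            nxt = []
            for piece in remaining:
                if piece.subnet_of(c):
                    continue                              # fully covered
                if c.subnet_of(piece):
                    nxt.extend(piece.address_exclude(c))  # partly covered
                else:
                    nxt.append(piece)                     # disjoint
            remaining = nxt
        gaps.extend(remaining)
    return sorted(gaps, key=lambda n: (n.version, n))

def redundant(configured):
    """Return configured ranges that lie inside another configured range."""
    nets = [ipaddress.ip_network(c) for c in configured]
    return [n for n in nets
            if any(n != o and n.version == o.version and n.subnet_of(o) for o in nets)]
```

On the lists above, `redundant(OUTBOUND)` returns 52.112.0.0/15 and `uncovered(MEDIA, OUTBOUND)` includes 52.122.0.0/15, so the printed outbound ranges are worth comparing with Microsoft's current documentation.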
Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP)
Make sure that the Microsoft Teams Bot Service can reach the Certificate Revocation Lists (CRL) and use the Online Certificate Status Protocol (OCSP) to validate the certificates issued by a public CA. The SDKs in use check the certificate validity from time to time. It is necessary to allow the bot to connect to the public certificate services over OCSP.
For a complete list of CRL and OCSP URLs used in Azure, see the Azure Certificate Authority details. The list of CRLs and OCSP endpoints can change in the future, so please make sure that the firewall configuration is in sync with the Microsoft documentation.