Can you clarify exactly which inbound ports need to be open for Delivery Optimization to work? Is the following correct?
Inbound TCP 7680
Is that it, or do more inbound ports need to be open?
We allow all outbound traffic, so I'm not as concerned about that, but I need specifics on unsolicited inbound traffic so that we can open the least amount of inbound ports to make the service work.
From reading the document page and searching for "port" or "ports", it looks to me as if it is pretty well described in the FAQ section:
https://docs.microsoft.com/en-us/windows/deployment/update/waas-delivery-optimization#frequently-asked-questions
Which ports does Delivery Optimization use?:
For peer-to-peer traffic, it uses 7680 for TCP/IP or 3544 for NAT traversal (optionally Teredo). For client-service communication, it uses HTTP or HTTPS over port 80/443.
This tells me that only HTTP or HTTPS over port 80/443 is required for client-service communication.
Port 7680 for TCP/IP (or 3544 for NAT traversal) can be used for P2P traffic (faster download via sharing).
That's very much not clear to me.
First, is 7680 inbound? Outbound? I guess by "TCP/IP," you mean it's a TCP port? These are all things I need to know when making a firewall rule. I do not want to open more than I need, but I want to open enough.
For 3544: again, inbound or outbound? TCP or UDP? If I don't have NAT traversal, does that mean that Delivery Optimization simply won't cross subnets? Or does it mean something else?
What happens if I open 7680 and not 3544? What's the disadvantage in regards to Delivery Optimization? Will it work with 3544 but not 7680?
What is client-service communication? Does that mean intra-device communication? Or does that mean communication from the client to the cloud service? And it uses 80/443? Okay, inbound or outbound? And I assume TCP?
@officedocsbot assign @mypil
Fair enough. I agree that it should be clearer regarding inbound vs. outbound traffic, although I presume that it would have to be inbound, because (like you wrote) "We allow all outbound traffic" which is pretty much what is used by most companies / enterprises. Also, regarding ports, the document should be more specific and point out that the ports are TCP as opposed to UDP (TCP/IP is pretty much the main amount of regular traffic and not port specific).
I can also see that the document does not say anything about whether opening the inbound port should target only the local Delivery Optimization service server or if it should use a scope large enough for all client computers as well, although I guess it would make sense to target the subnet for inbound peer-to-peer traffic on port 7680 to increase the data delivery from outside. In my mind, 3544 for NAT traversal can be ignored when you are not using NAT or Teredo, but I agree that the document should describe this topic well enough to resolve any questions regarding the use of these settings.
The main things I need to know:
- Where the port needs to be opened (client vs firewall)
- Inbound or outbound
- TCP or UDP
- What are the repercussions from not opening the port
Example: what does NAT traversal mean in this context? Almost every organization uses NAT. So does this mean the port has to be open for the Delivery Optimization service to find Microsoft's servers (since they're on the other side of NAT)? Or does it mean that the service can't find peers that are on the other side of NAT (but still able to find peers in the local subnet)? Or does it mean something completely different?
I can only make educated guesses based on using personal firewall software in routers. To get straight answers, we need to wait for follow-up from the author, owner or manager of the document page(s) in question.
I presume this is mainly about the outer firewall between internet and your organization's intranet. I also presume it will be only about inbound traffic. The only part I am uncertain about, is if port forwarding enters into this at all -- if it is required, recommended or discouraged by the authors.
@greg-lindsay - Can you please share your insights on this issue?
Thank you.
Let me double-check with the PM on this.
Thanks for this great feedback, we will update the docs accordingly to clarify this further.
Let me try to answer your questions here first:
Delivery Optimization (DO) uses port 7680 to listen for incoming requests from other peers. These requests will be using TCP for the peer-to-peer communication between devices.
On the device DO registers and opens the port on its own, so you need to open the port on your Firewall for inbound traffic only.
DO's peer-to-peer can be configured to create peer groups from devices across NATs. For this to work, NAT traversal is used. DO leverages Teredo for this functionality (Teredo needs inbound TCP traffic to be allowed via port 3544).
If you don't want peer-to-peer to occur across NATs, then you don't need to allow the Teredo port.
If you don't allow the inbound traffic using port 7680, then DO's peer-to-peer won't work. You would still be able to download successfully from HTTP sources (DO would fall back to a simple download from HTTP).
I'll crank out an update to this topic reflecting these added details.
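To turn the answer above into something an endpoint administrator can apply and check, here is an added PowerShell example (my own, not code from the thread or from the Microsoft docs). It creates the least-privilege inbound rule the thread describes (TCP 7680, scoped to the local subnet and to the Delivery Optimization service only), then verifies that DO is actually listening on that port and reports how much of recent downloads came from peers versus HTTP. Assumptions not stated on the page: the DO Windows service is named `DoSvc`, peers live on the same subnet (tighten `$peerScope` otherwise), the `NetSecurity` and `DeliveryOptimization` modules are present (Windows 10), and `PEER-HOSTNAME` is a placeholder. The 3544 Teredo rule is deliberately left out, matching the advice that it is only needed for peering across NATs.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread or the docs. Opens inbound TCP 7680 for
# Delivery Optimization peer-to-peer with the narrowest practical scope, then
# verifies the service is listening behind the rule.

$ruleName  = 'Delivery Optimization P2P (TCP 7680 inbound)'
$peerScope = 'LocalSubnet'   # assumption: peers are on the local subnet; use explicit ranges otherwise
$doService = 'DoSvc'         # assumption: service name of Delivery Optimization

# 1. Create the inbound allow rule only if it does not already exist.
#    Scoping to -Service means only DoSvc can receive on 7680, not any process.
$existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 7680 `
        -RemoteAddress $peerScope `
        -Profile Domain, Private `
        -Service $doService -Enabled True | Out-Null
    Write-Host "Created rule '$ruleName'"
} else {
    Write-Host "Rule '$ruleName' already exists"
}

# 2. Show the effective port and address filters so the scope can be audited.
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# 3. Confirm DO opened the port itself (the firewall rule only admits traffic;
#    if nothing listens, peering still cannot happen).
$listener = Get-NetTCPConnection -LocalPort 7680 -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    $pid  = $listener[0].OwningProcess
    $proc = Get-Process -Id $pid
    Write-Host "TCP 7680 is listening (PID $pid, $($proc.ProcessName))"
} else {
    Write-Warning "Nothing is listening on TCP 7680; check that $doService is running and the DO download mode allows peering"
}

# 4. Report peer vs. HTTP byte counts for recent DO jobs, which shows whether
#    peering is actually being used or DO fell back to plain HTTP.
if (Get-Command Get-DeliveryOptimizationStatus -ErrorAction SilentlyContinue) {
    Get-DeliveryOptimizationStatus |
        Select-Object FileId, DownloadMode, BytesFromPeers, BytesFromHttp |
        Format-Table -AutoSize
}

# 5. From a second machine on the same subnet, check that the rule admits a
#    connection. PEER-HOSTNAME is a placeholder for a real peer.
# Test-NetConnection -ComputerName PEER-HOSTNAME -Port 7680
```

If the endpoint baseline closes all inbound ports (as the questioner's does), step 3 is the useful check: a rule with nothing behind it is harmless, and a listener with no rule simply means DO quietly falls back to HTTP, which the byte counts in step 4 will make visible.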
Thanks for the clarification.
"On the device DO registers and opens the port on its own, so you need to open the port on your Firewall for inbound traffic only."
On end-point devices, we close all inbound ports and then reopen them as needed. So, it sounds like our endpoints will need TCP 7680 inbound explicitly opened.
"DO's peer-to-peer can be configured to create peer groups from devices across NATs. For this to work, NAT traversal is used. DO leverages Teredo for this functionality (Teredo needs inbound TCP traffic to be allowed via port 3544)."
When you say "across NATs," do you mean across internal subnets, or do you mean crossing from private, internal traffic to public traffic (i.e., actual NAT translation)? If it's the latter, is this where the option for "PCs on my local network, and PCs on the Internet" is coming in?
"If you don't allow the inbound traffic using port 7680, then DO's peer-to-peer won't work. You would still be able to download successfully from HTTP sources (DO would fall back to a simple download from HTTP)."
What do you mean by "download from HTTP?" Do you mean that DO still does peer-to-peer sharing but uses the HTTP protocol rather than its normal protocol? Or, by "download from HTTP," are you saying that peer-to-peer doesn't work at all but that regular, non-peer updating (from Microsoft, WSUS, etc.) continues working (which happens to use HTTP)?
"On the device DO registers and opens the port on its own, so you need to open the port on your Firewall for inbound traffic only."
On end-point devices, we close all inbound ports and then reopen them as needed. So, it sounds like our endpoints will need TCP 7680 inbound explicitly opened.
That is correct, as long as you want to allow Delivery Optimization to increase data throughput for direct download from the internet (in addition to the default HTTP download).
"DO's peer-to-peer can be configured to create peer groups from devices across NATs. For this to work, NAT traversal is used. DO leverages Teredo for this functionality (Teredo needs inbound TCP traffic to be allowed via port 3544)."
When you say "across NATs," do you mean across internal subnets, or do you mean crossing from private, internal traffic to public traffic (i.e., actual NAT translation)? If it's the latter, is this where the option for "PCs on my local network, and PCs on the Internet" is coming in?
Across NAT is to allow inbound traffic from the internet to private (LAN) IP addresses, regardless of local range (full NAT private network range). Most Firewall configurations contain a rule setting named "NAT traversal" (or similar) as target for a rule to allow inbound packets. We assume that your local network does not block any TCP or UDP traffic between LAN clients. If you use any form of internal subnetting with gateways or firewalls between subnets, those may count as NAT traversal points too, depending on your network configuration.
"If you don't allow the inbound traffic using port 7680, then DO's peer-to-peer won't work. You would still be able to download successfully from HTTP sources (DO would fall back to a simple download from HTTP)."
What do you mean by "download from HTTP?" Do you mean that DO still does peer-to-peer sharing but uses the HTTP protocol rather than its normal protocol? Or, by "download from HTTP," are you saying that peer-to-peer doesn't work at all but that regular, non-peer updating (from Microsoft, WSUS, etc.) continues working (which happens to use HTTP)?
HTTP (TCP port 80) is used for default Windows Update packet data, since many private networks only allow inbound HTTP and HTTPS traffic for web browsing. Peer-to-peer functionality should be fully functional between computers on your local network, given that you don't block Teredo port 3544 between LAN computers. If you want to allow for peer-to-peer between your LAN and the internet, to include other computers as source for faster data sharing and transfer of Windows 10 Updates, you need to open TCP port 3544 in your Firewall for inbound traffic.
@loosus456 - From our understanding, the issue you raised has been answered by the doc owner @jaimeo where he mentioned that he will be updating the topic. If you feel it hasn't been answered, please re-open this issue.
Thank you for your contribution to make the docs better! Much appreciated!
Rewrote to try to clarify the port situation in PR #1118, which is merged.