After seeing several posts regarding additional port requirements, I decided to investigate further. There are TWO port requirements for this functionality. (There is not a "Consolidated Edge Port Summary" for S4B Server yet, but here is the Lync 2013 article.)
- TCP/4443 from the FE pools to the Edges. This should already be open in your environment for the failback A/V path and replication of CMS.
- TCP/443 from the Access Edge service to the Internet. Now, in most environments, TCP/443 outbound for HTTPS is not blocked for things like Windows Updates and Web browsing, but if you did have an environment that was extremely locked down, this would be a new port requirement.
This shows the only additional port requirements externally are TCP/443 from the Access Edge. On the internal side, the TCP/4443 from FE to Edge is represented, but was already there in Lync 2013.
Now, looking at an actual S4B Edge server and running a netstat -ano, I can see that it is indeed listening on both the internal and external NICs on TCP/4443. A telnet test and Test-NetConnection confirm that there is indeed a listener on both inside and outside interfaces.
So there is a slight discrepancy here that the port is listening, but is not documented as needed in S4B Server. I also checked against a recently patched Lync 2013 Edge server - and the same configuration of listening on TCP/4443 is in place there as well.
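
The manual netstat comparison above can be repeated as a script. This is an added example, not from the original post or from Microsoft: it lists every IPv4 TCP listener per NIC and flags the ones missing from a documented port list. The NIC aliases `Internal` and `External` and the contents of `$Documented` are assumptions to replace with your own values.

```powershell
# Added example: audit Edge server listeners against the documented port list.
# Assumption: NIC aliases 'Internal' and 'External' and the port lists below
# are placeholders; substitute the aliases and ports for your deployment.
$Documented = @{
    'Internal' = @(4443)   # from this post: FE pools -> Edge
    'External' = @()       # fill in from the port summary for your deployment
}

function Get-ListenerAudit {
    param([hashtable]$DocumentedPorts)

    # Map each local IPv4 address to the alias of the NIC that owns it.
    $nicByAddress = @{}
    Get-NetIPAddress -AddressFamily IPv4 | ForEach-Object {
        $nicByAddress[$_.IPAddress] = $_.InterfaceAlias
    }

    # IPv4 only: listeners bound to IPv6 addresses are skipped by the checks below.
    foreach ($l in Get-NetTCPConnection -State Listen) {
        # A wildcard bind (0.0.0.0) is reachable on every NIC being audited.
        if ($l.LocalAddress -eq '0.0.0.0') { $nics = @($DocumentedPorts.Keys) }
        elseif ($nicByAddress.ContainsKey($l.LocalAddress)) { $nics = @($nicByAddress[$l.LocalAddress]) }
        else { continue }

        foreach ($nic in $nics) {
            # Ignore NICs that are not in the audit list (loopback, for example).
            if (-not $DocumentedPorts.ContainsKey($nic)) { continue }
            $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Interface    = $nic
                LocalAddress = $l.LocalAddress
                Port         = $l.LocalPort
                Process      = $proc.ProcessName
                Documented   = $DocumentedPorts[$nic] -contains $l.LocalPort
            }
        }
    }
}

# Show only the listeners that the documented list does not account for.
Get-ListenerAudit -DocumentedPorts $Documented |
    Where-Object { -not $_.Documented } |
    Sort-Object Interface, Port |
    Format-Table -AutoSize
```

With the placeholder lists as written, a TCP/4443 listener on the external NIC is reported as undocumented, which is the discrepancy described above.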