This is a brief list of the Xbox´s port usage:
| Xbox Live ports | |||||
| Protocol | Soure addreess | Source port | Destination address | Destination Port | Service |
| UDP | Internet/any IP | * | Xbox IP | 88 | Xbox Live |
| UDP | Internet/any IP | * | Xbox IP | 3074 | Xbox Live |
| TCP | Internet/any IP | * | Xbox IP | 3074 | Xbox Live |
| UDP | Xbox IP | * | Internet/any IP | 88 | Xbox Live |
| UDP | Xbox IP | * | Internet/any IP | 3074 | Xbox Live |
| TCP | Xbox IP | * | Internet/any IP | 3074 | Xbox Live |
| UDP | Xbox IP | * | Internet/any IP | 3544 | Xbox Live |
| TCP | Xbox IP | * | Internet/any IP | 80 | Xbox Live / HTTP |
| TCP | Xbox IP | * | Internet/any IP | 443 | Xbox Live / HTTPS |
| UDP | Internet/any IP | * | Xbox | 500 | ISAKMP (VPN related) |
| UDP | Internet/any IP | * | Xbox | 3544 | Teredo Tunneling (IPv6 related) |
| UDP | Internet/any IP | * | Xbox | 4500 | IPsec NAT traversal (VPN related) |
| UDP | Xbox IP | * | Internet/any IP | 53 | DNS |
| UDP | Xbox IP | * | Internet/any IP | 500 | ISAKMP (VPN related) |
| UDP | Xbox IP | * | Internet/any IP | 4500 | IPsec NAT traversal (VPN related) |
I getting status OPEN NAT adding only the first nine lines to the ruleset and adding NAT for the inbound traffic. This should be sufficient. Outbound http and https traffic is usually allready allowed and not nessesary to add to the ruleset.
| Destiny additions | |||||
| Protocol | Soure | Destination | Port | Service | |
| UDP | Internet/any IP | * | Xbox IP | 1200 | Destiny |
| UDP | Internet/any IP | * | Xbox IP | 1001 | Destiny |
| UDP | Xbox IP | * | Internet/any IP | 1200 | Destiny |
| UDP | Xbox IP | * | Internet/any IP | 1001 | Destiny |
| TCP | Xbox IP | * | Internet/any IP | 7500-17899 | Destiny |
| TCP | Xbox IP | * | Internet/any IP | 30000-40399 | Destiny |
| UDP | Xbox IP | 1200 | Internet/any IP | * | Destiny* |
*) UDP is a connectionless protocol. I most situations the firewall “remembers” for some time the IP adress and port pairing between source and destination. If the firewall allows outbound traffic from 10.10.10.10 on any port to 20.20.20.20 on port 1200, it should allow traffic back from 20.20.20.20 port 1200 to 10.10.10.10 on the dynamic port. But in this instance, I had to specify a outbound UDP rule with source port 1200 and any destination port. Destiny is very messy portwise.
You can find a more in depth article about the Xbox Live service here: https://www.schie.com/xbox-one-firewall-ports-and-nat-english/
– Pål Schie
