It is common to encounter a requirement to allow access to mailboxes on Exchange servers through a firewall, perhaps to accommodate the needs of traveling users who wish to connect across the public Internet without a VPN. In this scenario, you have a front-end server placed in the DMZ to accept incoming requests from clients and relay them onward to the mailbox server. Firewalls are in place to control external traffic into the DMZ and from the DMZ to the internal network. To make this all work, you need to understand the ports used by Exchange and other associated components in order to define what ports to open on each firewall. In most cases, you use Outlook Web Access as the client, although you can take the same approach with Outlook 2003 when it connects to Exchange over HTTP.
The situation is simple enough on the external-facing firewall, since all you have to open are ports 80 and 443 to allow HTTP and HTTP over SSL (HTTPS) traffic.
Many more ports are involved when communicating from the Exchange front-end server to the mailbox server through the firewall from the DMZ to the internal network, as shown in the following chart.
Source | Destination | Port/Protocol | Description |
---|---|---|---|
Exchange Front-End Server | Exchange Mailbox Server | 80/TCP (HTTP-basic) | Relayed HTTP traffic. Note that even if the client connection is secured by means of SSL, the front-end server communicates with the back-end server in the clear (no use of SSL). |
Exchange Front-End Server | Active Directory Domain Controller | 389/TCP (LDAP) | Access required for the front-end server to reach the DC (required to run queries that retrieve Exchange configuration information). |
Exchange Front-End Server | Global Catalog | 3268/TCP (LDAP) | Access required for the front-end server to access the GC (required to determine on which back-end server a user's mailbox is located). |
Exchange Front-End Server | Global Catalog | 88/TCP (Kerberos) | Access required for the front-end server for mailbox access authentication. |
Exchange 2000 Front-End Server | Global Catalog | 88/UDP (Kerberos) | Access required for the front-end server for mailbox access authentication. |
Exchange Front-End Server | DNS Server | 53/TCP (DNS Lookup) | Access required for the front-end server to resolve names for back-end server, DCs, GCs, etc. |
Exchange Front-End Server | DNS Server | 53/UDP (DNS Lookup) | Access required for the front-end server to resolve names for back-end server, DCs, GCs, etc. |
Exchange Front-End Server | Global Catalog | 135/TCP (RPC Port Mapper) | RPC endpoint mapper for the front-end server to query the AD services. This connection returns the RPC service port that the AD service selected when the DC or GC started up. |
Exchange Front-End Server | Global Catalog | 1127/TCP (Active Directory service) | This is a fixed IP port, which the AD uses to advertise its service for replication and logon. Windows normally assigns the port dynamically in the upper 1,024–65,365 range. In a DMZ environment, you can hardcode the port to force Windows to always use a fixed port. |
Exchange Front-End Server | Global Catalog | 445/TCP (SMB for NetLogon) | SMB traffic for the NetLogon service, required for communication and authentication of the services. |
Exchange Front-End Server | Global Catalog | 123/TCP (NTP) | Network Time Protocol required for synchronizing the time between the various machines. You can use the GC as the time source to synchronize all the servers. |
To define a specific port for the AD to use for the logon service on DCs and GCs, set the following key in the registry on the DCs and GCs that serve the mailbox servers:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters
Value name: TCP/IP Port
Value type: REG_DWORD
Value data: 1127 (or whatever port you elect to use)
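As an added example (not code from the book), the chart above can be turned into an audit of the DMZ-to-internal firewall rule set: it reports required flows that no rule covers and flags any rule that opens a range instead of a single port, which is exactly the mistake the fixed NTDS port is meant to avoid. The rule-set format, the role names and the sample rules are assumptions for this example.

```python
"""Audit a DMZ->internal firewall rule set against the Exchange front-end
port requirements in the chart. Example code added to this section; the
REQUIRED_FLOWS values are taken from the chart, the rule format is assumed."""
from dataclasses import dataclass
import socket

# Required front-end -> internal flows from the chart: (destination role, port, protocol).
REQUIRED_FLOWS = [
    ("mailbox", 80, "tcp"), ("dc", 389, "tcp"), ("gc", 3268, "tcp"),
    ("gc", 88, "tcp"), ("gc", 88, "udp"), ("dns", 53, "tcp"), ("dns", 53, "udp"),
    ("gc", 135, "tcp"), ("gc", 1127, "tcp"), ("gc", 445, "tcp"), ("gc", 123, "tcp"),
]

@dataclass(frozen=True)
class Rule:
    """One allow rule from the front-end server to an internal destination role."""
    dest: str     # destination role: "mailbox", "dc", "gc" or "dns"
    first: int    # low end of the allowed destination port range
    last: int     # high end of the allowed destination port range
    proto: str    # "tcp" or "udp"

def audit(rules, required=REQUIRED_FLOWS):
    """Return (missing_flows, broad_rules).

    missing_flows: required flows that no rule permits.
    broad_rules:   rules opening more than one port, e.g. the whole dynamic
                   RPC range instead of the single pinned NTDS port."""
    missing = [
        (dest, port, proto) for dest, port, proto in required
        if not any(r.dest == dest and r.proto == proto and r.first <= port <= r.last
                   for r in rules)
    ]
    broad = [r for r in rules if r.last > r.first]
    return missing, broad

def tcp_reachable(host, port, timeout=2.0):
    """Run from the front-end server to confirm a TCP flow actually passes the firewall."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

# Constructed sample rule set: 88/UDP and 123/TCP were forgotten, and the
# dynamic RPC range was opened wholesale instead of the pinned port 1127.
SAMPLE_RULES = [
    Rule("mailbox", 80, 80, "tcp"), Rule("dc", 389, 389, "tcp"),
    Rule("gc", 3268, 3268, "tcp"), Rule("gc", 88, 88, "tcp"),
    Rule("dns", 53, 53, "tcp"), Rule("dns", 53, 53, "udp"),
    Rule("gc", 135, 135, "tcp"), Rule("gc", 1024, 65535, "tcp"),
    Rule("gc", 445, 445, "tcp"),
]
```

Running `audit(SAMPLE_RULES)` lists the two forgotten flows and the over-broad RPC rule; `tcp_reachable` needs network access and is meant to be run on the front-end server itself.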