

DMZ Exchange client needs to log onto Exchange sitting on inside LAN

Posted on 2003-11-11
Medium Priority
Last Modified: 2010-04-09
I have a PIX 520 configured with three interfaces, inside, DMZ1 and outside.

The inside interface naturally routes off to my internal LAN where I've an Exchange 5.5 server handling Exchange client requests. I've recently also purchased a new SMTP relay server (ServerX) that I'm testing at the moment on the LAN and have now got it configured to restrict spam messages, as well as providing pass-through NTLM authentication for my users to relay should they want to use it whilst on the road etc. with the Windows 2000 servers.

At the moment, I've got an old anti-spam server (ServerM) sitting on the DMZ, that's the MX record for the company, and (at the moment) that passes mail to ServerX which checks for spam, and then it, in turn, passes the mail to my Exchange server.

I'm going to be moving ServerX from the LAN to the DMZ and probably replacing ServerM with it, so my final set up will be ServerX (MX record) on DMZ checks for spam and relaying, if ok, passes mail to Exchange server on inside LAN.  In order to test this all out beforehand though, I have a dummy machine on the DMZ configured with the IP address that the relocated ServerX will be working on.

What I'm having major difficulties with is getting this dummy machine on the DMZ to authenticate with the LAN servers, and therefore with the Exchange service. I need both.

At this point in time I'm not sure how much config I should post etc., but I can supply a shortened version on request should it be deemed appropriate.
Question by: davemonk
LVL 57

Accepted Solution

Pete Long earned 700 total points
ID: 9721406
Hi davemonk,
Knowledge Base

XCCC: Exchange 2000 Windows 2000 Connectivity Through Firewalls
PSS ID Number: 280132

Article Last Modified on 5/19/2003

The information in this article applies to:

Microsoft Outlook Web Access 5.5 SP 1
Microsoft Outlook Web Access 5.5 SP 2
Microsoft Outlook Web Access 5.5 SP 3
Microsoft Exchange 2000 Server


This article was previously published under Q280132
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry

This article describes how to install Exchange 2000 Server and Outlook Web Access 5.5 on computers that are isolated from their Microsoft Windows 2000 networks by a firewall and are in a demilitarized zone (DMZ) Ethernet environment. Before any Exchange 2000 connectivity can be attempted, the firewall must be configured to allow Windows 2000 logon and networking traffic.

NOTE: This article discusses Windows 2000 traffic and connectivity only.
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To install Exchange 2000 and Outlook Web Access 5.5 on computers that are isolated from their Microsoft Windows 2000 networks by a firewall and are in a demilitarized zone (DMZ) Ethernet environment:
Enable Windows 2000 Server-based computers to log on to the domain through the firewall by opening the following ports for inbound traffic:
53 (Transmission Control Protocol [TCP], User Datagram Protocol [UDP]) - Domain Name System (DNS).
80 (TCP) - Required for Outlook Web Access 5.5 access for communication between Exchange front-end and back-end servers.
88 (Transmission Control Protocol [TCP], UDP) - Kerberos authentication.
123 (TCP) - Windows Time Synchronization Protocol (NTP). Note that this is not necessary for Windows 2000 logon capability, but may be configured or required by the network administrator.
135 (TCP) - EndPointMapper.
389 (TCP, UDP) - Lightweight Directory Access Protocol (LDAP).
445 (TCP) - Server message block (SMB) for Netlogon, LDAP conversion and distributed file system (Dfs) discovery.
3268 (TCP) - LDAP to global catalog servers.
One port for the Active Directory logon and directory replication interface (universally unique identifiers [UUIDs] 12345678-1234-abcd-ef00-01234567cffb and e3514235-4b06-11d1-ab04-00c04fc2dcd2), which is typically assigned port 1025 or 1026 during startup. This value is not set in the DSProxy or System attendant (MAD) source code, so you must map the port in the registry on any domain controllers that the Exchange 2000 computer must contact through the firewall to process logons, and then open the port on the firewall.

To map the port in the registry:
Start Registry Editor (Regedt32.exe).
Locate the following key in the registry:

On the Edit menu, click Add Value, and then add the following registry value:
Value Name: TCP/IP Port
Data Type: REG_DWORD
Radix: Decimal
Value: greater than 1024

Quit Registry Editor.
Make sure that the slash in "TCP/IP" is a forward slash, and that the value that you assign is greater than 1024, in decimal format. That number is the extra port that you need to open (TCP, UDP) on the firewall. Setting this registry value on every domain controller inside the firewall does not impact performance, and covers any logon request redirects that occur as a result of servers that are down, roles that change, or bandwidth needs.
NOTE: For the server inside the firewall to communicate back through the firewall to the external server, you also need to have ports 1024 through 65535 configured for outbound communications. Computers that initiate the communication through the firewall use a client-side port that is dynamically assigned and cannot be configured.
Install Exchange 2000 on the external computer. You do not need any additional ports open to install Exchange 2000 on the external computer.
Install Outlook Web Access 5.5 on the external computer. To install Outlook Web Access 5.5 on the external computer, directed at a Microsoft Exchange Server 5.5 computer that is running inside the DMZ and firewall, you need the Windows 2000 ports discussed previously, plus static mappings for the Exchange Server 5.5 directory service (UUID f5cc5a18-4264-101a-8c59-08002b2f8426), information store (UUID a4f1db00-ca47-1067-b31f-00dd010662da), and system attendant (UUID 469d6ec0-0d87-11ce-b13f-00aa003bac6c). For additional information about setting up these static mappings, click the article numbers below to view the articles in the Microsoft Knowledge Base:
155831 XADM: Setting TCP/IP Ports for Exchange and Outlook Client Connections Through a Firewall

245273 XWEB: OWA Setup Error Message: There Are No More Endpoints Available from the Endpoint Mapper

Configure Exchange 2000 front-end and back-end connectivity. Exchange 2000 front-end and back-end connectivity only requires that additional ports be open as needed for whatever communication is desired (for example, Web client front-end and back-end connectivity requires port 80 [TCP] open, IMAP 143 [TCP], and so on). Additionally, any connectivity by secure protocols such as IPSec or Secure Sockets Layer (SSL)-secured Hypertext Transfer Protocol (HTTP), Internet Message Access Protocol (IMAP), or Post Office Protocol version 3 (POP3) that you need requires additional configuration that is not specified in this article.

In a DMZ Ethernet environment, you also need to define TCP/IP routes from the computer in the DMZ Ethernet to every computer in the internal network that you need to communicate with.
Networking white papers are located at the following Web site:


LVL 79

Assisted Solution

lrmoore earned 700 total points
ID: 9722494
One alternative on your PIX is to create a specific host-to-host rule and not use NAT
(assuming you are using ACLs, not conduits):
DMZ host - <dmz-host-ip>
Exchange host - <exchange-host-ip>

access-list nonat permit ip host <exchange-host-ip> host <dmz-host-ip>
nat (inside) 0 access-list nonat
access-list dmz_inside permit ip host <dmz-host-ip> host <exchange-host-ip>
access-group dmz_inside in interface dmz1

As Pete has shown, there are so many ports to open, it's like Swiss cheese. Might as well make it simple and lock it down to specific hosts only, full IP.
Alternatively, you can use the full spectrum of ports in the ACL, or create a group:
access-list dmz_inside permit tcp host <dmz-host-ip> host <exchange-host-ip> eq 135
access-list dmz_inside permit tcp host <dmz-host-ip> host <exchange-host-ip> eq 445
access-list dmz_inside permit tcp host <dmz-host-ip> host <exchange-host-ip> eq 389
access-list dmz_inside permit tcp host <dmz-host-ip> host <exchange-host-ip> eq 88
access-list dmz_inside permit tcp host <dmz-host-ip> host <exchange-host-ip> eq 3268

Notice that in the above you are not specifying a source port on the source host, only destination ports.
If you follow the KB article, you can lock down those source ports, and refine the access-list even more...
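To check a per-port PIX access-list against the logon flows Pete's KB article lists, here is an added example (not code from either answer or from Cisco): it parses host-to-host ACEs, evaluates them first-match as the PIX does, and reports which required flows the ACL would still drop. The addresses, the access-list name, and port 1025 standing in for the "TCP/IP Port" registry value set on the domain controller are constructed assumptions.

```python
# Added example (not from the original post): check PIX-style ACL lines
# against the DC/Exchange flows the KB article lists. Addresses and the
# RPC port 1025 (the "TCP/IP Port" registry value) are constructed placeholders.
import re

REQUIRED_FLOWS = [  # (proto, dst port) a DMZ server needs towards a DC, per the KB article
    ("tcp", 53), ("udp", 53),                     # DNS
    ("tcp", 88), ("udp", 88),                     # Kerberos
    ("tcp", 135), ("tcp", 445), ("tcp", 3268),    # RPC mapper, SMB/Netlogon, GC LDAP
    ("tcp", 389), ("udp", 389),                   # LDAP
    ("tcp", 1025),                                # fixed AD RPC port (constructed value)
]

ACE = re.compile(
    r"access-list\s+(\S+)\s+(permit|deny)\s+(ip|tcp|udp)\s+host\s+(\S+)\s+host\s+(\S+)"
    r"(?:\s+eq\s+(\d+))?$")

def parse_acl(text, name):
    """Return (action, proto, src, dst, port) tuples of access-list `name`, in order."""
    entries = []
    for line in text.splitlines():
        m = ACE.match(line.strip())
        if m and m.group(1) == name:
            action, proto, src, dst, port = m.groups()[1:]
            entries.append((action, proto, src, dst, int(port) if port else None))
    return entries

def permits(entries, src, dst, proto, port):
    """First-match evaluation like the PIX; unmatched traffic hits the implicit deny."""
    for action, eproto, esrc, edst, eport in entries:
        if (esrc, edst) != (src, dst) or eproto not in ("ip", proto):
            continue
        if eport is not None and eport != port:
            continue
        return action == "permit"
    return False

def missing_flows(acl_text, name, src, dst, required=REQUIRED_FLOWS):
    """Required flows from src to dst that the ACL would drop."""
    entries = parse_acl(acl_text, name)
    return [f for f in required if not permits(entries, src, dst, *f)]

# Constructed sample mirroring the TCP-only per-port ACL and the full-IP rule.
DMZ_HOST, EXCH_HOST = "192.0.2.10", "10.0.0.5"
PORT_ACL = "\n".join(f"access-list dmz_inside permit tcp host {DMZ_HOST} host {EXCH_HOST} eq {p}"
                     for p in (135, 445, 389, 88, 3268))
FULL_IP_ACL = f"access-list dmz_inside permit ip host {DMZ_HOST} host {EXCH_HOST}"

if __name__ == "__main__":
    print("per-port ACL still drops:", missing_flows(PORT_ACL, "dmz_inside", DMZ_HOST, EXCH_HOST))
```

Run against the TCP-only list it reports the UDP halves of DNS, Kerberos and LDAP plus the fixed RPC port as dropped, which is exactly the gap the KB article's port list and registry step close.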


Author Comment

ID: 9722914
Thanks for your replies here, but I'm wondering if the Exchange server and the Domain Controllers *have* to have public addresses?  I'm using NAT for both...

I have added specific hosts accessing the services as listed above - TBH, I hadn't tried full IP, host to host - but again, can I only do this with non-NAT'd addresses??
LVL 23

Expert Comment

by:Tim Holman
ID: 10976455
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:

--> Split between PeteLong and lrmoore.

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

EE Cleanup Volunteer
