DMZ Exchange client needs to log onto Exchange sitting on inside LAN

I have a PIX 520 configured with three interfaces, inside, DMZ1 and outside.

The inside interface naturally routes off to my internal LAN where I've an Exchange 5.5 server handling Exchange client requests.  I've recently also purchased a new SMTP relay server (ServerX) that I'm testing at the moment on the LAN and have now got it configured to restrict spam messages, as well as providing pass-through NTLM authentication for my users to relay, should they want to use it whilst on the road etc., with the Windows 2000 servers.

At the moment, I've got an old anti-spam server (ServerM) sitting on the DMZ, that's the MX record for the company, and (at the moment) that passes mail to ServerX which checks for spam, and then it, in turn, passes the mail to my Exchange server.

I'm going to be moving ServerX from the LAN to the DMZ and probably replacing ServerM with it, so my final setup will be ServerX (MX record) on the DMZ checking for spam and relaying and, if OK, passing mail to the Exchange server on the inside LAN.  In order to test this all out beforehand though, I have a dummy machine on the DMZ configured with the IP address that the relocated ServerX will be working on.

What I'm having major difficulties with is getting this dummy machine on the DMZ to authenticate with the LAN servers, and therefore with the Exchange service.  I need both.

At this point in time I'm not sure how much config I should post etc., but I can supply a shortened version on request should it be deemed appropriate.

Pete Long (Technical Consultant) commented:
Hi davemonk,
Knowledge Base

XCCC: Exchange 2000 Windows 2000 Connectivity Through Firewalls
PSS ID Number: 280132

Article Last Modified on 5/19/2003

The information in this article applies to:

Microsoft Outlook Web Access 5.5 SP 1
Microsoft Outlook Web Access 5.5 SP 2
Microsoft Outlook Web Access 5.5 SP 3
Microsoft Exchange 2000 Server

This article was previously published under Q280132
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry

This article describes how to install Exchange 2000 Server and Outlook Web Access 5.5 on computers that are isolated from their Microsoft Windows 2000 networks by a firewall and are in a demilitarized zone (DMZ) Ethernet environment. Before any Exchange 2000 connectivity can be attempted, the firewall must be configured to allow Windows 2000 logon and networking traffic.

NOTE: This article discusses Windows 2000 traffic and connectivity only.
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To install Exchange 2000 and Outlook Web Access 5.5 on computers that are isolated from their Microsoft Windows 2000 networks by a firewall and are in a demilitarized zone (DMZ) Ethernet environment:
Enable Windows 2000 Server-based computers to log on to the domain through the firewall by opening the following ports for inbound traffic:
53 (Transmission Control Protocol [TCP], User Datagram Protocol [UDP]) - Domain Name System (DNS).
80 (TCP) - Required for Outlook Web Access 5.5 access for communication between Exchange front-end and back-end servers.
88 (Transmission Control Protocol [TCP], UDP) - Kerberos authentication.
123 (TCP) - Windows Time Synchronization Protocol (NTP). Note that this is not necessary for Windows 2000 logon capability, but may be configured or required by the network administrator.
135 (TCP) - EndPointMapper.
389 (TCP, UDP) - Lightweight Directory Access Protocol (LDAP).
445 (TCP) - Server message block (SMB) for Netlogon, LDAP conversion and distributed file system (Dfs) discovery.
3268 (TCP) - LDAP to global catalog servers.
One port for the Active Directory logon and directory replication interface (universally unique identifiers [UUIDs] 12345678-1234-abcd-ef00-01234567cffb and e3514235-4b06-11d1-ab04-00c04fc2dcd2), which is typically assigned port 1025 or 1026 during startup. This value is not set in the DSProxy or System attendant (MAD) source code, so you must map the port in the registry on any domain controllers that the Exchange 2000 computer must contact through the firewall to process logons, and then open the port on the firewall.

To map the port in the registry:
Start Registry Editor (Regedt32.exe).
Locate the following key in the registry:

On the Edit menu, click Add Value, and then add the following registry value:
Value Name: TCP/IP Port
Data Type: REG_DWORD
Radix: Decimal
Value: greater than 1024

Quit Registry Editor.
Make sure that the slash in "TCP/IP" is a forward slash, and that the value that you assign is greater than 1024, in decimal format. That number is the extra port that you need to open (TCP, UDP) on the firewall. Setting this registry value on every domain controller inside the firewall does not impact performance, and covers any logon request redirects that occur as a result of servers that are down, roles that change, or bandwidth needs.
NOTE: For the server inside the firewall to communicate back through the firewall to the external server, you also need to have ports 1024 through 65535 configured for outbound communications. Computers that initiate the communication through the firewall use a client-side port that is dynamically assigned and cannot be configured.
Install Exchange 2000 on the external computer. You do not need any additional ports open to install Exchange 2000 on the external computer.
Install Outlook Web Access 5.5 on the external computer. To install Outlook Web Access 5.5 on the external computer, directed at a Microsoft Exchange Server 5.5 computer that is running inside the DMZ and firewall, you need the Windows 2000 ports discussed previously, plus static mappings for the Exchange Server 5.5 directory service (UUID f5cc5a18-4264-101a-8c59-08002b2f8426), information store (UUID a4f1db00-ca47-1067-b31f-00dd010662da), and system attendant (UUID 469d6ec0-0d87-11ce-b13f-00aa003bac6c). For additional information about setting up these static mappings, click the article numbers below to view the articles in the Microsoft Knowledge Base:
155831 XADM: Setting TCP/IP Ports for Exchange and Outlook Client Connections Through a Firewall

245273 XWEB: OWA Setup Error Message: There Are No More Endpoints Available from the Endpoint Mapper

Configure Exchange 2000 front-end and back-end connectivity. Exchange 2000 front-end and back-end connectivity only requires that additional ports be open as needed for whatever communication is desired (for example, Web client front-end and back-end connectivity requires port 80 [TCP] open, IMAP 143 [TCP], and so on). Additionally, any connectivity by secure protocols such as IPSec or Secure Sockets Layer (SSL)-secured Hypertext Transfer Protocol (HTTP), Internet Message Access Protocol (IMAP), or Post Office Protocol version 3 (POP3) that you need requires additional configuration that is not specified in this article.

In a DMZ Ethernet environment, you also need to define TCP/IP routes from the computer in the DMZ Ethernet to every computer in the internal network that you need to communicate with.
Networking white papers are located at the following Web site:


© 2003 Microsoft Corporation. All rights reserved.


One alternative on your PIX is to create a specific host-to-host rule and not use NAT
(assuming you are using ACLs, not conduits)
DMZ host -
Exchange Host -

access-list nonat permit ip host host
nat (inside) 0 access-list nonat
access-list dmz_inside permit ip host host
access-group dmz_inside in interface dmz1

As Pete has shown, there are so many ports to open, it's like Swiss cheese. Might as well make it simple and lock it down to specific hosts only, full IP.
Alternatively, you can use the full spectrum of ports in the ACL, or create a group..
access-list dmz_inside permit tcp host host eq 135
access-list dmz_inside permit tcp host host eq 445
access-list dmz_inside permit tcp host host eq 389
access-list dmz_inside permit tcp host host eq 88
access-list dmz_inside permit tcp host host eq 3268

Notice that in the above you are not specifying the source port on the source host, only destination ports.
If you follow the KB article, you can lock down those source ports, and refine the access-list even more...
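As an added check (not code from this thread or from Microsoft), the following Python compares a PIX host-to-host ACL of the kind shown in the previous comment against the Windows 2000 logon ports from the KB article Pete quoted, and lists which required flows the ACL still does not permit. The 192.0.2.10 / 198.51.100.5 addresses and the 1027 RPC port are assumed placeholders.

```python
import re
# Added example (not from the thread): compare a PIX host-to-host ACL with the
# domain-logon ports that KB Q280132 (quoted above) says a DMZ member must reach
# on an inside DC. Ports 80 (OWA) and 123 (NTP) are left out: not needed for logon.
LOGON_FLOWS = [
    ("tcp", 53), ("udp", 53),    # DNS
    ("tcp", 88), ("udp", 88),    # Kerberos
    ("tcp", 135),                # RPC endpoint mapper
    ("tcp", 389), ("udp", 389),  # LDAP
    ("tcp", 445),                # SMB / Netlogon
    ("tcp", 3268),               # LDAP to global catalog
]
# Host-to-host access-list line as written in the thread, with optional "eq <port>".
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+(ip|tcp|udp)\s+host\s+(\S+)"
                    r"\s+host\s+(\S+)(?:\s+eq\s+(\d+))?\s*$")

def parse_acl(config_text):
    """Return (name, proto, src, dst, port_or_None) for each matching ACL line."""
    rules = []
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, proto, src, dst, port = m.groups()
            rules.append((name, proto, src, dst, int(port) if port else None))
    return rules

def missing_logon_flows(config_text, dmz_host, dc_host, rpc_port):
    """Return (proto, port) flows dmz_host -> dc_host that no ACL line permits.
    rpc_port is the DC's registry-mapped "TCP/IP Port" (> 1024); the KB wants it on TCP and UDP."""
    needed = LOGON_FLOWS + [("tcp", rpc_port), ("udp", rpc_port)]
    rules = parse_acl(config_text)

    def permitted(proto, port):  # "permit ip" covers everything; no "eq" covers all ports
        for _, rproto, src, dst, rport in rules:
            if src == dmz_host and dst == dc_host:
                if rproto == "ip" or (rproto == proto and rport in (None, port)):
                    return True
        return False

    return [flow for flow in needed if not permitted(*flow)]

# Constructed sample: the thread's per-port ACL with placeholder addresses
# (192.0.2.10 = DMZ relay, 198.51.100.5 = inside DC); 1027 is an assumed registry port.
SAMPLE_ACL = """
access-list dmz_inside permit tcp host 192.0.2.10 host 198.51.100.5 eq 135
access-list dmz_inside permit tcp host 192.0.2.10 host 198.51.100.5 eq 445
access-list dmz_inside permit tcp host 192.0.2.10 host 198.51.100.5 eq 389
access-list dmz_inside permit tcp host 192.0.2.10 host 198.51.100.5 eq 88
access-list dmz_inside permit tcp host 192.0.2.10 host 198.51.100.5 eq 3268
"""
```

Against the sample, the per-port ACL still blocks DNS, UDP Kerberos, UDP LDAP and the registry-mapped RPC port, which is the kind of gap that makes DMZ domain logons fail while SMTP relaying works.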

davemonk (Author) commented:
Thanks for your replies here, but I'm wondering if the Exchange server and the Domain Controllers *have* to have public addresses?  I'm using NAT for both...

I have added specific hosts accessing the services as listed above - TBH, I hadn't tried full IP, host to host - but again, can I only do this with non-NAT'd addresses??
Tim Holman commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:

--> Split between PeteLong and lrmoore.

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

EE Cleanup Volunteer