Solved

Exchange OWA ports to open on internal firewall(s)

Posted on 2007-03-28
13
158 Views
Last Modified: 2010-04-11
Hi
We are using Exchange 2003 on windows 2003.
We are setting up OWA using a front end server in the DMZ and a back end server on the LAN. I have configured the ports on our external firewall to allow only ports 80, 443 and NAT'd the public IP to the front end server IP, but my question is regarding the communication between the front end server and back end server and exactly which ports I need to open for all this to work. This should include any ports for global catalog and AD reference and of course Exchange front end/back end communication.

Can someone supply an exact list of the ports to open.

Thanks in advance
0
Question by:dazzler1971
13 Comments
 
LVL 16

Expert Comment

by:The_Kirschi
ID: 18807258
You will find all necessary ports here:

http://support.microsoft.com/kb/270836

Just search for "front-end".
0
 
LVL 6

Expert Comment

by:sjepson
ID: 18807326
This looks like a comprehensive list
http://technet.microsoft.com/en-us/library/bb125069.aspx

To summarise, inbound you require:
Basic
******
HTTP 80
IMAP 143
POP 110
SMTP 25
Link State 691

AD
***
LDAP 389 T/U
LDAP to GC 3268
Kerberos 88 T/U

DNS
****
DNS 53 T/U

RPC
****
RPC 135

Plus you need to fix a port that your back end server uses for RPC connections or open a whole raft of ports above 1024.
All ports are TCP only unless marked T/U, when they are TCP & UDP.

Steve
0
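As an added example (not from the thread or any of its posters), a small Python audit that checks a DMZ-to-LAN rule set against the port list in the answer above: it reports required ports no rule permits, flags wide ranges such as the "raft of ports above 1024" the answer warns about, and flags single ports outside the list. The `allow proto port[-port]` rule syntax and the sample rule set are constructed for the example.

```python
# Added example (not from the thread): audit a DMZ->LAN rule set against the list above.
from collections import namedtuple

# (protocol, port) -> service, transcribed from the answer above; T/U entries appear twice.
REQUIRED = {
    ("tcp", 80): "HTTP", ("tcp", 143): "IMAP", ("tcp", 110): "POP",
    ("tcp", 25): "SMTP", ("tcp", 691): "Link State",
    ("tcp", 389): "LDAP", ("udp", 389): "LDAP", ("tcp", 3268): "LDAP to GC",
    ("tcp", 88): "Kerberos", ("udp", 88): "Kerberos",
    ("tcp", 53): "DNS", ("udp", 53): "DNS",
    ("tcp", 135): "RPC endpoint mapper",
}

Rule = namedtuple("Rule", "proto lo hi")  # one permitted range; hi == lo for a single port

def parse_rules(text):
    """Parse constructed lines of the form 'allow tcp 80' or 'allow tcp 1024-65535'."""
    rules = []
    for line in text.strip().splitlines():
        _, proto, ports = line.split()
        lo, _, hi = ports.partition("-")
        rules.append(Rule(proto.lower(), int(lo), int(hi or lo)))
    return rules

def audit(rules, rpc_port=None, max_range=16):
    """Return (missing, findings): required pairs no rule permits, and rules that open
    more than the list needs (wide ranges, or ports neither required nor the fixed RPC port)."""
    def covered(proto, port):
        return any(r.proto == proto and r.lo <= port <= r.hi for r in rules)
    missing = sorted(k for k in REQUIRED if not covered(*k))
    findings = []
    for r in rules:
        if r.hi - r.lo + 1 > max_range:  # the "raft of ports above 1024" the answer warns about
            findings.append(f"{r.proto} {r.lo}-{r.hi}: wide range; fix the back-end RPC port instead")
            continue
        for port in range(r.lo, r.hi + 1):
            if (r.proto, port) not in REQUIRED and port != rpc_port:
                findings.append(f"{r.proto} {port}: not in the required list")
    return missing, findings

# Constructed sample: AD/DNS/RPC entries plus a wide dynamic range and an unrelated port.
CONSTRUCTED_RULES = (
    "allow tcp 80\nallow tcp 389\nallow udp 389\nallow tcp 3268\nallow tcp 88\nallow udp 88\n"
    "allow tcp 53\nallow udp 53\nallow tcp 135\nallow tcp 1024-65535\nallow tcp 3389"
)

if __name__ == "__main__":
    missing, findings = audit(parse_rules(CONSTRUCTED_RULES))
    print("missing:", missing)
    print("findings:", findings)
```

Pass the port you fixed on the back end as `rpc_port` so the audit accepts it instead of flagging it.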
 
LVL 104

Expert Comment

by:Sembee
ID: 18807390
Why do you want to put an Exchange server in the DMZ? It does nothing for your security and makes your firewall swiss cheese.

No one has given me a good reason to put an Exchange server in the DMZ and it is something I strongly advise you to reconsider.

See my blog here:
http://www.sembee.co.uk/archive/2006/02/23/7.aspx

If the number of ports that you have to open doesn't scare you, then you need to look at your network security.

Simon.
0
 
LVL 18

Expert Comment

by:PowerIT
ID: 18807578
Sembee, before reacting I would like to read your take on this. But your blog seems to be down.

J.
0
 

Author Comment

by:dazzler1971
ID: 18808166
Well, agreed, there are some positives and negatives to each scenario. For my scenario and out of the ports listed above I would say I only need to open ports 80, 3268 and maybe 389, so that's only 3 ports.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18809144
My host is having some routing issues apparently. It works for me. Try going in on the root (http://www.sembee.co.uk) and then finding the article.

If you are putting an Exchange server in the DMZ you cannot get away with just the three ports you have outlined. The Exchange server needs to communicate with the domain controllers, plus you have to change ports on the Exchange org as well.

If you want to put something in the DMZ and have limited ports then you need to use an ISA that is NOT a member of the domain.

Simon.
0
 

Author Comment

by:dazzler1971
ID: 18809182
We already have a firewall though between the DMZ and internal network, so are you saying we should replace this with ISA?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18809247
No.
I am not talking about using an ISA as a firewall. I would never deploy ISA as a firewall.
What I am talking about is using ISA as a reverse proxy. That machine can sit in the DMZ, it only requires a small number of ports to be opened (I can usually get it down to two if ISA is doing email as well - 25 and 443 - just the one if it is OWA only).

The point is that a DMZ is not the place for any domain member. The usual show stopper is that you need port 135 open between the two interfaces. Anyone who is serious about network security will not allow that to happen under any circumstances.

Simon.
0
 

Author Comment

by:dazzler1971
ID: 18809539
OK, that sounds like the best solution then. We only have 1 spare server, so if we use it for ISA we won't be able to install a front end server on the LAN. Can you lead me to a document that shows how to configure ISA to publish the Exchange back end server on the LAN for OWA only.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18809835
There is a ton of stuff on this on isaserver.org - there is also lots on microsoft.com in Technet as it is Microsoft's preferred way of doing things.

Simon.
0
 

Author Comment

by:dazzler1971
ID: 18815879
OK, thanks. One last comment on this. Will we need a certificate for the ISA server and the OWA server on the LAN? Or just for the ISA server?
0
 
LVL 104

Accepted Solution

by:Sembee (earned 250 total points)
ID: 18818244
Debatable.
You can have the certificate on the ISA server or on OWA or both. I have seen all three combinations used.

Simon.
0
 

Author Comment

by:dazzler1971
ID: 18818276
I have seen an article on isaserver.org where we will install a VeriSign certificate on the OWA server website in IIS and then import it onto the ISA server certificate store. I think this is what we are going to do. Does this sound OK to you?
0