Solved

Exchange OWA ports to open on internal firewall(s)

Posted on 2007-03-28
13
163 Views
Last Modified: 2010-04-11
Hi
We are using Exchange 2003 on windows 2003.
We are setting up OWA using a front end server in the DMZ and a back end server on the LAN.  I have configured the ports on our external firewall to allow only ports 80, 443 and NAT'd the public IP to the front end server IP, but my question is regarding the communication between the front end server and back end server and exactly which ports I need to open for all this to work.  This should include any ports for global catalog and AD reference and of course Exchange front end/back end communication.

Can someone supply an exact list of the ports to open.

Thanks in advance
Question by:dazzler1971
13 Comments
 
LVL 16

Expert Comment

by:The_Kirschi
ID: 18807258
You will find all necessary ports here:

http://support.microsoft.com/kb/270836

Just search for "front-end".
0
 
LVL 6

Expert Comment

by:sjepson
ID: 18807326
This looks like a comprehensive list
http://technet.microsoft.com/en-us/library/bb125069.aspx

To summarise, inbound you require:
Basic
******
HTTP 80
IMAP 143
POP 110
SMTP 25
Link State 691

AD
***
LDAP 389 T/U
LDAP to GC 3268
Kerberos 88 T/U
DNS
****
DNS 53 T/U
RPC
****
RPC 135

plus you need to fix a port that your back end server uses for RPC connections or open a whole raft of ports above 1024.
All ports are TCP only unless marked T/U when they are TCP & UDP

Steve
0
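As an added example (not part of this thread, and not code from Microsoft or from the linked articles): a small Python script that encodes the port list above as a rule table, derives the inbound rule set the DMZ front-end needs for a chosen set of protocols, and probes each TCP port from the front-end towards the back-end so you can see which rules the internal firewall actually passes. The port numbers are the ones listed in the comment above; the grouping of rules into "base", "owa", "smtp", "pop" and "imap", the example hostname and the pinned RPC port value are assumptions for illustration. Pinning the back-end RPC port (instead of opening 1024 and up) is what the "fix a port" remark refers to; the KB article linked earlier in the thread describes how that is done on the server side.

```python
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    port: int
    tcp: bool = True
    udp: bool = False
    group: str = "base"  # which role needs it; the grouping is our assumption


# Port list as posted in the comment above. Group tags are our own labelling.
RULES = [
    Rule("HTTP (front-end to back-end OWA)", 80, group="owa"),
    Rule("IMAP", 143, group="imap"),
    Rule("POP3", 110, group="pop"),
    Rule("SMTP", 25, group="smtp"),
    Rule("Link state (routing)", 691),
    Rule("LDAP to DC", 389, udp=True),
    Rule("LDAP to global catalog", 3268),
    Rule("Kerberos", 88, udp=True),
    Rule("DNS", 53, udp=True),
    Rule("RPC endpoint mapper", 135),
]


def required_rules(roles, pinned_rpc_port=None):
    """Rules a DMZ front-end needs for the given roles ('owa', 'smtp',
    'pop', 'imap'); 'base' rules are always included. If the back-end RPC
    port has been pinned, it is added as one extra rule; otherwise the
    caller must open the whole dynamic range (see rpc_port_range)."""
    wanted = {"base", *roles}
    rules = [r for r in RULES if r.group in wanted]
    if pinned_rpc_port is not None:
        rules.append(Rule("RPC (pinned on back-end)", pinned_rpc_port))
    return rules


def rpc_port_range(pinned_rpc_port=None):
    """Inclusive TCP range the RPC data channel needs: the single pinned
    port, or 1024-65535 when nothing has been pinned."""
    if pinned_rpc_port is not None:
        return (pinned_rpc_port, pinned_rpc_port)
    return (1024, 65535)


def probe_tcp(host, port, timeout=2.0, connect=socket.create_connection):
    """'open' (handshake completed), 'refused' (host answered with RST, so
    the firewall passed the packet but nothing listens) or 'filtered'
    (timeout/unreachable: typically a firewall silently dropping)."""
    try:
        with connect((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # includes timeouts and 'no route to host'
        return "filtered"


def check_rules(host, rules, connect=socket.create_connection):
    """Probe every TCP rule against the back-end host. UDP counterparts are
    listed as 'not-probed': a UDP send proves nothing about a firewall."""
    results = {}
    for r in rules:
        if r.tcp:
            results[(r.port, "tcp")] = probe_tcp(host, r.port, connect=connect)
        if r.udp:
            results[(r.port, "udp")] = "not-probed"
    return results


if __name__ == "__main__":
    # Hypothetical back-end name and pinned port, for illustration only.
    backend = "exch-be.corp.example"
    plan = required_rules({"owa"}, pinned_rpc_port=5000)
    print("RPC range to open:", rpc_port_range(5000))
    for (port, proto), state in sorted(check_rules(backend, plan).items()):
        print(f"{proto}/{port:<5} {state}")
```

Run it from the DMZ front-end once the internal firewall rules are in place: anything reported as "filtered" on a port in the plan is a rule you still have to add (or a rule that is there but for the wrong direction), while "refused" means the firewall is fine and the back-end service is not listening on that port.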
 
LVL 104

Expert Comment

by:Sembee
ID: 18807390
Why do you want to put an Exchange server in the DMZ? It does nothing for your security and makes your firewall swiss cheese.

No one has given me a good reason to put an Exchange server in the DMZ and it is something I strongly advise you to reconsider.

See my blog here:
http://www.sembee.co.uk/archive/2006/02/23/7.aspx

If the number of ports that you have to open doesn't scare you, then you need to look at your network security.

Simon.
0
 
LVL 18

Expert Comment

by:PowerIT
ID: 18807578
Sembee, before reacting I would like to read your take on this. But your blog seems to be down.

J.
0
 

Author Comment

by:dazzler1971
ID: 18808166
Well, agreed, there are some positives and negatives to each scenario.  For my scenario and out of the ports listed above I would say I only need to open ports 80, 3268 and maybe 389, so that's only 3 ports.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18809144
My host is having some routing issues apparently. It works for me. Try going in on the root (http://www.sembee.co.uk) and then finding the article.

If you are putting an Exchange server in the DMZ you cannot get away with just the three ports you have outlined. The Exchange server needs to communicate with the domain controllers, plus you have to change ports on the Exchange org as well.

If you want to put something in the DMZ and have limited ports then you need to use an ISA that is NOT a member of the domain.

Simon.
0
 

Author Comment

by:dazzler1971
ID: 18809182
We already have a firewall between the DMZ and internal network, though, so are you saying we should replace this with ISA?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18809247
No.
I am not talking about using an ISA as a firewall. I would never deploy ISA as a firewall.
What I am talking about is using ISA as a reverse proxy. That machine can sit in the DMZ, it only requires a small number of ports to be opened (I can usually get it down to two if ISA is doing email as well - 25 and 443 - just the one if it is OWA only).

The point is that a DMZ is not the place for any domain member. The usual show stopper is that you need port 135 open between the two interfaces. Anyone who is serious about network security will not allow that to happen under any circumstances.

Simon.
0
 

Author Comment

by:dazzler1971
ID: 18809539
OK, that sounds like the best solution then.  We only have 1 spare server, so if we use it for ISA we won't be able to install a front end server on the LAN.  Can you lead me to a document that shows how to configure ISA to publish the Exchange back end server on the LAN for OWA only?
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18809835
There is a ton of stuff on this on isaserver.org - there is also lots on microsoft.com in Technet as it is Microsoft's preferred way of doing things.

Simon.
0
 

Author Comment

by:dazzler1971
ID: 18815879
OK, thanks.  One last comment on this: will we need a certificate for the ISA server and the OWA server on the LAN, or just for the ISA server?
0
 
LVL 104

Accepted Solution

by:
Sembee earned 250 total points
ID: 18818244
Debatable.
You can have the certificate on the ISA server or on OWA or both. I have seen all three combinations used.

Simon.
0
 

Author Comment

by:dazzler1971
ID: 18818276
I have seen an article on isaserver.org where we will install a VeriSign certificate on the OWA server website in IIS and then import it onto the ISA server certificate store.  I think this is what we are going to do.  Does this sound OK to you?
0
