Exchange OWA ports to open on internal firewall(s)

Hi
We are using Exchange 2003 on Windows 2003.
We are setting up OWA using a front end server in the DMZ and a back end server on the LAN. I have configured the ports on our external firewall to allow only ports 80, 443 and NAT'd the public IP to the front end server IP, but my question is regarding the communication between the front end server and back end server and exactly which ports I need to open for all this to work. This should include any ports for global catalog and AD reference and of course Exchange front end/back end communication.

Can someone supply an exact list of the ports to open?

Thanks in advance
Asked by dazzler1971
 
The_Kirschi commented:
You will find all necessary ports here:

http://support.microsoft.com/kb/270836

Just search for "front-end".
 
sjepson commented:
This looks like a comprehensive list:
http://technet.microsoft.com/en-us/library/bb125069.aspx

To summarise, inbound you require:

Basic
******
HTTP 80
IMAP 143
POP 110
SMTP 25
Link State 691

AD
***
LDAP 389 T/U
LDAP to GC 3268
Kerberos 88 T/U

DNS
****
DNS 53 T/U

RPC
****
RPC 135

plus you need to fix a port that your back end server uses for RPC connections, or open a whole raft of ports above 1024.
All ports are TCP only unless marked T/U, when they are TCP & UDP.

Steve
 
Sembee commented:
Why do you want to put an Exchange server in the DMZ? It does nothing for your security and makes your firewall Swiss cheese.

No one has given me a good reason to put an Exchange server in the DMZ and it is something I strongly advise you to reconsider.

See my blog here:
http://www.sembee.co.uk/archive/2006/02/23/7.aspx

If the number of ports that you have to open doesn't scare you, then you need to look at your network security.

Simon.
 
PowerIT commented:
Sembee, before reacting I would like to read your take on this. But your blog seems to be down.

J.
 
dazzler1971 (Author) commented:
Well, agreed, there are some positives and negatives to each scenario. For my scenario, and out of the ports listed above, I would say I only need to open ports 80, 3268 and maybe 389, so that's only 3 ports.
 
Sembee commented:
My host is having some routing issues apparently. It works for me. Try going in on the root (http://www.sembee.co.uk) and then finding the article.

If you are putting an Exchange server in the DMZ you cannot get away with just the three ports you have outlined. The Exchange server needs to communicate with the domain controllers, plus you have to change ports on the Exchange org as well.

If you want to put something in the DMZ and have limited ports then you need to use an ISA that is NOT a member of the domain.

Simon.
 
dazzler1971 (Author) commented:
We already have a firewall, though, between the DMZ and the internal network, so are you saying we should replace this with ISA?
 
Sembee commented:
No.
I am not talking about using an ISA as a firewall. I would never deploy ISA as a firewall.
What I am talking about is using ISA as a reverse proxy. That machine can sit in the DMZ, it only requires a small number of ports to be opened (I can usually get it down to two if ISA is doing email as well - 25 and 443 - just the one if it is OWA only).

The point is that a DMZ is not the place for any domain member. The usual show stopper is that you need port 135 open between the two interfaces. Anyone who is serious about network security will not allow that to happen under any circumstances.

Simon.
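To make the two positions in this thread concrete, here is an added Python example (not code from the thread or any of its posters) that audits a DMZ-to-LAN firewall rule set against the port list in sjepson's answer and against Sembee's single-port reverse-proxy design. The `allow proto port[-port]` rule format, the 1025-65535 model of the dynamic RPC range and the sample rule sets are constructed for the example.

```python
from dataclasses import dataclass

# Required DMZ-to-LAN flows for a domain-joined Exchange 2003 front-end server, taken
# from sjepson's summary in this thread; each "T/U" entry appears once per protocol.
FRONT_END_REQUIRED = [
    ("HTTP", "tcp", 80), ("IMAP", "tcp", 143), ("POP3", "tcp", 110), ("SMTP", "tcp", 25),
    ("Link State", "tcp", 691), ("LDAP", "tcp", 389), ("LDAP", "udp", 389),
    ("LDAP to GC", "tcp", 3268), ("Kerberos", "tcp", 88), ("Kerberos", "udp", 88),
    ("DNS", "tcp", 53), ("DNS", "udp", 53), ("RPC endpoint mapper", "tcp", 135),
]
# A non-domain-joined ISA reverse proxy publishing OWA only: Sembee's single port (HTTPS).
REVERSE_PROXY_REQUIRED = [("HTTPS", "tcp", 443)]

@dataclass(frozen=True)
class Rule:
    proto: str
    low: int
    high: int

    def covers(self, proto, port):
        return self.proto == proto and self.low <= port <= self.high

def parse_rules(text):
    """Parse a constructed rule format: 'allow tcp 80' or 'allow tcp 1025-65535'."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] != "allow":
            continue  # skip blank lines and anything that is not an allow rule
        low, _, high = parts[2].partition("-")
        rules.append(Rule(parts[1].lower(), int(low), int(high or low)))
    return rules

def audit(rules, required, fixed_rpc_port=None):
    """Return (missing flows, count of ports opened) for a rule set against a requirement list."""
    missing = [f"{name} {proto}/{port}" for name, proto, port in required
               if not any(r.covers(proto, port) for r in rules)]
    if any(name.startswith("RPC") for name, _, _ in required):
        # After the endpoint mapper, RPC lands on either a fixed back-end port or the dynamic
        # range above 1024 (the thread's "raft of ports"), modelled here as 1025-65535.
        if fixed_rpc_port is not None:
            if not any(r.covers("tcp", fixed_rpc_port) for r in rules):
                missing.append(f"RPC fixed tcp/{fixed_rpc_port}")
        elif not any(r.proto == "tcp" and r.low <= 1025 and r.high >= 65535 for r in rules):
            missing.append("RPC dynamic tcp/1025-65535 (or fix the back-end RPC port)")
    return missing, sum(r.high - r.low + 1 for r in rules)

# Constructed rule sets: the asker's three-port proposal and the OWA-only reverse-proxy design.
ASKER_PROPOSAL = "allow tcp 80\nallow tcp 3268\nallow tcp 389\n"
REVERSE_PROXY = "allow tcp 443\n"
```

Running `audit(parse_rules(ASKER_PROPOSAL), FRONT_END_REQUIRED)` lists eleven missing flows, including tcp/135 and the RPC range, while the reverse-proxy rule set audits clean with a single port opened.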
 
dazzler1971 (Author) commented:
OK, that sounds like the best solution then. We only have 1 spare server, so if we use it for ISA we won't be able to install a front end server on the LAN. Can you lead me to a document that shows how to configure ISA to publish the Exchange back end server on the LAN for OWA only?
 
Sembee commented:
There is a ton of stuff on this on isaserver.org - there is also lots on microsoft.com in Technet as it is Microsoft's preferred way of doing things.

Simon.
 
dazzler1971 (Author) commented:
OK, thanks. One last comment on this: will we need a certificate for the ISA server and the OWA server on the LAN, or just for the ISA server?
 
Sembee commented:
Debatable.
You can have the certificate on the ISA server or on OWA or both. I have seen all three combinations used.

Simon.
 
dazzler1971 (Author) commented:
I have seen an article on isaserver.org where we will install a VeriSign certificate on the OWA server website in IIS and then import it onto the ISA server certificate store. I think this is what we are going to do. Does this sound OK to you?