Ports that need to be opened for IMAP clients to access Exchange 2007 through firewall.

I have DSL users from remote sites that need to access their mailboxes sitting at head office using Outlook. I have two mailbox clusters, CAS and HUB servers. Currently for the first cluster I have ports 3012 and 3053 opened - all users are able to connect. The same rules are applied to the second mailbox cluster but DSL users are not able to connect. Definitely a firewall issue, because if I move those users' mailboxes to the first cluster it works. I have also spoken to the firewall guys and have checked that the firewall is dropping connections on 2112 for the second cluster.

When does Exchange use these "dynamic" ports to connect? Is it Outlook (IMAP) that uses these ports? I have searched for the range so I could ask the FW guys to open the range - no luck. A friend has suggested that I get them to open anything greater than 1023?? Should I make the ports static for both clusters since they would maybe change if Exchange services are restarted or we fail over?

Exchange IMAP also uses the following ports:

993 /TCP IMAP over SSL

You may have to open these ports on the firewall as well.

Also have a look at this article for Exchange 2003; I am not sure if this can also apply to Exchange 2007.
Rick Fee (Messaging Engineer - Disaster Recovery Engineer) Commented:
bmatumbura is correct about the IMAP ports but it sounds like you're attempting to get the IMAP clients to talk to your cluster/mailbox servers? The CAS role takes care of IMAP, POP, ActiveSync, OWA, etc. Your firewall needs to redirect the IMAP traffic to the CAS server and not the Mailbox servers.
Nelesh_N (Author) Commented:
This is the thing, if I'm on the LAN (TCP connection) and do a netstat, I see that I am connecting directly to the mailbox machines on 2153. A configuration issue??

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    NXN1804:1076           lib-dc6-jhb.mydomain.net:1025  ESTABLISHED
  TCP    NXN1804:1078           lib-dc6-jhb.mydomain.net:1025  ESTABLISHED
  TCP    NXN1804:1094           lib-dc6-jhb.mydomain.net:1025  ESTABLISHED
  TCP    NXN1804:1113           lexmbxpd1wc2.mydomain.net:2153  ESTABLISHED
  TCP    NXN1804:1115           lexmbxpd1wc2.mydomain.net:2153  ESTABLISHED
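
An added example, not part of the original thread: a short Python script that parses `netstat` output like the listing above and reports, per mailbox server, the established remote ports that are missing from the firewall allow list. The allow list holds the two ports the question says are open; the function names and the mailbox host set are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Ports the question says are already open on the firewall.
ALLOWED_PORTS = {3012, 3053}
# Assumption: hosts treated as mailbox servers (name taken from the listing).
MAILBOX_HOSTS = {"lexmbxpd1wc2.mydomain.net"}

# Sample input: the netstat lines quoted in the post above.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    NXN1804:1076           lib-dc6-jhb.mydomain.net:1025  ESTABLISHED
  TCP    NXN1804:1078           lib-dc6-jhb.mydomain.net:1025  ESTABLISHED
  TCP    NXN1804:1094           lib-dc6-jhb.mydomain.net:1025  ESTABLISHED
  TCP    NXN1804:1113           lexmbxpd1wc2.mydomain.net:2153  ESTABLISHED
  TCP    NXN1804:1115           lexmbxpd1wc2.mydomain.net:2153  ESTABLISHED
"""

# Captures remote host, remote port and state; greedy \S+ keeps IPv6 colons in the host.
ROW = re.compile(r"^\s*TCP\s+\S+:\d+\s+(\S+):(\d+)\s+(\S+)\s*$")


def established_remote_ports(netstat_text):
    """Return {remote_host: {remote_port: connection_count}} for ESTABLISHED TCP rows."""
    seen = defaultdict(lambda: defaultdict(int))
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if m and m.group(3).upper() == "ESTABLISHED":
            seen[m.group(1).lower()][int(m.group(2))] += 1
    return {host: dict(ports) for host, ports in seen.items()}


def firewall_gaps(netstat_text, allowed=ALLOWED_PORTS, hosts=MAILBOX_HOSTS):
    """Return {mailbox_host: [ports in use but not in the allow list]}."""
    gaps = {}
    for host, ports in established_remote_ports(netstat_text).items():
        if host in hosts:
            missing = sorted(p for p in ports if p not in allowed)
            if missing:
                gaps[host] = missing
    return gaps


if __name__ == "__main__":
    for host, ports in firewall_gaps(SAMPLE).items():
        print(f"{host}: in use but not allowed -> {ports}")
```

Running it against `netstat` output captured on a LAN client for each cluster gives the firewall team a per-server list of ports actually in use to compare with their rules.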

Nelesh_N (Author) Commented:
Hi guys, please help with this. Project has been put on hold until we can find a solution to this.
Nelesh_N (Author) Commented:
Okay, so if users access their mailboxes internally (on the LAN) they will connect directly to their mailboxes. If they are using RPC over HTTP or OWA they will be directed to the CAS boxes, correct?
Nelesh_N (Author) Commented:
