vegas588 asked:
Why Change Exchange 2010 Ports to Static?

A client has purchased an F5 Load Balancer for use with Exchange 2010. In reading the documentation and a number of websites, almost all recommend setting the RPC and Address Book ports to static. I found the great PowerShell script that MS has provided to do this as well. What I am not finding is WHY I really need to change the ports to static. Can someone please explain the negative points for keeping dynamic port ranges for these services? Also, what about SSL offloading? Thanks.
Busbar:

If you don't use static ports then you will need to load balance the whole range of ports starting from 1204 to 65xxx. Does that make sense?
vegas588 (asker):
It does, but we tested it and Outlook still connects without the static ports. We did not specifically allow the whole range. Perhaps F5 and MS have come up with a new software/firmware that makes this possible?
OK, you are talking now from the server side; well, I can understand that.
From my point of view it depends on your infrastructure: if you have a firewall between CAS and NLB, then it will matter to have a static port; if not, then it won't matter and you don't need static ports. Unless I missed something serious.
ASKER CERTIFIED SOLUTION
Akhater
(solution text available to members only)
The architecture goes like this:
Internally, they have 2 CAS/HUB servers and 2 MB servers in a DAG. One AD Site and one physical Site. The F5 is on the same subnet as the Exchange servers. They have a Cisco ASA firewall, but no DMZ. So connections from Outlook Anywhere will go to firewall and then be routed directly to the F5. Persons using Outlook Anywhere now work, as the firewall rule points directly to one of the CAS/HUB servers. We did not specifically allow all of the dynamic port ranges through the firewall. So, I don't see this functionality changing when we point the firewall rule to the F5.
Given this information, does it change anything?
Nope.
If the F5 is in the same subnet as your CAS servers, and since it seems you have no issues with having NLB configured with all ports (which might add load on the F5), then leave it as is.

Just note that there is no technical restriction for enabling static ports; it is just a best practice.
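The point the thread circles around is that, without static ports, the F5 (and any firewall between it and the CAS servers) has to pass the entire dynamic RPC range, whereas with static ports the load balancer only needs the RPC endpoint mapper (TCP 135) plus two fixed ports. The script below is an added example written for this page; it is not the Microsoft script the asker mentions and not anything posted in the thread. It writes the static port values to the registry locations Microsoft documents for Exchange 2010 SP1 and later (pre-SP1 Address Book used a service .config file instead), restarts the two services, and then checks that listeners actually appeared on the configured ports. The port numbers 59531 and 59532 are constructed values chosen for illustration; any unused high ports work, but they must be the same on every CAS server behind the load balancer.

```powershell
# Added example (not from the thread): pin the Exchange 2010 RPC Client Access
# and Address Book listeners to static ports on one CAS server, then verify.
# Run elevated, on each CAS server, with the same port values everywhere.

$RpcPort = 59531   # constructed example value for RPC Client Access
$AbPort  = 59532   # constructed example value for the Address Book service

# Registry locations documented by Microsoft for Exchange 2010 SP1 and later
$RpcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeRPC\ParametersSystem'
$AbKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeAB\Parameters'

function Set-StaticExchangePorts {
    # RPC Client Access reads a DWORD value named "TCP/IP Port"
    if (-not (Test-Path $RpcKey)) { New-Item -Path $RpcKey -Force | Out-Null }
    New-ItemProperty -Path $RpcKey -Name 'TCP/IP Port' -PropertyType DWord `
        -Value $RpcPort -Force | Out-Null

    # The Address Book service reads a REG_SZ (string) value named "RpcTcpPort"
    if (-not (Test-Path $AbKey)) { New-Item -Path $AbKey -Force | Out-Null }
    New-ItemProperty -Path $AbKey -Name 'RpcTcpPort' -PropertyType String `
        -Value "$AbPort" -Force | Out-Null

    # Both services must be restarted to pick up the new values.
    # Restarting MSExchangeRPC drops active Outlook MAPI sessions on this CAS.
    Restart-Service MSExchangeRPC -Force
    Restart-Service MSExchangeAB  -Force
}

function Test-StaticExchangePorts {
    # Returns an object whose AllStatic property is $true only when both
    # configured ports have a LISTENING TCP socket on this server.
    $listening = (netstat -ano -p tcp) -match 'LISTENING'
    $rpcOk = [bool]($listening -match ":$RpcPort\s")
    $abOk  = [bool]($listening -match ":$AbPort\s")
    [pscustomobject]@{
        RpcClientAccess = $rpcOk
        AddressBook     = $abOk
        AllStatic       = ($rpcOk -and $abOk)
    }
}

Set-StaticExchangePorts
Test-StaticExchangePorts
```

After this returns AllStatic = True on every CAS server, the F5 virtual server and any firewall rule in front of it can be narrowed to TCP 135, 59531 and 59532 (plus 443 for Outlook Anywhere) instead of the whole dynamic range, which is the load and rule-sprawl concern raised in Busbar's first reply.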
Thanks for the info. I would personally set the static ports, but the client is not convinced that it is needed. I'll continue to work on them...