
Why Change Exchange 2010 Ports to Static?

vegas588 asked:
A client has purchased an F5 Load Balancer for use with Exchange 2010. In reading the documentation and a number of websites, almost all recommend setting the RPC and Address Book ports to static. I found the great PowerShell script that MS has provided to do this as well. What I am not finding is WHY I really need to change the ports to static. Can someone please explain the negative points for keeping dynamic port ranges for these services? Also, what about SSL offloading? Thanks.

Busbar
Solutions Architect

Commented:
If you don't use static ports then you will need to load balance the whole range of ports starting from 1204 to 65xxx. Does that make sense?

Author

Commented:
It does, but we tested it and Outlook still connects without the static ports. We did not specifically allow the whole range. Perhaps F5 and MS have come up with a new software/firmware that makes this possible?
Busbar
Solutions Architect

Commented:
OK, you are talking now from the server side; well, I can understand that.
From my point of view it depends on your infrastructure: if you have a firewall between CAS and NLB, then it will matter to have a static port; if not, then it won't matter and you don't need a static port. Unless I missed something serious.
Solutions Architect
CERTIFIED EXPERT
Commented:
Busbar is right, it depends on your network infrastructure and security settings.

If your network guys don't have any problem with opening all the ports then you can keep it as is; if you are running in a stricter environment then you might need to define the ports to be opened.

Author

Commented:
The architecture goes like this:
Internally, they have 2 CAS/HUB servers and 2 MB servers in a DAG. One AD Site and one physical Site. The F5 is on the same subnet as the Exchange servers. They have a Cisco ASA firewall, but no DMZ. So connections from Outlook Anywhere will go to the firewall and then be routed directly to the F5. Persons using Outlook Anywhere now work, as the firewall rule points directly to one of the CAS/HUB servers. We did not specifically allow all of the dynamic port ranges through the firewall. So, I don't see this functionality changing when we point the firewall rule to the F5.
Given this information, does it change anything?
Busbar
Solutions Architect

Commented:
nope.
Akhater
Solutions Architect
CERTIFIED EXPERT

Commented:
If the F5 is in the same subnet as your CAS servers, and since it seems you have no issues with having NLB configured with all ports (which might add load on the F5), then leave it as is.

Just note that there is no technical restriction for enabling static ports; it is just a best practice.

Author

Commented:
Thanks for the info. I would personally set the static ports, but the client is not convinced that it is needed. I'll continue to work on them...
