[Last Call] Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 261
  • Last Modified:

Advice configuring Firewall/router for Direct MAPI connection

I am moving a company over to a hosted Exchange. The hosting company is asking us to set up a direct MAPI connection to our server. Their instructions suggest :

"Your company Network Administrator should adjust firewall settings to allow connections from Intermedia IP ranges for ALL ports. Also, please make sure the traffic coming in from those ranges is properly NAT-ed to the back-end server"

Th router is an older Draytek device - Vigor 2600. IT doesnt seem to have the option to specify specific ip ranges. How can I therefore NAT their ip range to our Exchange server.

Do I just open the whole range of ports up to the ip address of the server?

Do I put the server in a DMZ? Unlikely I would imagine.

The port redirection table allows me to specify individual ports, but allowing ALL ports would take forever.

Any suggestions?
  • 2
1 Solution
AkinsdNetwork AdministratorCommented:
Not exactly familiar with your type of firewall but the following are a standard way of specifying a port range in an access list.

All you need is appending  the appropriate wild card mask for the range in mind eg
permit .............. .................... will cover the range to
permit .............. .................... will cover the range to
permit .............. .................... will cover the range to

• A wildcard mask bit 0 means check the corresponding bit value; they must match.
• A wildcard mask bit 1 means ignore that corresponding bit value; they need not match.

For port range
Permitting the whole IP without specifying ports automatically allows all ports for the IP specified

Hope this helps
The port redirection page should have a dropdown menu for Single and Range. You want this Range of course.
The problem is worse though, after you input that, EVERYONE has FULL access to your Exchange server on ALL levels.
You now have to start closing your firewall for everything and slowly build up exceptions (Intermedia IP range to your server). If InterMedia said only port 5000 through 5500, then it would be much easier, only adding this exception was enough.
roy_battyAuthor Commented:
My Draytek router didnt seem to have the option suggested by Kimputer. In the end I had to put the whole server into the DMZ for a short period whilst the the hosted exchange company exported the required data. Not ideal but it did the job.
roy_battyAuthor Commented:
The suggestions made did not resolve the issue

Featured Post

How to Use the Help Bell

Need to boost the visibility of your question for solutions? Use the Experts Exchange Help Bell to confirm priority levels and contact subject-matter experts for question attention.  Check out this how-to article for more information.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now