OUTLOOK 2010, Exchange 2010, Server 2008R2

We have an Exchange 2010 server running multirole for CAS, HT, MB. We have clients that are both local and remote. We are using Outlook 2010 for client applications. All of the clients that are on the same LAN work with no issues. We have other clients that are on our WAN that have a firewall at the remote side. Originally the remote clients could not set up their Outlook client at all. Then we added passthroughs on the firewall for TCP ports 443 and 135. At that point Outlook would autoconfigure but would not actually get any mail in the remote client mailboxes. The mailbox says it is disconnected all the time. I am sure this is a firewall issue but not sure what ports are going to be needed so that the Outlook clients can communicate with the CAS/MB Exchange and get and send email. What ports do I have to have opened on the firewall to allow remote clients to reach back?

Will Szymkowski, Senior Solution Architect, commented:
It really all depends on how the client is connecting to Exchange. If they are using straight MAPI then the client will connect using port 587. If they are using ActiveSync, Outlook Anywhere, or OWA, they are all using 443 (https).

techbnjcomp, Author, commented:
I just know the client is Outlook 2013 version. Is there a setting for MAPI or something else in Outlook? It is just a standard install, whatever that is using to try to connect to the Exchange 2010 servers.

Will Szymkowski, Senior Solution Architect, commented:
Exchange/Outlook client will connect using MAPI by default if no other settings are configured within Outlook (Outlook Anywhere).

Another thing: does the Test Email Auto Configuration work from the client's Outlook? Have you checked on your firewall to see what ports are being blocked, if any?

techbnjcomp, Author, commented:
The firewall is controlled by a different person, so no, I have not checked it. They will alter and open additional ports after I tell them what I want open. What I am seeking is exactly what ports I need without using any extras. As I said in the write-up, I had them do ports 135 and 443 and that allowed autodiscover to configure Outlook, but it does not allow it to actually connect and get mail.

Will Szymkowski, Senior Solution Architect, commented:
You also need to take DNS into consideration as well (53). Outlook clients using MAPI use port 587, as I have stated already.

David Johnson, CD, MVP, Owner, commented:
You should use https://testconnectivity.microsoft.com/ to check your network settings.

Simon Butler (Sembee), Consultant, commented:
You don't need port 135 open to an external network, so get that closed. That is a major security risk.

Outlook Anywhere is designed to work over port 443 only, that is the only port that you need.
Ensure the host name you are using for the Exchange server does NOT resolve on the internet, and the host name for Outlook Anywhere does. Check you have Outlook Anywhere enabled as well.

techbnjcomp, Author, commented:
I see a lot of statements here that just don't apply but that is my fault for not being clearer on my particular layout.

Regarding Mr. Johnson on using testconnectivity.microsoft.com. Wish I could, but that is blocked by our firewall and Blue Coat staff and they won't budge.

Regarding Mr. Butler and port 135 security risk. I am using the OUTLOOK client which I "believe" is different than Outlook Anywhere. I do think I need port 135 to make OUTLOOK work, but those are the answers I am seeking. Also, although my remote users are outside of a firewall, they are still my users having their own firewall. I am not that concerned about "risk" from that sense as they are all company baseline machines also. Of course if I really did not need it I would not open it regardless of who they were, as I consider it sloppy. I am just trying to get what I need.

Regarding Mr. Szymkowski and DNS. The people have their own AD DC there and it is on the same domain. That DC has firewall ports open so it is properly talking to other DCs. With that knowledge I assume I don't need to open TCP/UDP port 53 for Exchange purposes as they will talk to their own DC in their own AD site. Regarding port 587, the diagram I have says Outlook Anywhere uses 587, 25, 80 and 443 but OUTLOOK only uses 135 and 443 TCP.

Adding to this, I had my firewall guys run a traffic sniff and all they saw was port 135 from the Outlook client querying across the firewall to my client access server. That was trying to send/receive email. They already had the profile set up, so not sure if it needs more ports than just 135 when they do initial auto-discover and initial setup. I am still hunting for all the right answers for this given situation.

Simon Butler (Sembee), Consultant, commented:
"Regarding Mr. Butler and port 135 security risk. I am using the OUTLOOK client which I "believe" is different than Outlook Anywhere."

You are incorrect there.
Outlook Anywhere is not a client, it is a protocol, used by the Outlook client.
You are probably thinking of OWA.

There is no part of Exchange 2010 Outlook Anywhere that requires port 135 to be open.

Having port 135 open is the cause of your problems. For Outlook Anywhere to kick in it needs to fail to connect to Exchange via TCP/IP so it fails over to HTTPS. With port 135 open it makes Outlook think it is connecting to Exchange with TCP traffic and therefore doesn't fail over to HTTPS.
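
The check implied by the last answer, as an added example that is not part of the original thread: probe TCP 135 and 443 from a remote-site workstation and report which connection path Outlook would take according to that answer. The host name `mail.example.com` and the helper names `Test-TcpPort` and `Get-OutlookPathVerdict` are assumptions.

```powershell
# Added example, not from the thread. Run on a remote-site workstation.
# 'mail.example.com' is a placeholder for your Outlook Anywhere host name.
param(
    [string]$CasHost = 'mail.example.com',
    [int]$TimeoutMs = 3000
)

# Hypothetical helper: TCP connect with a timeout (works on PowerShell 2.0).
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false               # dropped or filtered: no answer in time
        }
        $client.EndConnect($pending)    # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Hypothetical helper: map the two probe results to the thread's explanation.
function Get-OutlookPathVerdict {
    param([bool]$Rpc135Open, [bool]$Https443Open)
    if (-not $Https443Open) {
        return 'TCP 443 unreachable: Outlook Anywhere has no path to the CAS.'
    }
    if ($Rpc135Open) {
        return 'TCP 135 reachable: Outlook attempts a direct TCP connection and does not fail over to HTTPS. Have 135 closed.'
    }
    return 'Only TCP 443 reachable: Outlook fails over to Outlook Anywhere (HTTPS).'
}

$rpc   = Test-TcpPort -HostName $CasHost -Port 135 -TimeoutMs $TimeoutMs
$https = Test-TcpPort -HostName $CasHost -Port 443 -TimeoutMs $TimeoutMs
"{0}: 135 open={1}, 443 open={2}" -f $CasHost, $rpc, $https
Get-OutlookPathVerdict -Rpc135Open $rpc -Https443Open $https
```

Running it before and after the firewall change gives the firewall team a concrete pass/fail for the rule set: the target state is 135 closed and 443 open.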