Exchange DAG replication between firewalls - ports needed

A site that I am visiting has three Exchange servers.

Two at their corporate office and one at a remote office (this last one is a new setup).

Their two at the corporate office cooperate within a DAG.

The client is looking to get the DAG connected up with the new Exchange box at the remote office.

They connect to their remote office with a point-to-point tunnel across a pair of Cisco ASAs.
The DAG traffic between their Exchange systems would go along this tunnel.

Reviewing Exchange Server Pro (port diagram posting) it appears the following ports are required for all three to communicate with each other across their DAG:

tcp/135 - RPC
tcp/64327 - Log Shipping
udp/3343 - Node Communication

Looking just at the DAG communication - not any of the other ports which are required - is this correct?

The posting also makes reference to a TCP dynamic range for DAG communication between the two.
What is this dynamic range for Exchange 2010?


If you have a tunnel between the ASAs, aren't you defining subnets that are allowed to pass through the tunnel? Given that, all ports would be passed; there should be no firewalling between locations.
You might also want to check the configuration with the various cmdlets, as described at The default replication port is 64327, but it's easy enough to have been changed by someone prior to you.
sectortech (Author) commented:
Yes, subnets are in place to allow traffic to pass between sites; however, only those required for specific traffic between sites are opened, as controlled by ACLs.

The replication port is confirmed at 64327.
Prior to bringing that new box on I'm trying to ensure nothing is missed prior to staring at Wireshark and Syslog to figure out what's missing.
I'm not aware of a specific dynamic range. This document talks about a high range of ports for server communications - - could be up there.
That document also talks about Microsoft's preference to not limit communications between internal hosts. In the spirit of security, how about just having the two DAGs with complete access to each other via IP, rather than restricting by port? This way, any random/dynamic port will not fall over, nor will you have to worry about it working this week, but not next week when it chooses a different dynamic range.
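As an added example (not code from the question or from either answer), a small Python check that compares an ASA-style ACL against the DAG ports listed in the question and reports which flows the ACL does not permit; it also shows why a single `permit ip` entry, as recommended above, satisfies every flow. The ACL lines and addresses are constructed, and the dynamic RPC range 49152-65535 is assumed to be the Windows Server 2008+ default, which should be confirmed on the mailbox servers.

```python
import re
# DAG traffic listed in the question. The dynamic RPC range is an assumption:
# Windows Server 2008 and later default to 49152-65535; confirm on each
# mailbox server with `netsh int ipv4 show dynamicport tcp`.
REQUIRED = {
    ("tcp", 135, 135): "RPC endpoint mapper",
    ("tcp", 64327, 64327): "Log shipping (DAG ReplicationPort)",
    ("udp", 3343, 3343): "Cluster node communication",
    ("tcp", 49152, 65535): "Dynamic RPC range",
}

# Constructed ASA ACL fragment with hypothetical addresses; udp/3343 is left out.
SAMPLE_ACL = """
access-list L2L_IN extended permit tcp 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0 eq 135
access-list L2L_IN extended permit tcp 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0 eq 64327
access-list L2L_IN extended permit tcp 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0 range 49152 65535
access-list L2L_IN extended deny ip any any
"""

def parse_ace(line):
    """Return (proto, lo, hi) for a permit entry, or None for deny/other lines.
    Only a trailing destination-port qualifier (eq N / range A B) is read;
    a permit without one, or 'permit ip', allows every port."""
    m = re.search(r"\bpermit (tcp|udp|ip)\b(.*)$", line)
    if not m:
        return None
    proto, rest = m.group(1), m.group(2)
    eq = re.search(r"\beq (\d+)\s*$", rest)
    rng = re.search(r"\brange (\d+) (\d+)\s*$", rest)
    if eq:
        lo = hi = int(eq.group(1))
    elif rng:
        lo, hi = int(rng.group(1)), int(rng.group(2))
    else:
        lo, hi = 0, 65535
    return proto, lo, hi

def is_covered(req, aces):
    """True if a single permit entry spans the whole required port range."""
    proto, lo, hi = req
    return any(p in (proto, "ip") and alo <= lo and hi <= ahi for p, alo, ahi in aces)

def missing_dag_rules(acl_text):
    """Descriptions of required DAG flows that the ACL does not permit."""
    aces = [a for a in map(parse_ace, acl_text.splitlines()) if a]
    return sorted(desc for req, desc in REQUIRED.items() if not is_covered(req, aces))

if __name__ == "__main__":
    for gap in missing_dag_rules(SAMPLE_ACL):
        print("ACL does not permit:", gap)
```

Running it against the constructed ACL reports only the missing udp/3343 cluster heartbeat; feeding it a single `permit ip` entry between the two mailbox servers reports nothing missing.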

sectortech (Author) commented:
Had a chance to speak with my client and proceeded with your solution.
Your solution was dead on.
It was nearly insane-making to trace all the ports that Exchange was using.

The DAGs have free access to each other and are communicating properly across the L2L VPN