Solved

Ports to open for exchange servers to talk to one another from different AD Sites with a FW between.

Posted on 2016-08-18
93 Views
Last Modified: 2016-08-19
OK, we currently have an Exchange 2010 env. and are adding new AD sites in another country. We need to deploy Exchange 2016 in those new AD sites. I understand they will be in the same org, which is great, but we have a firewall between the two sites. What ports do I have to have open between the sites so that the Exchange servers will communicate and route mail?

Obviously port 25 for mail flow, but what else?

Thanks in advance!
Question by:cdshreve
5 Comments
 
LVL 40

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 41761548
https://technet.microsoft.com/en-us/library/bb331973(v=exchg.150).aspx has port information. You should especially note this:
We do not support restricting or altering network traffic between internal Exchange servers, between internal Exchange servers and internal Lync or Skype for Business servers, or between internal Exchange servers and internal Active Directory domain controllers in any and all types of topologies. If you have firewalls or network devices that could potentially restrict or alter this kind of network traffic, you need to configure rules that allow free and unrestricted communication between these servers (rules that allow incoming and outgoing network traffic on any port—including random RPC ports—and any protocol that never alter bits on the wire).

The reason for this is that Exchange servers communicate with one another using RPC (*not* port 25), which utilizes random virtual ports for communication. If you *have* to have a firewall between Exchange servers, all ports need to be open between them to prevent communication failures.
1
 

Author Comment

by:cdshreve
ID: 41762447
Thanks! I had looked at that article already and apparently skimmed past that part.

We originally planned on having separate forests and orgs; that is why 25 was in my head still... ugh.

So I am still being pushed to find and open only the "really necessary" ports. I know, ugh.

So other than the full range of RPC ports, is there a list somewhere for the other needed ports? I'll fight to just get all ports open, but I want to be sure I cover all bases.

Thanks!
0
 
LVL 40

Expert Comment

by:Adam Brown
ID: 41762506
Fun. Well, you can tell them that if they close down any ports, Microsoft will not support the Exchange environment, and if things break badly, you're SOL on support from them unless every port is open between the two Exchange IPs (it's a perfectly acceptable firewall practice to open all ports between specific IPs if necessary).

Microsoft's current recommendation for Exchange architecture is actually to keep all servers in the same AD site. Multiple sites are supported, but because of how Exchange servers communicate with one another it isn't technically a good idea for them to be separated by firewalls.

Anyway, aside from the full RPC range (which is 40000 ports anyway, and if you're going to have those open you might as well open the rest), the ports listed in that article are all required as well, including the ones for Edge to CAS/MBX.
0
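To verify the "all ports between the two Exchange IPs" rule that the accepted solution and the comment above describe, here is an added PowerShell check (not from this thread or from Microsoft) to run on one Exchange server against its peer across the firewall. It tells a connection refused (RST came back, so the firewall passed the packet) apart from a timeout (packet silently dropped, so most likely filtered), which plain Test-NetConnection does not. Assumptions: $Peer is the remote server name or IP; 135 (RPC endpoint mapper) and 443 are taken from the TechNet port list, and 49152-65535 is the default Windows dynamic RPC range.

```powershell
# Added example: classify TCP reachability to a peer Exchange server as
# open / refused (reachable, nothing listening) / filtered (dropped, likely firewall).
param(
    [Parameter(Mandatory)][string]$Peer,        # assumption: peer Exchange server in the other AD site
    [int[]]$Ports = @(25, 135, 443),            # assumption: SMTP, RPC endpoint mapper, HTTPS
    [int]$DynamicSamples = 5,                   # random probes into the dynamic RPC range
    [int]$TimeoutMs = 2000
)

function Test-TcpState {
    param([string]$Target, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return 'filtered'          # no SYN/ACK and no RST within the timeout
        }
        $client.EndConnect($async)     # throws SocketException on RST
        return 'open'
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }   # unwrap MethodInvocationException
        if ($ex -is [System.Net.Sockets.SocketException] -and
            $ex.SocketErrorCode -eq 'ConnectionRefused') {
            return 'refused'           # RST received: the firewall let the packet through
        }
        return "error: $($ex.Message)"
    } finally {
        $client.Close()
    }
}

# Assumption: Windows default dynamic RPC port range; sample a few ports from it.
$dynamic = Get-Random -InputObject (49152..65535) -Count $DynamicSamples
$results = foreach ($p in ($Ports + $dynamic)) {
    [pscustomobject]@{
        Peer  = $Peer
        Port  = $p
        State = Test-TcpState -Target $Peer -Port $p -TimeoutMs $TimeoutMs
    }
}
$results | Format-Table -AutoSize

$blocked = @($results | Where-Object State -eq 'filtered')
if ($blocked.Count -gt 0) {
    Write-Warning "$($blocked.Count) of $($results.Count) probed ports appear filtered toward $Peer; Exchange-to-Exchange RPC needs the whole range passed."
}
```

A 'refused' result on a random dynamic port is the expected healthy outcome, since nothing listens there until RPC assigns it; 'filtered' on any port means the inter-site rule is not actually wide open.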
 

Author Comment

by:cdshreve
ID: 41762539
Exactly what I just told them :)  That seemed to bring it home for them.

I have requested it to be wide open :)

Thanks!!
0
 

Author Closing Comment

by:cdshreve
ID: 41762542
Thanks!  Thank you for bearing with me.  Good stuff!
0
