  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 266

Ports to open for exchange servers to talk to one another from different AD Sites with a FW between.

OK, we currently have an Exchange 2010 environment and are adding new AD sites in another country. We need to deploy Exchange 2016 in those new AD sites. I understand they will be in the same org, which is great, but we have a firewall between the two sites. What ports do I have to have open between the sites so that the Exchange servers will communicate and route mail?

Obviously port 25 for mail flow, but what else?

Thanks in advance!
Asked by cdshreve
1 Solution
 
Adam Brown (Sr Solutions Architect) commented:
https://technet.microsoft.com/en-us/library/bb331973(v=exchg.150).aspx has port information. You should especially note this:
We do not support restricting or altering network traffic between internal Exchange servers, between internal Exchange servers and internal Lync or Skype for Business servers, or between internal Exchange servers and internal Active Directory domain controllers in any and all types of topologies. If you have firewalls or network devices that could potentially restrict or alter this kind of network traffic, you need to configure rules that allow free and unrestricted communication between these servers (rules that allow incoming and outgoing network traffic on any port—including random RPC ports—and any protocol that never alter bits on the wire).

The reason for this is that Exchange servers communicate with one another using RPC (*not* port 25), which utilizes random virtual ports for communication. If you *have* to have a firewall between Exchange servers, all ports need to be open between them to prevent communication failures.
1
 
cdshreve (Author) commented:
Thanks! I had looked at that article already and apparently skimmed past that part.

We originally planned on having separate forests and orgs; that is why 25 was still in my head... ugh.


So I am still being pushed to find and open only the "really necessary" ports. I know, ugh.

So other than the full range of RPC ports, is there a list somewhere for the other needed ports? I'll fight to just get all ports open, but I want to be sure I cover all bases.

Thanks!
0
 
Adam Brown (Sr Solutions Architect) commented:
Fun. Well, you can tell them that if they close down any ports, Microsoft will not support the Exchange environment, and if things break badly you're SOL on support from them unless every port is open between the two Exchange IPs (it's a perfectly acceptable firewall practice to open all ports between specific IPs if necessary).

Microsoft's current recommendation for Exchange architecture is actually to keep all servers in the same AD site. Multiple sites are supported, but because of how Exchange servers communicate with one another it isn't technically a good idea for them to be separated by firewalls.

Anyway, aside from the full RPC range (which is 40000 ports anyway, and if you're going to have those open you might as well open the rest), the ports listed in that article are all required as well, including the ones for Edge to CAS/MBX.
0
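To make the point in the two answers above concrete (RPC endpoint mapper on 135 hands out a port from the dynamic range, so the fixed ports alone are never enough), here is an added PowerShell check that is not part of the original thread. Run it on one Exchange server against a peer across the firewall: it probes the well-known Exchange-to-Exchange TCP ports and then prints this host's RPC dynamic range, which must also be allowed in both directions. The peer name is a placeholder, and the port list is my reading of the TechNet article linked in the accepted answer (DAG replication on 64327 only matters if a DAG spans the sites); verify it against the version of the article for your build.

```powershell
# Added example, not from the original thread. Probes the TCP ports an Exchange
# server needs to reach a peer through an inter-site firewall and reports the RPC
# dynamic port range that the firewall must allow as well.
# Assumptions: $Target is a placeholder name; port purposes are taken from the
# TechNet "network ports" article referenced in the accepted answer.

param(
    [string]$Target    = 'EX16-MBX01.contoso.example',  # placeholder peer
    [int]   $TimeoutMs = 3000
)

# Well-known ports used between Exchange servers (assumed from the TechNet article).
$Ports = [ordered]@{
    25    = 'SMTP between Transport services'
    135   = 'RPC endpoint mapper (real channel lands in the dynamic range)'
    443   = 'HTTPS front end (OWA/EWS/MAPI proxying between sites)'
    444   = 'HTTPS Mailbox back end'
    2525  = 'SMTP Transport service on a Mailbox server'
    64327 = 'DAG log replication (only if a DAG spans the sites)'
}

function Test-TcpPort {
    # Uses System.Net.Sockets.TcpClient so it also works on Server 2008 R2,
    # which has no Test-NetConnection.
    param([string]$Computer, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false      # no SYN/ACK within the timeout: filtered or dropped
        }
        $client.EndConnect($async)   # throws if the peer actively refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($p in $Ports.Keys) {
    [pscustomobject]@{
        Port    = $p
        Purpose = $Ports[$p]
        Open    = Test-TcpPort -Computer $Target -Port $p -TimeoutMs $TimeoutMs
    }
}
$results | Format-Table -AutoSize

# Port 135 only negotiates an endpoint; the RPC session itself uses a port from
# the local dynamic range, so the whole range (on both hosts) must be allowed.
$dyn   = netsh int ipv4 show dynamicport tcp
$start = [int]($dyn | Select-String 'Start Port\s*:\s*(\d+)').Matches[0].Groups[1].Value
$count = [int]($dyn | Select-String 'Number of Ports\s*:\s*(\d+)').Matches[0].Groups[1].Value
$end   = $start + $count - 1
"RPC dynamic range on this host: $start-$end ($count ports). Allow the same range from the peer."
```

A port reported as not open here may be filtered by the firewall or simply have nothing listening on the peer, so read the results alongside the firewall rule base. The script only tells you whether the fixed ports are reachable; it cannot prove the dynamic range is open end to end, which is exactly why the answer recommends allowing all traffic between the two server addresses.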
 
cdshreve (Author) commented:
Exactly what I just told them :)  That seemed to bring it home for them.

I have requested it to be wide open :)

Thanks!!
0
 
cdshreve (Author) commented:
Thanks!  Thank you for bearing with me.  Good stuff!
0