Solved

Ports to open for exchange servers to talk to one another from different AD Sites with a FW between.

Posted on 2016-08-18
68 Views
Last Modified: 2016-08-19
OK, we currently have an Exchange 2010 environment and are adding new AD sites in another country. We need to deploy Exchange 2016 in those new AD sites. I understand they will be in the same org, which is great, but we have a firewall between the two sites. What ports do I have to have open between the sites so that the Exchange servers will communicate and route mail?

Obviously port 25 for mail flow, but what else?

Thanks in advance!
Question by: cdshreve
5 Comments
Accepted Solution
by: Adam Brown (LVL 38), earned 500 total points
ID: 41761548
https://technet.microsoft.com/en-us/library/bb331973(v=exchg.150).aspx has port information. You should especially note this:
We do not support restricting or altering network traffic between internal Exchange servers, between internal Exchange servers and internal Lync or Skype for Business servers, or between internal Exchange servers and internal Active Directory domain controllers in any and all types of topologies. If you have firewalls or network devices that could potentially restrict or alter this kind of network traffic, you need to configure rules that allow free and unrestricted communication between these servers (rules that allow incoming and outgoing network traffic on any port—including random RPC ports—and any protocol that never alter bits on the wire).

The reason for this is that Exchange servers communicate with one another using RPC (*not* port 25), which utilizes random virtual ports for communication. If you *have* to have a firewall between Exchange servers, all ports need to be open between them to prevent communication failures.
Author Comment
by: cdshreve
ID: 41762447
Thanks! I had looked at that article already and apparently skimmed past that part.

We originally planned on having separate forests and orgs; that is why 25 was still in my head... ugh.


So I am still being pushed to find and open only the "really necessary" ports. I know, ugh.

So other than the full range of RPC ports, is there a list somewhere for the other needed ports? I'll fight to just get all ports open, but I want to be sure I cover all bases.

Thanks!
Expert Comment
by: Adam Brown (LVL 38)
ID: 41762506
Fun. Well, you can tell them that if they close down any ports, Microsoft will not support the Exchange environment, and if things break badly, you're SOL on support from them unless every port is open between the two Exchange IPs (it's a perfectly acceptable firewall practice to open all ports between specific IPs if necessary).

Microsoft's current recommendation for Exchange architecture is actually to keep all servers in the same AD site. Multiple sites are supported, but because of how Exchange servers communicate with one another it isn't technically a good idea for them to be separated by firewalls.

Anyway, aside from the full RPC range (which is 40000 ports anyway, and if you're going to have those open you might as well open the rest), the ports listed in that article are all required as well, including the ones for Edge to CAS/MBX.
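The accepted answer's point (Exchange-to-Exchange traffic is RPC, which starts on the endpoint mapper port and then moves to a dynamic port, so a firewall that passes only port 25 will break it) and the recommendation above to open every port and protocol between the specific Exchange IPs can both be checked against a firewall policy before the change window. This is an added example, not code from the thread, from Microsoft or from Experts Exchange: a small first-match rule evaluator in Python that audits one pair of Exchange servers in both directions. The 10.x addresses and both rule sets are constructed; TCP 135 as the RPC endpoint mapper and 49152-65535 as the Windows Server 2008+ dynamic RPC range are assumptions of the example, not something the thread states.

```python
import ipaddress
from dataclasses import dataclass

RPC_ENDPOINT_MAPPER = 135     # TCP port an RPC client asks first, before it is handed a dynamic port
RPC_DYNAMIC = (49152, 65535)  # assumed Windows Server 2008+ dynamic RPC range (not stated in the thread)

@dataclass
class Rule:
    src: str      # source network, CIDR
    dst: str      # destination network, CIDR
    proto: str    # "tcp", "udp" or "any"
    ports: tuple  # inclusive (low, high); (1, 65535) means any port
    action: str   # "allow" or "deny"

    def __post_init__(self):  # parse the CIDRs once so per-port evaluation stays cheap
        self.src, self.dst = ipaddress.ip_network(self.src), ipaddress.ip_network(self.dst)

def evaluate(rules, s, d, proto, port):
    """First matching rule wins (s, d are ipaddress objects); no match hits the implicit default deny."""
    for r in rules:
        if s in r.src and d in r.dst and r.proto in ("any", proto) and r.ports[0] <= port <= r.ports[1]:
            return r.action
    return "deny"

def range_allowed(rules, s, d, proto, lo, hi):
    """True only if every port lo..hi is allowed; stops at the first blocked port."""
    return all(evaluate(rules, s, d, proto, p) == "allow" for p in range(lo, hi + 1))

def audit_exchange_pair(rules, server_a, server_b):
    """Check both directions between two Exchange servers for the flows the thread discusses."""
    a, b = ipaddress.ip_address(server_a), ipaddress.ip_address(server_b)
    findings = {}
    for src, dst in ((a, b), (b, a)):
        findings[f"{src}->{dst}"] = {
            "smtp_25": evaluate(rules, src, dst, "tcp", 25) == "allow",
            "rpc_epm_135": evaluate(rules, src, dst, "tcp", RPC_ENDPOINT_MAPPER) == "allow",
            "rpc_dynamic_all": range_allowed(rules, src, dst, "tcp", *RPC_DYNAMIC),
            # what the accepted answer actually calls for: any port, any protocol, both ways
            "unrestricted": all(range_allowed(rules, src, dst, pr, 1, 65535) for pr in ("tcp", "udp")),
        }
    return findings

# Constructed sample policies: the "port 25 only" rules the question started from ...
EXCH2010, EXCH2016 = "10.1.0.10", "10.2.0.10"  # constructed addresses, one server per AD site
SMTP_ONLY = [Rule("10.1.0.0/24", "10.2.0.0/24", "tcp", (25, 25), "allow"),
             Rule("10.2.0.0/24", "10.1.0.0/24", "tcp", (25, 25), "allow")]
# ... and the host-pair "allow everything" rules the expert recommends instead.
HOST_PAIR_ANY = [Rule("10.1.0.10/32", "10.2.0.10/32", "any", (1, 65535), "allow"),
                 Rule("10.2.0.10/32", "10.1.0.10/32", "any", (1, 65535), "allow")]
```

Running `audit_exchange_pair(SMTP_ONLY, EXCH2010, EXCH2016)` reports SMTP open but the endpoint mapper, the dynamic range and the "unrestricted" check all failing; the host-pair policy passes every check, and a single deny placed ahead of it shows up as a failure in that one direction only.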
Author Comment
by: cdshreve
ID: 41762539
Exactly what I just told them :) That seemed to bring it home for them.

I have requested it to be wide open :)

Thanks!!
Author Closing Comment
by: cdshreve
ID: 41762542
Thanks! Thank you for bearing with me. Good stuff!