Need to know the ports that need to be opened on the firewall between the Front End OWA and the Back End Exchange 2003 (internal LAN)
Hi,
We are running Exchange 2003 with an OWA front end and a back end that runs the mailbox server.
We are trying to identify the ports that need to be open between the front end (OWA), which is on the DMZ, and the back-end mailbox server (protected LAN) for the users to be able to access their mail.
The current rule is ANY and we need to narrow this down to the ports that are needed.
Thank you.
March 22nd, 2011 10:32am
According to the following article
http://www.msexchange.org/tutorials/OWA_Exchange_Server_2003.html
The following needs to be done. Are all these steps necessary?
On the intranet firewall (which connects the DMZ and the internal network) we have to open the following ports:
For Exchange Communication:
Port 80 for HTTP
Port 691 for Link State Algorithm routing protocol
For Active Directory communication:
Port 389 for LDAP (TCP and UDP)
Port 3268 for Global Catalog Server LDAP (TCP)
Port 88 for Kerberos Authentication (TCP and UDP)
Note: You should now configure the DSAccess service for perimeter networks on your Frontend Server. At first you should disable the check for available disk space at netlogon by using RPC. This
can be done by changing the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeDSAccess
Registry Value: DisableNetlogonCheck
Value Type: REG_DWORD
Value Data: 1
In addition to this you should prevent DSAccess from pinging domain controllers. This can be done by creating the following key on your Frontend Server:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeDSAccess
Registry Value: LdapKeepAliveSecs
Value Type: REG_DWORD
Value Data: 0
Then you should configure your Exchange Frontend Server to connect to the DC and GC you want by editing the server properties in Exchange System Manager.
For DNS communication:
Port 53 for DNS (TCP and UDP)
For RPC communication:
Port 135 – RPC endpoint mapper (TCP)
Ports 1024 and higher for RPC services
Note: You can limit RPCs across the firewall by editing the registry of all your DCs. You should now change the registry setting of the following key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Registry Value: TCP/IP Port
Value Type: REG_DWORD
Value Data: (available port)
March 22nd, 2011 10:38am
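As an added example (not from this thread or the linked article), the following PowerShell script applies the two MSExchangeDSAccess registry values quoted above on the front-end server and then tests TCP reachability of the ports the article lists, so the narrowed rule can be verified before the ANY rule is removed. It assumes PowerShell is installed on the front end and that BACKEND-MAILBOX and DC01 are placeholder hostnames; UDP ports cannot be verified with a connect test and are left out.

```powershell
# Added example: apply the DSAccess registry values quoted in the article and
# verify TCP reachability of the listed ports from the OWA front end.
# Run on the front-end server as an administrator. Hostnames are placeholders.
$BackEnd = 'BACKEND-MAILBOX'   # placeholder: back-end mailbox server
$Dc      = 'DC01'              # placeholder: DC / GC selected in Exchange System Manager

$DsAccessKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeDSAccess'
if (-not (Test-Path $DsAccessKey)) { New-Item -Path $DsAccessKey -Force | Out-Null }
# Disable the netlogon free-disk-space check that DSAccess performs over RPC
Set-ItemProperty -Path $DsAccessKey -Name 'DisableNetlogonCheck' -Type DWord -Value 1
# Stop DSAccess from pinging domain controllers
Set-ItemProperty -Path $DsAccessKey -Name 'LdapKeepAliveSecs' -Type DWord -Value 0
Get-ItemProperty -Path $DsAccessKey | Select-Object DisableNetlogonCheck, LdapKeepAliveSecs

# TCP ports named in the article, mapped to the host each one should reach
$Checks = @(
    @{ Host = $BackEnd; Port = 80;   Use = 'HTTP to back-end mailbox server' },
    @{ Host = $BackEnd; Port = 691;  Use = 'Link State Algorithm routing' },
    @{ Host = $Dc;      Port = 389;  Use = 'LDAP' },
    @{ Host = $Dc;      Port = 3268; Use = 'Global Catalog LDAP' },
    @{ Host = $Dc;      Port = 88;   Use = 'Kerberos' },
    @{ Host = $Dc;      Port = 53;   Use = 'DNS' },
    @{ Host = $Dc;      Port = 135;  Use = 'RPC endpoint mapper' }
)

# Connect test with a timeout; a firewall that silently drops packets would
# otherwise hang the script for the full TCP handshake timeout.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

foreach ($c in $Checks) {
    $state = if (Test-TcpPort -ComputerName $c.Host -Port $c.Port) { 'OPEN' } else { 'BLOCKED' }
    '{0,-8} {1,-18}:{2,-5} {3}' -f $state, $c.Host, $c.Port, $c.Use
}
```

A port reported BLOCKED for a service the front end needs indicates the narrowed rule is missing that port; a port reported OPEN that is not in the list indicates the rule is still wider than needed.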
On the intranet firewall (which connects the DMZ and the internal network) we have to open the following ports:
For Exchange Communication: Port 80 for HTTP; Port 691 for Link State Algorithm routing protocol.
For Active Directory communication: Port 389 for LDAP (TCP and UDP); Port 3268 for Global Catalog Server LDAP (TCP); Port 88 for Kerberos Authentication (TCP and UDP).
DNS: 137 UDP; 53 TCP, UDP.
These ports seem to be fine and OWA works fine. I have found an article that specifies the following ports for the OWA box: 53 TCP, UDP; 88 TCP, UDP; 123 TCP; 135 TCP; 389 TCP, UDP; 445 TCP; 3268 TCP; 137 UDP; 138 UDP; and 139 TCP.
I have not included the following ports on my firewall but I was wondering if they need to be opened: 123 TCP; 135 TCP; 445 TCP; 138 UDP; and 139 TCP.
March 22nd, 2011 11:14am
You can follow the guidance here, it has all the ports you need to open.
Implementing Outlook Web Access with Exchange Server 2003
http://www.msexchange.org/tutorials/OWA_Exchange_Server_2003.html
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
March 22nd, 2011 12:54pm
James’s link has mentioned all the needed ports when using OWA in Exchange 2003 server. Regarding port 135 TCP, you should enable it to connect to the DC
and GC you want by editing the server properties in Exchange System Manager.
Regarding the other ports, you need not enable them if there is no other application on the server which requires the port.
Thanks.
Novak Wu
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact
tngfb@microsoft.com
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
March 23rd, 2011 4:06am