Need to know the ports that need to be opened on the firewall between the Front End OWA and the Back End Exchange 2003 (internal LAN)
Hi, we are running Exchange 2003 with an OWA front end and a back end that runs the mailbox server. We are trying to identify the ports that need to be open between the front end (OWA), which is on the DMZ, and the back-end mailbox server (protected LAN) for users to be able to access their mail. The current rule is ANY and we need to narrow this down to the ports that are needed. Thank you.
March 22nd, 2011 10:32am

According to the following article http://www.msexchange.org/tutorials/OWA_Exchange_Server_2003.html the following needs to be done. Are all these steps necessary?

On the intranet firewall (which connects the DMZ and the internal network) we have to open the following ports:

For Exchange communication:
- Port 80 for HTTP
- Port 691 for Link State Algorithm routing protocol

For Active Directory communication:
- Port 389 for LDAP (TCP and UDP)
- Port 3268 for Global Catalog Server LDAP (TCP)
- Port 88 for Kerberos Authentication (TCP and UDP)

Note: You should now configure the DSAccess service for perimeter networks on your Frontend Server. At first you should disable the check for available disk space at netlogon by using RPC. This can be done by changing the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeDSAccess
Registry Value: DisableNetlogonCheck
Value Type: REG_DWORD
Value Data: 1

In addition to this you should prevent DSAccess from pinging domain controllers. This can be done by creating the following key on your Frontend Server:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeDSAccess
Registry Value: LdapKeepAliveSecs
Value Type: REG_DWORD
Value Data: 0

Then you should configure your Exchange Frontend Server to connect to the DC and GC you want by editing the server properties in Exchange System Manager.

For DNS communication:
- Port 53 for DNS (TCP and UDP)

For RPC communication:
- Port 135 – RPC endpoint mapper (TCP)
- Ports 1024 and higher for RPC services

Note: You can limit RPCs across the firewall by editing the registry of all your DCs. You should now change the registry setting of the following key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Registry Value: TCP/IP Port
Value Type: REG_DWORD
Value Data: (available port)
March 22nd, 2011 10:38am
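As an added example (not part of the thread or the linked article), the following PowerShell script checks the TCP ports listed in the post above from the front-end OWA server and confirms the two DSAccess registry values it describes. The hostnames are placeholders; it uses System.Net.Sockets.TcpClient rather than Test-NetConnection so that it also runs on the older PowerShell versions found on Server 2003. UDP ports (53, 88, 389 over UDP) are not probed, because a UDP connect cannot prove reachability without a protocol-specific request, and the dynamic RPC range above 1024 is not probed either; if you pin the DC's NTDS "TCP/IP Port" value as the post suggests, add that fixed port to the list.

```powershell
# Added example: verify the firewall rule set described above from the front-end
# OWA server. Hostnames are placeholders for this example, not values from the thread.
$BackEnd   = "backend.example.local"   # placeholder: back-end mailbox server
$DC        = "dc01.example.local"      # placeholder: domain controller / global catalog
$TimeoutMs = 3000

# TCP ports taken from the post above. UDP and the dynamic RPC range are not checked here.
$Checks = @(
    @{ Host = $BackEnd; Port = 80;   Purpose = "HTTP to back-end" },
    @{ Host = $BackEnd; Port = 691;  Purpose = "Link State Algorithm routing" },
    @{ Host = $DC;      Port = 389;  Purpose = "LDAP" },
    @{ Host = $DC;      Port = 3268; Purpose = "Global Catalog LDAP" },
    @{ Host = $DC;      Port = 88;   Purpose = "Kerberos" },
    @{ Host = $DC;      Port = 53;   Purpose = "DNS" },
    @{ Host = $DC;      Port = 135;  Purpose = "RPC endpoint mapper" }
)

# Returns $true when a TCP handshake completes within the timeout, $false otherwise.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused or reset
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

"Port reachability from this front-end server:"
foreach ($c in $Checks) {
    $ok    = Test-TcpPort -ComputerName $c.Host -Port $c.Port -TimeoutMs $TimeoutMs
    $state = if ($ok) { "open" } else { "BLOCKED" }
    "{0,-28} {1,5}/tcp  {2,-8} {3}" -f $c.Host, $c.Port, $state, $c.Purpose
}

# Registry values the post says to set on the front-end server.
$DsAccess = "HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeDSAccess"
$Expected = @{ DisableNetlogonCheck = 1; LdapKeepAliveSecs = 0 }

"DSAccess registry values:"
foreach ($name in $Expected.Keys) {
    $item   = Get-ItemProperty -Path $DsAccess -Name $name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.$name } else { "<missing>" }
    $state  = if ("$actual" -eq "$($Expected[$name])") { "ok" } else { "MISMATCH" }
    "{0,-22} expected={1} actual={2}  {3}" -f $name, $Expected[$name], $actual, $state
}
```

Run it on the front-end server after tightening the ANY rule; a BLOCKED line for one of the ports above identifies a rule the firewall still needs, while an open line for a port not in the list is one that can be closed.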

On the intranet firewall (which connects the DMZ and the internal network) we have to open the following ports:

For Exchange communication:
- Port 80 for HTTP
- Port 691 for Link State Algorithm routing protocol

For Active Directory communication:
- Port 389 for LDAP (TCP and UDP)
- Port 3268 for Global Catalog Server LDAP (TCP)
- Port 88 for Kerberos Authentication (TCP and UDP)

DNS:
- 137 UDP
- 53 TCP, UDP

These ports seem to be fine and OWA works fine. I have found an article that specifies the following ports for the OWA box: 53 TCP, UDP; 88 TCP, UDP; 123 TCP; 135 TCP; 389 TCP, UDP; 445 TCP; 3268 TCP; 137 UDP; 138 UDP; and 139 TCP. I have not included the following ports on my firewall but I was wondering if they need to be opened: 123 TCP; 135 TCP; 445 TCP; 138 UDP; and 139 TCP.
March 22nd, 2011 11:14am

You can follow the guidance here, it has all the ports you need to open. Implementing Outlook Web Access with Exchange Server 2003: http://www.msexchange.org/tutorials/OWA_Exchange_Server_2003.html

James Chong
MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL
msexchangetips.blogspot.com
March 22nd, 2011 12:54pm

James's link mentions all the needed ports when using OWA in Exchange 2003 server. Regarding port 135 TCP, you should enable it to connect to the DC and GC you want by editing the server properties in Exchange System Manager. Regarding the other ports, you need not enable them if there is no other application on the server which requires the port. Thanks.

Novak Wu
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
March 23rd, 2011 4:06am
