When your advanced firewall server (for example, ISA) is not also your intranet firewall (there is an additional firewall between the advanced firewall and the front-end server), you must open the required protocol ports in your intranet firewall to allow the advanced firewall server to forward the requests.

Protocol ports required to allow advanced firewall server to forward requests

Additional ports may be required if the advanced firewall is performing tasks such as authenticating users. See your advanced firewall documentation for more information.

Note:
Other firewall vendors might recommend that you make additional configuration settings to their individual products for IP fragmentation.

If positioned in a perimeter network, the front-end server must be able to initiate connections to back-end servers and Active Directory® directory service servers. Therefore, you would configure the internal firewall with a rule that allows inbound port 80 traffic from the perimeter network into the corporate network. This rule will not allow outbound port 80 traffic from inside the corporate network to the front-end server. All the port discussions that follow refer to inbound ports carrying traffic from the server in the perimeter network to the back-end servers.

Note:
The preferred method of deployment is for the front-end server to be on the intranet with the back-end servers and to use an advanced firewall as your perimeter network. You only need to follow this section if you have certain requirements where you must position the Exchange front-end server in the perimeter network.

In every case, all the supported protocol ports must be open on the inner firewall. The SSL ports do not need to be open, because SSL is not used in communication between the front-end server and the back-end servers. The following table lists the ports required for the intranet firewall. These ports are specific to inbound traffic (from the front-end server to the back-end servers).

Protocol ports required for the intranet firewall

Note:

In this table, "inbound" means that the firewall should be configured to allow computers in the perimeter network, such as the advanced firewall server, to initiate connections to the front-end server on the corporate network. The front-end server never has to initiate connections to the computers in the perimeter network. The front-end server responds only to connections initiated by the computers in the perimeter network.

To communicate with Active Directory, the Exchange front-end server requires LDAP ports to be open. Both TCP and UDP are required: Windows on the front-end server will send a 389/UDP LDAP request to a domain controller to check if it is available for use; the LDAP traffic after that uses TCP. Windows Kerberos authentication is also used; therefore, the Kerberos ports must also be open. Both TCP and UDP are required for Kerberos as well: Windows uses UDP/88 by default, but when the data is larger than the maximum packet size for UDP, it uses TCP. The following table lists the ports that are required for communicating with Active Directory and Kerberos.

Ports required for Active Directory communication and Kerberos

There are two sets of optional ports that can be opened in the firewall. The decision to open them depends on the policies of the corporation. Each decision involves tradeoffs in the areas of security, ease of administration, and functionality.

The front-end server needs access to a DNS server to correctly look up server names (for example, to convert server names to IP addresses). The following table lists the ports required for access.

If you do not want to open these ports, you must install a DNS server on the front-end server and enter the appropriate name to IP mappings for all the servers it might need to contact. Additionally, you must also configure all the Active Directory SRV records because the front-end must be able to locate domain controllers. If you choose to install a DNS server, be sure to keep these mappings up-to-date when changes are made to the organization.

Ports required for access to DNS server

Note:
Most services use UDP for DNS lookups and use TCP only when the query is larger than the maximum packet size. The Exchange SMTP service, however, uses TCP by default for DNS lookups. For more information, see Microsoft Knowledge Base article 263237, "XCON: Windows 2000 and Exchange 2000 SMTP Use TCP DNS Queries."

The following table lists the requirements for allowing IPSec traffic across the intranet firewall. You only need to enable the port that applies to the protocol you configure; for example, if you choose to use ESP, you only need to allow IP protocol 50 across the firewall.

Ports required for IPSec

DSAccess no longer uses RPCs to do Active Directory service discovery. However, because your front-end server is configured to authenticate requests, IIS must still have RPC access to Active Directory to authenticate the requests. Therefore, you must open the RPC ports that are listed in the "RPC ports required for authentication" table below.

If you have a locked-down perimeter network in which it is impossible for the front-end server to authenticate users, you might not be allowed to open the RPC ports that are listed in the "RPC ports required for authentication" table below. Without these RPC ports, the front-end server cannot do authentication. You can configure the front-end server to allow anonymous access, but you should understand the risks of doing so. For more information, see Authentication Mechanisms for HTTP.

Instead of stopping all RPC traffic, it is recommended that you restrict RPC traffic by opening one port (as described in the next section).

If you want the features that require RPCs, such as authentication or implicit logon, but do not want to open the wide range of ports above 1024, you can configure your domain controllers and global catalog servers to use a single known port for all RPC traffic. For more information about how to restrict RPC traffic, see Microsoft Knowledge Base article 224196, "Restricting Active Directory Replication Traffic to a Specific Port."

To authenticate clients, the registry key (described in the above knowledge base article and listed below) must be set on any server that the front-end server may contact with RPCs such as a global catalog server. Set the following registry key to a specific port, such as 1600:

HKEY_LOCAL_MACHINE\CurrentControlSet\Services\NTDS\Parameters

Registry Value: TCP/IP Port Value Type: REG_DWORD Value Data: (available port)

On the firewall between the perimeter network and your intranet, you need to open only two ports for RPC communication — the RPC portmapper (135) and the port you specify (port 1600, as listed in the following table). The front-end server first attempts to contact back-end servers with RPCs over port 135, and the back-end server responds with the RPC port it is actually using.

Note:

Exchange System Administrator uses RPCs to administer Exchange servers. It is recommended that you do not use Exchange System Administrator on a front-end server to administer back-end servers because this requires configuring RPC access from the front-end to each back-end server. Instead, you should use Exchange System Administrator from an Exchange client computer or a back-end server to administer back-end servers. You can still use Exchange System Administrator on the front-end server to administer the front-end server itself.

RPC ports required for authentication