Configuring an Intranet Firewall

This topic discusses the use of a perimeter network in which you use both an external and internal firewall. The following sections describe how to configure your perimeter network, intranet firewall, and ISA Server to allow Exchange to function correctly.

New in SP2: With the release of Microsoft® Exchange Server 2003 Service Pack 2 (SP2), Microsoft introduced Direct Push technology, which allows Exchange ActiveSync® to deliver e-mail messages to the mobile device as soon as they arrive on the server. With Direct Push, whenever the back-end server receives e-mail or data to be transmitted to a mobile device, it sends a UDP notification to the front-end server. If a firewall sits between the two servers, UDP port 2883 must be open on it to allow this one-way traffic from the back-end server to the front-end server. This is the only flow in this topic that the back-end server initiates toward the front-end server; every other rule below is for connections initiated from the front-end side.

For more information about the deployment of Direct Push technology and its effect on firewall configuration, see the following Exchange Server blog article:

Advanced Firewall Server in the Perimeter Network

When your advanced firewall server (for example, ISA) is not also your intranet firewall (that is, there is an additional firewall between the advanced firewall and the front-end server), you must open the required protocol ports in your intranet firewall so that the advanced firewall server can forward client requests to the front-end server.

Protocol ports required to allow the advanced firewall server to forward requests

Destination port number/transport   Protocol
443/TCP inbound or 80/TCP inbound   HTTPS (SSL-secured HTTP) or HTTP, depending on whether the advanced firewall (such as ISA) is offloading (terminating) the SSL connection
993/TCP inbound                     SSL-secured IMAP
995/TCP inbound                     SSL-secured POP
25/TCP inbound                      SMTP

Additional ports may be required if the advanced firewall is performing tasks such as authenticating users. See your advanced firewall documentation for more information.

Note

Other firewall vendors might recommend that you make additional configuration settings to their individual products for IP fragmentation.

Front-end Server in Perimeter Network

If positioned in a perimeter network, the front-end server must be able to initiate connections to back-end servers and to Active Directory® directory service servers. Therefore, you configure the internal firewall with rules that allow inbound traffic (for example, port 80/TCP) from the perimeter network into the corporate network. Such a rule does not allow outbound port 80 traffic from inside the corporate network to the front-end server; the back-end server only answers on connections the front-end server opened. All the port discussions that follow refer to inbound ports carrying traffic from the front-end server in the perimeter network to the back-end servers.

Note

The preferred method of deployment is for the front-end server to be on the intranet with the back-end servers, with an advanced firewall server (such as ISA) placed in the perimeter network instead. You only need to follow this section if you have requirements that force you to position the Exchange front-end server in the perimeter network.

Basic Protocols

In every case, the ports for every protocol the front-end server supports must be open on the inner firewall. The SSL ports (443, 993 and 995) do not need to be open, and by least privilege should be left closed, because SSL is not used in communication between the front-end server and the back-end servers. The following table lists the ports required on the intranet firewall. These ports are specific to inbound traffic (from the front-end server to the back-end servers).

Protocol ports required for the intranet firewall

Port number/transport   Protocol
80/TCP inbound          HTTP
143/TCP inbound         IMAP
110/TCP inbound         POP
25/TCP inbound          SMTP
691/TCP inbound         Link state algorithm routing

Note

In this table, "inbound" means that the intranet firewall should be configured to allow the front-end server in the perimeter network to initiate connections to the back-end servers on the corporate network. The back-end servers do not initiate connections to the front-end server; they only respond on connections the front-end server initiated. The one exception is the one-way Direct Push notification on 2883/UDP from the back-end server to the front-end server introduced in Exchange Server 2003 SP2, described at the beginning of this topic.

Active Directory Communication

To communicate with Active Directory, the Exchange front-end server requires LDAP ports to be open. Both TCP and UDP are required: Windows on the front-end server will send a 389/UDP LDAP request to a domain controller to check if it is available for use; the LDAP traffic after that uses TCP. Windows Kerberos authentication is also used; therefore, the Kerberos ports must also be open. Both TCP and UDP are required for Kerberos as well: Windows uses UDP/88 by default, but when the data is larger than the maximum packet size for UDP, it uses TCP. The following table lists the ports that are required for communicating with Active Directory and Kerberos.

Ports required for Active Directory communication and Kerberos

Port number/transport   Protocol
389/TCP                 LDAP to directory service (domain controller)
389/UDP                 LDAP to directory service (availability check)
3268/TCP                LDAP to global catalog server
88/TCP                  Kerberos authentication
88/UDP                  Kerberos authentication
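The Basic Protocols and Active Directory tables above turned into a rule model that can be checked against an exported rule set, as an added example that is not part of this topic and not Microsoft's code. The zone names, the Rule representation and the sample rule set are assumptions constructed for the example. The model also encodes the two points this topic makes about direction and SSL: the only back-end-to-front-end flow is the SP2 Direct Push notification on 2883/UDP, and the SSL ports 443, 993 and 995 need not be open inward because SSL is not used between the front-end and back-end servers.

```python
"""Audit an intranet-firewall rule set for an Exchange front-end server placed
in the perimeter network, against the Basic Protocols and Active Directory
tables. Added example (not Microsoft's code); zone names, the Rule type and
SAMPLE_RULES are constructed for illustration."""
from dataclasses import dataclass

PERIMETER = "perimeter"  # zone holding the front-end server (assumed zone name)
INTRANET = "intranet"    # zone holding back-end servers, DCs and GCs (assumed)


@dataclass(frozen=True)
class Rule:
    """One 'allow' rule: src zone may initiate connections to dst zone on proto/port."""
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    port: int


def fe_to_be(proto, port):
    """Inbound rule in this topic's sense: front-end (perimeter) -> intranet."""
    return Rule(PERIMETER, INTRANET, proto, port)


# Required inbound rules, taken from the two tables above.
REQUIRED = {
    fe_to_be("tcp", 80): "HTTP to back-end servers",
    fe_to_be("tcp", 143): "IMAP to back-end servers",
    fe_to_be("tcp", 110): "POP to back-end servers",
    fe_to_be("tcp", 25): "SMTP to back-end servers",
    fe_to_be("tcp", 691): "link state algorithm routing",
    fe_to_be("tcp", 389): "LDAP to domain controllers",
    fe_to_be("udp", 389): "LDAP availability check to domain controllers",
    fe_to_be("tcp", 3268): "LDAP to global catalog servers",
    fe_to_be("tcp", 88): "Kerberos (TCP when the data exceeds the UDP packet size)",
    fe_to_be("udp", 88): "Kerberos",
}

# SSL is not used between front-end and back-end, so these stay closed inward.
UNNEEDED_INBOUND_PORTS = {443, 993, 995}

# The only back-end -> front-end flow this topic describes: SP2 Direct Push
# notifications, one-way UDP 2883.
ALLOWED_REVERSE = {Rule(INTRANET, PERIMETER, "udp", 2883)}


def audit(rules):
    """Return findings as (kind, proto, port, reason) tuples; an empty list is clean."""
    present = set(rules)
    findings = []
    for rule, reason in REQUIRED.items():
        if rule not in present:
            findings.append(("MISSING", rule.proto, rule.port, reason))
    for rule in sorted(present, key=lambda r: (r.src, r.proto, r.port)):
        if rule.src == INTRANET and rule.dst == PERIMETER:
            if rule not in ALLOWED_REVERSE:
                findings.append(("WRONG-DIRECTION", rule.proto, rule.port,
                                 "back-end servers only respond to the front-end "
                                 "(exception: Direct Push 2883/UDP)"))
        elif (rule.src == PERIMETER and rule.dst == INTRANET
              and rule.port in UNNEEDED_INBOUND_PORTS):
            findings.append(("UNNEEDED", rule.proto, rule.port,
                             "SSL is not used between front-end and back-end"))
    return findings


# Constructed sample rule set: it forgets 691/TCP and 389/UDP, opens 443/TCP
# inward needlessly, and lets the intranet open HTTP connections outward.
SAMPLE_RULES = [
    fe_to_be("tcp", 80), fe_to_be("tcp", 143), fe_to_be("tcp", 110),
    fe_to_be("tcp", 25), fe_to_be("tcp", 389), fe_to_be("tcp", 3268),
    fe_to_be("tcp", 88), fe_to_be("udp", 88), fe_to_be("tcp", 443),
    Rule(INTRANET, PERIMETER, "udp", 2883),  # Direct Push: permitted
    Rule(INTRANET, PERIMETER, "tcp", 80),    # wrong direction: flagged
]

if __name__ == "__main__":
    for kind, proto, port, reason in audit(SAMPLE_RULES):
        print(f"{kind:16} {proto}/{port:<5} {reason}")
```

Run against SAMPLE_RULES the audit reports the two missing ports, the needless 443/TCP and the intranet-to-perimeter 80/TCP rule, and stays silent about 2883/UDP. To use it on a real inner firewall, export its allow rules, map each to the two zone names, and feed the list to audit(); the DNS, IPSec and RPC ports described in the following sections are deliberately not in REQUIRED because the topic treats them as optional or deployment-dependent.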

There are two sets of optional ports (DNS and IPSec, described next) that can be opened in the firewall. The decision to open them depends on the policies of the corporation. Each decision involves tradeoffs in the areas of security, ease of administration, and functionality.

Domain Name Service (DNS)

The front-end server needs access to a DNS server to correctly look up server names (for example, to convert server names to IP addresses). The following table lists the ports required for access.

If you do not want to open these ports, you must install a DNS server on the front-end server and enter the appropriate name-to-IP mappings for all the servers it might need to contact. Additionally, you must also configure all the Active Directory SRV records, because the front-end server must be able to locate domain controllers. If you choose to install a DNS server, be sure to keep these mappings up-to-date when changes are made to the organization.

Ports required for access to DNS server

Port number/transport   Protocol
53/TCP                  DNS lookup
53/UDP                  DNS lookup

Note

Most services use UDP for DNS lookups and use TCP only when the query is larger than the maximum packet size. The Exchange SMTP service, however, uses TCP by default for DNS lookups. For more information, see Microsoft Knowledge Base article 263237, "XCON: Windows 2000 and Exchange 2000 SMTP Use TCP DNS Queries."

IPSec

The following table lists the requirements for allowing IPSec traffic across the intranet firewall. You only need to allow the IP protocol or port that applies to the IPSec mode you configure; for example, if you choose to use ESP, you only need to allow IP protocol 50 across the firewall (together with 500/UDP so that IKE can negotiate the security associations, and the Kerberos ports if IKE authenticates with Kerberos).

Ports required for IPSec

IP protocol or port/transport   Protocol
IP protocol 51                  Authentication Header (AH)
IP protocol 50                  Encapsulating Security Payload (ESP)
500/UDP                         Internet Key Exchange (IKE)
88/TCP                          Kerberos (IKE authentication)
88/UDP                          Kerberos (IKE authentication)

Remote Procedure Calls (RPCs)

DSAccess no longer uses RPCs to do Active Directory service discovery. However, because your front-end server is configured to authenticate requests, IIS must still have RPC access to Active Directory to authenticate the requests. Therefore, you must open the RPC ports that are listed in the "RPC ports required for authentication" table below.

Stopping RPC Traffic

If you have a locked-down perimeter network in which it is impossible for the front-end server to authenticate users, you might not be allowed to open the RPC ports that are listed in the "RPC ports required for authentication" table below. Without these RPC ports, the front-end server cannot do authentication. You can configure the front-end server to allow anonymous access, but you should understand the risks of doing so. For more information, see Authentication Mechanisms for HTTP.

Instead of stopping all RPC traffic, it is recommended that you restrict RPC traffic by opening one port (as described in the next section).

Restricting RPC Traffic

If you want the features that require RPCs, such as authentication or implicit logon, but do not want to open the wide range of ports above 1024, you can configure your domain controllers and global catalog servers to use a single known port for all RPC traffic. For more information about how to restrict RPC traffic, see Microsoft Knowledge Base article 224196, "Restricting Active Directory Replication Traffic to a Specific Port."

To authenticate clients, the registry value described in the above Knowledge Base article (and listed below) must be set on every server that the front-end server may contact with RPCs, such as each global catalog server. Set the following registry value to a specific port, such as 1600:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
  Value name: TCP/IP Port
  Value type: REG_DWORD
  Value data: (an available port, for example 1600)

On the firewall between the perimeter network and your intranet, you then need to open only two ports for RPC communication: the RPC endpoint mapper (135/TCP) and the port you specified (1600/TCP in the following table). The front-end server first contacts the endpoint mapper on port 135, and the server responds with the port its RPC service is actually using, so if any domain controller or global catalog server the front-end might contact is left without this value, the front-end will be directed to a random port above 1024 that the firewall blocks.

Note

Exchange System Administrator uses RPCs to administer Exchange servers. It is recommended that you do not use Exchange System Administrator on a front-end server to administer back-end servers because this requires configuring RPC access from the front-end to each back-end server. Instead, you should use Exchange System Administrator from an Exchange client computer or a back-end server to administer back-end servers. You can still use Exchange System Administrator on the front-end server to administer the front-end server itself.

RPC ports required for authentication

Port number/transport   Protocol
135/TCP                 RPC endpoint mapper
1024+/TCP               Random RPC service ports (if not restricted)
  or
1600/TCP                Specific RPC service port, if restricted (example value)