Configuring an Internet Firewall


Topic Last Modified: 2005-05-26

In Internet scenarios, a firewall is usually placed between the corporate network and the Internet. This firewall controls the connections that are allowed between computers on the Internet and computers in the corporate network. When you configure this firewall, it is important to consider the direction of traffic. For a detailed discussion about port direction, see "Port Filtering" in Using Firewalls in a Front-End and Back-End Topology.

You must configure the firewall to allow requests to certain IP addresses and over certain TCP/IP ports. The following table lists the ports required for different services. These ports are specific to inbound traffic (from the Internet to the front-end server).

Ports that must be open on the Internet firewall

Destination port number/transport Protocol

443/TCP inbound

HTTPS (SSL-secured HTTP)

993/TCP inbound

SSL-secured IMAP

995/TCP inbound

SSL-secured POP

25/TCP inbound


In this table, "Inbound" means that you should configure the firewall to allow computers outside (on the Internet, in this case) to initiate connections to the front-end server. The front-end server never has to initiate connections to the computers on the Internet; the front-end server responds only to connections initiated by computers on the Internet.

If you are using ISA Server, you must configure it as follows. (These are general guidelines. For detailed information about how to configure ISA Server, see the ISA Server product documentation.)

  1. Configure a listener for SSL.

  2. Create a destination set that contains the external IP address of the ISA server. This destination set will be used in the Web publishing rule.

  3. Create a Web publishing rule that redirects requests to the internal front-end server

  4. Create protocol rules to open ports in ISA Server for outgoing traffic.

  5. Configure the ISA server for Outlook Web Access. For information about how to configure an ISA Server for Outlook Web Access, see Microsoft Knowledge Base article 307347, "Secure OWA Publishing Behind ISA Server May Require Custom HTTP Header."


Community Additions