Re: Exch2003 front-end questions
From: Marlon Brown (marlon_brown_at_hotmail.com)
Date: 11/30/04
- Next message: - Steve -: "ISA 2004 Network Config"
- Previous message: Andrei Ungureanu: "Re: 5783 netlogon event"
- Next in thread: Thomas W Shinder [MVP]: "Re: Exch2003 front-end questions"
- Reply: Thomas W Shinder [MVP]: "Re: Exch2003 front-end questions"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 30 Nov 2004 07:12:20 -0800
I think the article confirms that. Never mind.
Basic Protocols
In all cases, all the supported protocol ports must be open on the inner
firewall. The SSL ports do not need to be open because SSL is not used in
communication between the front-end server and the back-end servers. Table 3
lists the ports required for the intranet firewall. These ports are specific
to inbound traffic (from the front-end server to the back-end servers).
Table 3 Protocol ports required for the intranet firewall
Intranet Firewall-Mail Protocols
  Port number/transport   Protocol
  80/TCP inbound          HTTP
  143/TCP inbound         IMAP
  110/TCP inbound         POP
  25/TCP inbound          SMTP
  691/TCP                 Link State Algorithm routing
Link State Algorithm routing
Note
In Table 3, "Inbound" means that the firewall should be configured to allow
computers in the perimeter network, such as the advanced firewall server, to
initiate connections to the front-end server on the corporate network. The
front-end server never has to initiate connections to the computers in the
perimeter network; the front-end server only responds to connections
initiated by the computers in the perimeter network.
Active Directory Communication
To communicate with Active Directory, the Exchange front-end server requires
LDAP ports to be open. Both TCP and UDP are required: Windows on the
front-end server will send a 389/UDP LDAP request to a domain controller to
check if it is available for use; the LDAP traffic after that uses TCP.
Windows Kerberos authentication is also used; therefore, the Kerberos ports
must also be open. Both TCP and UDP are required for Kerberos as well:
Windows uses UDP/88 by default, but when the data is larger than the maximum
packet size for UDP, it uses TCP. Table 4 lists the ports required for
communicating with Active Directory.
Table 4 Ports required for Active Directory communication and Kerberos
Intranet Firewall-Active Directory Communication
  Port number/transport   Protocol
  389/TCP, 389/UDP        LDAP to Directory Service
  3268/TCP                LDAP to Global Catalog Server
  88/TCP, 88/UDP          Kerberos authentication
There are two sets of optional ports that can be opened in the firewall. The
decision to open them depends on the policies of the corporation. Each
decision involves tradeoffs in the areas of security, ease of
administration, and functionality.
Domain Name Service (DNS)
The front-end server needs access to a DNS server to correctly look up
server names (for example, to convert server names to IP addresses). Table 5
lists the ports required for access.
If you do not want to open these ports, you must install a DNS server on the
front-end server and enter the appropriate name to IP mappings for all of
the servers it might need to contact. If you choose to install a DNS server,
be sure to keep these mappings up-to-date when changes are made to the
organization.
Table 5 Ports required for access to DNS server
Intranet Firewall-DNS
  Port number/transport   Protocol
  53/TCP, 53/UDP          DNS Lookup
Note
Most services use UDP for DNS lookups and only use TCP when the query is
larger than the maximum packet size. The Exchange SMTP service, however,
uses TCP by default for DNS lookups. For more information, see Microsoft
Knowledge Base article 263237, "XCON: Windows 2000 and Exchange 2000 SMTP
Use TCP DNS Queries"
(http://go.microsoft.com/fwlink/?LinkID=3052&kbID=263237).
IPSec
Table 6 lists the requirements for allowing IPSec traffic across the
intranet firewall. You only need to allow the port that applies to the
protocol you configure; for example, if you choose to use ESP, it is only
necessary to allow IP protocol 50 across the firewall.
Table 6 Ports required for IPSec
Intranet Firewall-IPSec
  Port number/transport   Protocol
  IP protocol 51          Authentication Header (AH)
  IP protocol 50          Encapsulating Security Payload (ESP)
  500/UDP                 Internet Key Exchange (IKE)
  88/TCP, 88/UDP          Kerberos ()
Remote Procedure Calls (RPCs)
DSAccess no longer uses RPCs to perform Active Directory service discovery.
However, if your front-end server is configured to authenticate requests,
IIS must still have RPC access to Active Directory in order to authenticate
the requests. Therefore, you must open the RPC ports that are listed in
Table
"Marlon Brown" <marlon_brown@hotmail.com> wrote in message
news:e2jv1dl1EHA.1300@TK2MSFTNGP14.phx.gbl...
> I had a network security folk today that told me something that I am not
> sure if it is correct and I would like to confirm:
>
> Imagine you have an OWA 2003 (front-end) server in the DMZ. As far as I know,
> in order to allow the communication from the OWA 2003 to the back-end
> Exchange 2003 servers (that are in the internal network), I would need to
> open ports 3268, 389 and 53.
>
> Then the network security guy is saying that on Exchange 2003, the front-end
> configuration with the OWA in the DMZ shouldn't require such need to open
> the ports to allow communication to the internal back-end servers. He said
> that should be the case only in Exchange 2000. I think that is incorrect,
> but I would like to confirm that to make sure.
>
>
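The port tables quoted above (Tables 3 to 6) are easiest to act on as a checklist the intranet firewall's allow-list can be diffed against. The script below is an added example, not code from this post or from Microsoft: it encodes the tables as a required-rule set for a given deployment (AH or ESP, DNS opened or served locally) and reports rules that are missing (the front-end will break) and rules that are open but not called for by the article (such as 443/TCP, which the article says is not used between front-end and back-end). The `allow <tcp|udp|ip> <number>` rule format and the sample allow-list are constructed for this example, and treating IKE 500/UDP as required whenever IPSec is in use is an assumption of the example, not something the tables state.

```python
"""Audit an intranet-firewall allow-list against the Exchange 2003
front-end/back-end port tables quoted in the post (Tables 3 to 6).

Added example, not code from the post or from Microsoft. The rule format
and SAMPLE_RULESET are constructed for this example.
"""

# A rule is (transport, number): ("tcp", 80), ("udp", 389), or, for AH/ESP,
# which are IP protocols rather than ports, ("ip", 51) / ("ip", 50).
MAIL_PROTOCOLS = {            # Table 3: intranet firewall, mail protocols
    ("tcp", 80): "HTTP",
    ("tcp", 143): "IMAP",
    ("tcp", 110): "POP",
    ("tcp", 25): "SMTP",
    ("tcp", 691): "Link State Algorithm routing",
}
ACTIVE_DIRECTORY = {          # Table 4: LDAP and Kerberos
    ("tcp", 389): "LDAP to Directory Service",
    ("udp", 389): "LDAP to Directory Service",
    ("tcp", 3268): "LDAP to Global Catalog Server",
    ("tcp", 88): "Kerberos authentication",
    ("udp", 88): "Kerberos authentication",
}
DNS = {                       # Table 5: optional if DNS runs on the front-end
    ("tcp", 53): "DNS lookup",
    ("udp", 53): "DNS lookup",
}
IPSEC = {                     # Table 6: only the configured protocol is needed
    "ah": {("ip", 51): "Authentication Header (AH)"},
    "esp": {("ip", 50): "Encapsulating Security Payload (ESP)"},
}
IKE = {("udp", 500): "Internet Key Exchange (IKE)"}


def required_rules(ipsec=None, local_dns=False):
    """Build the required rule set for one deployment.

    ipsec: None, "ah" or "esp"; the note under Table 6 says only the chosen
    protocol needs to be allowed. Assumption in this example: IKE 500/UDP is
    required whenever IPSec is used at all. Kerberos 88 is already covered by
    the Active Directory set. local_dns=True means a DNS server is installed
    on the front-end itself, the article's alternative to opening port 53.
    """
    required = dict(MAIL_PROTOCOLS)
    required.update(ACTIVE_DIRECTORY)
    if not local_dns:
        required.update(DNS)
    if ipsec is not None:
        required.update(IPSEC[ipsec])
        required.update(IKE)
    return required


def parse_rules(text):
    """Parse the constructed allow-list format: one `allow <tcp|udp|ip> <n>`
    per line; '#' comments and blank lines are ignored. Returns a set."""
    rules = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] != "allow" or parts[1] not in ("tcp", "udp", "ip"):
            raise ValueError(f"line {lineno}: unrecognised rule {raw!r}")
        rules.add((parts[1], int(parts[2])))
    return rules


def audit(rules, required):
    """Diff an allow-list against the required set.

    Returns {"missing": required but absent, "extra": allowed but not
    required}. An extra rule is not an error by itself, but it is inbound
    exposure the article does not call for."""
    required_set = set(required)
    return {"missing": required_set - rules, "extra": rules - required_set}


# Constructed sample allow-list for an ESP deployment with no local DNS.
# It omits 691/TCP (link state) and opens 443/TCP, which the article says
# is not used between front-end and back-end servers.
SAMPLE_RULESET = """
allow tcp 80     # HTTP
allow tcp 143    # IMAP
allow tcp 110    # POP
allow tcp 25     # SMTP
allow tcp 443    # SSL: not needed front-end to back-end
allow tcp 389    # LDAP
allow udp 389
allow tcp 3268   # LDAP to Global Catalog
allow tcp 88     # Kerberos
allow udp 88
allow tcp 53     # DNS
allow udp 53
allow ip 50      # ESP
allow udp 500    # IKE
"""


def audit_sample(ipsec="esp", local_dns=False):
    """Run the audit on the constructed sample for the given deployment."""
    return audit(parse_rules(SAMPLE_RULESET), required_rules(ipsec, local_dns))


if __name__ == "__main__":
    required = required_rules("esp")
    result = audit_sample()
    for rule in sorted(result["missing"]):
        print(f"MISSING {rule[0]}/{rule[1]}: {required[rule]}")
    for rule in sorted(result["extra"]):
        print(f"EXTRA   {rule[0]}/{rule[1]}: not in the article's tables")
```

Run as-is it reports 691/TCP as missing and 443/TCP as extra; calling `audit_sample(ipsec=None, local_dns=True)` shows how the DNS and IPSec rules move into the extra list once the deployment no longer needs them, which is the least-privilege check to repeat whenever the front-end's configuration changes.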