Exchange Network Ports Reference. Connecting email clients to Microsoft Exchange Server Mailbox servers

Recently I had to isolate a Microsoft Exchange server behind a firewall and write rules for its ports, so first I had to spend a long time working out which ports Microsoft Exchange actually uses. I found some of the answers on forums, but some things I had to check and work out myself, so if I missed a port that Exchange uses, please write in the comments.

SMTP TCP: 25
The SMTP service uses TCP port 25.

DNS TCP/UDP: 53
DNS listens on port 53. Domain controllers use this port.

HTTP TCP: 80
HTTP Server Port.

POP3 TCP: 110
Post Office Protocol version 3 (POP3).

NNTP TCP: 119
Network News Transfer Protocol (NNTP).

MSRPC TCP/UDP: 135
Microsoft RPC and Locator service - LOC-SRV

IMAP4 TCP: 143
Internet Message Access Protocol (IMAP).

LDAP TCP/UDP: 379
The Site Replication Service (SRS).

LDAP TCP/UDP: 389
Lightweight directory access protocol (LDAP) used by Microsoft Active Directory® directory service, Active Directory Connector, and the Microsoft Exchange Server 5.5 directory.

LDAP TCP/UDP: 390
This is the recommended alternate port to configure the Exchange Server 5.5 LDAP protocol when Exchange Server 5.5 is running on an Active Directory domain controller.

HTTP/SSL TCP: 443
HTTP over SSL.

SMTP/SSL TCP: 465
SMTP over SSL. TCP port 465 is reserved by common industry practice for secure SMTP communication using the SSL protocol.

NNTP/SSL TCP: 563
NNTP over SSL.

LDAP/SSL TCP/UDP: 636
LDAP over Secure Sockets Layer (SSL).

LSA TCP: 691
The Microsoft Exchange Routing Engine service (RESvc) listens for routing link state information on this port.

IMAP4/SSL TCP: 993
IMAP4 over SSL.

POP3/SSL TCP: 995
POP3 over SSL.

LDAP TCP: 3268
Global catalog. The Windows 2000 and Windows Server 2003 Active Directory global catalog (a domain controller “role”) listens on TCP port 3268.

LDAP/SSL TCP: 3269
Global catalog over SSL. Applications that connect to TCP port 3269 of a global catalog server can transmit and receive SSL encrypted data.

In this article, we will look at how to configure static RPC ports for RPC Client Access, Exchange Address Book and Public Folder Access services in Exchange 2010.

Let's imagine that we have a complex organization running Exchange Server 2010 SP1 (or higher), which also has . CAS servers are typically located on a network segment separated by firewalls from the networks from which users are expected to connect (the Outlook client networks). The Outlook client connects to the CAS server over RPC, which means that at the network level any port from the dynamic port range can be used. It is no secret that Windows Server 2008 and 2008 R2 use the range 49152-65535 as the dynamic port range for RPC connections (earlier versions of Windows Server used RPC ports in the range 1025-65535).

To avoid turning firewalls into a sieve, it is advisable to narrow the range of RPC ports used, ideally by making them static on each Client Access Server in the Client Access array. In addition, the use of static RPC ports can reduce memory consumption on load balancing devices (especially HLB) and simplify their configuration (there is no need to specify large ranges of ports).

In Exchange 2010, you can set static ports for the RPC Client Access service and the Exchange Address Book service. Outlook communicates with these services through the MAPI interface.

Static port for Exchange 2010 RPC Client Access service

The Exchange 2010 RPC Client Access virtual service is associated with the RPC Client Access service, to which Outlook MAPI clients connect in Exchange 2010. When an Outlook client connects to Exchange, the RPC Client Access service on an Exchange 2010 Client Access server uses the TCP endpoint mapper port (TCP/135) and a random port from the dynamic RPC port range (6005-59530) for incoming connections.

To set a static port for the RPC Client Access service in Exchange 2010, you need to open the following section in the Registry Editor:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeRPC

Create a new key named ParametersSystem, and inside it create a REG_DWORD value named TCP/IP Port. The TCP/IP Port value specifies the static port for the RPC Client Access service. Microsoft documentation recommends choosing a port in the range 59531-60554 and using the same value on all CAS servers (we chose port 59532; naturally, it must not be used by any other software).

After setting a static port, the Microsoft Exchange RPC Client Access service must be restarted for the changes to take effect.

Restart-Service MSExchangeRPC

Static port for Exchange 2010 Address Book service

In Exchange 2010 prior to SP1, the static port for the Exchange 2010 Address Book service was set in a special configuration file, Microsoft.exchange.addressbook.service.exe.config. Since Exchange 2010 SP1, a static port for this service can be set through the registry. To do this, open the Registry Editor and go to the branch:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters

Create a new value RpcTcpPort (type REG_SZ) and give it the port number you want to fix for the Exchange Address Book service. It is recommended to use any free port in the range 59531-60554 and then use the same port on all Exchange 2010 Client Access servers in the domain. We will set RpcTcpPort=59533.

After this you need to restart the Microsoft Exchange Address Book service:

Restart-Service MSExchangeAB

Important: When migrating from Exchange 2010 RTM to SP1, this key must be set manually; it is not automatically inherited.

Configuring a static port for public folder access

Public folders are accessed from the Outlook client directly through the RPC Client Access service on the server running the Mailbox role, so this setup must be done on every Mailbox-role server that hosts a public folder database (similarly to the CAS servers). Open the Registry Editor and go to the branch:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeRPC

Create a new key named ParametersSystem, inside which create a parameter of type REG_DWORD with the name TCP/IP Port. Set its value: TCP/IP Port = 59532.

Having statically set the port for public folders, you need to restart the Microsoft Exchange RPC Client Access service on each mailbox server.

Checking the use of static ports between Outlook and Exchange 2010

After making the changes, let's check that Outlook connects to the static RPC ports we specified. To do this, restart Outlook on the client machine and then run the following at the command prompt:

Netstat -na
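The whole procedure above (both registry values, the service restarts and a server-side check that the right services own the ports) as one script. This is an added example, not the article's own code; it assumes the article's port numbers 59532 and 59533, an Exchange 2010 SP1 or later server, and that it is run as an administrator on each CAS server (and on each Mailbox server hosting public folders, for the MSExchangeRPC part).

```powershell
# Added example (not the article's code): applies the static RPC ports described
# above on an Exchange 2010 SP1+ server and checks the right services own them.
# Uses netstat, not Get-NetTCPConnection, so it also works on Server 2008 R2.
$RpcClientAccessPort = 59532   # MSExchangeRPC\ParametersSystem\"TCP/IP Port" (REG_DWORD)
$AddressBookPort     = 59533   # MSExchangeAB\Parameters\RpcTcpPort (REG_SZ)

function Get-ListeningPid {
    param([int]$Port)
    # PID of the process listening on TCP $Port, or 0 if nothing listens there.
    $hit = @(netstat -ano | Select-String -Pattern "^\s*TCP\s+\S+:$Port\s+\S+\s+LISTENING\s+(\d+)")
    if ($hit.Count -gt 0) { return [int]$hit[0].Matches[0].Groups[1].Value }
    return 0
}

function Get-ServicePid {
    param([string]$Name)
    return [int](Get-WmiObject Win32_Service -Filter "Name='$Name'").ProcessId
}

function Test-StaticRpcPort {
    param([int]$Port, [string]$Service)
    # Stay inside Microsoft's recommended range for static Exchange 2010 RPC ports.
    if ($Port -lt 59531 -or $Port -gt 60554) {
        throw "Port $Port is outside the recommended range 59531-60554"
    }
    # The port must be free or already owned by the service being configured (re-run safe).
    $owner = Get-ListeningPid $Port
    if ($owner -ne 0 -and $owner -ne (Get-ServicePid $Service)) {
        throw "Port $Port is already in use by PID $owner"
    }
}

Test-StaticRpcPort -Port $RpcClientAccessPort -Service 'MSExchangeRPC'
Test-StaticRpcPort -Port $AddressBookPort     -Service 'MSExchangeAB'

# RPC Client Access (the same value covers public folder access on Mailbox servers).
$rpcKey = 'HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeRPC\ParametersSystem'
if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
New-ItemProperty -Path $rpcKey -Name 'TCP/IP Port' -PropertyType DWord `
    -Value $RpcClientAccessPort -Force | Out-Null

# Address Book service (SP1 and later read the port from the registry).
$abKey = 'HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters'
if (-not (Test-Path $abKey)) { New-Item -Path $abKey -Force | Out-Null }
New-ItemProperty -Path $abKey -Name 'RpcTcpPort' -PropertyType String `
    -Value "$AddressBookPort" -Force | Out-Null

# New values are read only at service start.
Restart-Service MSExchangeRPC
Restart-Service MSExchangeAB
Start-Sleep -Seconds 15

# Verify that each static port is now owned by the expected service.
foreach ($pair in @(@($RpcClientAccessPort, 'MSExchangeRPC'), @($AddressBookPort, 'MSExchangeAB'))) {
    $port, $svc = $pair
    if ((Get-ListeningPid $port) -eq (Get-ServicePid $svc)) { "OK: $svc listens on TCP $port" }
    else { Write-Warning "$svc is not listening on TCP $port" }
}
```

On the client side, the article's netstat check can be narrowed to the two static ports with netstat -na | findstr /C:":59532" /C:":59533".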

Exchange Server and Firewalls

Firewalls for mail servers (Exchange Server), mail server ports, front-end and back-end mail servers, SMTP, POP3, IMAP4 virtual servers

Like any computer connected to the Internet, the computer running the mail server must be protected with a firewall. However, the options for installing a mail server in terms of network configuration can be very different:

· the simplest option is to install the mail server on a computer that is also the proxy server/firewall, and then open the necessary ports on the interface that faces the Internet. This scheme is typically used in small organizations;

· another option is to install the mail server on the local network and configure it to work through a proxy server. To do this, you can bind a public IP address to the mail server and pass it through the proxy, or use port mapping on the proxy server. Many proxy servers have special wizards or ready-made rules for organizing such a solution (for example, ISA Server). This option is used in most organizations;

· another fundamental possibility is to create a DMZ and place a front-end Exchange Server in it (this option has existed since version 2000), or an SMTP relay based on another Exchange Server or, for example, sendmail on *nix. This is typically used in the networks of large organizations.

In any case, the mail server must communicate at least on port TCP 25 (SMTP) and UDP 53 (DNS). Other ports that Exchange Server may require depending on your network configuration (all TCP):

· 80 HTTP - for access to the Web interface (OWA);

· 88 Kerberos authentication protocol - if Kerberos authentication is used (rarely);

· 102 MTA X.400 connector over TCP/IP - if the X.400 connector is used for communication between routing groups;

· 110 Post Office Protocol 3 (POP3) - for client access;

· 119 Network News Transfer Protocol (NNTP) - if newsgroups are used;

· 135 Client/server communication, RPC, Exchange administration - the standard RPC port for remote administration of Exchange using the standard System Manager tools;

· 143 Internet Message Access Protocol (IMAP) - for client access;

· 389 LDAP - to access the directory service;

· 443 HTTP over Secure Sockets Layer (SSL) - this and the following entries are the same protocols protected by SSL;

· 563 NNTP (SSL);

· 636 LDAP (SSL);

· 993 IMAP4 (SSL);

· 995 POP3 (SSL);

· 3268 and 3269 - queries to the global catalog server (searching Active Directory and checking membership in universal groups).

There is no point in covering the Exchange Server interface facing the inside of the organization with a firewall: it is used to interact with domain controllers, administration utilities, backup systems, and so on. On an interface exposed to the Internet, it is recommended to leave open only ports 25 and 53 (the latter only if Exchange resolves host names itself rather than forwarding requests to the local DNS server). Very often, clients need to access their mailboxes from outside (from home, on a business trip, and so on). The best solution in this situation is to configure OWA (the Web interface to Exchange Server, installed by default and available at http://server_name/exchange) to work over SSL and open access only on port 443. Besides solving secure authentication and message encryption, this automatically resolves the SMTP relay issue (more on this later) and the situation where a user accidentally downloads work email into the mail client folders on a home computer and then cannot find those messages at work (not to mention that keeping work email at home is a security violation).
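One way to express the Internet-facing recommendation above (TCP 25 and 443 only, with DNS 53 only if Exchange resolves names itself) as host firewall rules. This is an added example, not the article's own, and it assumes Windows Firewall on Windows Server 2012 or later, that the external NIC is in the Public profile, and a placeholder interface alias 'Internet'.

```powershell
# Added example (not the article's code): Windows Firewall rules for the
# Internet-facing NIC of an Exchange server following the advice above: expose
# only TCP 25 and TCP 443, and allow DNS 53 only if Exchange resolves names
# itself. Assumes Windows Server 2012+ (NetSecurity module) and that the
# external NIC is in the Public profile; 'Internet' is a placeholder alias.
$ExternalNic  = 'Internet'   # placeholder: alias of the Internet-facing NIC
$SelfResolves = $false       # $true only if Exchange queries Internet DNS itself

function Get-ExchangeEdgeRules {
    param([bool]$ResolvesItself)
    # Inbound: mail delivery and OWA over SSL only. Plain HTTP (80) is left out
    # on purpose; OWA is reached over 443. Outbound: SMTP delivery to the world.
    $rules = @(
        @{ Name = 'Exchange edge SMTP in';  Dir = 'Inbound';  Proto = 'TCP'; Port = 25  },
        @{ Name = 'Exchange edge HTTPS in'; Dir = 'Inbound';  Proto = 'TCP'; Port = 443 },
        @{ Name = 'Exchange edge SMTP out'; Dir = 'Outbound'; Proto = 'TCP'; Port = 25  }
    )
    if ($ResolvesItself) {
        # A resolver needs outbound 53 only; replies return through connection state.
        $rules += @{ Name = 'Exchange edge DNS out UDP'; Dir = 'Outbound'; Proto = 'UDP'; Port = 53 }
        $rules += @{ Name = 'Exchange edge DNS out TCP'; Dir = 'Outbound'; Proto = 'TCP'; Port = 53 }
    }
    return $rules
}

# Default-deny both directions on the Public profile so the list above is exhaustive.
Set-NetFirewallProfile -Profile Public -DefaultInboundAction Block -DefaultOutboundAction Block

foreach ($r in Get-ExchangeEdgeRules -ResolvesItself $SelfResolves) {
    # Replace any stale copy, then bind the rule to the external interface only.
    Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    $p = @{ DisplayName = $r.Name; Direction = $r.Dir; Protocol = $r.Proto; Action = 'Allow'
            Profile = 'Public'; InterfaceAlias = $ExternalNic }
    # Inbound rules match the local port, outbound rules the remote port.
    if ($r.Dir -eq 'Inbound') { $p.LocalPort = $r.Port } else { $p.RemotePort = $r.Port }
    New-NetFirewallRule @p | Out-Null
}

# Show what is actually open on the edge.
Get-NetFirewallRule -DisplayName 'Exchange edge*' |
    Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort, RemotePort
```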

A new feature that appeared in Exchange Server starting from version 2000 is the ability to use several virtual SMTP and POP3 servers with different security settings. For example, the SMTP virtual server that faces the Internet can be configured in a hardened mode with strict delivery restrictions, while the SMTP virtual server used by users inside the organization can be configured with the fullest-featured and most user-friendly settings.

It is also necessary to mention a certain confusion in terminology - very often firewalls for Exchange are called message filtering systems, which will be discussed below.

What TCP and UDP ports does my Exchange 2000/2003 Server use?

For purposes of configuring firewalls or for troubleshooting communications issues, it may be useful to know what TCP/UDP ports Exchange 2000 Server and Exchange 2000 Conferencing Server are using. This article is also true for Exchange Server 2003 installations.

Protocol: LDAP

  • Port (TCP/UDP): 389 (TCP)
  • Description: Lightweight Directory Access Protocol (LDAP), used by Active Directory, Active Directory Connector, and the Microsoft Exchange Server 5.5 directory.

Protocol: LDAP/SSL

  • Port (TCP/UDP): 636 (TCP)
  • Description: LDAP over Secure Sockets Layer (SSL). When SSL is enabled, LDAP data that is transmitted and received is encrypted.
  • To enable SSL, you must install a Computer certificate on the domain controller or Exchange Server 5.5 computer.

Protocol: LDAP

  • Port (TCP/UDP): 379 (TCP)
  • Description: The Site Replication Service (SRS) uses TCP port 379.

Protocol: LDAP

  • Port (TCP/UDP): 390 (TCP)
  • Description: While not a standard LDAP port, TCP port 390 is the recommended alternate port to configure the Exchange Server 5.5 LDAP protocol when Exchange Server 5.5 is running on a Microsoft Windows 2000 Active Directory domain controller.

Protocol: LDAP

  • Port (TCP/UDP): 3268 (TCP)
  • Description: Global catalog. The Windows 2000 Active Directory global catalog (which is really a domain controller “role”) listens on TCP port 3268. When you are troubleshooting issues that may be related to a global catalog, connect to port 3268 in LDP.

Protocol: LDAP/SSL

  • Port (TCP/UDP): 3269 (TCP)
  • Description: Global catalog over SSL. Applications that connect to TCP port 3269 of a global catalog server can transmit and receive SSL encrypted data. To configure a global catalog to support SSL, you must install a Computer certificate on the global catalog.

Protocol: IMAP4

  • Port (TCP/UDP): 143 (TCP)
  • Description: Internet Message Access Protocol version 4, may be used by “standards-based” clients such as Microsoft Outlook Express or Netscape Communicator to access the e-mail server. IMAP4 runs on top of the Microsoft Internet Information Service (IIS) Admin Service (Inetinfo.exe), and enables client access to the Exchange 2000 information store.

Protocol: IMAP4/SSL

  • Port (TCP/UDP): 993 (TCP)
  • Description: IMAP4 over SSL uses TCP port 993. Before an Exchange 2000 server supports IMAP4 (or any other protocol) over SSL, you must install a Computer certificate on the Exchange 2000 server.

Protocol: POP3

  • Port (TCP/UDP): 110 (TCP)
  • Description: Post Office Protocol version 3, enables “standards-based” clients such as Outlook Express or Netscape Communicator to access the e-mail server. As with IMAP4, POP3 runs on top of the IIS Admin Service, and enables client access to the Exchange 2000 information store.

Protocol: POP3/SSL

  • Port (TCP/UDP): 995 (TCP)
  • Description: POP3 over SSL. To enable POP3 over SSL, you must install a Computer certificate on the Exchange 2000 server.

Protocol: NNTP

  • Port (TCP/UDP): 119 (TCP)
  • Description: Network News Transport Protocol, sometimes called Usenet protocol, enables “standards-based” client access to public folders in the information store. As with IMAP4 and POP3, NNTP is dependent on the IIS Admin Service.

Protocol: NNTP/SSL

  • Port (TCP/UDP): 563 (TCP)
  • Description: NNTP over SSL. To enable NNTP over SSL, you must install a Computer certificate on the Exchange 2000 Server.

Protocol: HTTP

  • Port (TCP/UDP): 80 (TCP)
  • Description: Hyper-Text Transfer Protocol is the protocol used primarily by Microsoft Outlook Web Access (OWA), but also enables some administrative actions in Exchange System Manager. HTTP is implemented through the World Wide Web Publishing Service (W3Svc), and runs on top of the IIS Admin Service.

Protocol: HTTP/SSL

  • Port (TCP/UDP): 443 (TCP)
  • Description: HTTP over SSL. To enable HTTP over SSL, you must install a Computer certificate on the Exchange 2000 server.

Protocol: SMTP

  • Port (TCP/UDP): 25 (TCP)
  • Description: Simple Mail Transfer Protocol, is the foundation for all e-mail transport in Exchange 2000. The SMTP Service (SMTPSvc) runs on top of the IIS Admin Service. Unlike IMAP4, POP3, NNTP, and HTTP, SMTP in Exchange 2000 does not use a separate port for secure communication (SSL), but rather, employs an “in-band security sub-system” called Transport Layer Security (TLS).

Protocol: SMTP/SSL

  • Port (TCP/UDP): 465 (TCP)
  • Description: SMTP over SSL. TCP port 465 is reserved by common industry practice for secure SMTP communication using the SSL protocol. However, unlike IMAP4, POP3, NNTP, and HTTP, SMTP in Exchange 2000 does not use a separate port for secure communication (SSL), but rather, employs an “in-band security sub-system” called Transport Layer Security (TLS) . To enable TLS to work on Exchange 2000, you must install a Computer certificate on the Exchange 2000 server.

Protocol: SMTP/LSA

  • Port (TCP/UDP): 691 (TCP)
  • Description: The Microsoft Exchange Routing Engine (also known as RESvc) listens for routing link state information on TCP port 691. Exchange 2000 uses routing link state information to route messages, and the routing table is constantly updated. The Link State Algorithm (LSA) propagates routing status information between Exchange 2000 servers. This algorithm is based on the Open Shortest Path First (OSPF) protocol from networking technology, and transfers link state information between routing groups by using the X-LSA-2 command verb over SMTP and by using a Transmission Control Protocol (TCP) connection to port 691 within a routing group.

Protocol: RVP

  • Port (TCP/UDP): 80 (TCP)
  • Description: RVP is the foundation for Instant Messaging in Exchange 2000. While RVP communication begins with TCP port 80, the server quickly sets up a new connection to the client on an ephemeral TCP port above 1024. Because this port is not known in advance, issues exist when you enable Instant Messaging through a firewall.

Protocol: IRC/IRCX

  • Port (TCP/UDP): 6667 (TCP)
  • Description: Internet Relay Chat (IRC) is the chat protocol. IRCX is the extended version offered by Microsoft. While TCP port 6667 is the most common port for IRC, TCP port 7000 is also very frequently used.

Protocol: IRC/SSL

  • Port (TCP/UDP): 994 (TCP)
  • Description: IRC (or Chat) over SSL. IRC or IRCX over SSL is not supported in Exchange 2000.

Protocol: X.400

  • Port (TCP/UDP): 102 (TCP)
  • Description: ITU-T Recommendation X.400 is really a series of recommendations for what an electronic message handling system (MHS) should look like. TCP port 102 is defined in IETF RFC-1006, which describes OSI communications over a TCP/IP network. In brief, TCP port 102 is the port that the Exchange message transfer agent (MTA) uses to communicate with other X.400-capable MTAs.

Protocol: MS-RPC

  • Port (TCP/UDP): 135 (TCP)
  • Description: Microsoft Remote Procedure Call is a Microsoft implementation of remote procedure calls (RPCs). TCP port 135 is actually only the RPC Locator Service, which is like the registrar for all RPC-enabled services that run on a particular server. In Exchange 2000, the Routing Group Connector uses RPC instead of SMTP when the target bridgehead server is running Exchange 5.5. Also, some administrative operations require RPC. To configure a firewall to enable RPC traffic, many more ports than just 135 must be enabled.

For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:

XADM: Setting TCP/IP Port Numbers for Internet Firewalls

XCON: Configuring MTA TCP/IP Port # for X.400 and RPC Listens

Protocol: T.120

  • Port (TCP/UDP): 1503 (TCP)
  • Description: ITU-T Recommendation T.120 is a series of recommendations that define data conferencing. Data conferencing is implemented on the server side as a Conferencing Technology Provider (CTP) in the Multipoint Control Unit (MCU), which is one component of the Exchange Conferencing Services (ECS). Data conferencing is implemented on the client side as Chat, Application Sharing, Whiteboard, and File Transferring in Microsoft NetMeeting.

Protocol: ULS

  • Port (TCP/UDP): 522 (TCP)
  • Description: User Locator Service is a type of Internet directory service for conferencing clients, such as NetMeeting. Exchange 2000 Server and Exchange 2000 Conferencing Server do not implement a ULS, but rather take advantage of Active Directory for directory services (by TCP port 389).

Protocol: H.323 (Video)

  • Port (TCP/UDP): 1720 (TCP)
  • Description: ITU-T Recommendation H.323 defines multimedia conferencing. TCP port 1720 is the H.323 (video) call setup port. After a client connects, the H.323 server negotiates a new, dynamic UDP port to be used for streaming data.

Protocol: Audio

  • Port (TCP/UDP): 1731 (TCP)
  • Description: Audio conferencing is enabled in much the same way as H.323 video conferencing is enabled in Exchange 2000 Server. After clients connect to TCP port 1731, a new dynamic port is negotiated for further streaming data.