If you want a handy list of the firewall ports that need to be open for Exchange 2010, Microsoft publishes a very detailed list, reproduced in the three tables below (one per server role). Note the last two columns: several data paths support encryption but are not encrypted by default, so those need IPsec (or the listed alternative) enabled explicitly if they cross an untrusted network segment.
For Mailbox Role

| Data path | Required ports | Default authentication | Supported authentication | Encryption supported? | Encrypted by default? |
|---|---|---|---|---|---|
| Active Directory access | 389/TCP/UDP (LDAP), 3268/TCP (LDAP GC), 88/TCP/UDP (Kerberos), 53/TCP/UDP (DNS), 135/TCP (RPC netlogon) | Kerberos | Kerberos | Yes, using Kerberos encryption | Yes |
| Admin remote access (Remote Registry) | 135/TCP (RPC) | NTLM/Kerberos | NTLM/Kerberos | Yes, using IPsec | No |
| Admin remote access (SMB/File) | 445/TCP (SMB) | NTLM/Kerberos | NTLM/Kerberos | Yes, using IPsec | No |
| Availability Web service (Client Access to Mailbox) | 135/TCP (RPC) | NTLM/Kerberos | NTLM/Kerberos | Yes, using RPC encryption | Yes |
| Clustering | 135/TCP (RPC) | NTLM/Kerberos | NTLM/Kerberos | Yes, using IPsec | No |
| Content indexing | 135/TCP (RPC) | NTLM/Kerberos | NTLM/Kerberos | Yes, using RPC encryption | Yes |
| Log shipping | 64327 (customizable) | NTLM/Kerberos | NTLM/Kerberos | Yes | No |
| Seeding | 64327 (customizable) | NTLM/Kerberos | NTLM/Kerberos | Yes | No |
| Volume shadow copy service (VSS) backup | Local Message Block (SMB) | NTLM/Kerberos | NTLM/Kerberos | No | No |
| Mailbox Assistants | 135/TCP (RPC) | NTLM/Kerberos | NTLM/Kerberos | No | No |
| MAPI access | 135/TCP (RPC) | NTLM/Kerberos | NTLM/Kerberos | Yes, using RPC encryption | Yes |
| Microsoft Exchange Active Directory Topology service access | 135/TCP (RPC) | NTLM/Kerberos | NTLM/Kerberos | Yes, using RPC encryption | Yes |
| Microsoft Exchange System Attendant service legacy access (Listen to requests) | 135/TCP (RPC) | NTLM/Kerberos | NTLM/Kerberos | No | No |
| Microsoft Exchange System Attendant service legacy access to Active Directory | 389/TCP/UDP (LDAP), 3268/TCP (LDAP GC), 88/TCP/UDP (Kerberos), 53/TCP/UDP (DNS), 135/TCP (RPC netlogon) | Kerberos | Kerberos | Yes, using Kerberos encryption | Yes |
| Microsoft Exchange System Attendant service legacy access (As MAPI client) | 135/TCP (RPC) | NTLM/Kerberos | NTLM/Kerberos | Yes, using RPC encryption | Yes |
| Offline address book (OAB) accessing Active Directory | 135/TCP (RPC) | Kerberos | Kerberos | Yes, using RPC encryption | Yes |
| Recipient Update Service RPC access | 135/TCP (RPC) | Kerberos | Kerberos | Yes, using RPC encryption | Yes |
| Recipient update to Active Directory | 389/TCP/UDP (LDAP), 3268/TCP (LDAP GC), 88/TCP/UDP (Kerberos), 53/TCP/UDP (DNS), 135/TCP (RPC netlogon) | Kerberos | Kerberos | Yes, using Kerberos encryption | Yes |
For CAS Role

| Data path | Required ports | Default authentication | Supported authentication | Encryption supported? | Encrypted by default? |
|---|---|---|---|---|---|
| Active Directory access | 389/TCP/UDP (LDAP), 3268/TCP (LDAP GC), 88/TCP/UDP (Kerberos), 53/TCP/UDP (DNS), 135/TCP (RPC netlogon) | Kerberos | Kerberos | Yes, using Kerberos encryption | Yes |
| Autodiscover service | 80/TCP, 443/TCP (SSL) | Basic/Integrated Windows authentication (Negotiate) | Basic, Digest, NTLM, Negotiate (Kerberos) | Yes, using HTTPS | Yes |
| Availability service | 80/TCP, 443/TCP (SSL) | NTLM/Kerberos | NTLM, Kerberos | Yes, using HTTPS | Yes |
| Mailbox Replication Service (MRS) | 808/TCP | Kerberos/NTLM | Kerberos, NTLM | Yes, using RPC encryption | Yes |
| Outlook accessing OAB | 80/TCP, 443/TCP (SSL) | NTLM/Kerberos | | Yes, using HTTPS | No |
| Outlook Web App | 80/TCP, 443/TCP (SSL) | | | Yes, using HTTPS | Yes, using a self-signed certificate |
| POP3 | 110/TCP (TLS), 995/TCP (SSL) | Basic, Kerberos | Basic, Kerberos | Yes, using SSL, TLS | Yes |
| IMAP4 | 143/TCP (TLS), 993/TCP (SSL) | Basic, Kerberos | Basic, Kerberos | Yes, using SSL, TLS | Yes |
| Outlook Anywhere (formerly known as RPC over HTTP) | 80/TCP, 443/TCP (SSL) | Basic | Basic or NTLM | Yes, using HTTPS | Yes |
| Exchange ActiveSync application | 80/TCP, 443/TCP (SSL) | Basic | Basic, Certificate | Yes, using HTTPS | Yes |
| Client Access server to Unified Messaging server | 5060/TCP, 5061/TCP, 5062/TCP, a dynamic port | By IP address | By IP address | Yes, using Session Initiation Protocol (SIP) over TLS | Yes |
| Client Access server to a Mailbox server that is running an earlier version of Exchange Server | 80/TCP, 443/TCP (SSL) | NTLM/Kerberos | Negotiate (Kerberos with fallback to NTLM or optionally Basic), POP/IMAP plain text | Yes, using IPsec | No |
| Client Access server to Exchange 2010 Mailbox server | RPC | Kerberos | NTLM/Kerberos | Yes, using RPC encryption | Yes |
| Client Access server to Client Access server (Exchange ActiveSync) | 80/TCP, 443/TCP (SSL) | Kerberos | Kerberos, Certificate | Yes, using HTTPS | Yes, using a self-signed certificate |
| Client Access server to Client Access server (Outlook Web Access) | 80/TCP, 443/TCP (HTTPS) | Kerberos | Kerberos | Yes, using SSL | Yes |
| Client Access server to Client Access server (Exchange Web Services) | 443/TCP (HTTPS) | Kerberos | Kerberos | Yes, using SSL | Yes |
| Client Access server to Client Access server (POP3) | 995 (SSL) | Basic | Basic | Yes, using SSL | Yes |
| Client Access server to Client Access server (IMAP4) | 993 (SSL) | Basic | Basic | Yes, using SSL | Yes |
| Office Communications Server access to Client Access server (when Office Communications Server and Outlook Web App integration is enabled) | 5075-5077/TCP (IN), 5061/TCP (OUT) | mTLS (Required) | mTLS (Required) | Yes, using SSL | Yes |
For Transport Hub Role

| Data path | Required ports | Default authentication | Supported authentication | Encryption supported? | Encrypted by default? |
|---|---|---|---|---|---|
| Hub Transport server to Hub Transport server | 25/TCP (SMTP) | Kerberos | Kerberos | Yes, using Transport Layer Security (TLS) | Yes |
| Hub Transport server to Edge Transport server | 25/TCP (SMTP) | Direct trust | Direct trust | Yes, using TLS | Yes |
| Edge Transport server to Hub Transport server | 25/TCP (SMTP) | Direct trust | Direct trust | Yes, using TLS | Yes |
| Edge Transport server to Edge Transport server | 25/TCP (SMTP) | Anonymous, Certificate | Anonymous, Certificate | Yes, using TLS | Yes |
| Mailbox server to Hub Transport server via the Microsoft Exchange Mail Submission Service | 135/TCP (RPC) | NTLM. If the Hub Transport and the Mailbox server roles are on the same server, Kerberos is used. | NTLM/Kerberos | Yes, using RPC encryption | Yes |
| Hub Transport to Mailbox server via MAPI | 135/TCP (RPC) | NTLM. If the Hub Transport and the Mailbox server roles are on the same server, Kerberos is used. | NTLM/Kerberos | Yes, using RPC encryption | Yes |
| Unified Messaging server to Hub Transport server | 25/TCP (SMTP) | Kerberos | Kerberos | Yes, using TLS | Yes |
| Microsoft Exchange EdgeSync service from Hub Transport server to Edge Transport server | 50636/TCP (SSL) | Basic | Basic | Yes, using LDAP over SSL (LDAPS) | Yes |
| Active Directory access from Hub Transport server | 389/TCP/UDP (LDAP), 3268/TCP (LDAP GC), 88/TCP/UDP (Kerberos), 53/TCP/UDP (DNS), 135/TCP (RPC netlogon) | Kerberos | Kerberos | Yes, using Kerberos encryption | Yes |
| Active Directory Rights Management Services (AD RMS) access from Hub Transport server | 443/TCP (HTTPS) | NTLM/Kerberos | NTLM/Kerberos | Yes, using SSL | Yes |
| SMTP clients to Hub Transport server (for example, end-users using Windows Live Mail) | 587 (SMTP), 25/TCP (SMTP) | NTLM/Kerberos | NTLM/Kerberos | Yes, using TLS | Yes |
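Turning these tables into firewall rules by hand is error-prone, and the "Encrypted by default?" column is easy to overlook. The Python below is an added example (not part of this post or of Microsoft's documentation): it parses rows in the pipe-delimited layout used above, derives the per-role set of TCP/UDP ports to allow, lists the data paths the tables mark as not encrypted by default (so that IPsec or the listed alternative can be enabled explicitly), and flags port cells such as "RPC" or "a dynamic port" that cannot become a static rule. A constructed subset of the rows is embedded as sample input. Assumptions: a bare port number with no protocol suffix (e.g. "587 (SMTP)") is treated as TCP, and nothing is guessed for cells without a numeric port.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of rows from the three tables above, in the
# page's pipe-delimited layout (a blank cell is kept where the page has a gap).
SAMPLE_TABLES = """\
For Mailbox Role
| Data path | Required ports | Default authentication | Supported authentication | Encryption supported? | Encrypted by default? |
|---|---|---|---|---|---|
| Active Directory access | 389/TCP/UDP (LDAP), 3268/TCP (LDAP GC), 88/TCP/UDP (Kerberos), 53/TCP/UDP (DNS), 135/TCP (RPC netlogon) | Kerberos | Kerberos | Yes, using Kerberos encryption | Yes |
| Admin remote access (SMB/File) | 445/TCP (SMB) | NTLM/Kerberos | NTLM/Kerberos | Yes, using IPsec | No |
| Log shipping | 64327 (customizable) | NTLM/Kerberos | NTLM/Kerberos | Yes | No |
| Volume shadow copy service (VSS) backup | Local Message Block (SMB) | NTLM/Kerberos | NTLM/Kerberos | No | No |
For CAS Role
| Data path | Required ports | Default authentication | Supported authentication | Encryption supported? | Encrypted by default? |
|---|---|---|---|---|---|
| Autodiscover service | 80/TCP, 443/TCP (SSL) | Basic/Integrated Windows authentication (Negotiate) | Basic, Digest, NTLM, Negotiate (Kerberos) | Yes, using HTTPS | Yes |
| Outlook accessing OAB | 80/TCP, 443/TCP (SSL) | NTLM/Kerberos | | Yes, using HTTPS | No |
| Client Access server to Exchange 2010 Mailbox server | RPC | Kerberos | NTLM/Kerberos | Yes, using RPC encryption | Yes |
| Client Access server to Unified Messaging server | 5060/TCP, 5061/TCP, 5062/TCP, a dynamic port | By IP address | By IP address | Yes, using SIP over TLS | Yes |
| Office Communications Server access to Client Access server | 5075-5077/TCP (IN), 5061/TCP (OUT) | mTLS (Required) | mTLS (Required) | Yes, using SSL | Yes |
For Transport Hub Role
| Data path | Required ports | Default authentication | Supported authentication | Encryption supported? | Encrypted by default? |
|---|---|---|---|---|---|
| SMTP clients to Hub Transport server | 587 (SMTP), 25/TCP (SMTP) | NTLM/Kerberos | NTLM/Kerberos | Yes, using TLS | Yes |
"""

# port, optional range end, optional protocol suffix (TCP, UDP or TCP/UDP)
PORT_RE = re.compile(r"\b(\d{1,5})(?:-(\d{1,5}))?(?:/(TCP/UDP|TCP|UDP))?")


def parse_ports(cell):
    """Return the set of (port, protocol) pairs named in a 'Required ports' cell.
    Assumption: a bare number such as '587 (SMTP)' is TCP; 'RPC' or 'a dynamic
    port' yields nothing and is reported separately rather than guessed."""
    found = set()
    for m in PORT_RE.finditer(cell):
        low = int(m.group(1))
        high = int(m.group(2) or low)
        for proto in (m.group(3) or "TCP").split("/"):
            for port in range(low, high + 1):
                found.add((port, proto))
    return found


def parse_rows(text):
    """Turn the 'For <role>' headings and pipe-delimited rows into dicts."""
    rows, role = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("For "):
            role = line[4:].strip()
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) < 6 or cells[0] in ("Data path", "---"):
            continue  # header row, separator row or malformed row
        rows.append({
            "role": role, "path": cells[0], "ports_raw": cells[1],
            "ports": parse_ports(cells[1]), "default_auth": cells[2],
            "supported_auth": cells[3], "enc_supported": cells[4],
            "enc_default": cells[5],
        })
    return rows


def allow_list(rows):
    """Per role, the sorted (port, protocol) pairs a firewall must permit."""
    by_role = defaultdict(set)
    for r in rows:
        by_role[r["role"]] |= r["ports"]
    return {role: sorted(ports) for role, ports in by_role.items()}


def plaintext_by_default(rows):
    """Data paths marked 'Encrypted by default? No', with the protection the
    table says is available (e.g. IPsec) so it can be switched on explicitly."""
    return [(r["role"], r["path"], r["enc_supported"])
            for r in rows if r["enc_default"].lower().startswith("no")]


def needs_manual_rule(rows):
    """Rows whose port cell cannot become a static rule: no numeric port at
    all, or a dynamic port is involved."""
    return [(r["role"], r["path"], r["ports_raw"]) for r in rows
            if not r["ports"] or "dynamic" in r["ports_raw"].lower()]


def report(rows):
    """Human-readable summary of the three checks above."""
    lines = [f"{role}: " + ", ".join(f"{p}/{proto}" for p, proto in ports)
             for role, ports in allow_list(rows).items()]
    lines.append("Not encrypted by default (enable the listed protection):")
    lines += [f"  [{role}] {path} -> {enc}" for role, path, enc in plaintext_by_default(rows)]
    lines.append("Needs a manual firewall rule:")
    lines += [f"  [{role}] {path}: {raw}" for role, path, raw in needs_manual_rule(rows)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_rows(SAMPLE_TABLES)))
```

To run it against the full tables, paste the three tables (headings included) into `SAMPLE_TABLES` or feed the text to `parse_rows`; the "Needs a manual firewall rule" section is the list to resolve with the Exchange admins, since RPC endpoints and the UM dynamic port cannot be pinned down from the table alone.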