Placing your Exchange 2000 server in the DMZ is a convenient way to host mail services for both internal and external clients while denying direct connections between external clients and your internal network. The following is a brief guide to which ports to open. On the back end (DMZ -> Intranet), the Windows 2000 server must communicate with your internal domain controllers to authenticate and validate client requests for e-mail services. On the front end (Internet -> DMZ), the Windows 2000 server communicates with clients, which must be able to reach the Exchange 2000 server now residing in your DMZ.
Windows 2000 : DMZ -> Intranet
- UDP/TCP 53 : Domain Name System
- UDP/TCP 88 : Kerberos Authentication
- TCP 123 : Network Time Protocol
Kerberos authentication requires that the clocks of your Exchange server and domain controllers be synchronized.
- TCP 135 : DCE Endpoint Resolution
also known as the RPC Endpoint Mapper
- UDP/TCP 389 : Lightweight Directory Access Protocol (LDAP)
- TCP 445 : Microsoft Directory Service
- TCP 3268 : LDAP to global catalog servers
- AD logon and directory replication port
You need to allow a high port for Active Directory logon and directory replication. By default this high port is chosen dynamically when the server starts, so you need to map it statically :
Hive: HKEY_LOCAL_MACHINE
Key: System\CurrentControlSet\Services\NTDS\Parameters
Name: TCP/IP Port
Type: REG_DWORD
Value: decimal value greater than 1024
Windows 2000 : Internet -> DMZ
You need to open TCP 25 (SMTP) between the Internet and the DMZ so the server can communicate with other e-mail servers on the Internet.
Exchange 2000 supports an assortment of client access types, including MAPI, IMAP, POP3 and Web access. You will need to allow the appropriate port for whichever client access type(s) you permit. When accessing Microsoft Exchange, MAPI is the client access protocol of choice for communication between e-mail client and server. For MAPI to grant access to your Internet Outlook clients, open:
- TCP 135 : DCE Endpoint Resolution
also known as the RPC Endpoint Mapper
- Statically map the following ports :
- Microsoft Exchange SA RFR (System Attendant Request For Response)
Hive: HKEY_LOCAL_MACHINE
Key: System\CurrentControlSet\Services\MSExchangeSA\Parameters
Name: TCP/IP Port
Type: REG_DWORD
Value: decimal value greater than 1024
- Microsoft Exchange Directory NSPI (Name Service Provider Interface) Proxy Interface
Hive: HKEY_LOCAL_MACHINE
Key: System\CurrentControlSet\Services\MSExchangeSA\Parameters
Name: TCP/IP NSPI port
Type: REG_DWORD
Value: decimal value greater than 1024
- Microsoft Exchange Information Store Interface :
Hive: HKEY_LOCAL_MACHINE
Key: System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
Name: TCP/IP port
Type: REG_DWORD
Value: decimal value greater than 1024
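The static mappings above (the NTDS port on the DMZ -> Intranet side and the three Exchange ports on the Internet -> DMZ side) are easy to get subtly wrong: a value at or below 1024, two services given the same port, or a port left in the dynamic range will break MAPI access or leave a rule with nothing listening behind it. The script below is an added example, not code from the original page or from Microsoft; it renders the registry values listed above as an importable .reg file, validates the chosen ports, and prints the firewall rule set per zone boundary. The port numbers 52000-52003 are constructed sample values, and the function names (validate_static_ports, build_reg_file, firewall_rules) are this example's own. It treats a port in the Windows 2000 default dynamic RPC range (1024-5000) as a warning rather than an error, which goes slightly beyond the page's "greater than 1024" requirement.

```python
"""
Added example (not from the original page): build the static RPC port
mappings as a .reg file, validate the chosen values, and list the firewall
rules per zone boundary. Ports below are constructed samples.
"""
from collections import OrderedDict

# Registry locations copied from the page: (key, value name, description, boundary).
STATIC_PORT_VALUES = OrderedDict([
    ("ad_logon_replication",
     (r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters",
      "TCP/IP Port", "AD logon and directory replication (static)", "DMZ -> Intranet")),
    ("exchange_sa_rfr",
     (r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters",
      "TCP/IP Port", "Exchange SA RFR (static)", "Internet -> DMZ")),
    ("exchange_sa_nspi",
     (r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters",
      "TCP/IP NSPI port", "Exchange Directory NSPI Proxy (static)", "Internet -> DMZ")),
    ("exchange_is",
     (r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem",
      "TCP/IP port", "Exchange Information Store (static)", "Internet -> DMZ")),
])

# Fixed ports from the page, grouped by the boundary they cross.
FIXED_RULES = {
    "DMZ -> Intranet": [
        ("UDP/TCP", 53, "DNS"),
        ("UDP/TCP", 88, "Kerberos"),
        ("TCP", 123, "NTP (as listed on the page)"),
        ("TCP", 135, "RPC Endpoint Mapper"),
        ("UDP/TCP", 389, "LDAP"),
        ("TCP", 445, "Microsoft-DS"),
        ("TCP", 3268, "LDAP to global catalog"),
    ],
    "Internet -> DMZ": [
        ("TCP", 25, "SMTP"),
        ("TCP", 135, "RPC Endpoint Mapper"),
    ],
}

# Windows 2000 hands out dynamic RPC ports from 1024-5000 by default, so a static
# port in that range can collide with one assigned at boot; flagged, not fatal.
DYNAMIC_RPC_HIGH = 5000


def validate_static_ports(ports):
    """Return a list of problems; entries starting with 'warning:' are advisory."""
    problems = []
    for name in STATIC_PORT_VALUES:
        if name not in ports:
            problems.append(f"{name}: no port assigned")
            continue
        port = ports[name]
        if not isinstance(port, int) or not 1024 < port <= 65535:
            problems.append(f"{name}: value must be a decimal port greater than 1024 (got {port!r})")
        elif port <= DYNAMIC_RPC_HIGH:
            problems.append(f"warning: {name}: port {port} lies inside the default dynamic RPC range")
    seen = {}
    for name, port in ports.items():
        if port in seen:
            problems.append(f"{name}: duplicate port {port} also used by {seen[port]}")
        seen[port] = name
    return problems


def build_reg_file(ports):
    """Render an importable .reg file; REG_DWORD values are written as 8 hex digits."""
    errors = [p for p in validate_static_ports(ports) if not p.startswith("warning:")]
    if errors:
        raise ValueError("; ".join(errors))
    sections = OrderedDict()  # group the two MSExchangeSA values under one key header
    for name, (key, value_name, _desc, _boundary) in STATIC_PORT_VALUES.items():
        sections.setdefault(key, []).append(f'"{value_name}"=dword:{ports[name]:08x}')
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, values in sections.items():
        lines.append(f"[{key}]")
        lines.extend(values)
        lines.append("")
    return "\r\n".join(lines)


def firewall_rules(ports):
    """Fixed plus static ports as (boundary, protocol, port, description) tuples."""
    rules = [(b, proto, port, desc)
             for b, items in FIXED_RULES.items() for proto, port, desc in items]
    for name, (_key, _value_name, desc, boundary) in STATIC_PORT_VALUES.items():
        rules.append((boundary, "TCP", ports[name], desc))
    return rules


if __name__ == "__main__":
    sample = {"ad_logon_replication": 52000, "exchange_sa_rfr": 52001,
              "exchange_sa_nspi": 52002, "exchange_is": 52003}  # constructed values
    for problem in validate_static_ports(sample):
        print(problem)
    print(build_reg_file(sample))
    for rule in firewall_rules(sample):
        print("%-16s %-8s %-6d %s" % rule)
```

Import the generated file with regedit on the Exchange server (and the NTDS entry on the domain controller that the DMZ server talks to), restart the services, and then confirm with netstat that each service is listening on the port you mapped before opening the matching firewall rule.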