Ports Required to be open on the firewall


  • Ports Required to be open on the firewall

    Hi guys,

    I have a quick question. What are the ports required to be opened for Exchange 2003 on a router firewall? I have a list (135, 25, 691, 443/80, 110/995, 143/993, 593, 445 for message tracking) but I was wondering if it is not too much...
    Thank you and have a great week-end.

  • #2
    Re: Ports Required to be open on the firewall

    This is an opinion question, but . . .

    I like to keep the absolute minimum open and use the most security. For example, if you have no reason for your users to retrieve mail using POP, then there is no reason to open 110. If you require them to access POP mail but with security, then you open Port 995, but close 110. No sense leaving them both open if you don't have to. I figure that if it is so easy to configure the server and the client to use a secure channel instead of using port 110, why not take the extra step.

    Besides, with many types of business - soon it will be legally required that your email is sniff-proof. (I wonder if spammers are already sniffing the internet for POP mail packets that include email addresses they can harvest?) A really good snoop could glean all sorts of business intelligence from reading your email.

    On a server where I allow POP mail to be retrieved and OWA/OMA I have 443 open and I don't let anyone in on 80. If they can't do it my way, they can't do it at all. I also have 995 opened for the POP mail - but NOT Port 110.

    I allow port 25 traffic coming in from anywhere to go only to the mail server, but I only let the mail server itself SEND Port 25 traffic out the router. This keeps the odd laptop or PC on your LAN that gets infected with a Spam Engine virus from being able to send email out to the world and get your IP address blacklisted.

    If you are not using IMAP from the outside, why open the port? Same goes for NT Domain Login, FTP, and other services.

    I didn't recognize a few of the ports you listed and I am WAY too lazy to look them up. My overall answer is, yes you have too much open. Ratchet that puppy down to the bare minimum, and if somebody screams you can always open it up again.



    • #3
      Re: Ports Required to be open on the firewall

      Well that's quite a list you've got there. I agree with rderby, the ports you need to open depend on what services you're providing and to whom.

      If all the clients are on the LAN then the only incoming port that needs to be open is 25.

      Some of the ports you listed I don't think should ever be opened to the Internet (I'll have to check though): 135, 691, 593, and 445.
      Regards,
      Jeremy

      Network Consultant/Engineer
      Baltimore - Washington area and beyond
      www.gma-cpa.com



      • #4
        Re: Ports Required to be open on the firewall

        Hi RDerby,

        Thank you for the opinion. We use SSL so it's going to be 443, 995, etc.
        Here is a link with Exchange ports:
        http://www.microsoft.com/technet/pro....mspx?mfr=true
        Regards,



        • #5
          Re: Ports Required to be open on the firewall

          Thanks Jeremy,

          Like 30% of my users are on the LAN. But RDerby was right, I always can open an additional port if I need/have to. I'll keep everything to the minimum.
          Regards,

          Florin



          • #6
            Re: Ports Required to be open on the firewall

            That list is of the ports Exchange uses to function. This does not mean they need to be open to an untrusted network for Exchange to function.

            I see that you'll be using SSL but what services are you providing your clients over the Internet? OWA, OMA, POP, IMAP, RPC/HTTP(S)? BTW - if you're providing all the services I just listed, the only ports you'll need to open are 25 (TLS not SSL), 443, 993, and 995.
            Regards,
            Jeremy

            Network Consultant/Engineer
            Baltimore - Washington area and beyond
            www.gma-cpa.com



            • #7
              Re: Ports Required to be open on the firewall

              Hi Jeremy,

              Thanks for the reply. That's what I'm going to open, 25/443/993/995.
              Have a great week-end.

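The policy the replies converge on (publish only 25, 443, 993 and 995 to the mail server, and let only the mail server send on port 25), written out as an added example that is not part of any post in the thread. It assumes a Linux router using iptables; the interface name, the mail server address, the service keywords and the final rule allowing other outbound LAN traffic are assumptions.

```shell
#!/bin/sh
# Added example: print FORWARD-chain rules (iptables-restore format) for the
# policy in the thread. INPUT/OUTPUT and NAT are out of scope here.
# Assumed, not from the thread: Linux router, WAN interface, mail server IP,
# the service keywords, and the final "other LAN traffic may leave" rule.

# usage: gen_exchange_rules WAN_IF MAIL_IP [owa|oma|rpc-https|pop3s|imaps]...
gen_exchange_rules() {
    wan=$1; mail=$2; shift 2
    ports=25                      # inbound SMTP is always published
    for svc in "$@"; do
        case $svc in
            owa|oma|rpc-https) p=443 ;;   # all ride on HTTPS, port 80 stays closed
            pop3s)             p=995 ;;   # POP over SSL, 110 stays closed
            imaps)             p=993 ;;   # IMAP over SSL, 143 stays closed
            *) echo "unknown service: $svc" >&2; return 1 ;;
        esac
        case ",$ports," in *",$p,"*) ;; *) ports="$ports,$p" ;; esac  # no duplicates
    done
    cat <<EOF
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $wan -d $mail -p tcp -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -o $wan -s $mail -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -o $wan -p tcp --dport 25 -j LOG --log-prefix "smtp-egress-blocked: "
-A FORWARD -o $wan -p tcp --dport 25 -j REJECT --reject-with tcp-reset
-A FORWARD ! -i $wan -o $wan -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Constructed sample values: eth0 and 192.0.2.10 (documentation address).
gen_exchange_rules eth0 192.0.2.10 owa oma pop3s imaps
```

The LOG rule ahead of the REJECT records which LAN host tried to send mail directly, which is the infected-PC case post #2 describes.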
