The very nature and capabilities of a front-end (FE) and back-end (BE) Exchange Server 2003 configuration lends itself to a more secure environment. An FE server hosts only the Internet Information Services (IIS) virtual server that provides the interface to users and communicates with the BE virtual server. It should not, by definition, host Exchange information stores containing messaging data. Only the back-end servers contain information stores so that messaging data is not easily accessible from outside the organization.
Many organizations place FE servers in the perimeter network (also known as the DMZ) to segment the internal network from those servers requiring some degree of exposure to the Internet. As a result, ports must be opened on the firewall to enable the FE and BE servers to communicate. Other ports might also be necessary depending on the services being offered and the configuration of the messaging environment.
Table 13.1 lists the common inbound ports to open to the OWA FE servers.
| Protocol | TCP/UDP | Port Number |
|---|---|---|
| HTTP | TCP | 80 |
| HTTPS | TCP | 443 |
| SMTP | TCP | 25 |
| POP3 | TCP | 110 |
| IMAP | TCP | 143 |
Table 13.2 lists the commonly required ports between FE and BE Exchange Server 2003 servers. Some of these ports are optional, and the specific ports that the organization might require will vary depending on the messaging environment.
NOTE
SSL cannot be used between an FE and a BE server. If the organization's security policy dictates that communication between the FE and BE servers be encrypted, implement IPSec.
| Protocol | TCP/UDP | Port Number |
|---|---|---|
| HTTP | TCP | 80 |
| DNS Lookup | TCP/UDP | 53 |
| Kerberos | TCP/UDP | 88 |
| | TCP | 123 |
| RPC End Point Mapper | TCP | 135 |
| LDAP | TCP/UDP | 389 |
| Server Message Block (SMB) | TCP | 445 |
| Link State Algorithm | TCP | 691 |
| Global Catalog | TCP | 3268 |
The ports listed in Table 13.3 are optional.
| Protocol | TCP/UDP/ID | Port/ID Number |
|---|---|---|
| POP3 | TCP | 110 |
| IMAP | TCP | 143 |
| SMTP | TCP | 25 |
| RPC | TCP | 1024+ |
| IPSec | IP Protocol ID | 50, 51 |
| IPSec | UDP | 500 |
TIP
To avoid having to leave a large number of RPC ports open, statically map them to a standardized port number. To statically map the port, create a registry value called TCP/IP Port of type REG_DWORD under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.