Exchange 2000 Windows 2000 connectivity through firewalls
This article was previously published under Q280132
This article describes how to install Exchange 2000 Server
and Outlook Web Access 5.5 on computers that are isolated from their Microsoft
Windows 2000 networks by a firewall and are in a perimeter network (also known
as DMZ, demilitarized zone, and screened subnet) Ethernet environment. Before
any Exchange 2000 connectivity can be attempted, the firewall must be
configured to permit Windows 2000 logon and networking traffic.
NOTE: This article discusses Windows 2000 traffic and connectivity
This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
How to back up and restore the registry in Windows
To install Exchange 2000 and Outlook Web Access
5.5 on computers that are isolated from their Microsoft Windows 2000 networks
by a firewall and are in a perimeter network Ethernet environment:
- Enable Windows 2000 Server-based computers to log on to the domain through the firewall by opening the following ports for incoming traffic:
- 53 (Transmission Control Protocol [TCP], User Datagram Protocol [UDP]) - Domain Name System (DNS) to all DNS servers listed in the front-end server's IP configuration.
- 80 (TCP) - Required for Exchange 2000 Outlook Web Access, for HTTP between the Exchange front-end and back-end servers.
- 88 (TCP, UDP) - Kerberos authentication to all domain controllers that are in the same Active Directory site as the Exchange front-end server.
- 123 (UDP) - Network Time Protocol (NTP), used by the Windows Time service, to all domain controllers that are in the same Active Directory site as the Exchange front-end server. This is not required for the logon exchange itself, but Kerberos rejects tickets when the clocks of the front-end server and the domain controller differ by more than the permitted skew (5 minutes by default), so the front-end server must stay synchronized by some route; the network administrator may configure or require this one.
- 135 (TCP) - RPC Endpoint Mapper to all domain controllers that are in the same Active Directory site as the Exchange front-end server.
- 389 (TCP, UDP) - Lightweight Directory Access Protocol (LDAP) to all domain controllers that are in the same Active Directory site as the Exchange front-end server.
- 445 (TCP) - Server Message Block (SMB) for Netlogon, LDAP conversion and Microsoft Distributed File System (DFS) discovery to all domain controllers that are in the same Active Directory site as the Exchange front-end server.
- 3268 (TCP) - LDAP to global catalog servers.
One additional port for the Active Directory logon and directory
replication RPC interfaces (universally unique identifiers [UUIDs]
12345678-1234-abcd-ef00-01234567cffb, the Netlogon interface, and
e3514235-4b06-11d1-ab04-00c04fc2dcd2, the directory replication service interface).
The domain controller picks this port dynamically when it starts, typically 1025
or 1026, so a firewall rule cannot anticipate it; the value is not set in the
DSProxy or System Attendant (MAD) source code either. Therefore, you must fix the
port in the registry on every domain controller that the Exchange 2000 computer
must contact through the firewall to process logons, and then open that port on
the firewall. The Exchange server learns the port from the RPC Endpoint Mapper
(port 135), which is why port 135 must be open as well.
To map the port in the registry:
- Start Registry Editor (Regedt32.exe).
- Locate the following key in the registry:
- On the Edit menu, click Add Value, and then add the following registry value:
Value Name: TCP/IP Port
Data Type: REG_DWORD
Value: greater than 1024
- Quit Registry Editor.
Make sure that the slash in "TCP/IP" is a forward slash, and that the value that
you assign is greater than 1024, in decimal format. That number is the extra port
that you have to open (TCP, UDP) on the firewall. Setting this registry value on
every domain controller inside the firewall does not affect performance, and
covers any logon request redirects that occur because of servers that are down,
roles that change, or
- For the domain controller inside the firewall to answer the external
front-end server, the firewall must also pass return traffic to ports 1024
through 65535 on the external computer. The computer that initiates a connection
uses a dynamically assigned (ephemeral) source port that cannot be fixed in
advance. A stateful firewall tracks these return flows automatically; a static
packet filter needs the explicit rule.
- When a Windows 2000 Server-based computer logs on to the domain through the firewall, the logon includes a sequence of ping requests (ICMP echo) to the domain controller. Windows 2000 uses the measured round-trip times to decide whether the client computer is reaching the domain controller over a slow link, which determines whether Group Policy is applied and whether a roaming user profile is downloaded.
- Install Exchange 2000 on the external computer. You do not
need any additional ports open to install Exchange 2000 on the external computer.
- Install Outlook Web Access 5.5 on the external computer. To
install Outlook Web Access 5.5 on the external computer against a Microsoft
Exchange Server 5.5 computer that is running on the internal network, inside the
firewall, you need the Windows 2000 ports discussed previously, plus static RPC
endpoint mappings for the Exchange Server 5.5 directory service (UUID
f5cc5a18-4264-101a-8c59-08002b2f8426), information store (UUID
a4f1db00-ca47-1067-b31f-00dd010662da), and system attendant (UUID
For more information about how to set up these static
mappings, click the following article number to view the article in the Microsoft Knowledge Base:
OWA Setup error message: "There are no more endpoints available from the Endpoint Mapper"
- Configure Exchange 2000 front-end and back-end
connectivity. Front-end to back-end communication requires only the ports for
the protocols that the front-end server proxies to the back-end servers (for
example, port 80 [TCP] for Web client [Outlook Web Access] traffic, port 143
[TCP] for IMAP, port 110 [TCP] for POP3, and so on). Any connectivity over
secured protocols such as IPsec, or Secure Sockets Layer (SSL)-protected HTTP,
Internet Message Access Protocol (IMAP), or Post Office Protocol version 3
(POP3), requires additional configuration that this article does not cover.
If the front-end server in the perimeter network is on a different subnet, add that subnet in the Active Directory Sites and Services snap-in and associate it with the site that contains the domain controllers the front-end server should use; otherwise site-aware discovery cannot place the front-end server in a site, and it may select domain controllers that the firewall rules do not cover.
In a perimeter network Ethernet environment, you also have
to define TCP/IP routes from the computer in the perimeter network to
every computer in the internal network that it has to communicate with.
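As an added example (not part of the Knowledge Base article), the following PowerShell runs on the front-end server in the perimeter network and checks that the firewall passes the TCP ports listed above to each domain controller, global catalog and back-end server, reads the pinned RPC port from each domain controller so that it is probed too, and provides a function to set that port on a domain controller with the previous value recorded first. The registry key path HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters, the host names and the function names are assumptions; the page itself preserves only the value name "TCP/IP Port". UDP listeners (53, 88, 123, 389) cannot be verified with a TCP connect and are not probed.

```powershell
# Added example, not from the KB article. Run on the Exchange 2000 front-end
# server in the perimeter network. Host names below are placeholders.
# ASSUMPTION: the key holding the article's "TCP/IP Port" value is
# HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters (not preserved on the page).

# TCP ports from the article's list, by target role. UDP cannot be probed this way.
$DcPorts      = @{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC Endpoint Mapper'; 389 = 'LDAP'; 445 = 'SMB (Netlogon, DFS)' }
$GcPorts      = @{ 3268 = 'LDAP to global catalog' }
$BackEndPorts = @{ 80 = 'HTTP front-end to back-end' }

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    # TcpClient with an explicit timeout: a firewall that silently drops the
    # SYN would otherwise hang the probe for the OS default (tens of seconds).
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Get-PinnedRpcPort {
    param([string]$DomainController)
    # Reads "TCP/IP Port" through the Remote Registry service (rides on TCP 445,
    # which the article already requires). Returns $null when nothing is pinned.
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $DomainController)
    try {
        $key = $base.OpenSubKey('SYSTEM\CurrentControlSet\Services\NTDS\Parameters')  # assumed path
        if ($key) { return $key.GetValue('TCP/IP Port') }
        return $null
    } finally { $base.Close() }
}

function Test-FirewallMatrix {
    param([string[]]$DomainControllers, [string[]]$GlobalCatalogs, [string[]]$BackEnds)
    $targets = @()
    foreach ($dc in $DomainControllers) {
        $ports = @{} + $DcPorts
        $rpc = Get-PinnedRpcPort -DomainController $dc
        if ($rpc) { $ports[[int]$rpc] = 'Pinned AD logon/replication RPC port' }
        else { Write-Warning "$dc has no pinned TCP/IP Port; its logon RPC port is random (>1024) at each start" }
        foreach ($p in $ports.Keys) { $targets += ,@($dc, $p, $ports[$p]) }
    }
    foreach ($gc in $GlobalCatalogs) { foreach ($p in $GcPorts.Keys)      { $targets += ,@($gc, $p, $GcPorts[$p]) } }
    foreach ($be in $BackEnds)       { foreach ($p in $BackEndPorts.Keys) { $targets += ,@($be, $p, $BackEndPorts[$p]) } }
    foreach ($t in $targets) {
        New-Object PSObject -Property @{ Host = $t[0]; Port = $t[1]; Service = $t[2]; Open = (Test-TcpPort -ComputerName $t[0] -Port $t[1]) }
    }
}

function Set-PinnedRpcPort {
    param([int]$Port)
    # Run ON the domain controller. Records the previous value first (the
    # article's registry warning), then writes a decimal REG_DWORD > 1024 under
    # the value name with the forward slash. Effective after the domain
    # controller restarts; then open $Port on the firewall (the article lists TCP and UDP).
    if ($Port -le 1024) { throw 'Port must be greater than 1024' }
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'   # assumed path
    $old = (Get-ItemProperty -Path $path -Name 'TCP/IP Port' -ErrorAction SilentlyContinue).'TCP/IP Port'
    "$(Get-Date -Format s) previous TCP/IP Port: $old" | Add-Content -Path "$env:TEMP\ntds-port-backup.txt"
    New-ItemProperty -Path $path -Name 'TCP/IP Port' -PropertyType DWord -Value $Port -Force | Out-Null
}

# Example run (placeholder names). Any row with Open = False is a firewall rule to fix.
Test-FirewallMatrix -DomainControllers 'dc1.corp.example','dc2.corp.example' `
                    -GlobalCatalogs 'dc1.corp.example' -BackEnds 'exbe1.corp.example' |
    Sort-Object Host, Port | Format-Table Host, Port, Service, Open -AutoSize
```

Run the matrix once before pinning the port to see the warning for each unpinned domain controller, and again after the domain controllers restart: the pinned port then appears as its own row, and a False there means the firewall rule for the extra port is missing. The remote registry read only works if TCP 445 is already open, so a failure in Get-PinnedRpcPort is itself evidence about the SMB rule.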
NOTE: In a perimeter network firewall scenario, there is no Internet
Control Message Protocol (ICMP) connectivity between the Exchange 2000 server
and the domain controllers. By default, Directory Access (DSAccess) uses ICMP
to ping each server that it connects to determine whether the server is
available. When there is no ICMP connectivity, Directory Access responds as if
every domain controller is unavailable.
For more information about how to turn off
the Directory Access ping by creating a registry key, click the following article number to view the article in the Microsoft Knowledge Base:
Using DSAccess in a perimeter network firewall scenario requires a registry key setting
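As an added example (not part of the Knowledge Base article), the following PowerShell shows the condition the note describes: the domain controller answers LDAP on TCP 389 but not ICMP echo, so a ping-based liveness check wrongly reports it as down. It then provides a function that applies the DSAccess setting. The registry location and value (HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeDSAccess\Instance0, LdapKeepAliveSecs = 0) come from the referenced Knowledge Base article and are an assumption here, since this page does not reproduce them; host names and function names are placeholders.

```powershell
# Added example, not from the KB article. Run on the Exchange 2000 front-end server.
# ASSUMPTION (from the referenced KB, not preserved on this page): the DSAccess ping is
# turned off with LdapKeepAliveSecs = 0 (REG_DWORD) under
# HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeDSAccess\Instance0.

function Test-DsAccessReachability {
    param([string[]]$DomainControllers, [int]$TimeoutMs = 2000)
    foreach ($dc in $DomainControllers) {
        # ICMP echo, which DSAccess uses by default to decide whether a DC is alive.
        $icmp = $false
        try {
            $reply = (New-Object System.Net.NetworkInformation.Ping).Send($dc, $TimeoutMs)
            $icmp = ($reply.Status -eq 'Success')
        } catch { }
        # LDAP over TCP 389, the port DSAccess actually needs to do its work.
        $ldap = $false
        $tcp = New-Object System.Net.Sockets.TcpClient
        try {
            $ar = $tcp.BeginConnect($dc, 389, $null, $null)
            if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { $tcp.EndConnect($ar); $ldap = $true }
        } catch { } finally { $tcp.Close() }
        $verdict = if ($ldap -and -not $icmp) { 'Perimeter scenario: LDAP works, ICMP blocked; disable DSAccess ping' }
                   elseif ($ldap)             { 'OK: both ICMP and LDAP reachable' }
                   else                        { 'LDAP unreachable: firewall rule or domain controller problem' }
        New-Object PSObject -Property @{ DomainController = $dc; IcmpEcho = $icmp; Ldap389 = $ldap; Verdict = $verdict }
    }
}

function Disable-DsAccessPing {
    # Key and value name assumed from the referenced KB article. Exchange services
    # (System Attendant and its dependents) must be restarted for DSAccess to read it.
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeDSAccess\Instance0'
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name 'LdapKeepAliveSecs' -PropertyType DWord -Value 0 -Force | Out-Null
}

# Example run (placeholder names).
Test-DsAccessReachability -DomainControllers 'dc1.corp.example','dc2.corp.example' |
    Format-Table DomainController, IcmpEcho, Ldap389, Verdict -AutoSize
```

The useful output is the disagreement between the two columns: IcmpEcho False with Ldap389 True for every domain controller is the firewall design the note describes, not an outage, and is the case for Disable-DsAccessPing. If Ldap389 is also False, fix the firewall rules from the port list first; the registry setting does not help a DSAccess that cannot reach LDAP at all.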
Article ID: 280132 - Last Review: February 21, 2007 - Revision: 8.4
- Microsoft Outlook Web Access 5.5 SP 1
- Microsoft Exchange Server 5.5 Service Pack 2
- Microsoft Exchange Server 5.5 Service Pack 3
- Microsoft Exchange 2000 Server Standard Edition