TCP ports and Microsoft Exchange: In-depth discussion
This article was previously published under Q176466
This article has been archived. It is offered "as is" and will no longer be updated.
In troubleshooting communication between computers running Exchange Serverand between computers running Exchange Server and Exchange Client, youoften face the issue of the use of packet filtering (firewall), which canresult in an inability to communicate. In certain situations, you may needto monitor traffic on your network before introducing Exchange in yournetwork infrastructure, to ensure that communication can occur among thevarious Exchange components. This article addresses the frequently askedquestions of what ports need to be open when firewalls are used and whatports need to be monitored in the Microsoft Exchange organization.
In discussing network traffic associated with Exchange, there are sixscenarios:
- Communication between POP3 clients and Exchange Server computers. Two conditions exist:
- Downloading and retrieving messages
- Sending messages
- Communication between IMAP4 clients and Exchange Server computers. Two conditions exist:
- Downloading and retrieving messages
- Sending messages
- Communication between Exchange Server computers and LDAP (Lightweight Directory Access Protocol) clients.
- Communication between Exchange Client computers and Exchange Server computers.
- Communication between two Exchange Server computers in the same site (intrasite communication).
- Communication between two Exchange Server computers in different sites (intersite communication). This communication has two further distinctions:
- Intersite link uses site connector (RPC).
- Intersite link is an X.400 connector.
TERMINOLOGY: When discussing ports, two terms are often used: "well-known"and "ephemeral." "Well-known" represents ports below the 1024 range thatare used regularly and have in most cases a standardized assignment forcertain types of network service. "Ephemeral" represents all portsinclusive of and above the 1024 range.
An in-depth discussion follows of issues for each of the six scenariospresented above.
Communication between POP3 clients and Exchange Server computersExchange 5.0 supports POP3, a protocol used to retrieve messages from amail server. In addition to POP3 mail clients like Internet Mail and News,Windows CE Inbox, and Internet Mail Service for Windows, clients such asPegasus and Eudora Pro are often used to send and retrieve messages fromthe Exchange Server computer. This introduces a new angle to the discussionof the availability of TCP port access.
- Downloading and retrieving messagesPOP3 client access to messages on an Exchange Server computer is regulatedby the authentication method used. There are three such authenticationmethods. If Basic or Windows NT Challenge/Response authentication (WindowsNTLM authentication) is used, downloading and retrieval of messages using aPOP3 client requires access to TCP port 110. Exchange Server listens onport 110 for any incoming connection requests from POP3 clients for messagedownload. If the SSL (Secure Sockets Layer) authentication method is used,the Exchange Server computer listens on port 995. Therefore, if you aredesigning the packet filtering requirements of a network that includes anExchange installation, keep in mind the access to either TCP port 110 orTCP port 995 if POP3 is a supported protocol.
- Sending messagesWhen POP3 clients send messages, the Exchange Server computer iscommunicating with an SMTP (Simple Mail Transfer Protocol) host. Thisrequires access to TCP port 25. The Internet Mail Connector and theInternet Mail Service use TCP port 25 for inbound SMTP messages as definedby RFC-821. For inbound SMTP messages, the Internet Mail Connector andInternet Mail Service monitor port 25 for incoming connections from otherSMTP hosts. Microsoft Exchange Server supports POP3 as defined in the RFC-1734 and RFC- 1957 specifications.
Communication between IMAP4 clients and Exchange Server computersExchange version 5.5 supports IMAP4, the Internet Message Access Protocol.IMAP4 is a superset of POP3 and therefore supports all its features andsome additional ones. An example of an IMAP4 enhancement over POP3 is theability to search messages for key words while the messages are still onthe mail server. Users can then choose which messages to download to theirlocal computer. IMAP4 also allows access to public folders and personalfolders.
- Downloading and retrieving messagesThe ports that IMAP4 clients use when accessing messages on an ExchangeServer computer depend on the authentication method in use. With Basic orNTLM authentication and TCP, the IMAP4 server listens on TCP port 143 forany incoming connection requests from IMAP4 clients for message downloadand retrieval. If SSL authentication is used, however, the port on whichthe Exchange Server computer listens is TCP port 993. Router and firewallsetups should therefore take into consideration the access to TCP port 143or TCP port 993 when this protocol is a supported feature for messaging.
- Sending messagesAs discussed above for POP3 clients sending messages, when IMAP4 clientssend messages, the Exchange Server computer is communicating with an SMTPhost. This requires access to TCP port 25. The Internet Mail Connector andInternet Mail Service use TCP port 25 for inbound SMTP messages as definedby RFC-821. For inbound SMTP messages, the Internet Mail Connector andInternet Mail Service monitor port 25 for incoming connections from otherSMTP hosts.Microsoft Exchange Server supports IMAP4 as defined in the RFC-2060 and RFC-2061.
Communication between Exchange Server computers and LDAP clientsLDAP (Lightweight Directory Access Protocol) is a specification for clientaccess to the Exchange Server directory service to provide address bookfunctionality. It allows the client to connect to the directory and allowsinformation retrieval, addition, and modification. LDAP was introduced inExchange version 5.0.
For the LDAP client to connect to the Exchange Server computer, the portsthat need to be configured on the firewall are based purely on theauthentication method in use. With Basic authentication, the ExchangeServer computer listens on port 389. For SSL authentication, the port thatthe Exchange Server computer listens on is 636.Microsoft Exchange Server supports LDAP as defined in RFC-1777.
Communication between Exchange Server computers and NNTP clientsThe Network News Transport Protocol (NNTP) is widely used to post,distribute, and retrieve USENET messages. Clients can access thesenewsgroups as Exchange public folders. NNTP clients need to connect to theExchange Server computer via port 119. The proxy software or firewallshould take this into consideration when NNTP is supported. MicrosoftExchange Server supports NNTP as defined in RFC-977.
Communication between Exchange Client computers and Exchange Server computersAn Exchange Client computer on a LAN or WAN link uses remote procedure call(RPC) to communicate with an Exchange Server computer. The Exchange Servercomputer, an RPC- based application, uses TCP port 135, also referred to asthe location service that helps RPC applications to query for the portnumber of a service.
The Exchange Server computer monitors port 135 for client connections tothe RPC endpoint mapper service. After a client connects to a socket, theExchange Server computer allocates the client two random ports to use tocommunicate with the directory and the information store. The client doesnot communicate with other components of the Exchange Server computer.
If security concerns for a network infrastructure require blocking of anyports other than the ones used, then the random assignment of ports forcommunication with the directory and the information store can become aroadblock. To avoid this, Exchange Server versions 4.0 and later allow youto statically allocate these ports.
At this juncture, for successful communication between client and server,the firewall needs to be configured to allow TCP connections to port135 and all statically allocated ports. If you need to monitor trafficfor analysis, these are the ports to monitor.
Communication between two Exchange Server computers in the same siteAll intrasite communication between Exchange Server computers uses RPC.Consequently, access to TCP port 135 becomes an important variable in theability of Exchange Server computers to communicate if they are separatedusing routers and firewalls.
Communication between two Exchange Server computers within a site isbetween the two message transfer agents (MTAs) and the two directoryservices. No other components of the Exchange Server computers communicatedirectly.
As discussed above in client to server communication, an Exchange Servercomputer monitors port 135 for connections to the RPC endpoint mapperservice. When an initiating Exchange Server computer connects to a socket,the receiving Exchange Server computer assigns two random ports to use tocommunicate with the directory and the MTA.
Already discussed above was the possibility of static allocation of a TCPport for the directory to listen and communicate on a specific port number.With the release of Exchange Server 4.0 Service Pack 4 and all releases ofExchange Server 5.0, a similar adjustment can be made for the MTA. Theendpoint mapper will then relay the appropriate port number, so thatfurther communication can be achieved by going to the port numberspecified. For establishing a static allocation of port for the MTA, referto the latter part of Knowledge Base article 161931, "XCON: ConfiguringMTA TCP/IP Port # for X.400 and RPC Listens." This explains the use of theregistry value "TCP/IP port for RPC listens".
Consequently, for successful communication between two servers, thefirewall needs to be configured to allow TCP connections to port 135 andall statically allocated ports. If you need to monitor traffic foranalysis, these are the ports to monitor.
For more information about the ramifications and guidelines for staticport assignment of Exchange services, please see the following articlein the Microsoft Knowledge Base:
180795XADM: Intrasite Directory Replication Fails with Error 1720
Communication between two Exchange Server computers in different sites
- Intersite link uses site connector (RPC)Most of the discussion on intersite communication via site connectorsmirrors the situation of intrasite communication between Exchange Servercomputers. The only difference is that communication between ExchangeServer computers installed in two different sites is only via thecorresponding message transfer agents (MTAs).
Although you continue to need the services of the RPC locator service andthereby port 135, the only adjustment you may need for static allocation ofa port would be for the MTA. Again, refer to Knowledge Base articleQ161931, "XCON: Configuring MTA TCP/IP Port # for X.400 and RPC Listens."This article discusses the use of the registry value "TCP/IP port for RPClistens". This feature is available with Exchange Server Service Pack 4 andall releases of Exchange Server 5.0.
- Intersite link is an X.400 connectorIf the intersite link is an X.400 connector, then the communication betweenthe two Exchange Server computers continues to be between correspondingMTAs only. However, RPC is not the means of such communication.Communication between the MTAs follows the RFC1006: ISO over TCP/IP.Consequently Exchange Server computers, by default, use TCP port 102 forall such communication between the MTAs. There is no need for TCP port 135as far the Exchange communication is concerned, because no RPC traffic isinvolved.
Exchange Server Service Pack 4 and all releases of Exchange Server 5.0provide the ability to change this default port assignment of port 102.Article 161931, referred to above, discusses the use of the registry value"RFC1006 Port Number".
In this setting, for successful communication between two servers, thefirewall must be configured to allow TCP connections to TCP port 102 orthe manually assigned replacement port. If you need to monitor traffic foranalysis, these are the ports to monitor.
IMPORTANT: If the port number for RFC1006 is changed from the default valueof 102 on one server, then it is absolutely essential that all serverscommunicating via the X.400 connector incorporate this change. All MTAsmust use the same port number.
Finally, as you analyze your specific situation, keep in mind that severalcombinations of the above situations can exist in an Exchangeinfrastructure.
Article ID: 176466 - Last Review: 12/05/2015 08:10:13 - Revision: 3.4
Microsoft Exchange Server 4.0 Standard Edition, Microsoft Exchange Server 5.0 Standard Edition, Microsoft Exchange Server 5.5 Standard Edition
- kbnosurvey kbarchive kbusage KB176466