#1
| Hi, I'm about to install Exchange 2003 in our organization. I'd like to know (get confirmation) which ports I need to open between the Exchange and the domain controller. I'm guessing: 88 (Kerberos) 389 (LDAP) 3268 (GC, is this even needed?) Is that enough or too much? I'll need some confirmation, thanks in advance. Regards, Tony |
|
#2
| The recommended practice would be to install Exchange Server 2003 into a subnet that contains a Domain Controller, preferably one that is a Global Catalog server. Both of these servers would be installed behind your firewall on your private network. You would not have a firewall installed between the Exchange server and a domain controller, so you would not need to open specific ports. -- Hope that helps, Rand Williams This posting is provided "AS IS" with no warranties, and confers no rights. Please do not send email to this address, post a reply to this newsgroup. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm |
|
#3
| Ok, that was my recommendation. But, we want to use web-mail (forward tcp 80) and the security team will not allow that. That is why the Exchange server will be placed in the DMZ, which is why I need to know which ports to open between EX and the DC. Thanks for your reply. Regards, Tony |
|
#4
| Hi, Tell your security team that this is a most insecure way of doing things. The recommended way would be to install an ISA server in the DMZ and then publish the OWA server located on the LAN. This way you would only have to open one port from the DMZ to the LAN. If the Exchange server is located in the DMZ you have to open app. 10 IP ports. Leif |
|
#5
| The recommended solution would be to use SSL and port 443. From a security standpoint the recommendation is to have an ISA server installed in a DMZ (Perimeter Network) and to have your Front End server behind the Internal Firewall. This will give you the most secure solution. -- Hope that helps, Rand Williams |
|
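The trade-off raised in posts #4 and #5, as an added example that is not part of the original thread: a small audit that compares how much a DMZ-to-LAN rule set opens when Exchange itself sits in the DMZ versus when only OWA is published over port 443. The service list is the generic set of well-known ports a Windows domain member uses toward a DC, the dynamic RPC range and all rule sets are constructed assumptions, and the function names are hypothetical.

```python
"""Audit DMZ->LAN firewall openings for the topologies discussed in this thread."""

# Well-known ports a Windows domain member commonly needs on a DC/GC.
# Assumption: generic Active Directory member list, not the Exchange-specific
# list in KB 280132 cited later in the thread.
REQUIRED = {
    "DNS": [("tcp", 53), ("udp", 53)],
    "Kerberos": [("tcp", 88), ("udp", 88)],
    "RPC endpoint mapper": [("tcp", 135)],
    "LDAP": [("tcp", 389), ("udp", 389)],
    "SMB": [("tcp", 445)],
    "Global Catalog": [("tcp", 3268)],
}
# Assumption: RPC services behind port 135 answer on an unrestricted high range.
RPC_DYNAMIC = ("tcp", 1024, 65535)

def allows(rules, proto, port):
    """True if any (proto, low, high) rule covers proto/port."""
    return any(p == proto and lo <= port <= hi for p, lo, hi in rules)

def missing_services(rules):
    """Required services with at least one flow the rule set does not allow."""
    return sorted(name for name, flows in REQUIRED.items()
                  if not all(allows(rules, pr, po) for pr, po in flows))

def opened_ports(rules):
    """Number of protocol/port pairs the rule set opens toward the LAN."""
    return sum(hi - lo + 1 for _, lo, hi in rules)

def wide_rules(rules, limit=100):
    """Rules spanning more than `limit` ports; these deserve a narrower range."""
    return [r for r in rules if r[2] - r[1] + 1 > limit]

# Constructed rule sets as (proto, low port, high port), DMZ -> LAN direction only.
GUESS = [("tcp", 88, 88), ("udp", 88, 88), ("tcp", 389, 389),
         ("udp", 389, 389), ("tcp", 3268, 3268)]            # ports from post #1
EXCHANGE_IN_DMZ = [(pr, po, po) for flows in REQUIRED.values()
                   for pr, po in flows] + [RPC_DYNAMIC]
PUBLISHED = [("tcp", 443, 443)]   # proxy in the DMZ publishing OWA over SSL

if __name__ == "__main__":
    print("post #1 guess lacks:", missing_services(GUESS))
    print("Exchange in DMZ opens:", opened_ports(EXCHANGE_IN_DMZ),
          "wide:", wide_rules(EXCHANGE_IN_DMZ))
    print("published OWA opens:", opened_ports(PUBLISHED))
```

Restricting the dynamic RPC range on the DC and replacing `RPC_DYNAMIC` with that narrower range shows how much of the exposure comes from RPC alone.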
#6
| Thanks for your reply. I'll see what I can do about that. Running Exchange and the DC in internal network would make things a lot easier but I don't think that's an option in this case. Anything that is accessible from the outside must reside in the DMZ, company policy, if you know what I mean. We won't be using ISA server anywhere since we already have firewalls in place. Does ISA offer something to the scenario or would it work with any firewall? Thanks again for your tips. Regards, Tony |
|
#7
| Dear Tony, Thank you for posting here. Thanks Rand and Leif for sharing great experience. First, I agree with Rand and Leif, it is better to set Exchange Server and Domain Controller in the Internal Network for the security consideration. If you still prefer to set them in DMZ and internal network separately, you may refer to the article below to open the port for the communication. 280132 XCCC: Exchange 2000 Windows 2000 Connectivity Through Firewalls http://support.microsoft.com/?id=280132 Meanwhile, as a secure and convenient alternative, you can configure Front-End and Back-End Topology with FE in DMZ and BE in internal network so that it can secure the internal network with less port communication. For more information, please refer to the White Paper: Exchange Server 2003 and Exchange 2000 Server Front-End and Back-End Topology. Exchange Server 2003 and Exchange 2000 Server Front-End and Back-End Topology http://www.microsoft.com/technet/pro...rary/febetop.mspx Hope this helps. Please let me know if you have any other concerns or questions. Thanks and have a nice day! Thanks & Regards, Lee Li Microsoft Online Partner Support |
|
#8
| Thanks everyone for your tips. I'll begin with the setup soon and I'll have to discuss some of these options with the others involved. Thanks Lee for the links. Regards, Tony |
|
#9
| Hi Tony, Thank you for your update. If you have any other questions or concerns, please do not hesitate to contact us. It is always our pleasure to be of assistance. Lee Li |