Windows 2000 Exchange Server in the DMZ

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

Placing your Exchange 2000 server in the DMZ is a convenient way to serve both internal and external mail clients while denying external clients any direct connection to your internal network. Following is a brief guide to which ports to open. On the back end (DMZ -> intranet), the Exchange 2000 server must reach your internal domain controllers to authenticate and validate client requests for e-mail services. Note that these back-end rules let a host that is reachable from the Internet speak RPC, SMB and LDAP to your domain controllers, so restrict them to the addresses of the specific domain controllers rather than the whole intranet. On the front end (Internet -> DMZ), clients on the Internet must be able to reach the Exchange 2000 server now residing in your DMZ.

Windows 2000 : DMZ -> Intranet

  • UDP/TCP 53 : Domain Name System
  • UDP/TCP 88 : Kerberos Authentication
  • TCP 123 : Network Time Protocol
    Kerberos authentication require that you synchronize the time of your Exchange server and domain controllers.
  • TCP 135 : DEC Endpoint Resolution
    also known as RPC Endpoint Mapper
  • UDP/TCP 389 : Lightweight Directory Access
  • TCP 445 : Microsoft Directory Service
  • TCP 3268 : LDAP to global catalog servers
  • AD logon and directory replication port
    you need to allow a high port for Active Directory logon and directory replication. Default, this high port is dynamically chosen when the server starts, but you need to statically map it :

    Hive: HKEY_LOCAL_MACHINE
    Key: System\CurrentControlSet\Services\NTDS\Parameters
    Name: TCP/IP Port
    Type: REG_DWORD
    Value: decimal value greater than 1024

Windows 2000 : Internet -> DMZ

You need to open TCP 25 (SMTP) in both directions (Internet <-> DMZ) so the server can exchange mail with other mail servers on the Internet.

Exchange 2000 supports several client access types: MAPI, IMAP4, POP3 and Web (Outlook Web Access). Open the port for each access type you allow (TCP 110 for POP3, TCP 143 for IMAP4, TCP 80 or 443 for Outlook Web Access). MAPI is the protocol of choice for Outlook clients talking to Exchange; it runs over RPC, so the ports it uses are dynamic unless you pin them. To let Outlook clients on the Internet connect over MAPI you must allow the endpoint mapper and statically map the RPC interfaces it uses:

  • TCP 135 : DCE Endpoint Resolution
    also known as RPC Endpoint Mapper
  • Statically map the following interfaces (each value is a REG_DWORD holding the port number; the services pick the ports up only after a restart):
    • Microsoft Exchange System Attendant RFR (referral) interface

      Hive: HKEY_LOCAL_MACHINE
      Key: System\CurrentControlSet\Services\MSExchangeSA\Parameters
      Name: TCP/IP Port
      Type: REG_DWORD
      Value: decimal value greater than 1024

    • Microsoft Exchange Directory NSPI (Name Service Provider Interface) Proxy Interface, also hosted by the System Attendant

      Hive: HKEY_LOCAL_MACHINE
      Key: System\CurrentControlSet\Services\MSExchangeSA\Parameters
      Name: TCP/IP NSPI port
      Type: REG_DWORD
      Value: decimal value greater than 1024

    • Microsoft Exchange Information Store Interface :

      Hive: HKEY_LOCAL_MACHINE
      Key: System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
      Name: TCP/IP port
      Type: REG_DWORD
      Value: decimal value greater than 1024
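The two static-mapping procedures above (the NTDS port on the domain controllers, and the three Exchange interfaces on the DMZ server) carried out and checked from a script, as an added example that is not part of the original article. It assumes a box where PowerShell is available (on a stock Windows 2000 system the same values are set with regedit); the port numbers 4000 and 2000-2002 are arbitrary assumptions, and the registry keys and value names are the ones listed above.

```powershell
# Added example (not from the original article): statically map the RPC ports
# listed above and verify them after the reboot.  The port numbers 4000 and
# 2000-2002 are arbitrary assumptions; choose your own, but keep them above 1024
# and out of Windows 2000's 1025-5000 ephemeral range so a client socket cannot
# grab them before the service starts.

$StaticPorts = @{
    # Apply the 'DC' set on each internal domain controller the DMZ host talks to
    DC = @(
        @{ Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
           Name = 'TCP/IP Port'; Port = 4000; Desc = 'AD logon / replication' }
    )
    # Apply the 'Exchange' set on the Exchange 2000 server in the DMZ
    Exchange = @(
        @{ Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters'
           Name = 'TCP/IP Port';      Port = 2000; Desc = 'System Attendant RFR' }
        @{ Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters'
           Name = 'TCP/IP NSPI Port'; Port = 2001; Desc = 'NSPI proxy' }
        @{ Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem'
           Name = 'TCP/IP Port';      Port = 2002; Desc = 'Information Store' }
    )
}

function Set-StaticRpcPort {
    param([string]$Key, [string]$Name, [int]$Port)
    if ($Port -le 1024 -or $Port -ge 65535) { throw "Port $Port is out of range for $Name" }
    # Refuse a port something already listens on; the mapping would fail at start-up.
    if (netstat -an | Select-String -Pattern ":$Port\s+\S+\s+LISTENING") {
        throw "Port $Port is already in use on this host, pick another"
    }
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name $Name -Value $Port -Type DWord
    # Read it back: a typo in the value name leaves the service on a dynamic port
    # and the firewall rule you open for it will never match.
    $actual = (Get-ItemProperty -Path $Key -Name $Name).$Name
    if ($actual -ne $Port) { throw "Readback of '$Name' under $Key gave $actual, expected $Port" }
}

function Test-StaticRpcPort {
    # After the reboot, confirm the service really listens on the mapped port.
    # netstat -an ships with every Windows version, so this also works on Windows 2000.
    param([int]$Port, [string]$Desc)
    $hit = netstat -an | Select-String -Pattern "TCP\s+\S+:$Port\s+\S+\s+LISTENING"
    if ($hit) { "OK   $Desc listening on TCP $Port" }
    else      { "FAIL $Desc not listening on TCP $Port (reboot pending, or value name wrong)" }
}

# Usage: select the role of the box you are on, apply, reboot, then run the check.
$role = 'Exchange'   # or 'DC'
foreach ($p in $StaticPorts[$role]) {
    Set-StaticRpcPort -Key $p.Key -Name $p.Name -Port $p.Port
    "$($p.Desc): '$($p.Name)' = $($p.Port) under $($p.Key)"
}
# After the reboot:
# foreach ($p in $StaticPorts[$role]) { Test-StaticRpcPort -Port $p.Port -Desc $p.Desc }
```

Once the check reports all three Exchange ports listening, the Internet -> DMZ rule set for MAPI is TCP 25, TCP 135 and the three static ports (here 2000, 2001 and 2002); the DMZ -> intranet rule set adds the NTDS port (here 4000) on top of the list in the first section. Run the script as an administrator on each host, and re-run the check after every reboot, since a service that fails to bind its static port falls back to a dynamic one without any warning in the firewall logs.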
