Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
Static port mappings for MAPI client computers to connect to Exchange 2000 Server or Exchange Server 2003 through a firewall
To enable earlier-version MAPI client computers to connect to Exchange 2000 Server or Exchange Server 2003 through a firewall, add entries to the registry to make the ports that are assigned to these connections static. To do this, follow these steps:
1. Start Registry Editor.
2. Locate and then click to select the following key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters
3. Add the following entry for the Microsoft Exchange SA RFR Interface:
   Value name: TCP/IP Port
   Value type: REG_DWORD
   Value data: The port number to be assigned, in decimal format
   Make sure that you assign a different port to each of these registry entries. If you run the netstat -an command at a command prompt, you can view all TCP/IP connections and listening ports in numeric format. You must use an unused port for the static mappings.
   For more information about the guidelines for static port assignment of Exchange Server, click the following article number to view the article in the Microsoft Knowledge Base:
   154596 How to configure RPC dynamic port allocation to work with firewalls
4. Locate and then click to select the following key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters
5. Add the following registry value for the Microsoft Exchange Directory NSPI Proxy Interface:
   Value name: TCP/IP NSPI Port
   Value type: REG_DWORD
   Value data: The port number to be assigned, in decimal format
6. Locate and then click to select the following key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
7. Add the following registry value for the Microsoft Exchange Information Store Interface:
   Value name: TCP/IP Port
   Value type: REG_DWORD
   Value data: The port number to be assigned, in decimal format
8. Locate and then click to select the following key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeSRS\Parameters
9. Add the following registry value for the Microsoft Exchange Site Replication Service (SRS):
   Value name: TCP/IP
   Value type: REG_DWORD
   Value data: The port number to be assigned, in decimal format
10. Exit Registry Editor.
11. Restart the computer.
After you complete these steps, configure the packet filter or firewall to enable TCP connections to be made to port 135 for the Microsoft Exchange System Attendant service and the ports that you assigned in steps 3, 5, 7, and 9.
If you make these changes on a server that is running Exchange 2000 Server or Exchange Server 2003 and that is installed on a global catalog server, follow these steps:
1. Start Registry Editor.
2. Locate and then click to select the following key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
3. Add the following registry value:
   Value name: TCP/IP Port
   Value type: REG_DWORD
   Base: Decimal
   Value data: The port number to be assigned, in decimal format
4. Exit Registry Editor.
Restart the global catalog server so that the static mapping is read when the Name Service Provider Interface (NSPI) is initialized.
Note The port number that is selected should not conflict with other programs. If the port number conflicts with other programs, the NSPI will not start.
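The following PowerShell script is an added example, not part of the original article: it applies the four Exchange 2000/2003 mappings above after the checks the article asks for (distinct ports, none already shown by netstat -an), and, rerun with -Verify after the restart, confirms that each service is actually listening on its static port. The ports 5010 to 5013 are placeholders chosen for this example; the key/name pairs are the ones listed in the steps above.

```powershell
param([switch]$Verify)  # no switch: check and write the mappings; -Verify: confirm them after the restart
# Placeholder ports for this example; choose ports that netstat -an shows as unused on your server.
$Mappings = @(
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters';       Name = 'TCP/IP Port';      Port = 5010 }  # SA RFR interface
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters';       Name = 'TCP/IP NSPI Port'; Port = 5011 }  # Directory NSPI proxy
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem'; Name = 'TCP/IP Port';      Port = 5012 }  # Information Store
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeSRS\Parameters';      Name = 'TCP/IP';           Port = 5013 }  # Site Replication Service
)   # On a global catalog server, add NTDS\Parameters with Name 'TCP/IP Port' to this list as well.
# Parse netstat -an into a table of local port -> state from lines such as
# "  TCP    0.0.0.0:135    0.0.0.0:0    LISTENING"; a TCP listener wins over a UDP binding on the same port.
function Get-LocalPorts {
    $ports = @{}
    netstat -an | ForEach-Object {
        if ($_ -match '^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+\s*(\S*)') {
            $p = [int]$Matches[2]
            if ($Matches[3] -eq 'LISTENING' -or -not $ports.ContainsKey($p)) { $ports[$p] = $Matches[3] }
        }
    }
    return $ports
}
# Before the change: the article requires a distinct port per entry, and one that nothing is using.
function Test-PortsFree($mappings, $inUse) {
    $seen = @{}
    foreach ($m in $mappings) {
        if ($m.Port -lt 1 -or $m.Port -gt 65535) { throw "Port $($m.Port) is out of range" }
        if ($seen.ContainsKey($m.Port))          { throw "Port $($m.Port) is assigned to two entries" }
        if ($inUse.ContainsKey($m.Port))         { throw "Port $($m.Port) is already in use (see netstat -an)" }
        $seen[$m.Port] = $true
    }
}
# Write each value as REG_DWORD; the value name keeps its forward slash ("TCP/IP ...").
function Set-StaticPorts($mappings) {
    foreach ($m in $mappings) {
        New-ItemProperty -Path $m.Key -Name $m.Name -PropertyType DWord -Value $m.Port -Force -ErrorAction Stop | Out-Null
    }
}
# After the restart: a service whose static port was taken by another process still starts,
# so check that the registry still holds the expected port and that the port is actually LISTENING.
function Test-PortsListening($mappings, $inUse) {
    $bad = @()
    foreach ($m in $mappings) {
        $current = (Get-ItemProperty -Path $m.Key -Name $m.Name -ErrorAction Stop).($m.Name)
        if ($current -ne $m.Port -or $inUse[$m.Port] -ne 'LISTENING') { $bad += "$($m.Name)=$($m.Port)" }
    }
    return $bad
}
$inUse = Get-LocalPorts
if ($Verify) {
    $bad = @(Test-PortsListening $Mappings $inUse)
    if ($bad.Count) { Write-Warning "Not listening on static port(s): $($bad -join ', ')" } else { 'All static ports are listening.' }
} else {
    Test-PortsFree $Mappings $inUse
    Set-StaticPorts $Mappings
    'Mappings written. Restart the server, open TCP 135 and these ports on the firewall, then rerun with -Verify.'
}
```

The same functions work for the Exchange Server 5.5 keys (MSExchangeDS\Parameters and MSExchangeIS\ParametersSystem) by changing the entries in $Mappings.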
Static port mappings for MAPI client computers to connect to Exchange Server 5.5 through a firewall
To enable earlier-version MAPI client computers to connect to Exchange Server 5.5 through a firewall, add entries to the registry to make the ports that are assigned to these connections static. To do this, follow these steps:
1. Start Registry Editor.
2. Locate and then click to select the following subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeDS\Parameters
3. Add the following registry value:
   Value name: TCP/IP Port
   Value type: REG_DWORD
   Base: Decimal
   Value data: 5000
   Note We recommend that you assign ports in the 5000 - 65535 (decimal) range.
   For more information about the guidelines for static port assignments of Exchange Server services, click the following article number to view the article in the Microsoft Knowledge Base:
   154596 How to configure RPC dynamic port allocation to work with firewalls
4. Locate and then click to select the following subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
5. Add the following registry value:
   Value name: TCP/IP Port
   Value type: REG_DWORD
   Base: Decimal
   Value data: 5001
   Note We recommend that you assign ports in the 5000 - 65535 (decimal) range.
6. Exit Registry Editor.
7. Restart the computer.
After you complete these steps, configure the packet filter or firewall to allow Transmission Control Protocol (TCP) connections to be made to port 135 for the Microsoft Exchange System Attendant service, and to the ports that you assigned in steps 3 and 5.
Statically map the ports for a front-end server in a perimeter network Ethernet environment so that the computer can log on to the network and communicate with the back-end servers
To install Exchange Server 2003 or Exchange 2000 Server on computers that are isolated from their Windows Server 2003 or Microsoft Windows 2000 networks by a firewall and that are in a perimeter network Ethernet environment, follow these steps:
1. To enable Windows Server 2003-based computers or Windows 2000-based computers to log on to the domain through the firewall, open the following ports for incoming traffic:
   - 53 (Transmission Control Protocol [TCP], User Datagram Protocol [UDP]) - Domain Name System (DNS).
   - 80 (TCP) - Required for Outlook Web Access, for communication between front-end and back-end Exchange servers.
   - 88 (TCP, UDP) - Kerberos authentication.
   - 123 (UDP) - Windows Time Synchronization Protocol (NTP). This is not required for Windows 2000 logon capability. However, it may be configured or required by the network administrator.
   - 135 (TCP) - EndPointMapper.
   - 389 (TCP, UDP) - Lightweight Directory Access Protocol (LDAP).
   - 445 (TCP) - Server message block (SMB) for Netlogon, LDAP conversion, and Microsoft Distributed File System (DFS) discovery.
   - 3268 (TCP) - LDAP to global catalog servers.
   - One port for the Active Directory logon and directory replication interface (universally unique identifiers [UUIDs] 12345678-1234-abcd-ef00-01234567cffb and 3514235-4b06-11d1-ab04-00c04fc2dcd2). This is typically assigned port 1025 or 1026 during startup. This value is not set in the DSProxy or System Attendant (MAD) source code. Therefore, you must map the port in the registry on any domain controllers that the Exchange server must contact through the firewall to process logons. Then, open the port on the firewall.
     To map the port in the registry, follow these steps:
     - Start Registry Editor.
     - Locate and then click to select the following key:
       HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
     - Add the following registry value:
       Value name: TCP/IP Port
       Value type: REG_DWORD
       Base: Decimal
       Value: A value that is more than 1024
     - Exit Registry Editor.
     Make sure that the slash in "TCP/IP" is a forward slash. Additionally, make sure that you assign a value that is more than 1024 (decimal). This number is the additional port that you must open (TCP, UDP) on the firewall. Setting this registry value on every domain controller inside the firewall does not affect performance. Additionally, setting this registry value covers any logon request redirects that occur because of servers that are down, roles that change, or bandwidth requirements.
   Notes
   - For the server inside the firewall to communicate through the firewall to the external server, you must also have ports 1024 through 65535 configured for outgoing communications. Computers that initiate the communication through the firewall use a client-side port that is dynamically assigned and cannot be configured.
   - When Windows 2000 Server-based computers log on to the domain through the firewall, Windows 2000 sends a sequence of TCP/IP ping requests to the destination server. Windows 2000 does this to determine whether a client computer is gaining access to a domain controller over a slow link when it applies Group Policy or downloads a roaming user profile.
2. Install Exchange Server 2003 or Exchange 2000 Server on the external computer. You do not need any more ports open to install Exchange Server 2003 or Exchange 2000 Server on the external computer.
3. Configure Exchange Server 2003 or Exchange 2000 Server front-end and back-end connectivity. Front-end and back-end connectivity only requires that other ports be open as required for whatever communication is appropriate. For example, Web client front-end and back-end connectivity requires port 80 [TCP] open, IMAP requires 143 [TCP], and so on. Additionally, any connectivity by secure protocols, such as IPsec or Secure Sockets Layer (SSL)-secured HTTP, Internet Message Access Protocol (IMAP), or Post Office Protocol version 3 (POP3), that you need requires additional configuration that is not specified in this article. If the front-end server in the perimeter network has a different subnet, make sure that you add that subnet in the Active Directory Sites and Services snap-in.
   Note You do not have to add the subnet if you have not created a separate subnet object in Active Directory Sites and Services.
In a perimeter network Ethernet environment, you must also define TCP/IP routes from the computer in the perimeter network Ethernet environment to every computer in the internal network that you must communicate with.
Note In a perimeter network firewall scenario, there is no Internet Control Message Protocol (ICMP) connectivity between the Exchange server and the domain controllers. By default, Directory Access (DSAccess) uses ICMP to ping each server to which it connects to determine whether the server is available. When there is no ICMP connectivity, Directory Access responds as if every domain controller were unavailable.
For more information about how to turn off the Directory Access ping by creating a registry key, click the following article numbers to view the articles in the Microsoft Knowledge Base:
320529 Using DSAccess in a perimeter network firewall scenario requires a registry key setting
320228 The "DisableNetLogonCheck" registry value and how to use it
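As an added check that is not part of the original article, the following PowerShell script, run on the perimeter-network server, confirms that the firewall passes the TCP ports listed in step 1 toward a domain controller, including the static NTDS port set above. The domain controller name and port 5020 are placeholders; port 80 is left out because it applies to the back-end Exchange server rather than the domain controller.

```powershell
# Placeholders for this example: the domain controller to test and the static port you
# configured under NTDS\Parameters, value "TCP/IP Port", on that domain controller.
$DomainController = 'dc01.corp.example'
$NtdsStaticPort   = 5020   # must be above 1024, as the article requires
# TCP ports from the list above. 123 (UDP only) and the UDP sides of 53, 88 and 389 cannot be
# confirmed with a TCP connect and have to be checked on the firewall itself.
$RequiredTcp = @(
    @{ Port = 53;              Use = 'DNS' }
    @{ Port = 88;              Use = 'Kerberos authentication' }
    @{ Port = 135;             Use = 'RPC endpoint mapper' }
    @{ Port = 389;             Use = 'LDAP' }
    @{ Port = 445;             Use = 'SMB: Netlogon, DFS discovery' }
    @{ Port = 3268;            Use = 'LDAP to global catalog' }
    @{ Port = $NtdsStaticPort; Use = 'AD logon/replication interface (static mapping)' }
)
# TCP connect with a timeout, so a firewall that silently drops packets does not stall the check.
function Test-TcpPort([string]$Target, [int]$Port, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # dropped
        $client.EndConnect($handle)   # throws if the connection was refused
        return $true
    } catch { return $false } finally { $client.Close() }
}
# Returns the ports that could not be reached; an empty result means the firewall passes them all.
function Test-DomainControllerPorts([string]$Target, $ports) {
    $blocked = @()
    foreach ($p in $ports) {
        $ok = Test-TcpPort -Target $Target -Port $p.Port
        Write-Host ('{0,6}  {1,-8} {2}' -f $p.Port, $(if ($ok) { 'open' } else { 'BLOCKED' }), $p.Use)
        if (-not $ok) { $blocked += $p.Port }
    }
    return $blocked
}
$missing = @(Test-DomainControllerPorts $DomainController $RequiredTcp)
if ($missing.Count -gt 0) { Write-Warning "Open TCP $($missing -join ', ') on the firewall toward $DomainController" }
```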
How to configure Microsoft Exchange Server 5.5 Outlook Web Access to connect to Exchange Server 5.5 through a firewall
To install Exchange Server 5.5 Outlook Web Access on the external computer that is directed at a Microsoft Exchange Server 5.5 server that is running inside the perimeter network and a firewall, you must open the Windows 2000 or Windows Server 2003 ports that are listed at the start of the "Statically map the ports for a front-end server in a perimeter network Ethernet environment so that the computer can log on to the network and communicate with the back-end servers" section. Additionally, you need static mappings for the Exchange Server 5.5 directory service (UUID f5cc5a18-4264-101a-8c59-08002b2f8426), the Microsoft Exchange Information Store service (UUID a4f1db00-ca47-1067-b31f-00dd010662da), and the System Attendant (UUID 469d6ec0-0d87-11ce-b13f-00aa003bac6c).
To configure the RPC port for the Microsoft Exchange Directory Service, follow these steps:
1. Start Registry Editor.
2. Locate and then click to select the following registry subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeDS\Parameters
3. Add the following registry value:
   Value name: TCP/IP Port
   Value type: REG_DWORD
   Base: Decimal
   Value data: The port number to be assigned, in decimal format
4. Exit Registry Editor.
To configure the RPC port for the Microsoft Exchange Information Store service, follow these steps:
1. Start Registry Editor.
2. Locate and then click to select the following subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
3. Add the following registry value:
   Value name: TCP/IP Port
   Value type: REG_DWORD
   Base: Decimal
   Value data: The port number to be assigned, in decimal format
4. Exit Registry Editor.
To configure the RPC port for the Microsoft Exchange System Attendant service, follow these steps:
1. Start Registry Editor.
2. Locate and then click to select the following subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters
3. Add the following registry value:
   Value name: TCP/IP Port
   Value type: REG_DWORD
   Base: Decimal
   Value data: The port number to be assigned, in decimal format
4. Exit Registry Editor.
5. Restart the computer.
Limitations of Exchange Server static port mappings
The following list describes some limitations of Exchange Server static port mappings:
- Outlook client access issues
  If a process is already using the statically assigned port when the Exchange service starts, the Exchange service cannot use that port. However, the Microsoft Exchange Information Store service or the Microsoft Exchange Directory service, or both services, will still register all their other endpoints and start successfully.
  However, when users try to open Outlook and then connect to Exchange Server, they may receive the following error message:
  Unable to open your default e-mail folders. You do not have permission to log on.
  To resolve this issue, make sure that Exchange Server has initialized a port for the Microsoft Exchange Information Store service, the System Attendant service, and the NSPI service. You can verify this by running RPCDump on the server for the TCP/IP protocol.
  You can statically map the Exchange Server services that are listed in this article to any free TCP/IP port number in the full range (1 - 65535). If you run a netstat -an command at a command prompt, you receive a listing of all the ports that are currently registered on the server. You can use this list to help determine a new, valid (unused) port that you can use to statically map the Exchange services.
- Message tracking issues
  To enable the message tracking function on a server that is running Exchange 2000 Server Service Pack 2 (SP2) or a later version and that is located in the perimeter network, Windows Management Instrumentation (WMI) must be allowed to connect to the target server.
  The WMI service starts to create connections at the lowest numbered port, starting at port 1024. Over time, the port number that is used by WMI increases sequentially.
  For more information about how to statically map ports for the WMI service, click the following article number to view the article in the Microsoft Knowledge Base:
  154596 How to configure RPC dynamic port allocation to work with firewalls
Microsoft Exchange Server 2007
The static port mapping process for Exchange Server 2003 and Exchange 2000 Server that is described in this article still works in Exchange 2007. However, installing a Client Access server in a perimeter network (also known as a DMZ, demilitarized zone, or screened subnet), or in any configuration with a firewall between that server and the mailbox servers or domain controllers, is not supported.
Firewall ports that must be open for Exchange 2007
The following TechNet webpage provides information about ports, authentication, and encryption for all data paths that are used by Exchange 2007. The "Notes" sections that follow each table clarify or define nonstandard authentication or encryption methods.
For more information about how to fix the UDP port for Outlook 2003 and for Outlook 2007, click the following article number to view the article in the Microsoft Knowledge Base:
839226 The Outlook Find feature and the new mail notifications do not work after you apply Windows XP Service Pack 2
All servers except Edge servers should be deployed on the corporate network. Unlike earlier versions of Exchange, Microsoft does not support installing and deploying Exchange 2007 in a perimeter network. For more information, see the following TechNet article:
Note Installation of a Client Access server in a perimeter network is not supported. When no firewalls are between the Exchange 2007 servers, the Exchange 2007 servers should communicate freely with one another. The firewall should be between the production environment and the clients.
Exchange Server 2010
The following TechNet topic provides information about ports, authentication, and encryption for all data paths that are used by Exchange 2010. The tables clearly define Default and Supported authentication methods. The "Notes" section that follows each table provides additional information.