Exchange 2000 Windows 2000 connectivity through firewalls

This article describes how to install Exchange 2000 Server and Outlook Web Access 5.5 on computers that are isolated from their Microsoft Windows 2000 networks by a firewall and are in a perimeter network (also known as DMZ, demilitarized zone, and screened subnet) Ethernet environment. Before any Exchange 2000 connectivity can be attempted, the firewall must be configured to permit Windows 2000 logon and networking traffic.

NOTE: This article discusses Windows 2000 traffic and connectivity only.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
To install Exchange 2000 and Outlook Web Access 5.5 on computers that are isolated from their Microsoft Windows 2000 networks by a firewall and are in a perimeter network Ethernet environment:

1. Enable Windows 2000 Server-based computers to log on to the domain through the firewall by opening the following ports for incoming traffic:
   • 53 (Transmission Control Protocol [TCP], User Datagram Protocol [UDP]) - Domain Name System (DNS) to all DNS Servers listed in the front-end server's IP configuration.
   • 80 (TCP) - Required for Exchange 2000 Outlook Web Access for communication between Exchange front-end and back-end servers.
   • 88 (Transmission Control Protocol [TCP], UDP) - Kerberos authentication to all domain controllers that are in the same Active Directory site as the Exchange front-end server.
   • 123 (UDP) - Windows Time Synchronization Protocol (NTP) to all domain controllers that are in the same Active Directory site as the Exchange front-end server. This is not required for Windows 2000 logon capability, but it may be configured or required by the network administrator.
   • 135 (TCP) - EndPointMapper to all domain controllers that are in the same Active Directory site as the Exchange front-end server.
   • 389 (TCP, UDP) - Lightweight Directory Access Protocol (LDAP) to all domain controllers that are in the same Active Directory site as the Exchange front-end server.
   • 445 (TCP) - Server message block (SMB) for Netlogon, LDAP conversion and Microsoft Distributed File System (DFS) discovery to all domain controllers that are in the same Active Directory site as the Exchange front-end server.
   • 3268 (TCP) - LDAP to global catalog servers.
     
     One port for the Active Directory logon and directory replication interface (universally unique identifiers [UUIDs] 12345678-1234-abcd-ef00-01234567cffb and e3514235-4b06-11d1-ab04-00c04fc2dcd2).
     
     This is typically assigned port 1025 or 1026 during startup. This value is not set in the DSProxy or System attendant (MAD) source code. Therefore, you must map the port in the registry on any domain controllers that the Exchange 2000 computer must contact through the firewall to process logons, and then open the port on the firewall.
     
     To map the port in the registry:
     1. Start Registry Editor (Regedt32.exe).
     2. Locate the following key in the registry:
        HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
     3. On the Edit menu, click Add Value, and then add the following registry value:
        Value Name: TCP/IP Port
        Data Type: REG_DWORD
        Radix: Decimal
        Value: greater than 1024
     4. Quit Registry Editor.
     Make sure that the slash in "TCP/IP" is a forward slash, and that the value that you assign is greater than 1024, in decimal format. That number is the extra port that you have to open (TCP, UDP) on the firewall. Setting this registry value on every domain controller inside the firewall does not affect performance, and covers any logon request redirects that occur because of servers that are down, roles that change, or bandwidth requirements.
   NOTES:
   • For the server inside the firewall to communicate back through the firewall to the external server, you also must have ports 1024 through 65535 configured for outgoing communications. Computers that initiate the communication through the firewall use a client-side port that is dynamically assigned and cannot be configured.
   • Windows 2000 takes the form of a sequence of TCP/IP ping requests to the destination server when Windows 2000 Server-based computers log on to the domain through the firewall. Windows 2000 does this to determine whether a client computer is gaining access to a domain controller over a slow link to apply Group Policy or to download a roaming user profile.
2. Install Exchange 2000 on the external computer. You do not need any additional ports open to install Exchange 2000 on the external computer.
3. Install Outlook Web Access 5.5 on the external computer. To install Outlook Web Access 5.5 on the external computer, directed at a Microsoft Exchange Server 5.5 computer that is running inside the perimeter network and firewall, you need the Windows 2000 ports discussed previously, plus static mappings for the Exchange Server 5.5 directory service (UUID f5cc5a18-4264-101a-8c59-08002b2f8426), information store (UUID a4f1db00-ca47-1067-b31f-00dd010662da), and system attendant (UUID 469d6ec0-0d87-11ce-b13f-00aa003bac6c). For more information about how to set up these static mappings, click the following article number to view the article in the Microsoft Knowledge Base:
   245273� OWA Setup error message: "There are no more endpoints available from the Endpoint Mapper"
4. Configure Exchange 2000 front-end and back-end connectivity. Exchange 2000 front-end and back-end connectivity only requires that additional ports be open as required for whatever communication is appropriate (for example, Web client front-end and back-end connectivity requires port 80 [TCP] open, IMAP 143 [TCP], and so on). Additionally, any connectivity by secure protocols such as Ipsec or Secure Sockets Layer (SSL)-secured HTTP, Internet Message Access Protocol (IMAP), or Post Office Protocol version 3 (POP3) that you need requires additional configuration that is not specified in this article. If the front-end server in the perimeter network has a different subnet, make sure that you add that subnet in the Active Directory Sites and Services snap-in.
   
   In a perimeter network Ethernet environment, you also have to define TCP\IP routes from the computer in the perimeter network Ethernet to every computer in the internal network that you have to communicate with.
   
   NOTE: In a perimeter network firewall scenario, there is no Internet Control Message Protocol (ICMP) connectivity between the Exchange 2000 server and the domain controllers. By default, Directory Access (DSAccess) uses ICMP to ping each server that it connects to determine whether the server is available. When there is no ICMP connectivity, Directory Access responds as if every domain controller is unavailable.
   
   For more information about how to turn off the Directory Access ping by creating a registry key, click the following article number to view the article in the Microsoft Knowledge Base:
   320529� Using DSAccess in a perimeter network firewall scenario requires a registry key setting