
Exchange & Outbound Firewall rules


mlc9

Running Exchange 2010 on a Windows 2008 R2 server. Our current Windows Firewall rules, specifically outbound rules, are pretty much out of the box. Overall, outbound is set to allow anything that doesn't match the rules.

A recent IT audit is leading us to only allow outbound traffic on the Exchange server that is necessary. My thought is to turn off the larger rule allowing everything that does not match the out-of-the-box outbound policies, while making sure that email can still function and get out as needed (i.e., outbound to the domain controller).

I can see the Microsoft documentation outlining every port/service that Exchange 2010 needs (transport needs, hub needs, etc), but am a bit intimidated by that. Can anybody recommend something that I can refer to that will give me the bare minimum of what I need outbound for Exchange 2010?
 
Is it a single Exchange server (not front end/backend)?
 
Yes, we are a small organization with only about 80-100 mailboxes on one Exchange 2010 server. Said Exchange is sitting on a virtual MS Server 2K8 box.
 
You should just need SMTP for sending/receiving email. If you are doing more (web access, Outlook Anywhere), then you will need additional.

If you have a firewall (not on Exchange, but at your Internet connection), then Exchange should only have a local/internal IP address which is not accessible from the outside and the rules for access controlled there, not on Exchange.
 
Well, the same Exchange server does serve up OWA as well. Also concerned with ports that need opened to talk to domain controller, etc. Thanks
 
You can configure the firewall on Exchange to only block/control connections outside. So the firewall state for "Public Networks" would be on, but the one for Internal networks is off.

You can also just create a rule which allows all to your domain controller (by IP address).
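
The approach suggested in the replies above (SMTP out, plus an allow-all rule to the domain controller by IP address), written out as an added example that is not part of the thread. It uses `netsh advfirewall`, which is available on Windows Server 2008 R2; the rule names and the address `192.0.2.10` are placeholders, and it assumes the domain controller is also the server's DNS resolver and that inbound stays at its default of block.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt
# on the Exchange server.
# Assumption: 192.0.2.10 is a placeholder for the domain controller's IP address.
$DcIp = '192.0.2.10'

# 1. Log dropped connections first, so anything the new rules miss shows up in
#    %systemroot%\system32\LogFiles\Firewall\pfirewall.log.
netsh advfirewall set allprofiles logging droppedconnections enable

# 2. Allow all outbound traffic to the domain controller, by IP address.
#    Assumption: the DC also answers DNS, so name resolution is covered here.
netsh advfirewall firewall add rule name="Exchange-Out-DC" dir=out action=allow remoteip=$DcIp

# 3. Allow outbound SMTP so mail can be delivered.
netsh advfirewall firewall add rule name="Exchange-Out-SMTP" dir=out action=allow protocol=TCP remoteport=25

# 4. Only after the allow rules exist, switch the default outbound action to block.
#    The value is quoted so PowerShell does not split it at the comma.
#    OWA is served on inbound connections; replies on a connection that an
#    inbound rule already allowed do not need an outbound rule.
netsh advfirewall set allprofiles firewallpolicy "blockinbound,blockoutbound"

# 5. Review the result.
netsh advfirewall firewall show rule name="Exchange-Out-DC"
netsh advfirewall firewall show rule name="Exchange-Out-SMTP"
netsh advfirewall show allprofiles
```

After the change, check the dropped-connection log during normal mail flow and add a narrowly scoped allow rule for each legitimate destination that appears there.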
 