
PIX, OWA, Active Directory, CA Ports

Status
Not open for further replies.

loyalist (MIS, CA), Jun 25, 2003
Hi there,

Currently configuring Exchange 2003 and need to have OWA access through a PIX firewall to an Exchange server sitting on the DMZ. Users will also have to authenticate to a domain controller on the inside network. What ports do I need to open on the outside interface other than DNS, SMTP and 443? Don't I need to open ports for authentication as well? Also, what ports need to be opened between the Exchange server and the domain controller? I'm installing a CA on the domain controller for secure HTTP on the Exchange server; what ports need to be opened for the CA?

I'm finding a lot of conflicting information and just wondering if anybody knows the correct combination of allowed ports.

Here is an example of my access lists so far for these services:

access-list acl_outside permit tcp any host x.x.x.x eq 443
access-list acl_outside permit tcp any host x.x.x.x eq domain
access-list acl_outside permit udp any host x.x.x.x eq domain
access-list acl_outside permit tcp any host x.x.x.x eq smtp


access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 135
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 139
access-list dmz permit udp host 10.100.75.5 host 10.100.50.5 eq 137
access-list dmz permit udp host 10.100.75.5 host 10.100.50.5 eq 138
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 445
access-list dmz permit udp host 10.100.75.5 host 10.100.50.5 eq 389
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 636
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq domain
access-list dmz permit udp host 10.100.75.5 host 10.100.50.5 eq domain
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq smtp
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 119
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 110
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 995
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 143
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 993
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq www
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 443
access-list dmz permit udp host 10.100.75.5 host 10.100.50.5 eq 88
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 464
access-list dmz permit udp host 10.100.75.5 host 10.100.50.5 eq 500
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 593
access-list dmz permit udp host 10.100.75.5 host 10.100.50.5 eq 1645
access-list dmz permit udp host 10.100.75.5 host 10.100.50.5 eq 1646
access-list dmz permit udp host 10.100.75.5 host 10.100.50.5 eq 1701
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 1723
access-list dmz permit udp host 10.100.75.5 host 10.100.50.5 eq 1812
access-list dmz permit udp host 10.100.75.5 host 10.100.50.5 eq 1813
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 3268
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 3269
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 3389
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 gt 1023
access-list dmz permit tcp host 10.100.75.5 any eq smtp
access-list dmz permit tcp host 10.100.75.5 any eq 443
access-list dmz permit udp host 10.100.75.5 any eq domain
access-list dmz permit tcp host 10.100.75.5 any eq domain

I'm pretty sure I don't need to allow all the ports I have specified so far; however, I'm wondering which ones I really need and whether I have missed any. Can someone please help me straighten this mess out?

Thanks,

Loyalist
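To make a list like the one above easier to review, here is an added example (not part of the thread, and not a Cisco tool) that parses the subset of PIX access-list syntax used in the post and flags the rules a reviewer would look at first: open port ranges such as `gt 1023`, DMZ-to-`any` outbound rules, cleartext mail/web services, and the remote desktop port. The sample ACL embedded in the script is constructed from a handful of the post's own lines; the service-name table covers only the names the post uses (`domain`, `smtp`, `www`), and the finding categories are this example's own, not PIX output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of the access-list lines from the post above,
# including the outbound "any" rules so the audit sees both kinds of rule.
SAMPLE_ACL = """
access-list acl_outside permit tcp any host x.x.x.x eq 443
access-list acl_outside permit tcp any host x.x.x.x eq smtp
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 135
access-list dmz permit udp host 10.100.75.5 host 10.100.50.5 eq 389
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 110
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq www
access-list dmz permit udp host 10.100.75.5 host 10.100.50.5 eq 88
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 eq 3389
access-list dmz permit tcp host 10.100.75.5 host 10.100.50.5 gt 1023
access-list dmz permit tcp host 10.100.75.5 any eq smtp
access-list dmz permit tcp host 10.100.75.5 any eq 443
"""

# PIX accepts service names in place of numbers; only the names used in the post.
PORT_NAMES = {"domain": 53, "smtp": 25, "www": 80}

# Services that carry credentials or mail in the clear. The reply in this thread
# keeps 80 and 110 open; these are the candidates to revisit if authentication is
# meant to happen only over 443.
CLEARTEXT_PORTS = {80: "http", 110: "pop3", 143: "imap", 119: "nntp"}

# Remote administration port; rarely needed from a DMZ host towards a DC.
MANAGEMENT_PORTS = {3389: "rdp"}

RULE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)"
    r"(?:\s+(?P<op>eq|gt|lt)\s+(?P<port>\S+))?\s*$"
)


@dataclass
class Rule:
    name: str
    action: str
    proto: str
    src: str            # "any" or a host address
    dst: str            # "any" or a host address
    op: Optional[str]   # eq / gt / lt, or None for protocols without ports
    port: Optional[int]
    text: str           # the original line, kept for reporting


def parse_port(token: str) -> int:
    """Resolve a numeric port or one of the PIX service names in PORT_NAMES."""
    if token.isdigit():
        return int(token)
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    raise ValueError(f"unknown port or service name: {token}")


def parse_acl(text: str) -> List[Rule]:
    """Parse access-list lines into Rule objects; unknown syntax is an error."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised access-list line: {line}")
        port = parse_port(m["port"]) if m["port"] else None
        rules.append(Rule(m["name"], m["action"], m["proto"],
                          m["src"].replace("host ", ""), m["dst"].replace("host ", ""),
                          m["op"], port, line))
    return rules


def audit(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (category, rule text) findings for permit rules worth a second look."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        if r.op in ("gt", "lt"):
            # A whole port range stays open until RPC ports are pinned statically.
            findings.append(("port-range", r.text))
        if r.dst == "any":
            # A DMZ host allowed to reach any address on this port.
            findings.append(("any-destination", r.text))
        if r.port in CLEARTEXT_PORTS:
            findings.append(("cleartext", r.text))
        if r.port in MANAGEMENT_PORTS:
            findings.append(("management", r.text))
    return findings


def ports_by_destination(rules: List[Rule]) -> Dict[str, List[str]]:
    """Summarise what each destination is reachable on, as sorted 'proto/port' strings."""
    summary: Dict[str, set] = {}
    for r in rules:
        if r.action != "permit":
            continue
        if r.op == "eq":
            svc = f"{r.proto}/{r.port}"
        elif r.op:
            svc = f"{r.proto}/{r.op}{r.port}"   # e.g. tcp/gt1023
        else:
            svc = f"{r.proto}/*"
        summary.setdefault(r.dst, set()).add(svc)
    return {dst: sorted(svcs) for dst, svcs in summary.items()}


if __name__ == "__main__":
    parsed = parse_acl(SAMPLE_ACL)
    for dst, svcs in ports_by_destination(parsed).items():
        print(f"{dst}: {', '.join(svcs)}")
    for category, text in audit(parsed):
        print(f"[{category}] {text}")
```

Running it against the full list in the post (paste it into `SAMPLE_ACL`) gives a per-host view of what the DMZ server can reach, which is usually the quickest way to see which permits are leftovers from testing rather than requirements.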

 
Hi,

On my Exchange 2000 for OWA, I have ports 25, 80, 110 and 443 open. My Exchange server is not my primary DNS, so I don't need DNS open to the server. My authentication is done over a secure socket through port 443. I would recommend you test this out and close as many of those ports as possible.

jk
 
Thanks jkeduhsd, that works fine for just email; however, the main problem is the Active Directory ports and the client connection ports. I need to do static port mappings on the domain controller and the Exchange server. I found something strange yesterday: if I don't allow ICMP between the Exchange server and the domain controller, MSExchangeDSAccess fails, i.e. no directory services! I almost have the whole thing completed and I will post the final access-list for any future users.
 