I have been tasked with deploying Windows Firewall on our servers as an added measure of security. The more I investigate the ports in use on an Exchange server, the more I realize that this is a very diligent task. Has anyone ever done anything like this, or is it the general consensus that this is ridiculous and it would be impossible to identify all of the ports in use?

Based on Microsoft's documentation, they claim to use this port, that port, this port, "AND MANY DYNAMIC PORTS." Well, how is one going to drill down on the "many dynamic ports" to permit them through the firewall?

Any help, comments, or suggestions are welcome and thank you in advance!

chris
    What OS? The firewall that ships with 2003 is much different than the one that ships with 2008/2008r2. – MDMarra Jun 09 '11 at 17:13
  • I'm not really willing to poke my production Exchange server (I might poke a VM when I have chance though), but in 2008 R2 you can allow a specific process or service through the firewall on all ports. – Ben Pilbrow Jun 09 '11 at 17:21
  • Currently it is 2003 with full intent on upgrading to 2008 R2 in the very near future. I agree that it is best to test on a VM. Do you guys think we should hold off until we do the upgrade? – chris Jun 10 '11 at 12:12

1 Answer

There really are only a few ports that you need to open: 443, 80, 25, and 135, etc. You'll absolutely need to restrict the RPC ports to something specific. This includes the OAB. A quick Google search will turn up how to do this. We have all of our Exchange 2010 servers using the built-in Windows Firewall.

Restricting Exchange 2010 RPC ports

Tatas
  • Restricting the RPC ports is a GREAT idea! Have you done this, and did you (your company) do it to all of your Exchange servers? We are very small and use only one Exchange server, but now you have me thinking "why not do that to all of my servers?" It would be very easy to monitor traffic that way. What say you? – chris Jun 10 '11 at 12:45
  • We've only done it on our Exchange 2010 system, which has 3 CAS/Hub servers. I know that other institutions have done this for their Active Directory systems as well, but we have not. Updated my original post with a link describing something similar to what we did. There are many others out there detailing this as well. – Tatas Jun 13 '11 at 19:31
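The approach in the answer (a default-deny inbound policy, the handful of well-known Exchange listeners, and a pinned RPC range instead of the whole dynamic range) plus the per-service alternative from the comments, written out as an added example for Windows Server 2008 R2 using `netsh advfirewall`. This is not code from the original post or from Microsoft; the static RPC port range, the management subnet and the service name are constructed placeholders that you must replace with the values you actually configured when you followed the linked guidance.

```powershell
# Added example (not from the original post): a Windows Firewall baseline for an
# Exchange 2010 server on Windows Server 2008 R2, built with netsh advfirewall.
# ASSUMPTIONS not stated on the page: the RPC ports have already been pinned per
# the linked guidance, and the values below are constructed placeholders.
$StaticRpcPorts = "60000-60002"   # ASSUMED: the static RPC ports you pinned; replace with yours
$MgmtSubnet     = "10.0.0.0/24"   # ASSUMED: where admins and monitoring connect from

function Add-InboundTcpRule {
    param([string]$Name, [string]$Ports, [string]$Remote = "any")
    # Idempotent: remove any earlier copy of the rule before re-adding it
    netsh advfirewall firewall delete rule name="$Name" | Out-Null
    netsh advfirewall firewall add rule name="$Name" dir=in action=allow `
        protocol=TCP localport=$Ports remoteip=$Remote profile=any
}

# 1. Default posture: block inbound unless a rule allows it, allow outbound,
#    and log dropped connections so anything you missed shows up in the log.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"

# 2. The well-known Exchange listeners named in the answer.
Add-InboundTcpRule -Name "Exchange SMTP"                -Ports 25
Add-InboundTcpRule -Name "Exchange HTTP"                -Ports 80
Add-InboundTcpRule -Name "Exchange HTTPS"               -Ports 443
Add-InboundTcpRule -Name "Exchange RPC Endpoint Mapper" -Ports 135

# 3. The RPC traffic, now a small fixed range instead of the whole dynamic range.
Add-InboundTcpRule -Name "Exchange static RPC"          -Ports $StaticRpcPorts

# 4. Remote administration only from the management subnet.
Add-InboundTcpRule -Name "RDP from management"          -Ports 3389 -Remote $MgmtSubnet

# 5. Alternative from the comments: 2008 R2 can allow one service on any port.
#    Narrower than a blanket allow, but it still trusts every port that service
#    opens, so prefer the port rules above where the ports are known.
#    ASSUMED: <ServiceShortName> is a placeholder for the service's short name.
netsh advfirewall firewall add rule name="Exchange service (any port)" dir=in action=allow `
    protocol=TCP localport=any service="<ServiceShortName>" remoteip=any

# 6. Check: compare what is actually listening against the rules you wrote,
#    then watch pfirewall.log for drops after the change goes in.
netstat -ano -p tcp | Select-String "LISTENING"
netsh advfirewall firewall show rule name=all dir=in | Select-String "Rule Name|LocalPort"
```

Run it in an elevated PowerShell session on a test VM first, as the comments suggest. The `netstat` output in step 6 is the practical answer to the "many dynamic ports" worry: after the RPC ports are pinned, anything still listening outside the rule set is either a service you forgot or one that does not need to be reachable, and the dropped-connection log tells you which clients notice.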