By popular demand and since many of you requested this: I’ve put the Visio file of the Exchange 2010 SP1 Network Ports Diagram online. The original post in PDF format is of April 5th.
If you got any comments or additions worth sharing, do not hesitate to write ‘em down in the comments or send me an e-mail. When used, crediting or a reference is appreciated.
The Visio document can be downloaded from here.
I’d like to say thanks for sharing the knowledge! Much appreciated. Nice Visio skillz too!!
EDGE to HUB is missing 50389.
Port 50389 (non-SSL LDAP) is used by the Edge server to access its local ADAM instance so it doesn’t need to be opened on the firewall
Regarding the EMC i think we also require the Dynamic RPC 1024-65535 range to access various roles..
EMC utilizes remote PowerShell session to the nearest Exchange box so no need to open up that ones besides those mentioned and 80/443 for a remote PowerShell session.
I am facing this issue recently the EMC uses high ports last trace i took had something on the 9000 range i assume it uses the rpc high ports + the ones you mentioned.
What did you do, because when I set up a trace I only see traffic going from EMC to one of the CAS servers on port 80
Pingback: Exchange 2010 SP1 Network Ports Diagram v0.31 « EighTwOne (821)
Awesome diagram!!
The file link seems to have expired I get a 404 when trying to download it??
Is there another link where it’s available.
Great Work!
Excellent work. Thank you for these outstanding and *CLEAR* contributions!
I real help in understand who talks to what and how. Thanks.
Excellent work, but who ist the connect to the KC(DC) ?
Which one?
The visio document is not able to be downloaded from that link.
Hm, URL on “link” works, URL on pictogram didn’t. Fixed, thanks.
Very nice work, great !
I have a question regarding the design: would it be possible to have a “Client Access Server” inside the DMZ in order not have raw TCP connections forwarded from “public” to “internal” network segements?
And a small optical thing: the “DMZ | Internal” String in the visio schould be allinged to the boder line seperating DMZ and internal network.
Thanks for all your time and effords!
BR Onno
Thanks for your feedback. installation of a Client Access server in a perimeter network is not supported; use a reverse proxy instead.
Thanks very much
Great diagram, thanks. Saved me a bunch of time
small addition needed of 445 (SMB) between DAG members. SP1 Help port referece identifies this as “Admin remote access (SMB/File)” but it is actually content indexing related. I was seeing huge amount of this traffic accross the WAN in a 4 node DAG before any users were migrated.
Nice work. Would like to see Lync incorporated into this.
Great job. It seems missing TCP 808 from CAS to Mailbox server for mailbox replication services on Cas to talk to mailbox server. Right?
No
the skydrive link is not working on the link or the visio link? cannot download the vsd
No problem here. Here’s a direct link:
https://skydrive.live.com/redir.aspx?cid=a1f8de1649b0bf13&resid=A1F8DE1649B0BF13!347&parid=A1F8DE1649B0BF13!215&authkey=!AJ0WN5J56bbpERE
Great Diagram!! Has anything changed with SP2??
Thanks for the nice Visio Diagram it explains a lot
1 question I am missing DNS from the edgetransport server to DNS for MX is that right.
When configured, yes (and DNSBL etc).
I savour, result in I discovered just what I was taking a look for.
You have ended my four day long hunt! God Bless you man.
Have a nice day. Bye
This diagram is missing CAS>MBX port 6001, 6002, and 6004 for RPC-over-HTTP proxy (Outlook Anywhere)
Wonderful diagram, thanks! Let’s say we have a 2 node DAG stretched across 2 sites with a physical firewall between the sites. The DAG members have 2 Networks, one for MAPI traffic and one for DAG replication. What ports will need to be opened for the MAPI network and what ports will be required for the Replication Network? Will the Replication network only require TCP_64327 & UDP_3343 or will all DAG traffic use the Replication Network?
A little confused regarding the ports opened between the EMC and Mailbox servers. Can you elaborate
135 = RPC Endpoint Mapper, 445 = SMB