Visio of Exchange 2010 SP1 Network Ports Diagram v0.31

By popular demand and since many of you requested this: I’ve put the Visio file of the Exchange 2010 SP1 Network Ports Diagram online. The original post in PDF format is of April 5th.

If you got any comments or additions worth sharing, do not hesitate to write ‘em down in the comments or send me an e-mail. When used, crediting or a reference is appreciated.

The Visio document can be downloaded from here.

44 thoughts on “Visio of Exchange 2010 SP1 Network Ports Diagram v0.31

  1. Pingback: Exchange 2010 SP1 Network Ports Diagram v0.31 « EighTwOne (821)

  2. Very nice work, great !
    I have a question regarding the design: would it be possible to have a “Client Access Server” inside the DMZ in order not have raw TCP connections forwarded from “public” to “internal” network segements?

    And a small optical thing: the “DMZ | Internal” String in the visio schould be allinged to the boder line seperating DMZ and internal network.

    Thanks for all your time and effords!
    BR Onno

  3. Great diagram, thanks. Saved me a bunch of time :-) small addition needed of 445 (SMB) between DAG members. SP1 Help port referece identifies this as “Admin remote access (SMB/File)” but it is actually content indexing related. I was seeing huge amount of this traffic accross the WAN in a 4 node DAG before any users were migrated.

  4. Great job. It seems missing TCP 808 from CAS to Mailbox server for mailbox replication services on Cas to talk to mailbox server. Right?

  5. Thanks for the nice Visio Diagram it explains a lot
    1 question I am missing DNS from the edgetransport server to DNS for MX is that right.

  6. I savour, result in I discovered just what I was taking a look for.
    You have ended my four day long hunt! God Bless you man.
    Have a nice day. Bye

  7. Wonderful diagram, thanks! Let’s say we have a 2 node DAG stretched across 2 sites with a physical firewall between the sites. The DAG members have 2 Networks, one for MAPI traffic and one for DAG replication. What ports will need to be opened for the MAPI network and what ports will be required for the Replication Network? Will the Replication network only require TCP_64327 & UDP_3343 or will all DAG traffic use the Replication Network?

    • MAPI: 6005-59530 (see note 4), 80, 443 and 135
      Replication: 64327 (see note 1), 3343
      Note that if Replication network fails, DAG will fall back to using MAPI network (so you may want to add those ports there as well)

  8. So for outside OWA access, it goes straight to the CAS server on the inside? There is no additional security needed by going through a FE or Transport device in the DMZ? Just a NAT and allowing 80/443 in?

  9. Hi i am working as an network admin. When i request my exchange administrator to provide the list of ports to do port based restriction between mails servers and also between client to mail servers in ASA-firewall, he replies that port based restrictions cannot be done between exchange servers communication and AD-Exchange communications. It always works with dynamic ports, static ports cannot be defined and even though we do it will not function properly.

    Please any of you suggest how it can be done without dynamic ports?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s