By popular demand, since many of you requested it: I have put the Visio file of the Exchange 2010 SP1 Network Ports Diagram online. The original post, with the PDF version, is from April 5th.
If you have any comments or additions worth sharing, do not hesitate to write them down in the comments or send me an e-mail. When you use the diagram, crediting or a reference is appreciated.
The Visio document can be downloaded from here.
I’d like to say thanks for sharing the knowledge! Much appreciated. Nice Visio skillz too!! 😉
EDGE to HUB is missing 50389.
Port 50389 (non-SSL LDAP) is used by the Edge server to access its local ADAM instance, so it doesn’t need to be opened on the firewall.
Regarding the EMC, I think we also require the dynamic RPC 1024-65535 range to access various roles.
EMC utilizes a remote PowerShell session to the nearest Exchange box, so there is no need to open up those ports besides the ones mentioned and 80/443 for a remote PowerShell session.
I am facing this issue recently: the EMC uses high ports. The last trace I took had something in the 9000 range; I assume it uses the RPC high ports plus the ones you mentioned.
What did you do? Because when I set up a trace I only see traffic going from EMC to one of the CAS servers on port 80.
Anyway port 80 is missing from Visio schema…
Also RPC is required to get information like list of installed certificates on servers…
Indeed, the WinRM ports are not graphed. Cert management (via EMS) uses WinRM.
Pingback: Exchange 2010 SP1 Network Ports Diagram v0.31 « EighTwOne (821)
Awesome diagram!!
The file link seems to have expired; I get a 404 when trying to download it.
Is there another link where it’s available?
Great Work!
Excellent work. Thank you for these outstanding and *CLEAR* contributions!
A real help in understanding who talks to what and how. Thanks.
Excellent work, but who connects to the KC (DC)?
Which one?
The visio document is not able to be downloaded from that link.
Hm, URL on “link” works, URL on pictogram didn’t. Fixed, thanks.
The link is now broken again due to SkyDrive changing name to OneDrive. I was able to get to it just by replacing “sky” with “one”, but you may want to update links since some folks may not realize that trick.
Very nice work, great !
I have a question regarding the design: would it be possible to have a “Client Access Server” inside the DMZ in order not to have raw TCP connections forwarded from “public” to “internal” network segments?
And a small optical thing: the “DMZ | Internal” string in the Visio should be aligned to the border line separating DMZ and internal network.
Thanks for all your time and efforts!
BR Onno
Thanks for your feedback. Installation of a Client Access server in a perimeter network is not supported; use a reverse proxy instead.
Thanks very much
Great diagram, thanks. Saved me a bunch of time 🙂 Small addition needed: 445 (SMB) between DAG members. The SP1 Help port reference identifies this as “Admin remote access (SMB/File)”, but it is actually content indexing related. I was seeing a huge amount of this traffic across the WAN in a 4-node DAG before any users were migrated.
Nice work. Would like to see Lync incorporated into this.
Great job. It seems to be missing TCP 808 from CAS to Mailbox server, for the Mailbox Replication Service on the CAS to talk to the Mailbox server. Right?
No
The SkyDrive link is not working, neither on the link nor on the Visio link? I cannot download the .vsd.
No problem here. Here’s a direct link:
https://skydrive.live.com/redir.aspx?cid=a1f8de1649b0bf13&resid=A1F8DE1649B0BF13!347&parid=A1F8DE1649B0BF13!215&authkey=!AJ0WN5J56bbpERE
You may want to update this link as well, with the new “onedrive.live.com” URL.
Great Diagram!! Has anything changed with SP2??
Thanks for the nice Visio Diagram it explains a lot
One question: I am missing DNS from the Edge Transport server to DNS for MX. Is that right?
When configured, yes (and DNSBL etc).
This diagram is missing CAS>MBX port 6001, 6002, and 6004 for RPC-over-HTTP proxy (Outlook Anywhere)
Wonderful diagram, thanks! Let’s say we have a 2 node DAG stretched across 2 sites with a physical firewall between the sites. The DAG members have 2 Networks, one for MAPI traffic and one for DAG replication. What ports will need to be opened for the MAPI network and what ports will be required for the Replication Network? Will the Replication network only require TCP_64327 & UDP_3343 or will all DAG traffic use the Replication Network?
MAPI: 6005-59530 (see note 4), 80, 443 and 135
Replication: 64327 (see note 1), 3343
Note that if Replication network fails, DAG will fall back to using MAPI network (so you may want to add those ports there as well)
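The answer above lists the expected ports per DAG network and notes the fallback to the MAPI network; the earlier question about dynamic RPC ranges makes the same point from the firewall side. The script below is an added example (not the author's code or Microsoft's) that encodes those port sets and classifies a constructed set of observed flows between DAG members, so a firewall or IDS log can be checked for replication traffic riding the MAPI network (the fallback case) or for ports outside either set that need a look. The subnet-to-network mapping and the sample flows are hypothetical.

```python
"""Classify DAG member flows against the per-network port sets from the answer above."""
import ipaddress

# Expected ports per DAG network, as listed in the answer:
# MAPI network: RPC endpoint mapper 135, HTTP 80, HTTPS 443 and the
# dynamic RPC range 6005-59530 (note 4). Replication network: log
# shipping 64327 (note 1) and cluster heartbeat 3343 (UDP).
MAPI_PORTS = {("tcp", 135), ("tcp", 80), ("tcp", 443)}
MAPI_DYNAMIC_RANGE = (6005, 59530)  # TCP only
REPLICATION_PORTS = {("tcp", 64327), ("udp", 3343)}

# Hypothetical addressing: which subnet carries which DAG network.
NETWORKS = {"10.1.0.0/24": "mapi", "10.2.0.0/24": "replication"}

# Constructed sample flows: "<proto> <src> <dst> <dport>" per line.
SAMPLE_FLOWS = """\
tcp 10.1.0.11 10.1.0.12 135
tcp 10.1.0.11 10.1.0.12 52000
udp 10.2.0.11 10.2.0.12 3343
tcp 10.2.0.11 10.2.0.12 64327
tcp 10.1.0.11 10.1.0.12 64327
tcp 10.2.0.11 10.2.0.12 445
"""


def network_of(addr):
    """Map an address to its DAG network name, or 'unknown'."""
    ip = ipaddress.ip_address(addr)
    for cidr, name in NETWORKS.items():
        if ip in ipaddress.ip_network(cidr):
            return name
    return "unknown"


def classify_flow(proto, src, dst, dport):
    """Return a verdict for one flow between two DAG members."""
    src_net, dst_net = network_of(src), network_of(dst)
    if src_net != dst_net:
        return "cross-network"
    key = (proto, dport)
    in_mapi = key in MAPI_PORTS or (
        proto == "tcp" and MAPI_DYNAMIC_RANGE[0] <= dport <= MAPI_DYNAMIC_RANGE[1]
    )
    in_repl = key in REPLICATION_PORTS
    if src_net == "mapi":
        if in_mapi:
            return "mapi-ok"
        if in_repl:
            # Replication ports on the MAPI network: the fallback the
            # answer describes, which the MAPI-side rules must allow.
            return "fallback"
        return "unexpected"
    if src_net == "replication":
        return "replication-ok" if in_repl else "unexpected"
    return "unknown-network"


def audit(text):
    """Classify every non-empty line of a flow log; returns (line, verdict) pairs."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, dst, dport = line.split()
        results.append((line, classify_flow(proto.lower(), src, dst, int(dport))))
    return results


def summarize(results):
    """Count verdicts so the unexpected and fallback flows stand out."""
    counts = {}
    for _, verdict in results:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    findings = audit(SAMPLE_FLOWS)
    for line, verdict in findings:
        print(f"{verdict:15} {line}")
    print(summarize(findings))
```

Of the six sample flows, the TCP 445 flow on the replication network is the one flagged as unexpected: it is not in the answer's list, which is exactly the SMB-between-DAG-members observation another commenter raised. The 64327 flow on the MAPI subnet is reported as fallback rather than as an error, since the answer says that path is legitimate when the replication network is down.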
A little confused regarding the ports opened between the EMC and Mailbox servers. Can you elaborate?
135 = RPC Endpoint Mapper, 445 = SMB
So for outside OWA access, it goes straight to the CAS server on the inside? There is no additional security needed by going through a FE or Transport device in the DMZ? Just a NAT and allowing 80/443 in?
I left options like reverse proxies, load balancers etc. out of the diagram.
Hi, I am working as a network admin. When I request my Exchange administrator to provide the list of ports to do port-based restriction between mail servers, and also between clients and mail servers, in the ASA firewall, he replies that port-based restrictions cannot be done for Exchange server-to-server communication and AD-Exchange communication. It always works with dynamic ports; static ports cannot be defined, and even if we do it, it will not function properly.
Please any of you suggest how it can be done without dynamic ports?
Filtering between clients and Exchange servers is ok, but between Exchange servers, and due to the dynamic nature of the communication also between Exchange and DC/GCs, an ANY/ANY rule is considered best practice. Reading material: http://blogs.technet.com/b/exchange/archive/2013/02/18/exchange-firewalls-and-support-oh-my.aspx
Please let us know if there is new updated Visio diagram for Exchange Server 2013 Michael.
Many thanks for the sharing here, Michael!
Pingback: Common tools for building an Exchange System | Study Hard
Extremely useful and handy Doc.
Thanks for taking the time to upload & share.