By popular demand and since many of you requested this: I’ve put the Visio file of the Exchange 2010 SP1 Network Ports Diagram online. The original post in PDF format is of April 5th.
If you got any comments or additions worth sharing, do not hesitate to write ’em down in the comments or send me an e-mail. When used, crediting or a reference is appreciated.
The Visio document can be downloaded from here.
EighTwOne (821) 
I’d like to say thanks for sharing the knowledge! Much appreciated. Nice Visio skillz too!! 😉
LikeLike
EDGE to HUB is missing 50389.
LikeLike
Port 50389 (non-SSL LDAP) is used by the Edge server to access its local ADAM instance so it doesn’t need to be opened on the firewall
LikeLike
Regarding the EMC i think we also require the Dynamic RPC 1024-65535 range to access various roles..
LikeLike
EMC utilizes remote PowerShell session to the nearest Exchange box so no need to open up that ones besides those mentioned and 80/443 for a remote PowerShell session.
LikeLike
I am facing this issue recently the EMC uses high ports last trace i took had something on the 9000 range i assume it uses the rpc high ports + the ones you mentioned.
LikeLike
What did you do, because when I set up a trace I only see traffic going from EMC to one of the CAS servers on port 80
LikeLike
Anyway port 80 is missing from Visio schema…
Also RPC is required to get information like list of installed certificates on servers…
LikeLike
Indeed, the WinRM ports are not graphed. Cert management (via EMS) uses WinRM.
LikeLike
Pingback: Exchange 2010 SP1 Network Ports Diagram v0.31 « EighTwOne (821)
Awesome diagram!!
The file link seems to have expired I get a 404 when trying to download it??
Is there another link where it’s available.
LikeLike
Great Work!
LikeLike
Excellent work. Thank you for these outstanding and *CLEAR* contributions!
LikeLike
I real help in understand who talks to what and how. Thanks.
LikeLike
Excellent work, but who ist the connect to the KC(DC) ?
LikeLike
Which one?
LikeLike
The visio document is not able to be downloaded from that link.
LikeLike
Hm, URL on “link” works, URL on pictogram didn’t. Fixed, thanks.
LikeLike
The link is now broken again due to SkyDrive changing name to OneDrive. I was able to get to it just by replacing “sky” with “one”, but you may want to update links since some folks may not realize that trick.
LikeLike
Very nice work, great !
I have a question regarding the design: would it be possible to have a “Client Access Server” inside the DMZ in order not have raw TCP connections forwarded from “public” to “internal” network segements?
And a small optical thing: the “DMZ | Internal” String in the visio schould be allinged to the boder line seperating DMZ and internal network.
Thanks for all your time and effords!
BR Onno
LikeLike
Thanks for your feedback. installation of a Client Access server in a perimeter network is not supported; use a reverse proxy instead.
LikeLike
Thanks very much
LikeLike
Great diagram, thanks. Saved me a bunch of time 🙂 small addition needed of 445 (SMB) between DAG members. SP1 Help port referece identifies this as “Admin remote access (SMB/File)” but it is actually content indexing related. I was seeing huge amount of this traffic accross the WAN in a 4 node DAG before any users were migrated.
LikeLike
Nice work. Would like to see Lync incorporated into this.
LikeLike
Great job. It seems missing TCP 808 from CAS to Mailbox server for mailbox replication services on Cas to talk to mailbox server. Right?
LikeLike
No
LikeLike
the skydrive link is not working on the link or the visio link? cannot download the vsd
LikeLike
No problem here. Here’s a direct link:
https://skydrive.live.com/redir.aspx?cid=a1f8de1649b0bf13&resid=A1F8DE1649B0BF13!347&parid=A1F8DE1649B0BF13!215&authkey=!AJ0WN5J56bbpERE
LikeLike
You may want to update this link as well, with the new “onedrive.live.com” URL.
LikeLike
Great Diagram!! Has anything changed with SP2??
LikeLike
Thanks for the nice Visio Diagram it explains a lot
1 question I am missing DNS from the edgetransport server to DNS for MX is that right.
LikeLike
When configured, yes (and DNSBL etc).
LikeLike
I savour, result in I discovered just what I was taking a look for.
You have ended my four day long hunt! God Bless you man.
Have a nice day. Bye
LikeLike
This diagram is missing CAS>MBX port 6001, 6002, and 6004 for RPC-over-HTTP proxy (Outlook Anywhere)
LikeLike
Wonderful diagram, thanks! Let’s say we have a 2 node DAG stretched across 2 sites with a physical firewall between the sites. The DAG members have 2 Networks, one for MAPI traffic and one for DAG replication. What ports will need to be opened for the MAPI network and what ports will be required for the Replication Network? Will the Replication network only require TCP_64327 & UDP_3343 or will all DAG traffic use the Replication Network?
LikeLike
MAPI: 6005-59530 (see note 4), 80, 443 and 135
Replication: 64327 (see note 1), 3343
Note that if Replication network fails, DAG will fall back to using MAPI network (so you may want to add those ports there as well)
LikeLike
A little confused regarding the ports opened between the EMC and Mailbox servers. Can you elaborate
LikeLike
135 = RPC Endpoint Mapper, 445 = SMB
LikeLike
So for outside OWA access, it goes straight to the CAS server on the inside? There is no additional security needed by going through a FE or Transport device in the DMZ? Just a NAT and allowing 80/443 in?
LikeLike
I left options like reverse proxies, load balancers etc. out of the diagram.
LikeLike
Hi i am working as an network admin. When i request my exchange administrator to provide the list of ports to do port based restriction between mails servers and also between client to mail servers in ASA-firewall, he replies that port based restrictions cannot be done between exchange servers communication and AD-Exchange communications. It always works with dynamic ports, static ports cannot be defined and even though we do it will not function properly.
Please any of you suggest how it can be done without dynamic ports?
LikeLike
Filtering between clients and Exchange servers is ok, but between Exchange servers and due to the nature of communication dynamics also between Exchange and DC/GCs an ANY/ANY rule is considered best practice. Reading material: http://blogs.technet.com/b/exchange/archive/2013/02/18/exchange-firewalls-and-support-oh-my.aspx
LikeLike
Please let us know if there is new updated Visio diagram for Exchange Server 2013 Michael.
LikeLike
many thanks for the sharing here Michael !
LikeLike
Pingback: 建置Exchange System 常用工具 | 努力學習
Extremely useful and handy Doc.
Thanks for taking the time to upload & share.
LikeLike