> I have a masq machine setup that is working great. I am able to access
> an exchange server outside of the internal network, but with one
> drawback. There seems to be some sort of time-out that takes place if
> you leave the client application up. Usually you can just click on a
> mail message and then it comes up, but new mail notifications are not
> coming in until you click something in the client to reinitialise the
> connection.

Following is a letter from the ISS Security mailing list:

======================================

You can also do IMAP4 over SSL (TCP 993) and POP3 over SSL (TCP 995).
Exchange also supports SMTP over SSL for server to server communication
(TCP 465). It also supports NNTP (TCP 119); I believe it also supports
NNTP over SSL (TCP 563) but have not tried it. Also if you are running a
web server of course there will be TCP ports 80 and/or 443 (for SSL). I
think there are a couple of others I am missing but those are the big ones.

---------------------------------------------------------------------------

Just further to Michael's email:

Exchange Server 5.5, by default, also uses random ports above 1024 for the
Directory Store and Information Store (required for Outlook) and one for
the System Attendant (in case you need the Exchange Administrator). Port
135 (MS RPC) is used to decide these ports.

These ports can all be fixed by using a registry modification on the
server - see KB Q176466 (TCP Ports and MS Exchange) and Q155831 "How to
force Static Mapping of Sockets".

We have our Exchange server set this way for a similar reason. It seems
to work OK, though we only run a fairly small site (~100 users).

I have found that the Exchange server still sends out UDP packets on a
random port >1024 (not mentioned in the KB). Haven't been able to track
down what this is for or how to stop it. (The Outlook client still works
fine despite this.)

You may also want to check Q179442 "How to configure a firewall for Winnt
and trusts", which mentions that you may require ports <1024 for DHCP
Manager and WINS Manager. It unfortunately does not show ways to avoid
opening all these ports.

Hope that helps

Paul Long
Systems Administrator
Forbio Research

-----Original Message-----
From: Micheal Espinola Jr [SMTP:[EMAIL PROTECTED]]
Sent: Friday, October 30, 1998 9:05 AM
To: 'Max Westin (QDT)'
Cc: [ntsec] (E-mail)
Subject: RE: [NTSEC] TCP/IP ports for logon and Exchange.

---------------------------------------------------------------------------

Open Service Ports for WindowsNT, Terminal Server, & Exchange Server

Functionality                   UDP        TCP      IP
-------------------------------------------------------
Browsing                        137,138
DHCP Lease                      67,68
DHCP Manager                               135
DNS Administration                         139
DNS Resolution                  53
Exchange Administrator                     135
Exchange Client/Server Comm.               135
File Sharing                               139
IMAP                                       143
LDAP                                       389
LDAP (SSL)                                 636
Logon Sequence                  137,138    139
MTA - X.400 over TCP/IP                    102
NetLogon                        138
NT Diagnostics                             139
NT Directory Replication        138        139
NT Event Viewer                            139
NT Performance Monitor                     139
NT Registry Editor                         139
NT Secure Channel               137,138    139
NT Server Manager                          139
NT Trusts                       137,138    139
NT User Manager                            139
Pass Through Validation         137,138    139
POP3                                       110
PPTP                                       1723     47
Printing                        137,138    139
RPC                             135        135
SMTP                                       25
WINS Manager                               135
WINS Registration               137
WINS Replication                           42

Hope this helps you...

+-------------------------------+-----------------------------------+
| Micheal Espinola Jr           | Hardening NT 4 Security Checklist |
| NT Administrator              | http://www.netcom.com/~honeyluv/  |
| mailto:[EMAIL PROTECTED]      |                                   |
+-------------------------------+-----------------------------------+
"Views expressed by this individual may differ from your own...
 ...Reader discretion is advised."

| -----Original Message-----
| --------------------------------------------------------------
| -------------
|
| Hi,
|
| I have a security related problem I need help with.
| I'm about to order a configuration of a router, and I have all info I need
| except two things.
| Our users are going to log on to an NT domain by the router, and they are
| going to connect to their Exchange server that way too.
| The department responsible for the configuration of the router doesn't want
| to open the router more than absolutely necessary.
|
| My questions are:
| 1. What ports do I have to open to the PDC (or the BDC) to be able to
|    log on to the Domain.
| 2. What ports do Microsoft Exchange (and Outlook...) use?
|
| I suspect that the answers to my questions are that they use the NetBIOS
| ports, but do they need TCP, or is UDP enough?
|
| /Max Westin
| PC-Support at KI/ERA/LR
| Tel:08-40 49072
| Mob:070-429 01 04

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
For daily digest info, email [EMAIL PROTECTED]
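A check that goes with the port table above, added here as an example and not posted by anyone in the thread: once the router team has opened what they are willing to open, probe the TCP ports from the client side and list what is still blocked before blaming Outlook. The target host is a placeholder and SERVICES is a hand-transcribed subset of the table; both are assumptions. Only TCP is probed, since UDP services (NetBIOS 137/138, DNS 53, DHCP 67/68) and PPTP's GRE (IP protocol 47) cannot be confirmed with a connect(), and the Exchange 5.5 DS/IS/SA ports above 1024 are not in the table at all: unless fixed in the registry they are assigned at start-up and learned through the RPC endpoint mapper on 135, so a static probe list cannot cover them.

```python
"""Probe the TCP ports from the thread's table from the client side of a
router or firewall.  Added example (not code from the thread or from
Microsoft); the host name is a placeholder and SERVICES is a subset of the
table, transcribed by hand.

Only TCP is probed: UDP services and PPTP's GRE cannot be confirmed with
connect(), so they are reported as not probed.  Exchange 5.5's dynamic
DS/IS/SA ports (>1024, resolved via the endpoint mapper on 135) are not
covered by a static list.
"""
import socket
import sys

# Service -> (udp_ports, tcp_ports).  Constructed subset of the table posted
# in the thread; extend as needed.
SERVICES = {
    "Logon Sequence":               ((137, 138), (139,)),
    "NT Trusts":                    ((137, 138), (139,)),
    "Pass Through Validation":      ((137, 138), (139,)),
    "RPC":                          ((135,),     (135,)),
    "Exchange Client/Server Comm.": ((),         (135,)),
    "Exchange Administrator":       ((),         (135,)),
    "MTA - X.400 over TCP/IP":      ((),         (102,)),
    "SMTP":                         ((),         (25,)),
    "POP3":                         ((),         (110,)),
    "IMAP":                         ((),         (143,)),
    "LDAP":                         ((),         (389,)),
    "LDAP (SSL)":                   ((),         (636,)),
    "DNS Resolution":               ((53,),      ()),
}


def tcp_open(host, port, timeout=2.0):
    """True if a TCP connect() to host:port completes within timeout.

    Refused, filtered (timed out) and unresolvable all come back False; a
    router that silently drops packets shows up as the timeout case.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(host, services=SERVICES, timeout=2.0, probe=tcp_open):
    """Probe every TCP port of every service.

    Returns {service: {"tcp": {port: reachable}, "udp_not_probed": [ports]}}.
    `probe` is injectable so the logic can be exercised without a network.
    """
    report = {}
    for name, (udp_ports, tcp_ports) in services.items():
        report[name] = {
            "tcp": {p: probe(host, p, timeout) for p in tcp_ports},
            "udp_not_probed": list(udp_ports),
        }
    return report


def missing(report):
    """(service, port) pairs whose TCP port did not answer."""
    return [(name, port)
            for name, entry in report.items()
            for port, ok in entry["tcp"].items() if not ok]


def demo_localhost():
    """Offline self-check: a listening local socket must read as open, and
    the same port must read as closed once the listener is gone.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # kernel picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = tcp_open("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = tcp_open("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    # Placeholder target; pass the PDC / Exchange server as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    result = audit(target)
    for name, entry in result.items():
        tcp = ", ".join("%d:%s" % (p, "open" if ok else "blocked")
                        for p, ok in entry["tcp"].items()) or "-"
        udp = ", ".join(map(str, entry["udp_not_probed"])) or "-"
        print("%-30s TCP %-22s UDP(not probed) %s" % (name, tcp, udp))
    print("blocked:", missing(result))
```

Run it from a client behind the router with the server's name as the argument; a "blocked" entry on 135 or 139 explains a failed logon or Outlook connection, while a clean TCP list with Outlook still failing points at the dynamic RPC ports or the UDP side, which this script does not test.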
