Exchange Server TCP and UDP Ports

Exchange Server is a complex application that can be difficult to allow access to through a firewall. The subsystems and features that Microsoft has added—and continues to add—to Exchange Server have significantly increased the network connections that the platform uses. Sometime it’s difficult to figure out which firewall ports to open for each Exchange Server feature. These ports are the same for all versions of Exchange.

  • TCP 25Simple Mail Transfer Protocol (SMTP) is the foundation for all e-mail transport in Exchange. The SMTP Service (SMTPSvc) runs on top of the IIS Admin Service. Unlike IMAP4, POP3, NNTP, and HTTP, SMTP in Exchange does not use a separate port for secure communication (SSL), but uses a security sub-system called Transport Layer Security (TLS).
  • TCP/UDP 53 – Domain Name System (DNS) is at the heart of all of the services and functions of Windows Active Directory and Exchange Server.
  • TCP 80 – Hyper-Text Transfer Protocol is the protocol used primarily by Microsoft Outlook Web Access (OWA).
  • TCP 102 – TCP port 102 is the port that the Exchange message transfer agent (MTA) uses to communicate with other X.400-capable MTAs.
  • TCP 110 – Post Office Protocol (POP3), enables “standards-based” clients such as Outlook Express, Windows Mail, Live Mail and other POP3 enabled mail clients to access the e-mail server. As with IMAP4, POP3 runs on top of the IIS Admin Service, and enables client access to the Exchange Information store.
  • TCP 119 – Network News Transport Protocol (NNTP), sometimes called Usenet protocol, enables client access to public folders in the Information store. As with IMAP4 and POP3, NNTP runs on top of the IIS Admin Service.
  • TCP 135 – Microsoft Remote Procedure Call is a Microsoft implementation of remote procedure calls (RPCs). TCP port 135 is actually only the RPC Locator Service, which is like the registrar for all RPC-enabled services that run on a particular server. In Exchange 2000, the Routing Group Connector uses RPC instead of SMTP when the target bridgehead server is running Exchange 5.5. Also, some administrative operations require RPC. To configure a firewall to enable RPC traffic, many more ports than just 135 must be enabled.
  • TCP 143 – Internet Message Access Protocol (IMAP), may be used by “standards-based” clients such as Microsoft Outlook Express, Live Mail, Mobile Devices to access the e-mail server. IMAP4 runs on top of the Microsoft Internet Information Service (IIS) Admin Service and enables client access to the Exchange Information Store.
  • TCP 379 – The Site Replication Service (SRS) uses TCP port 379.
  • TCP 389 – TCP port 389 is the Lightweight Directory Access Protocol (LDAP) port, used by Active Directory, Active Directory Connector, and the Microsoft Exchange Server 5.5 directory.
  • TCP 390 – While not a standard LDAP port, TCP port 390 is the recommended alternate port to configure the Exchange Server 5.5 LDAP protocol when Exchange Server 5.5 is running on a Microsoft Windows Active Directory domain controller.
  • TCP 443 – Hyper-Text Transfer Protocol, using HTTPS over SSL, is the protocol used by Microsoft Outlook Web Access (OWA)
  • TCP 465 – TCP port 465 is reserved by common industry practice for secure SMTP communication using the SSL protocol. However SMTP typically still uses port 25 and will use TLS for its security layer.
  • TCP 522 – User Locator Service (ULS) is a type of Internet directory service for conferencing clients, such as NetMeeting. Exchange 2000 Server and Exchange 2000 Conferencing Server do not implement a ULS, but rather take advantage of Active Directory for directory services (by TCP port 389).
  • TCP 563 – NNTPS over SSL uses TCP port 563.
  • TCP 636 – LDAP over Secure Sockets Layer (SSL). When SSL is enabled, LDAP data that is transmitted and received is encrypted.
  • TCP 691 – The Microsoft Exchange Routing Engine (RESvc) listens for routing link state information on TCP port 691. Exchange uses routing link state information to route messages and the routing table is constantly updated.
  • TCP 993 – TCP port 993 is used for IMAP4 over SSL. Before an Exchange server supports IMAP4 (or any other protocol) over SSL, you must install a Computer certificate on the Exchange server. This can be a self-signed certificate or a purchased signed certificate.
  • TCP 995 – TCP port 995 is used POP3 over SSL.
  • TCP 3268 – TCP port 3268 is used for the Global catalog. The Windows Active Directory global catalog (which is really a domain controller “role”) listens on TCP port 3268. When you are troubleshooting issues that may be related to a global catalog, connect to port 3268 in LDP.
  • TCP 3269 – TCP port 3269 is used for the Global catalog over SSL. Applications that connect to TCP port 3269 of a global catalog server can transmit and receive SSL encrypted data. To configure a global catalog to support SSL, you must install a Computer certificate on the global catalog.

This summary should cover your port needs, but you can find more detailed information about the TCP and UDP ports that Exchange Server uses in the Microsoft article “TCP/UDP ports used by Exchange 2000 Server “.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s