Exchange 2013 and Network Ports – Documented! (Somewhat….)

One of the missing pieces of Exchange Server 2013 Documentation has appeared on TechNet recently. The Network ports for clients and mail flow in Exchange 2013 page in TechNet is a very informative look into the inner workings of Exchange Server 2013. A fellow Exchange MVP noted that as of March 3, 2015 the EWS protocol section is missing and I’ve been told that it is being looked into.

The Documentation
Documentation has always been an important part of any software product, from the physical books of the early days to CDs and floppy disks, to online resources and electronic documents (Word, PDF, etc.). So whenever new documentation is created it is worth a look to see what has been corrected, added or changed since the product came out. In this case, the Network Ports document covers the essentials without getting into the nitty gritty. I think this is deliberate: I know of customers who use these documents to build firewall rules. While that may work for external access, Microsoft has repeatedly stated that no firewall or port blocking should be put in place internally. Hence the document seems a bit bare.

Good Start
The beginning of the article is of particular interest, as it plainly spells out important information with regard to ports:

  • We do not support restricting or altering network traffic between internal Exchange servers or between internal Exchange servers and internal Active Directory domain controllers in any and all types of topologies. If you have firewalls or network devices that could potentially restrict or alter this kind of network traffic, you need to configure rules that allow free and unrestricted communication between these servers (rules that allow incoming and outgoing network traffic on any port—including random RPC ports—and any protocol that never alter bits on the wire).
  • Edge Transport servers are almost always located in a perimeter network, so it’s expected that you’ll restrict network traffic between the Edge Transport server and the Internet, and between the Edge Transport server and your internal Exchange organization. These network ports are described in this topic.
  • It’s expected that you’ll restrict network traffic between external clients and services and your internal Exchange organization. It’s also OK if you decide to restrict network traffic between internal clients and internal Exchange servers. These network ports are described in this topic.

Sample Diagram
[Image: Diagram-NetworkDoc]

The documentation is a good starting place for port communication in Exchange 2013 and should be used in conjunction with the Exchange Server 2013 SP1 Architecture Poster. It covers port communications for clients (Outlook, OWA, etc.) and for mail flow, and links to the Hybrid and UM information.

Thoughts
Any documentation is usually welcomed and appreciated, as it opens a window into the otherwise black box of Exchange internals. In this case, however, the documentation is much more limited than that of previous versions of Exchange. Exchange 2010's port document was detailed and included information on firewall rules and other internal workings (port numbers as well):

[Image: Ex2010-fwRules]

I think the document for Exchange Server 2013 does provide useful diagrams, port numbers and a clear statement of what is not supported (blocking of ports), but it is missing other important internal information. I believe Microsoft has made it clear they will not reveal any more about port usage, since they explain that all ports need to be open between internal Exchange servers. The only server-to-server paths where port restriction is supported are Edge Transport to the internal Exchange organization and Edge Transport to external destinations (ports 25 for SMTP and 53 for DNS); as the quoted text notes, restricting traffic between clients and Exchange servers is also permitted.
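As an added illustration of the one Edge-to-Internet restriction the document does support, here is a PowerShell fragment for the Windows Firewall on an Edge Transport server. This is example code written for this post, not Microsoft's guidance or anything from the TechNet topic; the rule names, the MX host, the resolver address and the domain used for the test are assumptions for illustration, and the rules for the Edge-to-internal direction (EdgeSync and internal SMTP, listed in the same TechNet topic) are deliberately not shown.

```powershell
# Added example (not from the original post): Windows Firewall outbound rules on an
# Exchange 2013 Edge Transport server limited to the two external-facing ports the post
# names, SMTP (TCP 25) and DNS (TCP/UDP 53). Run in an elevated session on the Edge server
# (Windows Server 2012 or later, where the NetSecurity module exists).
# Rule prefix, test hosts and test domain below are assumptions, not values from the page.

$RulePrefix = 'EdgeTransport-External'   # assumed naming convention

function New-EdgeExternalRules {
    # SMTP delivery to Internet mail hosts
    New-NetFirewallRule -DisplayName "$RulePrefix-SMTP-Out" -Direction Outbound `
        -Protocol TCP -RemotePort 25 -Action Allow -Profile Any | Out-Null

    # DNS (MX/A lookups) needs both UDP and TCP 53; large responses fall back to TCP
    foreach ($proto in 'UDP', 'TCP') {
        New-NetFirewallRule -DisplayName "$RulePrefix-DNS-$proto-Out" -Direction Outbound `
            -Protocol $proto -RemotePort 53 -Action Allow -Profile Any | Out-Null
    }

    # Show what was created
    Get-NetFirewallRule -DisplayName "$RulePrefix-*" |
        Select-Object DisplayName, Direction, Action, Enabled
}

function Test-EdgeExternalPorts {
    param(
        [string]$MxHost   = 'mx.example.com',   # assumed external MX host
        [string]$Resolver = '192.0.2.53',       # assumed external DNS resolver (doc range)
        [string]$Domain   = 'example.com'       # assumed domain to resolve
    )

    # TCP 25 reachability to the remote mail host
    $smtp = Test-NetConnection -ComputerName $MxHost -Port 25 -WarningAction SilentlyContinue
    [pscustomobject]@{ Check = 'SMTP TCP/25'; Passed = $smtp.TcpTestSucceeded }

    # TCP 53 reachability to the resolver
    $dnsTcp = Test-NetConnection -ComputerName $Resolver -Port 53 -WarningAction SilentlyContinue
    [pscustomobject]@{ Check = 'DNS TCP/53';  Passed = $dnsTcp.TcpTestSucceeded }

    # A real MX lookup exercises UDP 53 (Test-NetConnection cannot probe UDP)
    try {
        $mx = Resolve-DnsName -Name $Domain -Type MX -Server $Resolver -ErrorAction Stop
        [pscustomobject]@{ Check = 'DNS MX lookup (UDP/53)'; Passed = ($mx.Count -gt 0) }
    } catch {
        [pscustomobject]@{ Check = 'DNS MX lookup (UDP/53)'; Passed = $false }
    }
}

# Usage:
#   New-EdgeExternalRules
#   Test-EdgeExternalPorts -MxHost 'mx.partner.example' -Resolver '192.0.2.53' -Domain 'partner.example'
#
# Only after the Edge-to-internal rules from the TechNet topic are also in place would it be
# safe to tighten the default outbound policy, e.g.
#   Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block
# Doing so first would cut EdgeSync and internal SMTP as well.
```

The allow rules by themselves change nothing on a host whose default outbound action is Allow; the restriction only bites once the profile default is switched to Block, which is why that step is left as a comment until the Edge-to-internal rules exist. The Test-EdgeExternalPorts function is a quick way to confirm from the Edge server itself that the perimeter firewall in front of it is passing 25 and 53, since Test-NetConnection reports only the TCP result and the MX lookup covers UDP.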

Notes
The UM ports are listed on separate pages, probably due to their complexity. The UM ports can be found here.
