What ports to open

I'm creating a new Active Directory internal and a new DMZ domain for a company with Exchange Server 2007 and BES. There is already an existing PIX firewall hosted by another supplier to separate the zones. The only things going into the DMZ are an Edge server and a BES router. All servers will hopefully be Server 08 R2.

Quite simply, what ports need to be opened on the internal firewall for functionality of OWA and Outlook Anywhere? I have listed:
TCP 25 SMTP
TCP 88 Kerberos Authentication
TCP 389 LDAP
TCP 3268 Global catalogue
TCP/UDP 53 DNS
TCP port 50389 LDAP for EdgeSync (secure)
TCP port 50636 LDAP for EdgeSync

What else do I need to consider?

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

HeroPsycho

Gotta ask...

Why put the BES in the DMZ? You're gonna need to open RPC ports, all ports related to AD traffic, etc. You're gonna swiss cheese your firewall doing that.

From the Internet, you need to allow in TCP443. You don't need any additional ports for that.

http://technet.microsoft.com/en-us/library/bb123741.aspx

Those need to be able to reach the server(s) running the Client Access Role, or ISA servers if you're securely publishing. Edge Transport is not involved at all in Outlook Anywhere.

Pash

HeroPsycho wrote: »

Why put the BES in the DMZ? You're gonna need to open RPC ports, all ports related to AD traffic, etc. You're gonna swiss cheese your firewall doing that.

How is he swiss cheesing his firewall if he is using proper access policies? Stateful firewalls it's always src dst port/service allow/deny. Putting a device that will typically be accessed through the public domain on a DMZ is perfectly fine, unless I am missing some fundamental reason why not.

As said though. You only need port 443. One quick google search of "outlook anywhere ports" returned the same link as Hero on the second match.

HeroPsycho

Pash wrote: »

How is he swiss cheesing his firewall if he is using proper access policies? Stateful firewalls it's always src dst port/service allow/deny. Putting a device that will typically be accessed through the public domain on a DMZ is perfectly fine, unless I am missing some fundamental reason why not.

Why put a host in the DMZ that needs most of the most dangerous ports that you'd want forbidden from a DMZ host anyway? DMZing the BES server would be like DMZing an internal Outlook/AD client. What are you protecting the production network from by putting the BES server in the DMZ in that scenario? I submit you're not helping security doing that. You're far more likely to cause management/troubleshooting nightmares for little if any security benefit. This is the exact reason Microsoft doesn't support Client Access Servers in DMZ's anymore.

You're also not fundamentally understanding how BES servers work. BB's do not make unsolicited network connections to the BES server directly, which is usually why "front end" servers are put in DMZ's in the first place.

mikedisd2

HeroPsycho wrote: »

Gotta ask...

Why put the BES in the DMZ? You're gonna need to open RPC ports, all ports related to AD traffic, etc. You're gonna swiss cheese your firewall doing that.

From the Internet, you need to allow in TCP443. You don't need any additional ports for that.

Funny enough you've gotten ahead of me. My original post was not about putting the BES in the DMZ; it was putting the BES ROUTER in the DMZ with the BES behind the internal firewall. However:

My design of common sense has been rejected and I am NOW told to put the BES IN the DMZ. I don't like it, you don't like it but being just a gopher means I have no say in it. I'm just the shmuck that has to implement it and I need to know what ports need to be opened on the internal firewall for Exchange to talk to BES.

My main concern is about Exchange, which usually uses a range of dynamic addresses now has to be configured to use static IPs. I don't fully understand how to configure this and am having trouble finding appropriate info.

Please don't respond advising best practices and reasons why the BES needs to be behind the firewall. I know all that but it isn't going to happen.

HeroPsycho

You'd need to check official BES documentation, but I'm pretty sure a lot of the ports listed here would be included.

Front-End and Back-End Topology Checklist

You might also want to check with Blackberry to see if a BES in the DMZ is even supported.

mikedisd2

A BES in the DMZ can be done but isn't supported by RIM. They have a whitepaper describing how to do it, but it's not very comprehensive.

The more I read up on this the more I hate being put in this situation. I'm gonna have it out with the technical lead and see if I can't get it changed to how it should.