Reducing the dynamic ports range between Exchange 2010 servers?

  • Question

  • We have a pair of Exchange servers (MBX/HT/CAS) deployed on a different network behind a separate firewall for security reasons, and noticed a lot of traffic over dynamic ports.  Many of them are used by MSExchangeRepl, MSExchangeMailboxReplication, W3WP.   I suspect these are RPC dynamic ports.   What's the best way to limit the dynamic range? 

    The servers are Win2008 R2, Exchange 2010 SP1; there are no applications other than backup, monitoring agent, AV.  Static port assignment is used for Client RPC, IS, AddressBook.

    I came across a few relevant articles and each uses a different method; I am confused and looking for help:

    http://support.microsoft.com/kb/154596/en-us

    http://support.microsoft.com/kb/929851/en-us

    http://support.microsoft.com/kb/908472


    PS:  Stupid me, I just ran "rpccfg –pe 45000-50000 –d 0" on a pre-production server and it screwed up the RPC calls; Exchange won't even start now.  Can someone tell me how to fix it?   Lucky there is no user on the server.

    PS2: Compared the registry with a working server.  MSExchangeRPC looks okay but RPCCfg (??) created an Internet key under HKLM\Software\Microsoft\RPC; deleted it and Exchange started now.   Hopefully that is the only bad thing I did with RPCcfg. 

    Thursday, March 10, 2011 6:01 PM

Answers

  • You need to use articles 1 and 2, the reason being that the registry settings don't work with 2008, 7, Vista; you need to use netsh from the second article.
    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
    • Marked as answer by AndyHWC Tuesday, March 15, 2011 6:27 PM
    Saturday, March 12, 2011 7:01 PM

All replies

  • Hi Andy,

    About exchange 2010 needed port, some information for you:
    http://technet.microsoft.com/en-us/library/bb331973.aspx
    As far as I know, we could keep the RPC port as dynamic ports, or set it as a static port, but could not set them as a range of ports in an Exchange 2010 scenario.
    Some information for you:
    http://social.technet.microsoft.com/wiki/contents/articles/configuring-static-rpc-ports-on-an-exchange-2010-client-access-server.aspx

    Regards!
    Gavin
    TechNet Subscriber Support in forum
    If you have any feedback on our support, please contact tngfb@microsoft.com

    Friday, March 11, 2011 9:28 AM
  • You can use the guide Gavin provided as a reference to configure static ports for RPC

    I've used static ports in several implementations and I haven't found any issues regarding it.

     


    Jonas Andersson | Microsoft Community Contributor Award 2011 | MCITP: EMA 2007/2010 | Blog: http://www.testlabs.se/blog | Follow me on twitter: jonand82
    Friday, March 11, 2011 9:52 AM
  • I did that already for the client RPC access as mentioned in my original post.  I noticed these static ports are used by the inter-server communication too.  But the problem is I still see a lot of dynamic ports between Exchange 2010 servers and the PIDs are referring to MSExchangeRepl, MSExchangeMailboxReplication, W3WP.   I need a way to reduce the range or use static ports.

    Friday, March 11, 2011 1:47 PM
  • In here Exchange Network Port Reference we find:

    Name                                          Server Role     Port           Program
    MSExchangeMailboxReplication (GFW) (TCP-In)   Client Access   808 (TCP)      Any
    MSExchangeMailboxReplication (TCP-In)         Client Access   808 (TCP)      Bin\MSExchangeMailboxReplication.exe

    so that shouldn't be a problem but we also see ...

    Name                                          Server Role     Port           Program
    MSExchangerepl - Log Copier (TCP-In)          Mailbox         64327 (TCP)    Bin\MSExchangeRepl.exe
    MSExchangerepl - RPC (TCP-In)                 Mailbox         Dynamic RPC    Bin\MSExchangeRepl.exe
    MSExchangerepl - RPC-EPMap (TCP-In)           Mailbox         RPC-EPMap      Bin\MSExchangeRepl.exe

    How to set this static is beyond me. I know how to change the 64327 port but not how to do it for MSExchangerepl - RPC (TCP-In).

    Perhaps something in here Configuring Static Ports for Exchange 2010 that you have missed?


    Jesper Bernle | Blog: http://xchangeserver.wordpress.com
    Friday, March 11, 2011 4:29 PM
  • Those static port articles are mainly for client side access and I had implemented them (I will check the registry again later). 

    I see three articles that talk about how to reduce the dynamic range of RPC but each uses a different method.  Not sure which is the right way.

    http://support.microsoft.com/kb/154596/en-us

    http://support.microsoft.com/kb/929851/en-us

    http://support.microsoft.com/kb/908472

    Saturday, March 12, 2011 1:44 AM
  • I'd go for the 1st one - How to configure RPC dynamic port allocation to work with firewalls
    Jesper Bernle | Blog: http://xchangeserver.wordpress.com
    Saturday, March 12, 2011 6:30 PM
  • We are using Windows 2008 R2, so netsh alone should do the trick?    No registry change? No rpccfg? 

    Do I need to do this on all Exchange servers?  What about Domain Controllers? 

    Thanks

    Sunday, March 13, 2011 12:21 AM
  • Yes, only netsh works, no need to do a registry change. The registry change that is done for Win 2000 and 2003 does not take effect on 2008, Win7, Vista machines. I've implemented client dynamic RPC restrictions using the strategy below.

    Legacy clients XP, 2000, 2003

    range 5000 - 5255

    2008, Vista, 7

    range 49152 - 49407

    The reason why there are two different ranges for legacy systems and newer systems instead of using the same common range is because we've found that BizTalk servers require dynamic RPC registry on lower port ranges, 5020 for example for ENTSSO, and it will break if you don't include this range. Also Exchange 2007\2010 and newer apps in general like to register on the upper range. Yes, you should also configure your Exchange servers to use static RPC ports; it doesn't have to be in the 49152-49407 range above, but if it's not then you need to open whatever port you assign it to. To sum up, legacy OSes and apps are still designed to work in the lower range while new OSes and apps work in the upper range.

    Also note reboots are required for the change to take effect.


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
    Sunday, March 13, 2011 3:41 AM
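    The netsh-only change James describes, as an added example (not code from the thread): it records the current dynamic range on all four stacks, applies the 49152-49407 range he uses, and reads it back. Run it in an elevated PowerShell on Windows 2008 R2; the 256-port count (netsh refuses anything below 255) and the Start/Count variable names are assumptions, and the RPC services only pick the range up after a reboot.

    ```powershell
    # Added example, not from the thread. Run elevated on Windows 2008 R2.
    # netsh syntax as in KB 929851; values chosen to match the 49152-49407 range in the post.
    $Start = 49152
    $Count = 256          # 49152..49407 (netsh rejects num < 255)

    function Show-DynamicPortRange {
        # Print the current start/count for TCP and UDP on both IPv4 and IPv6
        foreach ($ip in 'ipv4', 'ipv6') {
            foreach ($proto in 'tcp', 'udp') {
                Write-Host "== $ip $proto =="
                netsh int $ip show dynamicport $proto
            }
        }
    }

    function Set-DynamicPortRange([int]$StartPort, [int]$NumPorts) {
        # Apply the same range to all four stacks so one firewall rule covers them all
        foreach ($ip in 'ipv4', 'ipv6') {
            foreach ($proto in 'tcp', 'udp') {
                $out = netsh int $ip set dynamicport $proto start=$StartPort num=$NumPorts
                if ($LASTEXITCODE -ne 0) { throw "netsh failed for $ip/$proto : $out" }
            }
        }
    }

    Write-Host "Before the change:"
    Show-DynamicPortRange
    Set-DynamicPortRange -StartPort $Start -NumPorts $Count
    Write-Host "After the change (RPC services use it only after a reboot):"
    Show-DynamicPortRange
    ```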
  • Hi James, can you clarify what needs what? 

    Our Exchange servers are located in 3 data centers. 

    Data Center A - DAG1\EX1 on stretched VLAN 1 (Windows 2008 R2)

    Data Center B - DAG1\EX2 on stretched VLAN 1 (Windows 2008 R2)

    Data Center C - DAG2\EX3,EX4 on VLAN 2 (Windows 2008 R2)

    Data Center C has special security requirement and DAG2 and all its users are behind another dedicated firewall. 

    Domain Controllers are Windows 2003, located in VLAN 1


    So should I use a custom high dynamic range on all Exchange servers?  What about Domain Controllers and clients?   We actually still have a few Exchange 2003 on Windows 2003 R2 but I don't think they need to use a custom dynamic range as we can use a bridgehead to route most of the traffic.

    btw, I checked the firewall and I see port range from 7135 to 63292.  Are Windows 2008 supposed to use 49152 to 65k range?   Or is it because of Exchange?  One of the article says if Exchange 2007 is installed, Windows 2008 will use 1025 - 6000.

    Thanks

    Sunday, March 13, 2011 5:17 AM
  • The article below goes over setting static RPC ports for Exchange; it's pretty straightforward, it's only 2 ports. Don't worry about DAG, that's irrelevant.

    http://www.msexchange.org/articles_tutorials/exchange-server-2007/planning-architecture/uncovering-new-rpc-client-access-service-exchange-2010-part2.html

    As far as setting the dynamic RPC range on your Exchange and DCs, that's up to you. Servers are servers but they can also be clients. But at the end of the day if you're restricting the port range on the firewall then yes, you want to be consistent everywhere, clients and servers; that's what I did. I set static RPC ports for Exchange on ports 55000 and 55001 as well as set the dynamic port range across the board for all servers and clients.

    Legacy clients XP, 2000, 2003

    range 5000 - 5255

    2008, Vista, 7

    range 49152 - 49407


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
    Sunday, March 13, 2011 5:50 AM
  • Hi James, my concern is if I only set up a dynamic range on some of the Exchange servers but not the DC, will that create problems on inter-server communication, DC communication or clients?  Or does it just mean those without a custom dynamic range will simply fall back to the default range?    Just want to double check as I don't have a good test environment to test this scenario.

    And is 300 dynamic ports good enough for Exchange 2010?

    Sunday, March 13, 2011 2:09 PM
  • Right you need to be consistent across the board if you implement the restriction because the restriction is being enforced at the network layer by FW. When it comes to RPC port restrictions most people get a bit confused because there's dynamic rpc ports and there's also ephemeral ports.

    Ephemeral port usage: I'm a Win7 client, I go out to the internet to connect to a website on port 80. So the destination port is 80 but the source client random ephemeral port could be 51345. But even though the source port is 51345 that doesn't mean you're opening up 51345 on the firewall, because it's a source port, not a destination port, and firewalls by design allow all client-initiated source ports to go out.

    Dynamic RPC port usage: I'm an Exchange server; during boot up my Exchange services need to dynamically assign an RPC port. It will choose in the range 49152 - 65535. This means that the Exchange services may register on ports 55555 and 55551 (2 ports are required). Now I'm a client and I connect to Exchange; the client connects to port 135 first to query what dynamic ports to connect to, 55555 and 55551. That means you need to allow your firewall to open ports 135 and 55555 and 55551. Now keep in mind that the client is also inherently using a source ephemeral port, maybe 59999, but that's a source port so you don't need to open that.

    Putting the dynamic rpc port restriction does not affect ephemeral port range. The ephemeral port range is restricted using the maxuserport reg key, don't fiddle with this leave the ephemeral port range alone.

    So why do I need to open a big range 49152 - 49407 from my client to the Exchange server if I can statically assign 2 RPC ports? You don't, since you can statically configure the Exchange ports. But the issue is, say you have another server, BizTalk for example, or another app in the same segment as the Exchange servers that does not allow you to statically configure RPC ports, so you have to open a range.

    Yes 300 dynamic ports for Exchange is more than enough and is more than enough for virtually any app server. I use 255 since that is the lowest range you can go.



    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
    Sunday, March 13, 2011 4:09 PM
  • James, it seems I am going back to square one.  We had already implemented static port assignment for RPC, IS, AB services.   The problem is we still see a lot of dynamic ports being used between the Exchange servers to/from Data Center C (the data center with the special security requirement).  I traced the processes that are using the ports and I see  MSExchangeRepl, MSExchangeMailboxReplication, W3WP.  NOTE:  We do not have BizTalk or other servers.  Those are all Exchange servers; the only other applications running are meant to support Exchange like SCOM, backup, VM tools, system monitoring software...  so my questions are:

    1. Is it normal that MSExchangeRepl, MSExchangeMailboxReplication, W3WP use dynamic ports?    I assume the answer is Yes.

    2. Is there a way to configure them to use a small custom dynamic range?  I assume "netsh" is the solution.

    3. Do I just set the same custom dynamic range on all Exchange 2010 servers?  I assume the answer is Yes but want to confirm that.

    4. Do I need to set custom dynamic range on the DC?  I guess not but what do I know...

    5. Do I need to set custom dynamic range on the clients?  They are running great right now with the static port assignment and no custom dynamic range.

    Sunday, March 13, 2011 6:08 PM
  • 1. Yes, you would see that because your CAS server talks to your MB server for different services such as msexchangemailboxreplication as well as many others. That's a mailbox server role process that will dynamically register an RPC port. There should not be a FW between your CAS and MB (not supported) so this shouldn't be an issue. I don't think you can statically configure all the Exchange services on the mailbox role. All the guidance on statically configuring ports is for client access, the reason being a firewall can be between the client subnet and the Exchange servers. But there should not be one between Exchange servers and other Exchange servers or DCs, and that is not supported.

    2. Yes use the netsh, the smallest range is 255.

    3. Yes set the range on all your Exchange services

    4. I would, just to be consistent. For example, if you allow a range of 50000 to 55255 on your FW and a DC registers an RPC port of 55256 then your client net will not be able to communicate with it.

    5. No you don't need to.



    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
    • Proposed as answer by Gavin-Zhang Monday, March 14, 2011 6:05 AM
    Sunday, March 13, 2011 8:41 PM
  • 1. Yes you would see that because your CAS server talks to your MB server for different services such as msexchangemailboxreplication as well as many others. That's a mailbox server role process that will dynamically register an RPC port. There should not be a FW between your CAS and MB (not supported) so this shouldnt be an issue. I don't think you can statically configure all the Exchange services on the mailbox role. All the guidance is statically configure ports is for client access, reason being a firewall can be between client subnet to Exchange servers. But there should not be one between Exchange servers to other Exchange servers or DCs and is not supported.

    4. I would just to be consistent. For example if you allow a range of 50000 to 55255 on your FW and DC registers rpc port of 55256 then your client net will not be able to communicate with it.

    Hi James,

    1. So the dynamic ports I saw between Data Centers A|B and C are CAS to MBX traffic?  We have dedicated CAS/HT servers on Data Centers A and B but for cost reasons, the Exchange servers on Data Center C are MBX/CAS/HT in one box.   In that case, are we running Exchange in an unsupported scenario?  

    One thing I forgot to mention is we only have one AD site. 

    4. Unfortunately, I don't think I can change anything on the DC, but we are only concerned about Server-to-DC traffic.  So we should be okay by just setting up a custom dynamic range on the Exchange 2010 servers, right?   I will try that on all the MBX, CAS/HT and MBX/CAS/HT servers. 

    Assuming the firewall at Data Center C is wide open for the next little while, can I do that in stages?  Or does it have to be done and rebooted all at the same time?  I'd like to do it on the passive nodes first, so I can test it with a test mailbox database to ensure everything works before I apply the changes on the active nodes.

    Thanks

    Sunday, March 13, 2011 9:06 PM
  • 1. Just because it's two datacenters doesn't mean it's firewalled. Both networks are considered "internal". In terms of CAS not being supported behind a firewall, that basically means it's in a DMZ.

    2. If you're restricting the rpc ports between datacenters then you can possibly break AD replication between DCs since replication uses dynamic rpc.

    3. You can deploy on passive nodes first then observe make sure services are starting and ports listening, but not sure how you would actually confirm that it's "working" unless it can accept client traffic.


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
    Sunday, March 13, 2011 9:45 PM
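    For the "make sure services are starting and ports listening" step James mentions, an added example (not from the thread) that runs on a rebooted node and lists the TCP listeners that fall outside the configured dynamic range, with the owning process, so they can be compared against the firewall rule. It parses netstat output because Windows 2008 R2 has no Get-NetTCPConnection; the range values, the 55000/55001 static ports, and the portqry.exe output format it matches are assumptions.

    ```powershell
    # Added example, not from the thread. Run on a node after the reboot.
    $Start = 49152
    $Count = 256
    $End   = $Start + $Count - 1
    # Fixed ports expected from the thread: endpoint mapper, MRS, log copier, static RPC CA/AB (assumed 55000/55001)
    $Known = 135, 808, 64327, 55000, 55001

    function Get-TcpListeners {
        # Parse "netstat -ano": Proto, Local Address, Foreign Address, State, PID
        netstat -ano | Where-Object { $_ -match '^\s*TCP\s' -and $_ -match 'LISTENING' } | ForEach-Object {
            $f = $_.Trim() -split '\s+'
            # Local address is "0.0.0.0:135" or "[::]:135"; the port follows the last colon
            $port = [int](($f[1] -split ':')[-1])
            $owner = Get-Process -Id ([int]$f[4]) -ErrorAction SilentlyContinue
            $name = '?'
            if ($owner) { $name = $owner.ProcessName }
            New-Object PSObject -Property @{ Port = $port; PID = [int]$f[4]; Process = $name }
        }
    }

    function Get-RpcEndpointPorts([string]$Server = 'localhost') {
        # Optional cross-check: ports registered with the endpoint mapper on 135.
        # Assumes portqry.exe is on the PATH and prints lines containing "ncacn_ip_tcp:host[port]".
        if (-not (Get-Command portqry.exe -ErrorAction SilentlyContinue)) { return @() }
        portqry.exe -n $Server -e 135 | ForEach-Object {
            if ($_ -match 'ncacn_ip_tcp:[^\[]+\[(\d+)\]') { [int]$matches[1] }
        } | Sort-Object -Unique
    }

    # Listeners above 1024 that are neither a known fixed port nor inside the dynamic range
    Write-Host "Listeners outside $Start-$End (excluding known fixed ports):"
    Get-TcpListeners |
        Where-Object { $_.Port -gt 1024 -and $Known -notcontains $_.Port -and
                       ($_.Port -lt $Start -or $_.Port -gt $End) } |
        Sort-Object Port | Format-Table Port, PID, Process -AutoSize

    # Endpoints the mapper hands to clients that the firewall rule would not cover
    $outside = Get-RpcEndpointPorts | Where-Object { $Known -notcontains $_ -and ($_ -lt $Start -or $_ -gt $End) }
    Write-Host "RPC endpoints registered outside the range: $($outside -join ', ')"
    ```

    An empty result for both lists on each node is the condition to reach before the firewall restriction is put in place.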
  • 1. But we do have a firewall between the two data centers, even though we consider both are "internal". 

    2. Our DC are all in data center A and B.  There is no DC in data center C. 

    3. I will confirm it is working by creating a test mailbox database on the passive node, then moving the database to the "passive" and connecting to the database.

    Thanks

    Sunday, March 13, 2011 10:44 PM
  • 1. Yup understood

    2. Then you're good to go.

    3. Sure, just make the changes, leave the FW open then monitor and if it looks good then put the FW restriction.


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
    Sunday, March 13, 2011 11:05 PM