Narrowed Down Port requirements between CAS and MFG

  • Question

    Hi all,

    The company I work for doesn't have external OWA set up for Exchange; however, they have requested Outlook F/B sharing with a partner company. My plan is to set up a trust with the Microsoft Federation Gateway, specifically with 443 open to the Virtual IP of our CAS array.

    We don't have our own internet facing reverse proxy available, but do have a public facing load balancer that we were told could be used to expose our CAS servers to the internet. (Port 443 <-> internet)

    Our firewall admins are requesting port specifics that I can't seem to narrow down for them.

    http://technet.microsoft.com/en-us/library/dd638083(v=exchg.141).aspx  this article broadly states the following:

    "Federated delegation features require that the Client Access servers in your organization have outbound access to the Internet by using HTTPS. You must allow outbound HTTPS access (port 443 for TCP) to all Exchange 2010 Client Access servers in the organization.

    For an external organization to access your organization's free/busy information, you must publish one Client Access server to the Internet. This requires inbound HTTPS access from the Internet to the Client Access server. Client Access servers in Active Directory sites that don't have a Client Access server published to the Internet can use Client Access servers in other Active Directory sites that are accessible from the Internet. The Client Access servers that aren't published to the Internet must have the external URL of the Web services virtual directory set with the URL that's visible to external organizations."

    Can anyone provide information on the following:

    • If we narrow it down to the MFG port range as shown here (http://technet.microsoft.com/library/hh373144.aspx):

      207.46.150.128/25
      207.46.164.0/24

      Is it just 443 OUTBOUND to the MFG ranges, or does it have to be opened up INBOUND as well?
    • If we are F/B sharing with only 1 partner company, would it also be 443 INBOUND and OUTBOUND to their publicly advertised IP? I'm thinking their public autodiscover IP address; is that correct?
    • And since we don't have external OWA available, what is the minimum requirement for public DNS? Just an autodiscover record?


    • Edited by dq72 Monday, July 7, 2014 5:22 PM
    Monday, July 7, 2014 4:10 PM

All replies

  • Hi dq72,

    As below line says,

    "For an external organization to access your organization's free/busy information, you must publish one Client Access server to the Internet. This requires inbound HTTPS access from the Internet to the Client Access server."

    You need to have INBOUND 443 opened up as well to at least 1 CAS server. This means you need to use a reverse proxy solution if you want to follow best practices. Otherwise you can directly open ports to your CAS, which is really a bad idea (as the CAS is domain joined).

    You have a public facing load balancer; what is it used for right now? If it's a basic NLB, exposing it to the internet without a reverse proxy is as good as exposing your CAS, and worse if it's load balancing multiple servers.

    Records on Public DNS required would be:

    Forward Lookup Zone  - yourdomain.com

    Host\CNAME Record - autodiscover.yourdomain.com - pointing to the CAS or reverse proxy public IP

    Text Record - with the Federation App ID obtained from the MS Federation Gateway

    Hope you have already considered the partner company's requirement to "Create a federation trust with the Microsoft Federation Gateway" as well for it to work.

    IPs that are required to be opened (as per MS it should be open to all to work correctly):

    You should be able to query public DNS servers to get the IP details, on UDP port 53.

    IPs of the MS Federation Gateway - 443 (Not sure how you get this correct, as the IPs might change without notifying you)

    IP of the partner company's reverse proxy - 443 (This you can pinpoint with the partner)

    You also need to have a publicly trusted certificate for your domain which the MFG is aware of.

    Otherwise you can go the hard way of using an AD trust, which would limit you to fixed IP sets on both sides.


    Regards,

    Satyajit

    Please “Vote As Helpful” if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.

    Monday, September 22, 2014 9:27 AM
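The flows discussed in the question and the reply (outbound 443 from the CAS to the MFG, 443 to the partner's published address, the public autodiscover host and TXT proof record, and the EWS external URL on the published CAS) can be checked from the CAS itself before the firewall request goes in. The script below is an added example written for this page, not code from the thread or from Microsoft. It is meant to be run in the Exchange Management Shell on an Exchange 2010 CAS. contoso.com, fabrikam.com, 203.0.113.10 and the resolver 8.8.8.8 are placeholders to be replaced; the MFG ranges are the two prefixes quoted in the question. The cmdlets (Get-FederationTrust, Get-FederationInformation, Get-FederatedDomainProof, Get-WebServicesVirtualDirectory, Test-FederationTrust) are standard Exchange 2010 SP1 cmdlets; the property names used are those of their 2010 output and are worth confirming against your own shell.

```powershell
# Added example, not from the thread: pre-flight checks for federated free/busy
# sharing, run from the Exchange Management Shell on an Exchange 2010 CAS.
# Placeholders (assumptions, change them): contoso.com is your federated SMTP
# domain, fabrikam.com the partner's, 203.0.113.10 the partner's published IP,
# 8.8.8.8 any resolver that is NOT your internal (split-brain) DNS.
$ourDomain     = 'contoso.com'
$partnerDomain = 'fabrikam.com'
$partnerIp     = '203.0.113.10'
$publicDns     = '8.8.8.8'

# MFG ranges quoted in the question (TechNet hh373144). Microsoft may change
# them, so step 1 checks the address the trust actually resolves to.
$mfgRanges = @('207.46.150.128/25', '207.46.164.0/24')

function ConvertTo-UInt32 {
    # Big-endian IPv4 bytes -> unsigned integer, so CIDR math is plain arithmetic.
    param([System.Net.IPAddress]$Ip)
    $b = $Ip.GetAddressBytes(); [Array]::Reverse($b)
    return [BitConverter]::ToUInt32($b, 0)
}

function Test-InCidr {
    # True when $Ip falls inside $Cidr (e.g. 207.46.150.200 in 207.46.150.128/25).
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr.Split('/')
    # Mask built with Pow so this also runs on the PowerShell 2.0 that ships
    # with Windows Server 2008 R2 (no -shl operator there).
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    $a = (ConvertTo-UInt32 ([System.Net.IPAddress]::Parse($Ip))) -band $mask
    $n = (ConvertTo-UInt32 ([System.Net.IPAddress]::Parse($net))) -band $mask
    return ($a -eq $n)
}

function Test-Tcp {
    # Outbound TCP connect with a timeout; TcpClient exists on every .NET CAS,
    # unlike Test-NetConnection, which needs Windows Server 2012 or later.
    param([string]$TargetHost, [int]$Port = 443, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# 1. Outbound 443 from this CAS to the Microsoft Federation Gateway. Take the
#    endpoint from the trust object itself instead of guessing hostnames, and
#    report whether the resolved address is still inside the published ranges.
$trust   = @(Get-FederationTrust)[0]
$mfgHost = ([Uri]$trust.TokenIssuerMetadataEpr).Host
foreach ($addr in [System.Net.Dns]::GetHostAddresses($mfgHost)) {
    if ($addr.AddressFamily -ne 'InterNetwork') { continue }
    $ip = $addr.IPAddressToString
    $inRange = $false
    foreach ($r in $mfgRanges) { if (Test-InCidr $ip $r) { $inRange = $true } }
    $open = Test-Tcp $ip
    "MFG {0} ({1}): tcp/443 open={2} inPublishedRange={3}" -f $mfgHost, $ip, $open, $inRange
}

# 2. Outbound 443 to the partner's published address, then the real discovery
#    call, which exercises the partner's public autodiscover/EWS end to end.
"Partner {0}: tcp/443 open={1}" -f $partnerIp, (Test-Tcp $partnerIp)
Get-FederationInformation -DomainName $partnerDomain | Format-List

# 3. What the partner and the MFG must see from outside: the public autodiscover
#    host and the federation TXT proof at the domain apex. Ask a public resolver
#    so internal DNS does not mask a missing public record.
nslookup -type=A "autodiscover.$ourDomain" $publicDns
nslookup -type=TXT $ourDomain $publicDns
# The value the TXT record must carry, for comparison with the nslookup output:
Get-FederatedDomainProof -DomainName $ourDomain | Format-List

# 4. The published CAS (and, per the quoted TechNet text, the unpublished ones)
#    must advertise the externally visible EWS URL.
Get-WebServicesVirtualDirectory | Format-Table Server, ExternalUrl -AutoSize

# 5. Let Exchange validate the trust with the MFG itself.
Test-FederationTrust
```

Step 1 covers the direction question in the thread: the CAS initiates the connection to the MFG, so that flow is outbound only; the inbound 443 rule is what the partner's CAS needs to reach your published EWS endpoint (step 3 and 4), and Get-FederationInformation in step 2 is the mirror image of what the partner will do against you. If step 1 reports inPublishedRange=False, the ranges handed to the firewall team are stale and need to be refreshed from the TechNet page before the rule is written.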