best practice Exchange network security

    General discussion

  • Friends, I have this hosted setup, running fine, but now I want to make it more secure by only allowing the traffic from inside the LAN which is required for Exchange and updates to go out; everything else should be dropped. But I am not very sure what ports are used by Exchange to make connections to the outer world for OWA / mail clients like Outlook and others, or maybe some network/authentication, and then Windows updates. So is it possible, or has someone done this, to configure the same on a router?

    Happiness Always

    • Edited by 'Jatin' Monday, May 21, 2012 19:36
    Monday, May 21, 2012 19:32

All replies

  • Exchange only makes outbound connections on TCP 25, for sending SMTP, HTTP/S for checking certificate CRLs, downloading updates, that sort of thing, and DNS, though the DNS server is doing that. Are you wanting to block all other outbound traffic? Outlook/OWA etc. are making inbound connections to Exchange, so not sure what you are getting at there.

    Also look at as that lists all the ports/protocols Exchange uses.

    Monday, May 21, 2012 23:46
  • Yes Greg, I want to block all unwanted traffic from my LAN, which is connected to the WAN on a public interface, so I want to know what ports Microsoft Exchange uses, or the OS uses for communication or maybe updates. I've got TMG also in the setup.

    Happiness Always

    • Edited by 'Jatin' Tuesday, May 22, 2012 2:48
    Tuesday, May 22, 2012 2:48
  • Why are you concerned about what goes OUT? (Apart from SMTP delivery that is) Is all outbound traffic via TMG? You want to stop people like you on your internal network from getting out to the Internet?

    The article I linked to earlier lists all the ports Exchange uses.

    Tuesday, May 22, 2012 2:56
  • Perfect about the article, thanks. But the reason I want to do this is that I want to block any kind of unwanted traffic, for example some machine infected with a virus/worm/trojan sending huge traffic on the WAN link and choking my bandwidth. This way I can allow only the traffic which is required by Exchange.

    Can you please advise about OS or TMG updates, if you have any idea?

    One more thing, please don't mind, Greg: can you please check this, as my DAG is stopped.

    Please advise.

    Happiness Always

    • Edited by 'Jatin' Tuesday, May 22, 2012 3:09
    Tuesday, May 22, 2012 3:09
  • Sorry for the slow reply.

    Not sure what to suggest really, you could simply set up TMG to be the route out for all traffic, and configure TMG to restrict the IP addresses you want to allow access to. More of a network security question than Exchange I'd say. Sorry I can't help much more.

    p.s. hope you got your servers sorted out.

    Thursday, May 24, 2012 22:02
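
A sketch of the default-deny outbound policy discussed in this thread, as an added example that is not part of any post: it allows only the outbound traffic named above (TCP 25 and HTTP/S from the Exchange server, DNS from the DNS server) and totals the dropped bytes per internal host, which is what surfaces an infected machine flooding the WAN link. The IP addresses, the flow-record format and the function names are assumptions constructed for illustration.

```python
from collections import Counter
from ipaddress import ip_address

# Assumed internal addresses (constructed for this example).
EXCHANGE = ip_address("10.0.0.10")
DNS_SERVER = ip_address("10.0.0.53")

# Outbound needs named in the thread: SMTP, HTTP/S (CRL checks, updates),
# and DNS, which the DNS server performs rather than Exchange itself.
ALLOW = {
    EXCHANGE: {("tcp", 25), ("tcp", 80), ("tcp", 443)},
    DNS_SERVER: {("udp", 53), ("tcp", 53)},
}

# Constructed outbound flow records: src dst proto dport bytes
SAMPLE_FLOWS = """\
10.0.0.10 203.0.113.5   tcp 25   48211    # Exchange sending mail
10.0.0.10 198.51.100.7  tcp 80   1200     # CRL check
10.0.0.10 198.51.100.8  tcp 443  90000    # update download
10.0.0.53 192.0.2.1     udp 53   300      # DNS server resolving
10.0.0.77 203.0.113.9   tcp 25   5000000  # workstation sending SMTP directly
10.0.0.77 203.0.113.10  tcp 25   4000000
10.0.0.10 192.0.2.1     udp 53   120      # Exchange bypassing the DNS server
10.0.0.88 198.51.100.20 tcp 6667 2048     # unlisted port
"""

def parse_flows(text):
    """Yield (src, dst, proto, dport, bytes) from whitespace-separated records."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, proto, dport, nbytes = line.split()
        yield ip_address(src), ip_address(dst), proto.lower(), int(dport), int(nbytes)

def evaluate(text, allow=ALLOW):
    """Apply default-deny egress: return (allowed flows, dropped bytes per source)."""
    allowed, dropped = [], Counter()
    for src, dst, proto, dport, nbytes in parse_flows(text):
        if (proto, dport) in allow.get(src, ()):
            allowed.append((str(src), str(dst), proto, dport))
        else:
            dropped[str(src)] += nbytes  # anything not explicitly listed is dropped
    return allowed, dropped

def top_dropped(text, n=3):
    """Internal hosts ranked by dropped outbound bytes: candidates for investigation."""
    return evaluate(text)[1].most_common(n)

if __name__ == "__main__":
    for host, nbytes in top_dropped(SAMPLE_FLOWS):
        print(f"{host}: {nbytes} bytes dropped")
```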