This tip originally appeared on SearchExchange.com, a sister site of SearchCIO-Midmarket.com.
In this article, I explain which ports various Exchange Server components use, so you can get an idea of which you can close for better security, and which must remain open.
The Exchange System Attendant: The Exchange System Attendant is one of the most difficult Exchange components to plan for. It primarily uses inbound TCP port number 135, but it also uses a few random ports for RPC end points (the Exchange System Attendant does not initiate any outbound connections). These random ports use numbers above 1024, but the numbers may change each time the System Attendant is started. If you are using RPC over HTTP, then TCP ports 6002-6004 may also be used for inbound communications.
The Information Store: The Exchange Information Store receives inbound traffic on TCP port 135. If RPC over HTTP is being used, TCP port 6001 is also used for inbound communications. The Information Store does use outbound communications to inform clients of new mail. By default, each Outlook client listens on a random UDP port. These random UDP ports are not used for clients accessing the server through RPC over HTTP. RPC over HTTP makes use of direct server polling instead.
The Message Transfer Agent: The Message Transfer Agent (MTA) is used for communications with Exchange 5.5 servers and for servers that communicate through the X.400 protocol only. The MTA performs RPC-based communications over TCP port number 135. X.400 communications occur over TCP port number 102.
Simple Message Transfer Protocol (SMTP): SMTP is one of the core components of Exchange Server, and SMTP traffic must not be blocked. SMTP traffic flows over TCP port 25.
Microsoft Exchange Routing Engine: One of the lesser known Exchange functions that uses a port is the routing engine. The routing engine routes traffic among the various servers within your Exchange organization. The routing engine uses TCP port 691.
World Wide Web Publishing Service: The World Wide Web Publishing Service isn't technically part of Exchange, but rather a part of IIS. Even so, this service provides OWA's core functionality. If the server is acting as an OWA front-end server, then the WWW Publishing Service uses TCP ports 80 and 443 (SSL). The only time that outbound traffic is required to be sent over port 80 is during front-end to back-end server communications.
POP3: Exchange Server 2003 disables POP3 by default, unless the server was upgraded from a previous Exchange version. If your server is using POP3, it listens for inbound traffic on TCP ports 110 and 995 (SSL). Normally, POP3 doesn't transmit outbound traffic. But if POP3 is being used for front-end to back-end server communications, TCP port 110 is used for outbound traffic.
IMAP4: Like POP3, IMAP4 is disabled by default in Exchange Server 2003 unless the server was upgraded from a previous version of Exchange. IMAP4 uses TCP ports 143 and 993 (SSL) for inbound communications. IMAP4 does not transmit outbound traffic unless it is used in a front-end/back-end server configuration, in which case it uses TCP port 443.
NNTP: The Network News Transfer Protocol (NNTP) is also disabled by default unless the server was upgraded to Exchange Server 2003. NNTP uses TCP ports 119 and 563 (SSL) for inbound communications. These same ports are also used for outbound communications if the server is configured to push content to other NNTP servers.
Site Replication Service: The Site Replication Service is RPC-based. As you would expect, this service uses primarily TCP port 135 for inbound and outbound communications. This service sometimes uses additional random TCP ports for outbound communications though. Inbound traffic also makes use of TCP port 379.
Active Directory Connector: The Active Directory Connector supports outbound traffic only. Outbound traffic flows over TCP ports 379 and 389.
Exchange Management: Exchange Management isn't really a built-in Exchange service; it's actually generic term for any Exchange Server management tools based on WMI. A good example of such a tool is Microsoft Operations Manager (MOM). WMI-based tools use RPC and pass inbound traffic through RPC calls across TCP port 135 and other random UDP ports.
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Posey has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox.