Pro-Exchange,Lync & Office 365
Configuring Static Ports for Exchange 2007

Hi and once again welcome to our brand new community site, which I hope you will enjoy very much. Today I will explain how to configure your Exchange 2007 servers with static ports, which is easy enough, but you may like some of the additional info along the way …


Let’s first start with the “why?”:

Exchange 2007 (and older versions as well, for that matter) registers its RPC ports dynamically upon startup: it allocates ports in the range 1024-65535, which immediately shows the problem with firewalls.

As a brief reminder, this is how dynamic allocation works for the various RPC services:
A specific RPC service, such as the Information Store, has a well-known, unique and hard-coded RPC identifier, better known as an "RPC Service Number". To provide the mapping between these RPC Service Numbers and the associated port numbers there is a Windows service called the "RPC Endpoint Mapper" (listening on port TCP/UDP 135).
In this example the Information Store starts up, registers its RPC Service Number with the RPC Endpoint Mapper and receives a dynamically allocated port number. When a client connects to the server it first contacts the RPC Endpoint Mapper and asks for the port number registered for the Information Store's RPC Service Number. Once the client has the port number it can connect to the Information Store…
The reason this process exists is that you *could* potentially have more RPC Service Numbers (a 4-byte field) than available TCP/UDP port numbers (a 2-byte field). And for those wondering: there is no performance or stability impact in making these ports static; whether you make them static or not, you still have 3 TCP ports for clients to connect to in the case of Exchange 2007.
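To make the mapping concrete, here is an added example (not code from the original article) that parses the ncacn_ip_tcp section of the `rpcdump /i` output the article shows further down and groups the registrations by TCP port. It shows what the endpoint mapper knows: several interface identifiers share one dynamically allocated port, and a client must ask the mapper for that port first. The sample lines are copied from the article's own rpcdump output; the function name ConvertFrom-RpcDumpTcp is my own.

```powershell
# Added example, not from the original article. Groups the endpoint mapper's
# registrations, as printed by 'rpcdump /i' in the ncacn_ip_tcp section, by TCP
# port, so you can see which dynamic port each Exchange interface received.
# The sample lines are taken from the rpcdump output shown later in this article;
# replace $sample with (rpcdump /i) to run it against a live server.

$sample = @'
  10.82.0.116[1218] [a4f1db00-ca47-1067-b31f-00dd010662da] Exchange Server STORE EMSMDB Interface :YES
  10.82.0.116[1218] [a9e05b20-6f57-4e24-a540-52412017e6ff] Microsoft Information Store :YES
  10.82.0.116[1221] [1544f5e0-613c-11d1-93df-00c04fd7bd09] MS Exchange Directory RFR Interface :YES
  10.82.0.116[1242] [f5cc5a18-4264-101a-8c59-08002b2f8426] MS Exchange Directory NSPI Proxy :YES
  10.82.0.116[1081] [76c0d124-a18e-49d4-adf1-d8c6ba868ea6]  :NO
'@ -split "`r?`n"

# One object per "ip[port] [uuid] name :annotation" line; lines that do not
# match (section headers, other protocol sequences) are ignored.
function ConvertFrom-RpcDumpTcp {
    param([string[]] $Lines)
    $pattern = '^\s*(?<ip>[\d.]+)\[(?<port>\d+)\]\s+\[(?<uuid>[0-9a-f-]{36})\]\s*(?<name>.*?)\s*:(?<annot>YES|NO)\s*$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $name = $Matches['name']
            if (-not $name) { $name = '(unnamed)' }   # rpcdump prints no name for some interfaces
            New-Object PSObject -Property @{
                Port      = [int]$Matches['port']
                Uuid      = $Matches['uuid']
                Interface = $name
            }
        }
    }
}

# Print the map port -> registered interfaces; the Exchange ports are the ones
# that carry the STORE, RFR and NSPI Proxy interfaces.
ConvertFrom-RpcDumpTcp $sample | Group-Object Port | Sort-Object { [int]$_.Name } | ForEach-Object {
    Write-Host ("Port {0}:" -f $_.Name)
    $_.Group | ForEach-Object { Write-Host ("    {0}  {1}" -f $_.Uuid, $_.Interface) }
}
```

Against a live server, pipe the real tool output in instead of the sample: `ConvertFrom-RpcDumpTcp (rpcdump /i)`. The regex only matches ncacn_ip_tcp lines of the shape shown, so named-pipe and HTTP endpoints in the same dump are skipped rather than misparsed.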

Now back to the why…

If you have a good rationale for putting firewalls between your clients and servers, then you probably don't want to tell your firewall admin to open ports 1024-65535. Instead you want to tell him that you fixed the Exchange ports and that he should only allow those fixed ports. Related to firewalls, and something I ran across recently, is using the IOREPL (InterOrg Replication) tool to exchange Free/Busy information with another organization, where you typically don't have full network access. Since the tool uses MAPI you have to fix the ports of the Publisher and Subscriber Exchange servers to ensure that it can pass the firewalls without opening too many ports.

Another good reason to fix these ports is if your network administrator wants to prioritize that traffic using Quality of Service (QoS). If you leave the ports dynamic, it's much harder to build "generic" QoS rules.

Now with Exchange 2007 you have several services that register a dynamic port upon startup, such as:

Service: Microsoft Exchange SA RFR Interface
    Comment: Provides the client with a referral to a Domain Controller when the client is connected in normal intranet mode. In this case your Outlook client connects directly to domain controllers in addition to Exchange servers.

Service: Microsoft Exchange Directory NSPI Proxy Interface
    Comment: Proxies all directory connections from the client to the domain controllers when the client is connected in RPC/HTTPS mode, or when you forced Outlook to operate in this mode. In this case your Outlook client only connects to your Exchange servers.

Service: Microsoft Exchange Information Store Interface
    Comment: Provides the client with access to the mailbox or public folder databases.


These services not only register a dynamic RPC port, they also register a FIXED RPC port for when the connection is made through HTTP, such as when you connect using Outlook Anywhere (formerly RPC/HTTPS). You will recognize ports such as 6001, 6002 and 6004; these must not be selected as the fixed RPC port for the above mentioned services, as they are already fixed for Outlook Anywhere.


Now how do we implement this?

There are 3 steps to execute:

  1. First determine 3 free port numbers on your Exchange server by reviewing the current RPC Service Numbers and allocated port numbers. You can use the following command to find the ports currently registered on your Exchange server (the -o switch adds the owning process ID column, -n keeps the addresses and ports numeric):

    netstat -ano | findstr /i "listening"

    TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
    TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       692
    TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
    TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
    TCP    0.0.0.0:587            0.0.0.0:0              LISTENING       2496
    TCP    0.0.0.0:593            0.0.0.0:0              LISTENING       692
    TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       412
    TCP    0.0.0.0:1059           0.0.0.0:0              LISTENING       1232
    TCP    0.0.0.0:1081           0.0.0.0:0              LISTENING       1656
    TCP    0.0.0.0:1085           0.0.0.0:0              LISTENING       1788
    TCP    0.0.0.0:1124           0.0.0.0:0              LISTENING       2340
    TCP    0.0.0.0:1135           0.0.0.0:0              LISTENING       2472
    TCP    0.0.0.0:1168           0.0.0.0:0              LISTENING       2496
    TCP    0.0.0.0:1218           0.0.0.0:0              LISTENING       1100
    TCP    0.0.0.0:1221           0.0.0.0:0              LISTENING       2864
    TCP    0.0.0.0:1242           0.0.0.0:0              LISTENING       2864

    TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       3072
    TCP    0.0.0.0:6001           0.0.0.0:0              LISTENING       1100
    TCP    0.0.0.0:6002           0.0.0.0:0              LISTENING       2864
    TCP    0.0.0.0:6004           0.0.0.0:0              LISTENING       2864
    TCP    10.82.0.116:25         0.0.0.0:0              LISTENING       2496
    TCP    10.82.0.116:139        0.0.0.0:0              LISTENING       4
    TCP    10.82.0.114:139        0.0.0.0:0              LISTENING       4


    The listening ports 1218, 1221 and 1242 above are the 3 different Exchange RPC services. You can confirm this by looking up the process identifier (shown in the last column of the above netstat output) in Task Manager and checking whether it matches the MAD.EXE or STORE.EXE process. Another method is running "RPCDUMP /i" on the host and looking for the specific RPC endpoints in the ncacn_ip_tcp protocol mapping table, as in the following output:

    ncacn_ip_tcp(Connection-oriented TCP/IP)
      10.82.0.116[1025] [12345678-1234-abcd-ef00-0123456789ab] IPSec Policy agent endpoint :YES
      10.82.0.116[1025] [12345778-1234-abcd-ef00-0123456789ac]  :YES
      10.82.0.116[1059] [b9fadb8d-53a1-41d7-b763-88d884b6b829] Microsoft Exchange Topology Information Server RPC Interface :YES
      10.82.0.116[1081] [76c0d124-a18e-49d4-adf1-d8c6ba868ea6]  :NO
      10.82.0.116[1085] [37fc1b02-da36-4b27-a745-bf2f58a98ff6]  :NO
      10.82.0.116[1124] [52d3f3f5-248c-4d74-a01f-a06e41d5cd59]  :NO
      10.82.0.116[1135] [f1f21151-7185-4170-ac8d-9bb077c29bd3]  :NO
      10.82.0.116[1168] [41f5fae1-e0ac-414c-a721-0d287466cb23]  :NO
      10.82.0.116[1168] [bd5790c9-d855-42b0-990f-3dfed8c184b3]  :NO
      10.82.0.116[1168] [8384fc47-956a-4d1e-ab2a-1205014f96ec]  :NO
      10.82.0.116[1218] [5261574a-4572-206e-b268-6b199213b4e4] Exchange Server STORE Async EMSMDB Interface :YES
      10.82.0.116[1218] [a4f1db00-ca47-1067-b31f-00dd010662da] Exchange Server STORE EMSMDB Interface :YES
      10.82.0.116[1218] [a9e05b20-6f57-4e24-a540-52412017e6ff] Microsoft Information Store :YES
      10.82.0.116[1218] [0e4a0156-dd5d-11d2-8c2f-00c04fb6bcde] Microsoft Information Store :YES
      10.82.0.116[1218] [bf6dd426-77b4-44b3-984e-d413fc075562] Microsoft Information Store :YES
      10.82.0.116[1218] [1453c42c-0fa6-11d2-a910-00c04f990f3b] Microsoft Information Store :YES
      10.82.0.116[1218] [10f24e8e-0fa6-11d2-a910-00c04f990f3b] Microsoft Information Store :YES
      10.82.0.116[1218] [da107c01-2b50-44d7-9d5f-bfd4fd8e95ed] Exchange Server STORE ADMIN Interface :YES
      10.82.0.116[1218] [99e64010-b032-11d0-97a4-00c04fd6551d] Exchange Server STORE ADMIN Interface :YES
      10.82.0.116[1218] [99e64010-b032-11d0-97a4-00c04fd6551d] Exchange Server STORE ADMIN Interface :YES
      10.82.0.116[1218] [89742ace-a9ed-11cf-9c0c-08002be7ae86] Exchange Server STORE ADMIN Interface :YES
      10.82.0.116[1218] [a4f1db00-ca47-1067-b31e-00dd010662da] Exchange Server STORE ADMIN Interface :YES
      10.82.0.116[1221] [1544f5e0-613c-11d1-93df-00c04fd7bd09] MS Exchange Directory RFR Interface :YES
      10.82.0.116[1242] [f5cc5a18-4264-101a-8c59-08002b2f8426] MS Exchange Directory NSPI Proxy :YES
      10.82.0.116[1221] [3cb4be69-9ba1-448c-9a44-a1f759a1878a] MS Exchange Recipient Update Service RPC Interface :YES
      10.82.0.116[1221] [f930c514-1215-11d3-99a5-00a0c9b61b04] MS Exchange System Attendant Cluster Interface :YES
      10.82.0.116[1221] [83d72bf0-0d89-11ce-b13f-00aa003bac6c] MS Exchange System Attendant Private Interface :YES
      10.82.0.116[1221] [469d6ec0-0d87-11ce-b13f-00aa003bac6c] MS Exchange System Attendant Public Interface :YES


    Now you need to select 3 different port numbers that are currently NOT in use and that preferably don't conflict with another well-known service port. The last point is important, as most firewalls do some application-level filtering based on the port used: if you for example selected port 80 or 443, the firewall may think it's HTTP traffic and drop it.

    There are sites or documents available with all the well known service ports which you could consult to make sure:
    http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers or http://www.iana.org/assignments/port-numbers

  2. In this example I select 56001, 56002 and 56004 as service ports for the above mentioned services. If you want to select different ones then simply alter the values below, but keep in mind they are in HEX format (0xdac1 = 56001, 0xdac2 = 56002, 0xdac4 = 56004); if you're setting the values manually, make sure to set the value format to DECIMAL before entering the port number:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters]
    "TCP/IP Port"=dword:0000dac2
    "TCP/IP NSPI Port"=dword:0000dac4

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem]
    "TCP/IP Port"=dword:0000dac1

    After implementing these registry keys simply restart the System Attendant and Information Store services…

  3. Configure your firewall to allow traffic from your clients towards the Exchange servers through ports 56001, 56002 and 56004 (or whatever ports you selected).
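The three steps above, carried out as one script: an added example that is not code from the original article or from Microsoft. It assumes an elevated PowerShell on the Exchange 2007 server itself, that the service short names MSExchangeSA and MSExchangeIS match the registry keys shown above, and uses the article's three port numbers. It parses `netstat -ano` to reject a candidate port that is already bound, refuses the endpoint mapper and Outlook Anywhere ports, writes the values as REG_DWORD from their decimal form (so the hex conversion the article warns about is done for you), restarts the two services and checks that they now listen on the static ports. The function names Get-ListeningTcpPorts and Test-StaticPortChoice are my own.

```powershell
# Added example, not code from the original article or from Microsoft. Assumes an
# elevated PowerShell on the Exchange 2007 server itself and that the service
# short names MSExchangeSA / MSExchangeIS match the registry keys the article
# shows. The three port numbers are the article's choices; edit them to suit.

$static = @(
    @{ Key = 'MSExchangeSA\Parameters';       Name = 'TCP/IP Port';      Port = 56002 }  # SA RFR Interface
    @{ Key = 'MSExchangeSA\Parameters';       Name = 'TCP/IP NSPI Port'; Port = 56004 }  # Directory NSPI Proxy
    @{ Key = 'MSExchangeIS\ParametersSystem'; Name = 'TCP/IP Port';      Port = 56001 }  # Information Store
)
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Never pick these: the RPC endpoint mapper (135), RPC over HTTP (593) and the
# fixed Outlook Anywhere endpoints 6001/6002/6004 the article warns about.
$reserved = 135, 593, 6001, 6002, 6004

# Port/PID pairs for every LISTENING TCP socket, parsed from 'netstat -ano'
# (-o adds the owning PID column, -n keeps addresses and ports numeric).
function Get-ListeningTcpPorts {
    netstat -ano | Select-String 'LISTENING' | ForEach-Object {
        $f = $_.Line.Trim() -split '\s+'            # Proto, Local, Foreign, State, PID
        New-Object PSObject -Property @{
            Port = [int]($f[1] -replace '^.*:(\d+)$', '$1')   # handles 0.0.0.0:80 and [::]:80
            Pid  = [int]$f[4]
        }
    }
}

# Reject a candidate that is out of range, reserved, or already bound by some process.
function Test-StaticPortChoice {
    param([int[]] $Ports, [int[]] $Reserved, $Listening)
    foreach ($p in $Ports) {
        if ($p -lt 1024 -or $p -gt 65535) { throw "Port $p is outside the range 1024-65535." }
        if ($Reserved -contains $p) { throw "Port $p is reserved for the endpoint mapper or Outlook Anywhere." }
        $hit = $Listening | Where-Object { $_.Port -eq $p }
        if ($hit) { throw "Port $p is already in use by PID $($hit.Pid)." }
    }
}

# The three services need three distinct ports.
$all = @($static | ForEach-Object { $_.Port })
if (@($all | Sort-Object -Unique).Count -ne $all.Count) { throw 'The static ports must be distinct.' }

# Entries whose registry value already holds the wanted port are skipped, so the
# script can be re-run once Exchange itself is listening on the static ports.
$pending = @($static | Where-Object {
    $current = (Get-ItemProperty -Path "$servicesRoot\$($_.Key)" -ErrorAction SilentlyContinue).($_.Name)
    $current -ne $_.Port
})
if ($pending.Count -eq 0) { Write-Host 'Static ports already configured.'; return }

Test-StaticPortChoice -Ports @($pending | ForEach-Object { $_.Port }) -Reserved $reserved -Listening (Get-ListeningTcpPorts)

foreach ($s in $pending) {
    # -Type DWord stores REG_DWORD from the decimal value: 56002 is written as
    # 0x0000dac2, the same value the article's .reg file contains.
    Set-ItemProperty -Path "$servicesRoot\$($s.Key)" -Name $s.Name -Value $s.Port -Type DWord
    Write-Host ('{0}\{1} = {2} (0x{2:x8})' -f $s.Key, $s.Name, $s.Port)
}

# Both services must restart before the new endpoints are registered with the
# endpoint mapper; -Force also cycles any service that depends on them.
Restart-Service -Name MSExchangeSA, MSExchangeIS -Force

# Confirm that the System Attendant and the Store now listen on the static ports.
Start-Sleep -Seconds 20
Get-ListeningTcpPorts | Where-Object { $all -contains $_.Port } | Sort-Object Port | ForEach-Object {
    Write-Host ('{0} listening (PID {1}, {2})' -f $_.Port, $_.Pid, (Get-Process -Id $_.Pid).ProcessName)
}
```

The final listing should show the three ports owned by mad.exe (RFR and NSPI Proxy) and store.exe (Information Store), which is the same check the article describes with Task Manager. If a port is rejected as in use, pick another one outside the well-known ranges and re-run; the script only writes the registry after every pending port has passed the checks.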

What’s next?

You can find more information on fixing your Exchange 2007 service ports in the following article:

Exchange Server static port mappings http://support.microsoft.com/kb/270836


Additionally, in Exchange 2007 you will see that Outlook clients receive a "new mail" notification from the server; unfortunately this UDP traffic is harder to pin to a static port. On the server side it will always be a dynamic port, but you can control which port the client uses to receive the UDP packet on. For more information please read this KB article: No way to configure port for UDP new mail notification packets  http://support.microsoft.com/kb/264035/


Fixing the service ports for Exchange 2007 alone probably isn't going to be sufficient, as you have Active Directory access to handle as well. With the knowledge you gained from this article you can review the following Microsoft KBs for information on how to set static ports for your Domain Controllers:

Restricting Active Directory replication traffic and client RPC traffic to a specific port (Windows 2003) http://support.microsoft.com/kb/224196/

The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008 http://support.microsoft.com/kb/929851/


And finally, if you need an overview of all service ports used by Windows Server systems, you can consult the following KB:

Service overview and network port requirements for the Windows Server system http://support.microsoft.com/kb/832017/


I really hope you enjoyed this article and as always I welcome any feedback (or corrections)…


Greetings,

Tonino Bruno | ICT Consultant | www.proexchange.be


Posted 05-18-2009 12:30 by Tonino