Pro-Exchange,Lync & Office 365
Configuring Static Ports for Exchange 2010

Hi,


For reasons explained in my article “Configuring Static Ports for Exchange 2007” you may want to lock down the TCP ports Exchange uses to communicate with clients such as Outlook. As you may have noticed, things are a bit different in Exchange 2010, such as the introduction of the RPC Client Access Service. In Exchange 2007 Outlook would connect to the Mailbox Server on TCP port 135 (the RPC Endpoint Mapper), request the ports for the different services such as the Store, NSPI Proxy or the Referral Service, and proceed with making a connection on those advertised ports. This process is still the same in Exchange 2010; however, with the RPC Client Access Service in the mix there are some changes in the procedure.


I won’t go into more detail on the RPC Client Access Service; my friend Henrik Walther has written some excellent articles on this topic:

Uncovering the new RPC Client Access Service in Exchange 2010 (Part 1)
Uncovering the new RPC Client Access Service in Exchange 2010 (Part 2)
Uncovering the new RPC Client Access Service in Exchange 2010 (Part 3)
Uncovering the new RPC Client Access Service in Exchange 2010 (Part 4)


So in my lab I have a client running Outlook 2007 connected to a Mailbox Database in a DAG through the RPC Client Access Service:

image


When you log on to the RPC Client Access Server and check the network connections for my client, you’ll see the following:

image

As you can see my client is connected on ports 17823 and 17757, pretty random port numbers …


Let’s open Task Manager on the RPC Client Access Server and check the Process Identifiers (1704 & 2360): you’ll notice these ports belong to the MSExchangeRPC and MSExchangeAB services.

image


Let’s check on the server how the RPC services are registered. To see this I use the RPCDUMP tool, which is part of the Windows Server 2003 Resource Kit Tools.

“RPCDUMP /i” dumps all RPC services registered on the server; for readability I have listed below only the ones I found interesting for Exchange.


ncacn_ip_tcp(Connection-oriented TCP/IP)
  X10-CH01[17757] [1544f5e0-613c-11d1-93df-00c04fd7bd09] Microsoft Exchange RFR Interface :NOT_PINGED
  X10-CH01[17757] [f5cc5a18-4264-101a-8c59-08002b2f8426] Microsoft Exchange NSP Interface :NOT_PINGED
  X10-CH01[17823] [5261574a-4572-206e-b268-6b199213b4e4]  :NOT_PINGED
  X10-CH01[17823] [a4f1db00-ca47-1067-b31f-00dd010662da]  :NOT_PINGED

The first 2 services, RFR and NSP, are related to the directory services now provided by the MSExchangeAB service. Compared to an Exchange 2007 RPC dump (as shown in my article for Exchange 2007) these services are identical to the Referral and NSPI Proxy services, but the difference is that both RPC services now run on the same TCP port in Exchange 2010.

The last 2 services belong to the MSExchangeRPC service (also known as the RPC Client Access Service). When you compare this to an Exchange 2007 RPC dump you can see that these RPC interface identifiers actually used to belong to the Exchange Server Store services. This is how Microsoft ensured that legacy clients would still work as expected when connected through the RPC Client Access Server or Mailbox Server. In the end the client basically asks the RPC Endpoint Mapper on the server for the TCP port of a well known interface (such as “a4f1db00-ca47-1067-b31f-00dd010662da”). On an Exchange 2010 CAS server (and on the MBX server as well) this RPC identifier is linked to the MSExchangeRPC service, which proxies the request to a back-end mailbox server using a new RPC identifier for the Information Store service.


So let’s summarize the different ports we need to lock down:

image


How to set static ports on the Client Access Server:

For the Address Book Service edit the config file Microsoft.exchange.addressbook.service.exe.config as follows:

<!-- Set port to an empty string to disable ncacn_ip_tcp. -->
<!-- Set the port to 0 to allow the server to assign a port number dynamically. -->
<add key="RpcTcpPort" value="56004" />

For the MS Exchange RPC Service edit the registry as follows:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeRPC\ParametersSystem]
"TCP/IP Port"=dword:0000dac0

Note that the hex value 0xdac0 corresponds to 56000.


How to set static ports on the Mailbox Server:

For the MS Exchange RPC Service, so that Public Folder connections can be accepted, edit the registry as follows:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeRPC\ParametersSystem]
"TCP/IP Port"=dword:0000dac0

Note that the hex value 0xdac0 corresponds to 56000; it is safe to use the same port number as on the CAS.


For the new Information Store RPC service we need to edit the registry like we did in Exchange 2007:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeIS\ParametersSystem]
"TCP/IP Port"=dword:0000dac1

Note that the hex value 0xdac1 corresponds to 56001.
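
The same CAS and Mailbox Server changes, as an added PowerShell example that is not part of the original article: it writes the registry values and the Address Book config key, restarts the services, and checks that each service is really listening on its port under its own PID (the Task Manager check from above). It assumes the default Exchange 2010 install path in $ExchangeBin and that $Role is set to the role of the server you run it on.

```powershell
# Added example, not from the original article: applies the static ports above
# with PowerShell instead of regedit/notepad and reads them back. Assumes the
# default Exchange 2010 install path; adjust $ExchangeBin for your server.
$ExchangeBin = 'C:\Program Files\Microsoft\Exchange Server\V14\Bin'

function Set-StaticRpcPort {
    param([string]$Service, [int]$Port)
    $key = "HKLM:\SYSTEM\CurrentControlSet\services\$Service\ParametersSystem"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Writing the decimal value avoids the 0xdac0 vs 56000 mix-up; it is a DWORD either way.
    Set-ItemProperty -Path $key -Name 'TCP/IP Port' -Value $Port -Type DWord
    $back = (Get-ItemProperty -Path $key -Name 'TCP/IP Port').'TCP/IP Port'
    '{0}: TCP/IP Port = {1} (0x{1:x})' -f $Service, $back
}

function Set-AddressBookPort {
    param([string]$ConfigPath, [int]$Port)
    [xml]$cfg = Get-Content -Path $ConfigPath
    $node = $cfg.SelectSingleNode("//add[@key='RpcTcpPort']")
    if ($node -eq $null) { throw "RpcTcpPort not found in $ConfigPath" }
    Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force
    $node.value = [string]$Port    # 0 = dynamic, empty string = disable ncacn_ip_tcp
    $cfg.Save($ConfigPath)
    "MSExchangeAB: RpcTcpPort = $Port"
}

function Test-ServiceListening {
    # Ties the listening port to the service PID, as the article did with Task Manager.
    param([string]$Service, [int]$Port)
    $svcPid = (Get-WmiObject Win32_Service -Filter "Name='$Service'").ProcessId
    $hit = netstat -ano -p tcp | Select-String ":$Port\s+\S+\s+LISTENING\s+$svcPid\s*$"
    '{0}: port {1} listening as PID {2}: {3}' -f $Service, $Port, $svcPid, [bool]$hit
}

$Role = 'CAS'   # or 'MBX'; MSExchangeRPC takes 56000 on both roles
Set-StaticRpcPort -Service 'MSExchangeRPC' -Port 56000
if ($Role -eq 'CAS') {
    Set-AddressBookPort -ConfigPath "$ExchangeBin\Microsoft.exchange.addressbook.service.exe.config" -Port 56004
    Restart-Service -Name MSExchangeRPC, MSExchangeAB -Force
    Test-ServiceListening -Service 'MSExchangeRPC' -Port 56000
    Test-ServiceListening -Service 'MSExchangeAB' -Port 56004
} else {
    Set-StaticRpcPort -Service 'MSExchangeIS' -Port 56001
    # Restarting the store dismounts databases; do this in a maintenance window.
    Restart-Service -Name MSExchangeRPC, MSExchangeIS -Force
    Test-ServiceListening -Service 'MSExchangeRPC' -Port 56000
    Test-ServiceListening -Service 'MSExchangeIS' -Port 56001
}
```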


Once you’ve completed these changes and restarted the respective services you’ll notice the following on the client:

image

Now you can see a connection to port 56000 for the MS Exchange RPC Service and port 56004 for the Address Book Service.


On the Client Access Server you’ll notice this in the RPCDUMP output:

ncacn_ip_tcp(Connection-oriented TCP/IP)
X10-CH01[56000] [5261574a-4572-206e-b268-6b199213b4e4]  :NOT_PINGED
X10-CH01[56000] [a4f1db00-ca47-1067-b31f-00dd010662da]  :NOT_PINGED
X10-CH01[56004] [1544f5e0-613c-11d1-93df-00c04fd7bd09] Microsoft Exchange RFR Interface :NOT_PINGED
X10-CH01[56004] [f5cc5a18-4264-101a-8c59-08002b2f8426] Microsoft Exchange NSP Interface :NOT_PINGED

On the Mailbox Server you’ll notice this in the RPCDUMP output:

ncacn_ip_tcp(Connection-oriented TCP/IP)
X10-DAG1-1[56000] [5261574a-4572-206e-b268-6b199213b4e4]  :YES
X10-DAG1-1[56000] [a4f1db00-ca47-1067-b31f-00dd010662da]  :YES
X10-DAG1-1[56001] [938fe036-ede6-4f6c-966e-a3d7300279c8] Exchange Server STORE EMSMDBPOOL Interface :YES
X10-DAG1-1[56001] [31e68719-d4fc-401a-8788-bc56169a336b] Exchange Server STORE Async EMSMDBMT Interface :YES
X10-DAG1-1[56001] [df831451-edad-415d-905f-9d3793f92db3] Exchange Server STORE EMSMDBMT Interface :YES
X10-DAG1-1[56001] [a9e05b20-6f57-4e24-a540-52412017e6ff] Microsoft Information Store :YES
X10-DAG1-1[56001] [0e4a0156-dd5d-11d2-8c2f-00c04fb6bcde] Microsoft Information Store :YES
X10-DAG1-1[56001] [bf6dd426-77b4-44b3-984e-d413fc075562] Microsoft Information Store :YES
X10-DAG1-1[56001] [1453c42c-0fa6-11d2-a910-00c04f990f3b] Microsoft Information Store :YES
X10-DAG1-1[56001] [10f24e8e-0fa6-11d2-a910-00c04f990f3b] Microsoft Information Store :YES
X10-DAG1-1[56001] [da107c01-2b50-44d7-9d5f-bfd4fd8e95ed] Exchange Server STORE ADMIN Interface :YES
X10-DAG1-1[56001] [99e64010-b032-11d0-97a4-00c04fd6551d] Exchange Server STORE ADMIN Interface :YES
X10-DAG1-1[56001] [89742ace-a9ed-11cf-9c0c-08002be7ae86] Exchange Server STORE ADMIN Interface :YES
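
To turn the RPCDUMP check above into something you can repeat after every change, here is an added PowerShell audit that is not part of the original article: it parses the dump lines, compares each known Exchange interface UUID against the port plan, and reports any interface that is still on a dynamic port. The sample lines are copied from the CAS dumps shown above; the $Expected map and the function name are mine.

```powershell
# Added example, not part of the original article: audit 'rpcdump /i' output
# against the port plan above and report any Exchange interface that landed on
# the wrong (dynamic) port. Sample lines are copied from the article's CAS
# dumps; on a real server pipe the tool's output in instead.
$Expected = @{
    '5261574a-4572-206e-b268-6b199213b4e4' = 56000   # MSExchangeRPC (legacy Store UUID)
    'a4f1db00-ca47-1067-b31f-00dd010662da' = 56000   # MSExchangeRPC (legacy Store UUID)
    '1544f5e0-613c-11d1-93df-00c04fd7bd09' = 56004   # RFR interface, MSExchangeAB
    'f5cc5a18-4264-101a-8c59-08002b2f8426' = 56004   # NSP interface, MSExchangeAB
}

function Test-RpcDumpPorts {
    param([string[]]$Lines, [hashtable]$Map)
    $problems = @()
    foreach ($line in $Lines) {
        # Matches "  X10-CH01[17757] [1544f5e0-...-00c04fd7bd09] Microsoft Exchange RFR Interface :NOT_PINGED"
        if ($line -match '^\s*(\S+)\[(\d+)\]\s+\[([0-9a-fA-F-]{36})\]') {
            $port = [int]$Matches[2]; $uuid = $Matches[3].ToLower()
            if ($Map.ContainsKey($uuid) -and $Map[$uuid] -ne $port) {
                $problems += '{0}: {1} bound to {2}, expected {3}' -f $Matches[1], $uuid, $port, $Map[$uuid]
            }
        }
    }
    $problems   # empty when every known interface is on its planned port
}

$Before = @(
    '  X10-CH01[17757] [1544f5e0-613c-11d1-93df-00c04fd7bd09] Microsoft Exchange RFR Interface :NOT_PINGED',
    '  X10-CH01[17823] [a4f1db00-ca47-1067-b31f-00dd010662da]  :NOT_PINGED'
)
$After = @(
    'X10-CH01[56000] [a4f1db00-ca47-1067-b31f-00dd010662da]  :NOT_PINGED',
    'X10-CH01[56004] [1544f5e0-613c-11d1-93df-00c04fd7bd09] Microsoft Exchange RFR Interface :NOT_PINGED'
)
Test-RpcDumpPorts -Lines $Before -Map $Expected   # two findings, both on dynamic ports
Test-RpcDumpPorts -Lines $After  -Map $Expected   # nothing reported
# Live check on a server: Test-RpcDumpPorts -Lines (rpcdump /i) -Map $Expected
```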


Voilà, now you can set those ports to fixed values if you need them for QoS or for restricting ports on the firewall.


Hope you enjoyed the article and please don’t hesitate to use the forums for any questions you may have…


Greetz,

Tonino Bruno | ICT Consultant | www.proexchange.be


Posted 04-08-2010 9:50 by Tonino