Exchange 2016 firewall ports for mail flow and clients
Are you following the topic Exchange Server 2016? If you are, you know that we first have to configure the Exchange 2016 firewall ports for mail flow and clients. After that, we can start testing sending and receiving email. In this article, you will learn about the Exchange firewall port requirements. Let’s get into the Exchange firewall configuration.
Configure Exchange 2016 firewall ports
It’s important to configure the following three firewall rules for mail flow and clients. They enable the Exchange server to communicate with other mail servers outside your organization.

Purpose                      Ports              Source            Destination
-------                      -----              ------            -----------
Encrypted web connections    443/TCP (HTTPS)    Internet (any)    192.168.1.52
Inbound mail                 25/TCP (SMTP)      Internet (any)    192.168.1.52
Outbound mail                25/TCP (SMTP)      192.168.1.52      Internet (any)
In our example, the IP 192.168.1.52 is the Exchange Server.
An architecture view of the Exchange 2016 namespace is shown below in the topology.
Test firewall ports
Verify the above three firewall rules after configuring them. If you followed the article Configure External DNS Exchange 2016, you already have the public IP of your Exchange Server. If you want to get the public IP with PowerShell, log in to the Exchange Server and run PowerShell as administrator.

PS C:\> (Invoke-WebRequest -Uri "http://ifconfig.me/ip").Content
73.122.35.127
Test both ports 443 and 25 against the public IP; this is for incoming connections. Test port 25 against the Exchange Server; this is for outgoing connections. If the TcpTestSucceeded value shows True, you’re good to go. If not, check the firewall ports. Make use of the Test-NetConnection cmdlet.

PS C:\> Test-NetConnection 73.122.35.127 -Port 443

ComputerName     : 73.122.35.127
RemoteAddress    : 73.122.35.127
RemotePort       : 443
InterfaceAlias   : LAN
SourceAddress    : 192.168.1.52
TcpTestSucceeded : True

PS C:\> Test-NetConnection 73.122.35.127 -Port 25

ComputerName     : 73.122.35.127
RemoteAddress    : 73.122.35.127
RemotePort       : 25
InterfaceAlias   : LAN
SourceAddress    : 192.168.1.52
TcpTestSucceeded : True

PS C:\> Test-NetConnection 192.168.1.52 -Port 25

ComputerName     : 192.168.1.52
RemoteAddress    : 192.168.1.52
RemotePort       : 25
InterfaceAlias   : LAN
SourceAddress    : 192.168.1.52
TcpTestSucceeded : True
You can also check whether port 443 and port 25 are open against the public IP with an open port check tool. Fill in the public IP and the port numbers, and the tool will scan whether the ports are open.
Port 443 is open on public IP.
Port 25 is open on Public IP.
Would you like to know more about the Exchange firewall requirements? Read more in the next parts.
Exchange 2016 firewall ports for clients
To get clients working with Exchange, it’s very important to open port 443 on the firewall. This is only for inbound. Have a look at the image below. The arrows are only going from the Internet -> On-premises Exchange 2016 environment.
Purpose                                                   Ports                    Source            Destination
-------                                                   -----                    ------            -----------
Encrypted web connections are used by the following       443/TCP (HTTPS)          Internet (any)    Mailbox Server
clients and services:
• Autodiscover service
• Exchange ActiveSync
• Exchange Web Services (EWS)
• Offline address book (OAB) distribution
• Outlook Anywhere (RPC over HTTP)
• Outlook MAPI over HTTP
• Outlook on the web (formerly known as Outlook Web App)

Unencrypted web connections are used by the following     80/TCP (HTTP)            Internet (any)    Mailbox Server
clients and services:
• Internet calendar publishing
• Outlook on the web (redirect to 443/TCP)
• Autodiscover (fallback when 443/TCP isn't available)

IMAP4 clients*                                            143/TCP (IMAP),          Internet (any)    Mailbox Server
                                                          993/TCP (secure IMAP)

POP3 clients**                                            110/TCP (POP3),          Internet (any)    Mailbox Server
                                                          995/TCP (secure POP3)

SMTP clients (authenticated)                              587/TCP                  Internet (any)    Mailbox Server
                                                          (authenticated SMTP)
*IMAP4 is disabled by default.
**POP3 is disabled by default.
Exchange 2016 firewall ports for mail flow
To get mail flow working with Exchange, it’s very important to open port 25 on the firewall. This is for both inbound and outbound. Have a look at the image below. The arrows are going from the Internet <-> On-premises Exchange 2016 environment.
Purpose                                                   Ports            Source            Destination
-------                                                   -----            ------            -----------
Inbound mail                                              25/TCP (SMTP)    Internet (any)    Mailbox server

Outbound mail                                             25/TCP (SMTP)    Mailbox server    Internet (any)

Outbound mail                                             25/TCP (SMTP)    Mailbox server    Internet (any)
(if proxied through the Front End transport service)
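The Test-NetConnection checks from the Test firewall ports section can be run as one pass that also covers the other ports in the client table, so that anything reachable beyond the three configured rules stands out. This is an added example, not code from the original article. It assumes the article's example addresses and assumes that ports 80, 143, 993, 110, 995 and 587 are not meant to be published; set Expected to $true for any service you deliberately expose.

```powershell
# Added example, not from the original article.
# Addresses are the article's example values; replace them with your own.
$PublicIP   = '73.122.35.127'
$ExchangeIP = '192.168.1.52'

# Expected = $true  : one of the article's three rules, must answer.
# Expected = $false : assumption of this example - the port is listed in the
#                     client table but is not deliberately published.
$checks = @(
    @{ Target = $PublicIP;   Port = 443; Expected = $true;  Purpose = 'HTTPS clients' }
    @{ Target = $PublicIP;   Port = 25;  Expected = $true;  Purpose = 'Inbound SMTP' }
    @{ Target = $ExchangeIP; Port = 25;  Expected = $true;  Purpose = 'SMTP on Exchange Server' }
    @{ Target = $PublicIP;   Port = 80;  Expected = $false; Purpose = 'HTTP (unencrypted)' }
    @{ Target = $PublicIP;   Port = 143; Expected = $false; Purpose = 'IMAP4' }
    @{ Target = $PublicIP;   Port = 993; Expected = $false; Purpose = 'Secure IMAP4' }
    @{ Target = $PublicIP;   Port = 110; Expected = $false; Purpose = 'POP3' }
    @{ Target = $PublicIP;   Port = 995; Expected = $false; Purpose = 'Secure POP3' }
    @{ Target = $PublicIP;   Port = 587; Expected = $false; Purpose = 'Authenticated SMTP' }
)

$results = foreach ($c in $checks) {
    # TcpTestSucceeded is the same property shown in the article's output.
    $open = (Test-NetConnection -ComputerName $c.Target -Port $c.Port `
                -WarningAction SilentlyContinue).TcpTestSucceeded

    if ($open -eq $c.Expected) { $status = 'OK' }
    elseif ($open)             { $status = 'UNEXPECTEDLY OPEN' }
    else                       { $status = 'BLOCKED' }

    [pscustomobject]@{
        Target   = $c.Target
        Port     = $c.Port
        Purpose  = $c.Purpose
        Expected = $c.Expected
        Open     = $open
        Status   = $status
    }
}

$results | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or monitoring job flag drift.
$mismatches = @($results | Where-Object { $_.Status -ne 'OK' })
if ($mismatches.Count -gt 0) {
    Write-Warning "$($mismatches.Count) port(s) do not match the intended exposure."
    exit 1
}
```

Run the public-IP checks from a host outside the firewall where possible: from inside the network, the result depends on whether the firewall supports NAT loopback and may not reflect what the Internet sees.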
Conclusion
To sum it up, you learned which Exchange 2016 firewall ports for mail flow and clients need to be configured. The Exchange firewall configuration is important; otherwise, you can’t send and receive email. Enable the ports on the firewall and test if the ports are open as shown in the article. You may also like to read Create bulk mailboxes in Exchange 2016 with PowerShell.