Exchange 2016 firewall ports for mail flow and clients

Are you following the topic Exchange Server 2016? If so, you know that we first have to configure the Exchange 2016 firewall ports for mail flow and clients. After that, we can start testing sending and receiving email. In this article, you will learn about the Exchange firewall port requirements. Let’s get into the Exchange firewall configuration.

Configure Exchange 2016 firewall ports

It’s important to configure the following three firewall rules for mail flow and clients. They enable the Exchange Server to communicate with other mail servers outside your organization.

Purpose                     Ports             Source            Destination
-------                     -----             ------            -----------
Encrypted web connections   443/TCP (HTTPS)   Internet (any)    192.168.1.52
Inbound mail                25/TCP (SMTP)     Internet (any)    192.168.1.52
Outbound mail               25/TCP (SMTP)     192.168.1.52      Internet (any)

In our example, the IP 192.168.1.52 is the Exchange Server.

An architecture view of the Exchange 2016 namespace is shown below in the topology.

Test firewall ports

Verify the above three firewall rules after configuring them. If you followed the article Configure External DNS Exchange 2016, you already have the public IP of your Exchange Server. If you want to get the public IP with PowerShell, sign in to the Exchange Server and run PowerShell as administrator.

PS C:\> (Invoke-WebRequest -Uri "http://ifconfig.me/ip").Content
73.122.35.127

Test both ports 443 and 25 against the public IP; this is for incoming connections. Test port 25 against the Exchange Server; this is for outgoing connections. Use the Test-NetConnection cmdlet. If the TcpTestSucceeded value is True, you’re good to go. If not, check the firewall ports.

PS C:\> Test-NetConnection 73.122.35.127 -Port 443

ComputerName     : 73.122.35.127
RemoteAddress    : 73.122.35.127
RemotePort       : 443
InterfaceAlias   : LAN
SourceAddress    : 192.168.1.52
TcpTestSucceeded : True

PS C:\> Test-NetConnection 73.122.35.127 -Port 25

ComputerName     : 73.122.35.127
RemoteAddress    : 73.122.35.127
RemotePort       : 25
InterfaceAlias   : LAN
SourceAddress    : 192.168.1.52
TcpTestSucceeded : True

PS C:\> Test-NetConnection 192.168.1.52 -Port 25

ComputerName     : 192.168.1.52
RemoteAddress    : 192.168.1.52
RemotePort       : 25
InterfaceAlias   : LAN
SourceAddress    : 192.168.1.52
TcpTestSucceeded : True

You can also check whether port 443 and port 25 are open on the public IP with an open port check tool. Fill in the public IP and the port numbers, and the tool will scan whether the ports are open.

Port 443 is open on the public IP.

Port 25 is open on the public IP.

Would you like to know more about the Exchange firewall requirements? Read more in the next parts.

Exchange 2016 firewall ports for clients

To get clients working with Exchange, it’s very important to open port 443 on the firewall. This is only for inbound. Have a look at the image below. The arrows are only going from the Internet -> On-premises Exchange 2016 environment.

[Image: Exchange 2016 firewall ports for clients]

Purpose                                                      Ports             Source            Destination
-------                                                      -----             ------            -----------
Encrypted web connections are used by the following          443/TCP (HTTPS)   Internet (any)    Mailbox Server
clients and services:
• Autodiscover service
• Exchange ActiveSync
• Exchange Web Services (EWS)
• Offline address book (OAB) distribution
• Outlook Anywhere (RPC over HTTP)
• Outlook MAPI over HTTP
• Outlook on the web (formerly known as Outlook Web App)

Unencrypted web connections are used by the following        80/TCP (HTTP)     Internet (any)    Mailbox Server
clients and services:
• Internet calendar publishing
• Outlook on the web (redirect to 443/TCP)
• Autodiscover (fallback when 443/TCP isn't available)

IMAP4 clients*                                               143/TCP (IMAP),   Internet (any)    Mailbox Server
                                                             993/TCP (secure
                                                             IMAP)

POP3 clients**                                               110/TCP (POP3),   Internet (any)    Mailbox Server
                                                             995/TCP (secure
                                                             POP3)

SMTP clients (authenticated)                                 587/TCP           Internet (any)    Mailbox Server
                                                             (authenticated
                                                             SMTP)

*IMAP4 is disabled by default.
**POP3 is disabled by default.

Exchange 2016 firewall ports for mail flow

To get mail flow working with Exchange, it’s very important to open port 25 on the firewall. This is for both inbound and outbound. Have a look at the image below. The arrows are going from the Internet <-> On-premises Exchange 2016 environment.

[Image: Exchange 2016 firewall ports for mail flow]

Purpose                Ports             Source             Destination
-------                -----             ------             -----------
Inbound mail           25/TCP (SMTP)     Internet (any)     Mailbox server

Outbound mail          25/TCP (SMTP)     Mailbox server     Internet (any)

Outbound mail          25/TCP (SMTP)     Mailbox server     Internet (any)
(if proxied
through the
Front End
transport service)
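
The two tables above list every port a client or mail server can use, while the three rules configured earlier expose only 443 and 25. The following PowerShell script is an added example, not part of the original article: it checks that exactly those ports answer on the public IP and flags any other listed port that is reachable. The function name `Test-ExchangeExposure` and the `ShouldBeOpen` policy are assumptions; the IP is the article's example address.

```powershell
# Added example, not from the original article. Run it from a host OUTSIDE the
# firewall so the results reflect the Internet-facing rules, not the LAN.
$PublicIP = '73.122.35.127'   # public IP used in the article's example

# Ports come from the article's tables. The ShouldBeOpen values are an assumed
# policy (only the article's three rules are published); adjust to your design.
$rules = @(
    [pscustomobject]@{ Port = 443; Service = 'HTTPS clients';      ShouldBeOpen = $true  }
    [pscustomobject]@{ Port = 25;  Service = 'SMTP inbound mail';  ShouldBeOpen = $true  }
    [pscustomobject]@{ Port = 80;  Service = 'HTTP (unencrypted)'; ShouldBeOpen = $false }
    [pscustomobject]@{ Port = 143; Service = 'IMAP4';              ShouldBeOpen = $false }
    [pscustomobject]@{ Port = 993; Service = 'Secure IMAP';        ShouldBeOpen = $false }
    [pscustomobject]@{ Port = 110; Service = 'POP3';               ShouldBeOpen = $false }
    [pscustomobject]@{ Port = 995; Service = 'Secure POP3';        ShouldBeOpen = $false }
    [pscustomobject]@{ Port = 587; Service = 'Authenticated SMTP'; ShouldBeOpen = $false }
)

function Test-ExchangeExposure {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string]   $Target,
        [Parameter(Mandatory)] [object[]] $Rules
    )
    foreach ($rule in $Rules) {
        # -InformationLevel Quiet returns only $true/$false for the TCP test
        $open = Test-NetConnection -ComputerName $Target -Port $rule.Port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        # Compare the observed state with the intended one
        $finding = if ($open -eq $rule.ShouldBeOpen) { 'OK' } elseif ($open) {
            'UNEXPECTED EXPOSURE' } else { 'BLOCKED: check firewall rule' }
        [pscustomobject]@{
            Port     = $rule.Port
            Service  = $rule.Service
            Expected = if ($rule.ShouldBeOpen) { 'open' } else { 'closed' }
            Actual   = if ($open) { 'open' } else { 'closed' }
            Finding  = $finding
        }
    }
}

$report = Test-ExchangeExposure -Target $PublicIP -Rules $rules
$report | Format-Table -AutoSize

# Summarize deviations so the script can be reused as a recurring check
$deviations = @($report | Where-Object Finding -ne 'OK')
if ($deviations) { Write-Warning "$($deviations.Count) port(s) deviate from the intended exposure." }
```

Closed ports take several seconds each to time out, so a full run can take a few minutes.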

Conclusion

To sum it up, you learned which Exchange 2016 firewall ports need to be configured for mail flow and clients. The Exchange firewall configuration is important; otherwise, you can’t send and receive email. Enable the ports on the firewall and test whether they are open, as shown in the article. You may also like to read Create bulk mailboxes in Exchange 2016 with PowerShell.

ALI TAJRAN
