Exchange firewall ports for mail flow and clients

Are you following the Exchange Server 2016 course? If you are, you know that we first have to configure the Exchange firewall ports for mail flow and clients. After that, we can start testing sending and receiving emails. In this article, you will learn about the Exchange firewall port requirements. Let’s get into the Exchange firewall configuration.

Configure Exchange firewall ports

It’s important to open the following three firewall ports for mail flow and clients. It will enable the Exchange server to communicate with other mail servers outside your organization.

| Purpose | Ports | Source | Destination |
| --- | --- | --- | --- |
| Encrypted web connections | 443/TCP (HTTPS) | Internet (any) | 192.168.1.52 |
| Inbound mail | 25/TCP (SMTP) | Internet (any) | 192.168.1.52 |
| Outbound mail | 25/TCP (SMTP) | 192.168.1.52 | Internet (any) |

In our example, the Exchange Server IP address is 192.168.1.52.

An architecture view of the Exchange 2016 namespace is shown below in the topology.

Test firewall ports

Verify the above three firewall rules after configuring them. If you followed the article configure External DNS Exchange 2016, you already have the public IP of your Exchange Server.

Do you want to get the public IP with PowerShell? Sign in to the Exchange Server. After that, run PowerShell as administrator and run the command below.

PS C:\> (Invoke-WebRequest -Uri "http://ifconfig.me/ip").Content
73.122.35.127

Test both ports 443 and 25 against the public IP; this is for incoming connections. Test port 25 against the Exchange Server; this is for outgoing connections.

Use the Test-NetConnection cmdlet. If the TcpTestSucceeded value shows True, you’re good to go. If not, check the firewall ports.

PS C:\> Test-NetConnection 73.122.35.127 -Port 443

ComputerName     : 73.122.35.127
RemoteAddress    : 73.122.35.127
RemotePort       : 443
InterfaceAlias   : LAN
SourceAddress    : 192.168.1.52
TcpTestSucceeded : True

PS C:\> Test-NetConnection 73.122.35.127 -Port 25

ComputerName     : 73.122.35.127
RemoteAddress    : 73.122.35.127
RemotePort       : 25
InterfaceAlias   : LAN
SourceAddress    : 192.168.1.52
TcpTestSucceeded : True

PS C:\> Test-NetConnection 192.168.1.52 -Port 25

ComputerName     : 192.168.1.52
RemoteAddress    : 192.168.1.52
RemotePort       : 25
InterfaceAlias   : LAN
SourceAddress    : 192.168.1.52
TcpTestSucceeded : True

You can check whether port 443 and port 25 are open on the public IP with an open port check tool. Fill in the public IP and the port numbers, and the tool will scan whether the ports are open.

Port 443 is open on public IP.

Port 25 is open on public IP.

Would you like to know more about the Exchange firewall requirements? Read more in the next parts.

Exchange firewall ports for clients and services

To get clients working with Exchange, it’s very important to open port 443 on the firewall. This is for inbound traffic only. Have a look at the image below. The arrows only go from the Internet -> On-premises Exchange 2016 environment.

[Image: Exchange 2016 firewall ports for clients architecture]

| Purpose | Ports | Source | Destination |
| --- | --- | --- | --- |
| Encrypted web connections are used by the following clients and services: Autodiscover service; Exchange ActiveSync; Exchange Web Services (EWS); Offline address book (OAB) distribution; Outlook Anywhere (RPC over HTTP); Outlook MAPI over HTTP; Outlook on the web (formerly known as Outlook Web App) | 443/TCP (HTTPS) | Internet (any) | Mailbox server |
| Unencrypted web connections are used by the following clients and services: Internet calendar publishing; Outlook on the web (redirect to 443/TCP); Autodiscover (fallback when 443/TCP isn’t available) | 80/TCP (HTTP) | Internet (any) | Mailbox server |
| IMAP4 clients* | 143/TCP (IMAP), 993/TCP (secure IMAP) | Internet (any) | Mailbox server |
| POP3 clients** | 110/TCP (POP3), 995/TCP (secure POP3) | Internet (any) | Mailbox server |
| SMTP clients (authenticated) | 587/TCP (authenticated SMTP) | Internet (any) | Mailbox server |

*IMAP4 is disabled by default.
**POP3 is disabled by default.

Exchange firewall ports for mail flow

To get mail flow working with Exchange, it’s very important to open port 25 on the firewall. This is for both inbound and outbound traffic. Have a look at the image below. The arrows go in both directions: Internet <-> On-premises Exchange 2016 environment.

[Image: Exchange 2016 firewall ports for mail flow architecture]

| Purpose | Ports | Source | Destination |
| --- | --- | --- | --- |
| Inbound mail | 25/TCP (SMTP) | Internet (any) | Mailbox server |
| Outbound mail | 25/TCP (SMTP) | Mailbox server | Internet (any) |
| Outbound mail (if proxied through the Front End transport service) | 25/TCP (SMTP) | Mailbox server | Internet (any) |
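
The Test-NetConnection checks from the test section, extended to every port in the client and mail flow tables so that ports which are reachable but were never meant to be published stand out. This is an added example, not part of the original article; the public IP is the article's sample value, and treating the optional client ports as "review if reachable" is an assumption.

```powershell
# Added example, not from the original article.
# Assumption: $Target is the sample public IP shown in the article's output.
param(
    [string]$Target = '73.122.35.127'
)

# Port list copied from the article's tables. Required = the ports the article
# says to open (443 and 25). The other ports are optional client ports; this
# script assumes they should stay closed unless you deliberately publish them
# (the article notes IMAP4 and POP3 are disabled by default).
$Ports = @(
    [pscustomobject]@{ Port = 443; Purpose = 'Encrypted web connections (HTTPS)'; Required = $true  }
    [pscustomobject]@{ Port = 25;  Purpose = 'Inbound mail (SMTP)';               Required = $true  }
    [pscustomobject]@{ Port = 80;  Purpose = 'Unencrypted web connections (HTTP)'; Required = $false }
    [pscustomobject]@{ Port = 143; Purpose = 'IMAP4 clients';                     Required = $false }
    [pscustomobject]@{ Port = 993; Purpose = 'IMAP4 clients (secure)';            Required = $false }
    [pscustomobject]@{ Port = 110; Purpose = 'POP3 clients';                      Required = $false }
    [pscustomobject]@{ Port = 995; Purpose = 'POP3 clients (secure)';             Required = $false }
    [pscustomobject]@{ Port = 587; Purpose = 'SMTP clients (authenticated)';      Required = $false }
)

function Test-ExchangePortExposure {
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,
        [Parameter(Mandatory)] [object[]] $PortList
    )
    foreach ($p in $PortList) {
        # -InformationLevel Quiet makes Test-NetConnection return only $true/$false.
        $open = Test-NetConnection -ComputerName $ComputerName -Port $p.Port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue

        $finding = if ($p.Required -and -not $open) {
            'BLOCKED: required port is not reachable'
        } elseif (-not $p.Required -and $open) {
            'REVIEW: optional port is reachable, confirm it is meant to be published'
        } else {
            'OK'
        }

        [pscustomobject]@{
            Port = $p.Port; Purpose = $p.Purpose; Open = $open; Finding = $finding
        }
    }
}

Test-ExchangePortExposure -ComputerName $Target -PortList $Ports | Format-Table -AutoSize
```

Run it from a host outside the network as well: from the Exchange Server itself, a test against the public IP only succeeds if the firewall loops that traffic back inside, so the result may differ from what the Internet sees.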

Conclusion

You learned how to configure Exchange firewall ports for mail flow and clients. The Exchange firewall configuration is important. Otherwise, you can’t send and receive emails. Enable the ports on the firewall and test if the ports are open as shown in the article.

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others.
