| Source Role | Destination Role | Port | Protocol | Description | Default Authentication | Supported Authentication | Encryption Supported | Encrypted by Default | Notes |
|---|---|---|---|---|---|---|---|---|---|
| Client-Access | Database-MAPI | 135 | TCP | Availability Web service (RPC) | NTLM/Kerberos | NTLM/Kerberos | Yes, using RPC encryption | Yes | |
| Client-Access | DC | 389 | TCP/UDP | LDAP | Kerberos | Kerberos | Yes, using Kerberos encryption | Yes | |
| Client-Access | DC | 3268 | TCP | LDAP GC | Kerberos | Kerberos | Yes, using Kerberos encryption | Yes | |
| Client-Access | DC | 88 | TCP/UDP | Kerberos | Kerberos | Kerberos | Yes, using Kerberos encryption | Yes | |
| Client-Access | DC | 53 | TCP/UDP | DNS | Kerberos | Kerberos | Yes, using Kerberos encryption | Yes | |
| Client-Access | DC | 135 | TCP | RPC Net Logon | Kerberos | Kerberos | Yes, using Kerberos encryption | Yes | |
| Client-Access | UnifiedMessaging | 5060-5062 | TCP | TCP | By IP address | By IP address | By IP address | Yes, using Session Initiation Protocol (SIP) over TLS | |
| Client-Access | Client-Access | 80 | TCP | HTTP | Kerberos | Kerberos, Certificate | Yes, using HTTPS | Yes, using a self-signed certificate | |
| Client-Access | Client-Access | 443 | TCP | HTTPS | Kerberos | Kerberos, Certificate | Yes, using HTTPS | Yes, using a self-signed certificate | |
| Client-Access | Client-Access | 995 | TCP | POP3-SSL | Basic | Basic | Yes, using SSL | Yes | When a Client Access server proxies POP3 requests to another Client Access server, the communication occurs over port 995/TCP, regardless of whether the connecting client uses POP3 and requests TLS (on port 110/TCP) or connects on port 995/TCP using SSL. Similarly, for IMAP4 connections, port 993/TCP is used to proxy requests regardless of whether the connecting client uses IMAP4 and requests TLS (on port 443/TCP) or connects on port 995 using IMAP4 with SSL encryption. |
| Client-Access | Client-Access | 993 | TCP | IMAP-SSL | Basic | Basic | Yes, using SSL | Yes | When a Client Access server proxies POP3 requests to another Client Access server, the communication occurs over port 995/TCP, regardless of whether the connecting client uses POP3 and requests TLS (on port 110/TCP) or connects on port 995/TCP using SSL. Similarly, for IMAP4 connections, port 993/TCP is used to proxy requests regardless of whether the connecting client uses IMAP4 and requests TLS (on port 443/TCP) or connects on port 995 using IMAP4 with SSL encryption. |
| Client-Access | Legacy-Exchange | 80 | TCP | HTTP | ??? | ??? | ??? | ??? | |
| Client-Access | Legacy-Exchange | 443 | TCP | HTTPS | NTLM/Kerberos | Negotiate (Kerberos with fallback to NTLM or optionally Basic); POP/IMAP plain text | Yes, using IPsec | No | |
| Client-Access | OCS | 5061 | TCP | SIP | mTLS (Required) | mTLS (Required) | Yes, using SSL | Yes | |
| Client-Access | Database-MAPI | 49152-65535 | TCP/UDP | RPC | Kerberos | NTLM/Kerberos | Yes, using RPC encryption | Yes | Only needed for database servers housing public folders. Can be set to a static port (edit TCP/IP Port under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeRPC and assign it a recommended value between 59531 and 60554). Once the port has been set for public folder connections, the Microsoft Exchange RPC Client Access service must be restarted on the Mailbox server for the change to take effect. |
| Client-Network | Hub-Transport | 587 | TCP | SMTP | NTLM/Kerberos | NTLM/Kerberos | Yes, using Transport Layer Security (TLS) | Yes | |
| Client-Network | Hub-Transport | 25 | TCP | SMTP | NTLM/Kerberos | NTLM/Kerberos | Yes, using Transport Layer Security (TLS) | Yes | |
| Client-Network | DC | 389 | TCP/UDP | LDAP | Kerberos | Kerberos | Yes, using Kerberos encryption | Yes | |
| Client-Network | DC | 3268 | TCP | LDAP GC | Kerberos | Kerberos | Yes, using Kerberos encryption | Yes | |
| Client-Network | DC | 88 | TCP/UDP | Kerberos | Kerberos | Kerberos | Yes, using Kerberos encryption | Yes | |
| Client-Network | DC | 53 | TCP/UDP | DNS | Kerberos | Kerberos | Yes, using Kerberos encryption | Yes | |
| Client-Network | DC | 135 | TCP | RPC Net Logon | Kerberos | Kerberos | Yes, using Kerberos encryption | Yes | |
| Client-Network | Client-Access | 80 | TCP | HTTP | Varies | Varies | Varies | Yes | |
| Client-Network | Client-Access | 443 | TCP | HTTP | Varies | Varies | Varies | No | |
| Client-Network | Client-Access | 110 | TCP | POP3 | Basic, Kerberos | Basic, Kerberos | Yes, using SSL/TLS | Yes | Optional; service not enabled by default |
| Client-Network | Client-Access | 995 | TCP | POP3-SSL | Basic, Kerberos | Basic, Kerberos | Yes, using SSL/TLS | Yes | Optional; service not enabled by default |
| Client-Network | Client-Access | 143 | TCP | IMAP4 | Basic, Kerberos | Basic, Kerberos | Yes, using SSL/TLS | Yes | Optional; service not enabled by default |
| Client-Network | Client-Access | 993 | TCP | IMAP4-SSL | Basic, Kerberos | Basic, Kerberos | Yes, using SSL/TLS | Yes | Optional; service not enabled by default |
| Client-Network | Client-Access | 49152-65535 | TCP/UDP | RPC | Kerberos | NTLM/Kerberos | Yes, using RPC encryption | Yes | Can be set to a static port for Outlook Anywhere and Address Book access (create a new REG_SZ registry value named RpcTcpPort under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters and assign it a recommended value between 59531 and 60554). |
| Database-MAPI | DC | 389 | TCP/UDP | LDAP | Kerberos | Kerberos | Yes, using Kerberos encryption | Yes | |
| Database-MAPI | DC | 3268 | TCP | LDAP GC | Kerberos | Kerberos | Yes, using Kerberos encryption | Yes | |
| Database-MAPI | DC | 88 | TCP/UDP | Kerberos | Kerberos | Kerberos | Yes, using Kerberos encryption | Yes | |
| Database-MAPI | DC | 53 | TCP/UDP | DNS | Kerberos | Kerberos | Yes, using Kerberos encryption | Yes | |
| Database-MAPI | DC | 135 | TCP | RPC Net Logon | Kerberos | Kerberos | Yes, using Kerberos encryption | Yes | |
| Database-MAPI | Database-MAPI | 135 | TCP | Clustering (RPC) | NTLM/Kerberos | NTLM/Kerberos | Yes, using IPsec | No | |
| Database-MAPI | Database-MAPI | 3343 | UDP | Clustering Communication | ??? | ??? | ??? | ??? | The Cluster service (ClusSvc.exe) uses this port and randomly allocated high TCP ports to communicate between cluster nodes. |
| Database-MAPI | Database-MAPI | 6005-59530 | TCP/UDP | RPC | Kerberos | NTLM/Kerberos | Yes, using RPC encryption | Yes | Can be narrowed down to a static port range for database replication (see http://support.microsoft.com/kb/929851/en-us and http://support.microsoft.com/kb/154596). You can use rpcdump.exe to count the RPC endpoints bound to a TCP port, and increase that number if you must: rpcdump /s ExchangeServer /v /i > endpoints.txt |
| Database-MAPI | Database-MAPI | 445 | TCP | Admin remote access (SMB/File) | NTLM/Kerberos | NTLM/Kerberos | Yes, using IPsec | No | |
| Database-Replication | Database-Replication | 64327 | TCP | DAG Replication (Seeding/Log Shipping) | NTLM/Kerberos | NTLM/Kerberos | Yes | No | Can be changed with Set-DatabaseAvailabilityGroup -Identity <DAGNAME> -ReplicationPort <Port Number> |
| Edge-Transport | Hub-Transport | 25 | TCP | SMTP | Direct Trust | Direct Trust | Yes, using Transport Layer Security (TLS) | Yes | |
| Edge-Transport | Edge-Transport | 25 | TCP | SMTP | Anonymous, Certificate | Anonymous, Certificate | Yes, using Transport Layer Security (TLS) | Yes | |
| Hub-Transport | Hub-Transport | 25 | TCP | SMTP | Kerberos | Kerberos | Yes, using Transport Layer Security (TLS) | Yes | |
| Hub-Transport | Edge-Transport | 25 | TCP | SMTP | Direct Trust | Direct Trust | Yes, using Transport Layer Security (TLS) | Yes | |
| Hub-Transport | Database-MAPI | 135 | TCP | RPC | NTLM. If the Hub Transport and Mailbox server roles are on the same server, Kerberos is used. | NTLM/Kerberos | Yes, using RPC encryption | Yes | |
| Hub-Transport | Edge-Transport | 50636 | TCP | SSL | Basic | Basic | Yes, using LDAP over SSL (LDAPS) | Yes | |
| Hub-Transport | DC | 389 | TCP/UDP | LDAP | Kerberos | Kerberos | Yes, using Kerberos encryption | Yes | |
| Hub-Transport | DC | 3268 | TCP | LDAP GC | Kerberos | Kerberos | Yes, using Kerberos encryption | Yes | |
| Hub-Transport | DC | 88 | TCP/UDP | Kerberos | Kerberos | Kerberos | Yes, using Kerberos encryption | Yes | |
| Hub-Transport | DC | 53 | TCP/UDP | DNS | Kerberos | Kerberos | Yes, using Kerberos encryption | Yes | |
| Hub-Transport | DC | 135 | TCP | RPC Net Logon | Kerberos | Kerberos | Yes, using Kerberos encryption | Yes | |
| Hub-Transport | AD-RMS | 443 | TCP | HTTP | NTLM/Kerberos | NTLM/Kerberos | Yes, using SSL | Yes | |
| Internet | Edge-Transport | 587 | TCP | SMTP | NTLM/Kerberos | NTLM/Kerberos | Yes, using TLS | Yes | |
| Internet | Edge-Transport | 25 | TCP | SMTP | None | None | None | No | |
| Internet | Hub-Transport | 587 | TCP | SMTP | NTLM/Kerberos | NTLM/Kerberos | Yes, using TLS | Yes | Only needed if you have no Edge-Transport servers; should be limited to your anti-spam provider's IPs. |
| Internet | Hub-Transport | 25 | TCP | SMTP | None | None | None | No | Only needed if you have no Edge-Transport servers; should be limited to your anti-spam provider's IPs. |
| Internet | Client-Access | 80 | TCP | HTTP | Varies | Varies | Varies | No | Only if you have no secure reverse proxy in place (bad practice!) |
| Internet | Client-Access | 443 | TCP | HTTPS | Varies | Varies | Varies | Yes | Only if you have no secure reverse proxy in place (bad practice!) |
| Internet | Client-Access | 110 | TCP | POP3 | Basic, Kerberos | Basic, Kerberos | Yes, using SSL/TLS | Yes | Optional; service not enabled by default. Only needed if you have no Edge-Transport servers; should be limited to your anti-spam provider's IPs. |
| Internet | Client-Access | 995 | TCP | POP3-SSL | Basic, Kerberos | Basic, Kerberos | Yes, using SSL/TLS | Yes | Optional; service not enabled by default. Only needed if you have no Edge-Transport servers; should be limited to your anti-spam provider's IPs. |
| Internet | Client-Access | 143 | TCP | IMAP4 | Basic, Kerberos | Basic, Kerberos | Yes, using SSL/TLS | Yes | Optional; service not enabled by default. Only needed if you have no Edge-Transport servers; should be limited to your anti-spam provider's IPs. |
| Internet | Client-Access | 993 | TCP | IMAP4-SSL | Basic, Kerberos | Basic, Kerberos | Yes, using SSL/TLS | Yes | Optional; service not enabled by default. Only needed if you have no Edge-Transport servers; should be limited to your anti-spam provider's IPs. |
| Internet | Proxy-External | 80 | TCP | HTTP | Varies | Varies | Varies | Yes | |
| Internet | Proxy-External | 443 | TCP | HTTP | Varies | Varies | Varies | No | |
| Database-MAPI | Hub-Transport | 135 | TCP | RPC | NTLM. If the Hub Transport and Mailbox server roles are on the same server, Kerberos is used. | NTLM/Kerberos | Yes, using RPC encryption | Yes | |
| OCS | Client-Access | 5075-5077 | TCP | ??? | mTLS (Required) | mTLS (Required) | Yes, using SSL | Yes | |
| Proxy-Internal | Client-Access | 443 | TCP | HTTPS | Varies | Varies | Varies | Yes | |
| Proxy-Internal | Client-Access | 80 | TCP | HTTP | Varies | Varies | Varies | No | |
| Proxy-Internal | Legacy-Exchange | 443 | TCP | HTTPS | Varies | Varies | Varies | Yes | Only required when migrating to 2010 while keeping the same namespace during the migration |
| Proxy-Internal | Legacy-Exchange | 80 | TCP | HTTP | Varies | Varies | Varies | No | Only required when migrating to 2010 while keeping the same namespace during the migration |
| UnifiedMessaging | Hub-Transport | 25 | TCP | SMTP | Kerberos | Kerberos | Yes, using Transport Layer Security (TLS) | Yes | |
| UnifiedMessaging | DC | 389 | TCP/UDP | LDAP | Kerberos | Kerberos | Yes, using Kerberos encryption | Yes | |
| UnifiedMessaging | DC | 3268 | TCP | LDAP GC | Kerberos | Kerberos | Yes, using Kerberos encryption | Yes | |
| UnifiedMessaging | DC | 88 | TCP/UDP | Kerberos | Kerberos | Kerberos | Yes, using Kerberos encryption | Yes | |
| UnifiedMessaging | DC | 53 | TCP/UDP | DNS | Kerberos | Kerberos | Yes, using Kerberos encryption | Yes | |
| UnifiedMessaging | DC | 135 | TCP | RPC Net Logon | Kerberos | Kerberos | Yes, using Kerberos encryption | Yes | |
| UnifiedMessaging | Client-Access | 5705-5077 | TCP | ??? | Integrated Windows authentication (Negotiate) | Basic, Digest, NTLM, Negotiate (Kerberos) | Yes, using SSL | Yes | |
| UnifiedMessaging | Client-Access | 5060-5062 | TCP | SIP | By IP address | By IP address | Yes, using Session Initiation Protocol (SIP) over TLS | Yes | |
| UnifiedMessaging | Database-MAPI | 135 | TCP | RPC Net Logon | Kerberos | Kerberos | Yes, using Kerberos encryption | Yes | |