Source Role Destination Role Port Protocol Description Default Authentication Supported Authentication Encryption Supported Encrypted by Default Notes
Client-Access Database-MAPI 135 TCP Availability Web service (RPC) NTLM/Kerberos NTLM/Kerberos Yes-using RPC encryption Yes
Client-Access DC 389 TCP/UDP LDAP Kerberos Kerberos Yes-using Kerberos encryption Yes
Client-Access DC 3268 TCP LDAP GC Kerberos Kerberos Yes-using Kerberos encryption Yes
Client-Access DC 88 TCP/UDP Kerberos Kerberos Kerberos Yes-using Kerberos encryption Yes
Client-Access DC 53 TCP/UDP DNS Kerberos Kerberos Yes-using Kerberos encryption Yes
Client-Access DC 135 TCP RPC Net Logon Kerberos Kerberos Yes-using Kerberos encryption Yes
Client-Access UnifiedMessaging 5060-5062 TCP TCP By IP address By IP address By IP address Yes-using Session Initiation Protocol (SIP) over TLS
Client-Access Client-Access 80 TCP HTTP Kerberos Kerberos-Certificate Yes-using HTTPS Yes-using a self-signed certificate
Client-Access Client-Access 443 TCP HTTPS Kerberos Kerberos-Certificate Yes-using HTTPS Yes-using a self-signed certificate
Client-Access Client-Access 995 TCP POP3-SSL Basic Basic Yes-using SSL Yes When a Client Access server proxies POP3 requests to another Client Access server-the communication occurs over port 995/TCP-regardless of whether the connecting client uses POP3 and requests TLS (on port 110/TCP) or connects on port 995/TCP using SSL. Similarly-for IMAP4 connections-port 993/TCP is used to proxy requests regardless of whether the connecting client uses IMAP4 and requests TLS (on port 443/TCP) or connects on port 995 using IMAP4 with SSL encryption
Client-Access Client-Access 993 TCP IMAP-SSL Basic Basic Yes-using SSL Yes When a Client Access server proxies POP3 requests to another Client Access server-the communication occurs over port 995/TCP-regardless of whether the connecting client uses POP3 and requests TLS (on port 110/TCP) or connects on port 995/TCP using SSL. Similarly-for IMAP4 connections-port 993/TCP is used to proxy requests regardless of whether the connecting client uses IMAP4 and requests TLS (on port 443/TCP) or connects on port 995 using IMAP4 with SSL encryption
Client-Access Legacy-Exchange 80 TCP HTTP ??? ??? ??? ???
Client-Access Legacy-Exchange 443 TCP HTTPS NTLM/Kerberos Negotiate (Kerberos with fallback to NTLM or optionally Basic-) POP/IMAP plain text Yes-using IPsec No
Client-Access OCS 5061 TCP SIP mTLS (Required) mTLS (Required) Yes-using SSL Yes
Client-Access Database-MAPI 49152-65535 TCP/UDP RPC Kerberos NTLM/Kerberos Yes-using RPC encryption Yes Only needed for database servers housing public folders, can be set to a static range (Edit TCP/IP Port under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeRPC and assign it to a recommended value between 59531-60554) When the port has been set for public folder connections it's required to restart the Microsoft Exchange RPC Client Access service on the Mailbox server in order for the changes to be applied.
Client-Network Hub-Transport 587 TCP SMTP NTLM/Kerberos NTLM/Kerberos Yes-using Transport Layer Security (TLS) Yes
Client-Network Hub-Transport 25 TCP SMTP NTLM/Kerberos NTLM/Kerberos Yes-using Transport Layer Security (TLS) Yes
Client-Network DC 389 TCP/UDP LDAP Kerberos Kerberos Yes-using Kerberos encryption Yes
Client-Network DC 3268 TCP LDAP GC Kerberos Kerberos Yes-using Kerberos encryption Yes
Client-Network DC 88 TCP/UDP Kerberos Kerberos Kerberos Yes-using Kerberos encryption Yes
Client-Network DC 53 TCP/UDP DNS Kerberos Kerberos Yes-using Kerberos encryption Yes
Client-Network DC 135 TCP RPC Net Logon Kerberos Kerberos Yes-using Kerberos encryption Yes
Client-Network Client-Access 80 TCP HTTP Varies Varies Varies Yes
Client-Network Client-Access 443 TCP HTTP Varies Varies Varies No
Client-Network Client-Access 110 TCP POP3 Basic-Kerberos Basic-Kerberos Yes-using SSL-TLS Yes Optional-Service not enabled by default
Client-Network Client-Access 995 TCP POP3-SSL Basic-Kerberos Basic-Kerberos Yes-using SSL-TLS Yes Optional-Service not enabled by default
Client-Network Client-Access 143 TCP IMAP4 Basic-Kerberos Basic-Kerberos Yes-using SSL-TLS Yes Optional-Service not enabled by default
Client-Network Client-Access 993 TCP IMAP4-SSL Basic-Kerberos Basic-Kerberos Yes-using SSL-TLS Yes Optional-Service not enabled by default
Client-Network Client-Access 49152-65535 TCP/UDP RPC Kerberos NTLM/Kerberos Yes-using RPC encryption Yes Can be set to random static port for outlook anywhere and addressbook access. (create a new REG_SZ registry key named RpcTcpPort under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters and assign it to a recommended value between 59531-60554)
Database-MAPI DC 389 TCP/UDP LDAP Kerberos Kerberos Yes-using Kerberos encryption Yes
Database-MAPI DC 3268 TCP LDAP GC Kerberos Kerberos Yes-using Kerberos encryption Yes
Database-MAPI DC 88 TCP/UDP Kerberos Kerberos Kerberos Yes-using Kerberos encryption Yes
Database-MAPI DC 53 TCP/UDP DNS Kerberos Kerberos Yes-using Kerberos encryption Yes
Database-MAPI DC 135 TCP RPC Net Logon Kerberos Kerberos Yes-using Kerberos encryption Yes
Database-MAPI Database-MAPI 135 TCP Clustering (RPC) NTLM/Kerberos NTLM/Kerberos Yes-using IPsec No
Database-MAPI Database-MAPI 3343 UDP Clustering Communication ??? ??? ??? ??? Custer service (ClusSvc.exe) uses this and randomly allocated high TCP ports to communicate between cluster nodes
Database-MAPI Database-MAPI 6005-59530 TCP/UDP RPC Kerberos NTLM/Kerberos Yes-using RPC encryption Yes Can be narrowed down to a static port range for database replication. (http://support.microsoft.com/kb/929851/en-us and http://support.microsoft.com/kb/154596). You can use the rpcdump.exe command to count the number of RPC endpoints that are bound to a TCP port and to increase this number if you must: rpcdump /s ExchangeServer /v /i > endpoints.txt
Database-MAPI Database-MAPI 445 TCP Admin remote access (SMB/File) NTLM/Kerberos NTLM/Kerberos Yes-using IPsec No
Database-Replication Database-Replication 64327 TCP DAG Replication (Seeding/Log Shipping) NTLM/Kerberos NTLM/Kerberos Yes no Can be changed with Set-DatabaseAvailabilityGroup -Identity <DAGNAME> -ReplicationPort <Port Number>
Edge-Transport Hub-Transport 25 TCP SMTP Direct Trust Direct Trust Yes-using Transport Layer Security (TLS) Yes
Edge-Transport Edge-Transport 25 TCP SMTP Anonymous-Certificate Anonymous-Certificate Yes-using Transport Layer Security (TLS) Yes
Hub-Transport Hub-Transport 25 TCP SMTP Kerberos Kerberos Yes-using Transport Layer Security (TLS) Yes
Hub-Transport Edge-Transport 25 TCP SMTP Direct Trust Direct Trust Yes-using Transport Layer Security (TLS) Yes
Hub-Transport Database-MAPI 135 TCP RPC NTLM. If the Hub Transport and the Mailbox server roles are on the same server-Kerberos is used. NTLM/Kerberos Yes-using RPC encryption Yes
Hub-Transport Edge-Transport 50636 TCP SSL Basic Basic Yes-using LDAP over SSL (LDAPS) Yes
Hub-Transport DC 389 TCP/UDP LDAP Kerberos Kerberos Yes-using Kerberos encryption Yes
Hub-Transport DC 3268 TCP LDAP GC Kerberos Kerberos Yes-using Kerberos encryption Yes
Hub-Transport DC 88 TCP/UDP Kerberos Kerberos Kerberos Yes-using Kerberos encryption Yes
Hub-Transport DC 53 TCP/UDP DNS Kerberos Kerberos Yes-using Kerberos encryption Yes
Hub-Transport DC 135 TCP RPC Net Logon Kerberos Kerberos Yes-using Kerberos encryption Yes
Hub-Transport AD-RMS 443 TCP HTTP NTLM/Kerberos NTLM/Kerberos Yes-using SSL Yes
Internet Edge-Transport 587 TCP SMTP NTLM/Kerberos NTLM/Kerberos Yes-using TLS Yes
Internet Edge-Transport 25 TCP SMTP None None None No
Internet Hub-Transport 587 TCP SMTP NTLM/Kerberos NTLM/Kerberos Yes-using TLS Yes This is only needed if you have no Edge-Transport servers and should be limited to your anti-spam provider IPs
Internet Hub-Transport 25 TCP SMTP None None None No This is only needed if you have no Edge-Transport servers and should be limited to your anti-spam provider IPs
Internet Client-Access 80 TCP HTTP Varies Varies Varies No This is only if you have no secure reverse proxy in place (bad practice!)
Internet Client-Access 443 TCP HTTPS Varies Varies Varies Yes This is only if you have no secure reverse proxy in place (bad practice!)
Internet Client-Access 110 TCP POP3 Basic-Kerberos Basic-Kerberos Yes-using SSL-TLS Yes Optional-Service not enabled by default, This is only needed if you have no Edge-Transport servers and should be limited to your anti-spam provider Ips
Internet Client-Access 995 TCP POP3-SSL Basic-Kerberos Basic-Kerberos Yes-using SSL-TLS Yes Optional-Service not enabled by default, This is only needed if you have no Edge-Transport servers and should be limited to your anti-spam provider Ips
Internet Client-Access 143 TCP IMAP4 Basic-Kerberos Basic-Kerberos Yes-using SSL-TLS Yes Optional-Service not enabled by default, This is only needed if you have no Edge-Transport servers and should be limited to your anti-spam provider Ips
Internet Client-Access 993 TCP IMAP4-SSL Basic-Kerberos Basic-Kerberos Yes-using SSL-TLS Yes Optional-Service not enabled by default, This is only needed if you have no Edge-Transport servers and should be limited to your anti-spam provider Ips
Internet Proxy-External 80 TCP HTTP Varies Varies Varies Yes
Internet Proxy-External 443 TCP HTTP Varies Varies Varies No
Database-MAPI Hub-Transport 135 TCP RPC NTLM. If the Hub Transport and the Mailbox server roles are on the same server-Kerberos is used. NTLM/Kerberos Yes-using RPC encryption Yes
OCS Client-Access 5075-5077 TCP ??? mTLS (Required) mTLS (Required) Yes-using SSL Yes
Proxy-Internal Client-Access 443 TCP HTTPS Varies Varies Varies Yes
Proxy-Internal Client-Access 80 TCP HTTP Varies Varies Varies No
Proxy-Internal Legacy-Exchange 443 TCP HTTPS Varies Varies Varies Yes Only required when migrating to 2010 and you are maintaining the same namespace in a migration
Proxy-Internal Legacy-Exchange 80 TCP HTTP Varies Varies Varies No Only required when migrating to 2010 and you are maintaining the same namespace in a migration
UnifiedMessaging Hub-Transport 25 TCP SMTP Kerberos Kerberos Yes-using Transport Layer Security (TLS) Yes
UnifiedMessaging DC 389 TCP/UDP LDAP Kerberos Kerberos Yes-using Kerberos encryption Yes
UnifiedMessaging DC 3268 TCP LDAP GC Kerberos Kerberos Yes-using Kerberos encryption Yes
UnifiedMessaging DC 88 TCP/UDP Kerberos Kerberos Kerberos Yes-using Kerberos encryption Yes
UnifiedMessaging DC 53 TCP/UDP DNS Kerberos Kerberos Yes-using Kerberos encryption Yes
UnifiedMessaging DC 135 TCP RPC Net Logon Kerberos Kerberos Yes-using Kerberos encryption Yes
UnifiedMessaging Client-Access 5705-5077 TCP ??? Integrated Windows authentication (Negotiate) Basic-Digest-NTLM-Negotiate (Kerberos) Yes-using SSL Yes
UnifiedMessaging Client-Access 5060-5062 TCP SIP By IP address By IP address Yes-using Session Initiation Protocol (SIP) over TLS Yes
UnifiedMessaging Database-MAPI 135 TCP RPC Net Logon Kerberos Kerberos Yes-using Kerberos encryption Yes