Setting up firewall rules for Microsoft Exchange

In this scenario we will be setting up a simple Microsoft Exchange mail server to be accessed by the internet. We will assume all Exchange services are on the same host, and all clients are on the internet.

To begin, we start by looking at the available documentation. A brief internet search turns up , which appears to include everything needed for this very brief scenario. NOTE: If you are setting up an Exchange mail server, look beyond my simple search to confirm things will work.

Reading through the documentation, we see that we need the below ports. The direction of the traffic is just as important as the ports listed as they help describe the desired flow of data. The directions are assuming we are viewing the flow from the Exchange server.

Several of the ports identified in the document are struck through because there were found to be unnecessary. For example, the documentation states that POP3 and IMAP4 services are disabled by default, therefore the ports do not need to be open.

Allow / DenySourcePortDirectionRule Name
AllowInternet443/TCP InInboundExchange
AllowInternet80/TCP InInboundExchange
AllowInternet143/TCP InInboundExchange
AllowInternet993/TCP InInboundExchange
AllowInternet110/TCP InInboundExchange
AllowInternet995/TCP InInboundExchange
AllowInternet587/TCP InInboundExchange
AllowExchange25/TCP outOutboundExchange

Now that we know how the data flows in and out of the mail server, the process of converting this to firewall rules are fairly easy. We simply research the correct command and format to convert the desired flows to access lists.

Leave a Reply