Placing your Exchange 2000 server in the DMZ provides a convenient solution for hosting both internal and external client mail services while denying direct connections between external clients and your internal network. Follows is a brief guide on whick ports to open. The Windows 2000 server on the backend (DMZ->IntraNet) has to communicate with your internal domain controllers to authenticate and validate the client requests for e-mail services. On the frontend (Internet->DMZ) the Windows 2000 server communicates with clients must be able to communicate with the Exchange 2000 server now residing in your DMZ.

Windows 2000 : DMZ -> Intranet

• UDP/TCP 53 : Domain Name System
• UDP/TCP 88 : Kerberos Authentication
• TCP 123 : Network Time Protocol
  Kerberos authentication require that you synchronize the time of your Exchange server and domain controllers.
• TCP 135 : DEC Endpoint Resolution
  also known as RPC Endpoint Mapper
• UDP/TCP 389 : Lightweight Directory Access
• TCP 445 : Microsoft Directory Service
• TCP 3268 : LDAP to global catalog servers
• AD logon and directory replication port
  you need to allow a high port for Active Directory logon and directory replication. Default, this high port is dynamically chosen when the server starts, but you need to statically map it :

  Hive: HKEY_LOCAL_MACHINE
  Key: System\CurrentControlSet\Services\NTDS\Parameters
  Name: TCP/IP Port
  Type: REG_DWORD
  Value: decimal value greater than 1024
  

Windows 2000 : Internet -> DMZ

You need to open TCP 25 SMTP ( internet<->DMZ ) to communicate with other email servers on the internet.

Exchange 2000 supports an assortment of client access types including MAPI, IMAP, POP3, or Web. You will need to allow the appropriate port for whatever client access type(s) you allow. When accessing Microsoft Exchange, MAPI is the client access protocol of choice for communication between e-mail client and server. For MAPI to grant access to your internet Outlook clients:

• TCP 135 : DEC Endpoint Resolution
  also known as RPC Endpoint Mapper
• Statically map
  • Microsoft Exchange SA RFR (System Attendant Request For Response)

    Hive: HKEY_LOCAL_MACHINE
    Key: System\CurrentControlSet\Services\MSExchangeSA\Parameters
    Name: TCP/IP Port
    Type: REG_DWORD
    Value: decimal value greater than 1024
    
    

  • Microsoft Exchange Directory NSPI (Name Service Provider Interface) Proxy Interface

    Hive: HKEY_LOCAL_MACHINE
    Key: System\CurrentControlSet\Services\MSExchangeSA\Parameters
    Name: TCP/IP NSPI port
    Type: REG_DWORD
    Value: decimal value greater than 1024
    
    

  • Microsoft Exchange Information Store Interface :

    Hive: HKEY_LOCAL_MACHINE
    Key: System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
    Name: TCP/IP port
    Type: REG_DWORD
    Value: decimal value greater than 1024
    
    

• TCP/UDP Ports Used By Exchange 2000 Server
  
• DSProxy Configuration for Static Ports on Exchange Cluster
  
• Exchange 2000 Static Port Mappings
  
• How to Configure a Global Catalog Server to Use a Specific Port When Servicing MAPI Clients
  
• How MAPI Clients Access Active Directory