12-27-2010 01:41 PM - edited 03-04-2019 10:54 AM
I need to open ports 25, 993, 995, 443 and 465 to set up MS-Exchange. I don't have an in-house IT guy and this seems pretty straightforward in theory but I can't figure it out and need help.
12-28-2010 03:28 AM
Actually it all depends.
You have not given enough information in your post for us to help you.
BUT I will try to show you how to do it.
If you only want the answer, go to -----------------------
but there might be a thing or two to make you think about stuff if you read this too.
OK, here is what I think. It's harsh and not sugarcoated, but honest and with the best of intentions.
First of all, people like yourself (now I am generalising, so do not take it personally) have no idea what they are doing and why.
That means that they open up too much or the wrong things and get hacked/botnet/virus and so on. And all for what?
To save a buck, just to lose it and then some on cleanup costs after being hacked instead?
It's all good and well to want to try things yourself, but the real issue is to learn why things need to be done in certain ways.
Things are very easy to do today when it comes to the actual doing. There is a lot of info on the Internet, you can go to websites such as this and get the answer on how to do it, and the web interfaces are quite capable. But the question is actually not how, that's easy, but why, and how does it impact the big picture of the security at the site.
These are the reasons why you should have professionals doing the work, or at least a discussion with them.
----------------------------------------------
You need to do two things, but since I do not know your setup I will have to generalize a bit.
For example, I do not know what version of software you have, so I will give you the answer for an 8.2 version.
I do not know your setup or IP addresses (nor do I want to, this is an open channel that anyone can read).
First you need a static,
then an access list to let the traffic through,
then an access-group to add the access-list to the correct interface and direction of the traffic.
It looks something like this, but you will have to change it so that it works in your environment.
static (inside,outside) tcp interface 25 192.168.1.100 25 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any interface outside eq 25
access-group outside_access_in in interface outside
Broken-down explanation:
static = the command
(inside,outside) = the interfaces
tcp = protocol to use (could be e.g. udp, icmp or ip and so on)
interface = the interface IP address; this is a little special, you can replace this with an IP address (not the interface IP address)
25 = the receiving port
192.168.1.100 = the destination, i.e. in your case the Exchange server
25 = the destination port on the Exchange server
netmask 255.255.255.255 = this is for one address only.
access-list outside_access_in extended permit tcp any interface outside eq 25
broken down explanation
12-28-2010 07:39 AM
I appreciate your candidness and decided to bring in a Certified Cisco Engineer. It is definitely over my head and I want it done right. Sometimes you have to try but recognize when knowledge and experience are required. I'm there. Thanks.
12-28-2010 08:35 AM
You are most welcome
Thank you for the rating.
It's never wrong to want to learn more things, it's all good!
Sometimes it's hard to know what questions to ask so that the results come out the best way.
What is it that you are trying to do?
If you are trying to have the users connect from home or another place,
maybe a VPN client would be a safer choice?
Or maybe the Exchange webmail?
Just a thought.
HTH
12-28-2010 08:49 AM
I'm trying to configure Exchange Server running on Windows Small Business Server 2003. The Exchange guy told me to open up 5 ports. I thought I could just jump in and do it but little did I know.
12-28-2010 09:47 AM
OK, let's see here.
I would think that you would need to open port 25 from the internet; this is so that anyone can send you email. And maybe 443 if you want webmail.
Right about here it would be good, I think, to point out that as a general rule one wants to put any server facing the internet out on a DMZ. In the case of SBS that is just not possible; however, if/when you are thinking of getting a mail filter, you can put that on a DMZ, leading the mails into the Exchange server from the internet.
The other ports are:
Port 993 = IMAP4 over SSL
Port 995 = POP3 over SSL
http://support.microsoft.com/kb/176466
Port 465 = SMTPS (secure SMTP/SMTP over SSL)
It seems to me that they all are for users that are connecting from another place.
If I were you I would at least take a look at whether you could use the Cisco VPN client. Together with webmail I think you can get quite far with that.
And as a bonus you can get other services up and running in a secure way.
As a general rule, the fewer ports you open from the internet to your servers the better.
And PS: if you do not have a syslog server, then I would recommend taking a look at it or at least talking it over with the person you are to consult with.
Best of luck
HTH
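Added example, not part of any post in this thread: a small Python audit that reads ASA 8.2-style `static`, `access-list` and `access-group` lines like the ones shown earlier and reports which ports on the outside interface actually reach an inside host, so the result can be compared with the short list (25, maybe 443) suggested above. The sample configuration, the `audit` and `port` helpers and the `PORT_NAMES` table are constructed for illustration; the regexes cover only the exact line shapes used in the thread.

```python
import re

# Constructed sample in the ASA 8.2 syntax from the thread; the address and
# the ports beyond 25 are illustrative, not anyone's real configuration.
SAMPLE_CONFIG = """\
static (inside,outside) tcp interface 25 192.168.1.100 25 netmask 255.255.255.255
static (inside,outside) tcp interface 465 192.168.1.100 465 netmask 255.255.255.255
static (inside,outside) tcp interface 995 192.168.1.100 995 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any interface outside eq 25
access-list outside_access_in extended permit tcp any interface outside eq 465
access-list outside_access_in extended permit tcp any interface outside eq 993
access-group outside_access_in in interface outside
"""

# "show running-config" prints some well-known ports by name.
PORT_NAMES = {"smtp": 25, "www": 80, "pop3": 110, "imap4": 143, "https": 443}
STATIC_RE = re.compile(
    r"^static \(\w+,(\w+)\) tcp interface (\S+) (\S+) (\S+) netmask \S+$")
ACL_RE = re.compile(
    r"^access-list (\S+) extended permit tcp any interface (\w+) eq (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)$")

def port(token):
    return int(token) if token.isdigit() else PORT_NAMES[token]

def audit(config, expected_ports):
    """Report which TCP ports on each interface address reach an inside host."""
    statics, permits, bound = {}, set(), {}
    for line in map(str.strip, config.splitlines()):
        if m := STATIC_RE.match(line):
            statics[(m[1], port(m[2]))] = (m[3], port(m[4]))
        elif m := ACL_RE.match(line):
            permits.add((m[1], m[2], port(m[3])))
        elif m := GROUP_RE.match(line):
            bound[m[2]] = m[1]  # interface -> ACL applied inbound
    # A permit only matters if its ACL is bound to that interface.
    permitted = {(ifc, p) for acl, ifc, p in permits if bound.get(ifc) == acl}
    translated = set(statics)
    reachable = {k: statics[k] for k in permitted & translated}
    return {
        "reachable": reachable,
        "permit_without_static": sorted(permitted - translated),
        "static_without_permit": sorted(translated - permitted),
        "unexpected": sorted(k for k in reachable if k[1] not in expected_ports),
    }

if __name__ == "__main__":
    for finding, value in audit(SAMPLE_CONFIG, {25, 443}).items():
        print(f"{finding}: {value}")
```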