Microsoft KB Archive/155831

= XCCC: Setting TCP/IP Ports for Exchange and Outlook Client Connections Through a Firewall =

PSS ID Number: 155831

Article Last Modified on 4/28/2005


The information in this article applies to:


 * Microsoft Exchange Server 5.5
 * Microsoft Exchange Server 4.0
 * Microsoft Exchange Server 5.0




This article was previously published under Q155831



IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SUMMARY
This article tells you how to allow the Microsoft Exchange Client to connect to Microsoft Exchange Server over an existing connection to the Internet and through a firewall. In order to do this, make the ports assigned to these connections static. This requires you to add entries to the registry.

For additional information about configuring Exchange Server services for Internet firewalls, please click the article number below to view the article in the Microsoft Knowledge Base:

148732 XADM: Setting TCP/IP Port Numbers for Internet Firewalls



MORE INFORMATION
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

You must restart the computer for these changes to take effect.

To make the ports static:

 1. Start Registry Editor (Regedt32.exe).
 2. Under the HKEY_LOCAL_MACHINE subtree, locate the following subkey:

    System\CurrentControlSet\Services\MSExchangeDS\Parameters

 3. Add a REG_DWORD TCP/IP Port value to this key, with a decimal data value of 5000.

    NOTE: Microsoft recommends that you assign ports from the 5000 - 65535 (decimal) range. For additional information about the guidelines for static port assignment of Exchange Server services, see the Microsoft Knowledge Base article in the "More Information" section.

    EXAMPLE: "TCP/IP Port"=dword:00001388(5000)

    The decimal number 5000 was used for the MSExchangeDS TCP/IP Port (0X1388 in hexadecimal format).
 4. Locate the following subkey:

    System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem

 5. Add a REG_DWORD TCP/IP Port value to this key, with a decimal data value of 5001.

    NOTE: Microsoft recommends that you assign ports from the 5000 - 65535 (decimal) range. For additional information about the guidelines for static port assignment of Exchange Server services, see the Microsoft Knowledge Base article in the "More Information" section.

    EXAMPLE: "TCP/IP Port"=dword:00001389(5001)

    The decimal number 5001 was used for the MSExchangeIS TCP/IP Port (0X1389 in hexadecimal format).
 6. Quit Registry Editor.

After this, you must configure the packet filter (or firewall) to allow Transmission Control Protocol (TCP) connections to be made to these ports in addition to port 135.

Additional Explanation
A packet filter (or firewall) denies connection attempts that are made to any port for which you have not explicitly allowed connections. Microsoft Exchange Server does use a well-known static port (port 135) to listen for client connections to the Remote Procedure Call (RPC) Endpoint Mapper Service. However, after the client connects to this socket, Microsoft Exchange Server then re-assigns the client two random ports to use when communicating with the directory and the information store. Because these ports are random, you cannot allow them through the firewall unless you force them to be statically assigned.

You can statically map the Exchange Services that are listed in this article to any free TCP/IP port number in the full range (1-65535). However, mapping the Exchange Services to a port number lower than 1024 (below the ephemeral port range) can cause unwanted behavior. Therefore, the valid ports for setting these mappings are 1024-65535. Microsoft recommends that you use the range 5000-65535 because most services that automatically choose an ephemeral port higher than 1023 usually start with the ports in the lower range (1024-4999). If you issue a netstat -an command at a command prompt, you receive a listing of all the ports that are currently registered on the server. You can use this listing to help determine a new valid (unused) port that you can use to statically map the Exchange Services.
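
The port check described above can be scripted. The following is an added example, not part of the original Microsoft article: it parses netstat -an output, rejects candidates that are in use or outside the ranges given here, and renders the chosen ports in the article's EXAMPLE notation. The sample netstat text is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of Windows `netstat -an` output (not from a real server).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:5002          10.0.0.9:1043          ESTABLISHED
  UDP    0.0.0.0:135            *:*
"""

# Proto, local address:port, foreign address, optional state (UDP rows have none).
ROW = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+\S+)?\s*$")

def tcp_ports_in_use(netstat_text):
    """Local TCP ports in any state; an established socket still occupies its port."""
    return {int(m.group(2)) for m in map(ROW.match, netstat_text.splitlines())
            if m and m.group(1) == "TCP"}

def check_port(port, in_use):
    """Classify a candidate static port against the ranges the article gives."""
    if not 1 <= port <= 65535:
        return "invalid"
    if port < 1024:
        return "below 1024"
    if port in in_use:
        return "in use"
    return "ok" if port >= 5000 else "valid but below recommended 5000"

def pick_static_ports(netstat_text, count=2, start=5000):
    """First `count` unused ports from `start` upward within the recommended range."""
    in_use = tcp_ports_in_use(netstat_text)
    free = (p for p in range(start, 65536) if check_port(p, in_use) == "ok")
    return [p for _, p in zip(range(count), free)]

def reg_line(port):
    """Render the value in the article's EXAMPLE notation (hex dword)."""
    return '"TCP/IP Port"=dword:%08x' % port

if __name__ == "__main__":
    ds_port, is_port = pick_static_ports(SAMPLE_NETSTAT)
    print("MSExchangeDS:", reg_line(ds_port))
    print("MSExchangeIS:", reg_line(is_port))
```

The two ports it reports, plus port 135, are the only inbound TCP ports the packet filter needs to allow for these client connections.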