How can I lock down the remote procedure call (RPC) ports that Microsoft Exchange 2000 Server and later use?
July 13, 2005
A. Usually the Exchange RPC protocol dynamically assigns a port between 1024 and 65535 for its System Attendant, Information Store, and Name Service Provider Interface (NSPI) services. Opening up such a port range on a firewall isn't desirable, so you can set the three mentioned services to use a specific port by making a registry change on each back-end Exchange server.
To set the System Attendant to a static port, navigate to the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesMSExchangeSAParameters registry subkey and set the TCP/IP Port value to the required port. Also under this key, set the TCP/IP NSPI Port to the required static port (different from the TCP/IP Port) for the Exchange Directory NSPI Proxy Interface.
Finally, configure the Information Store static port by setting the TCP/IP Port value to the required port under the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesMSExchangeISParametersSystem subkey. Microsoft recommends you use ports in the 5000 to 65535 range for these values.
Additionally, when Microsoft Outlook 2000 and later clients request address book content from the Exchange server, the Exchange DSProxy service initially passes back address book information based on Global Catalog (GC) information for the first query. However, it subsequently refers address book queries to a GC to avoid making the Exchange DSProxy service perform additional tasks.
To avoid having the Outlook clients talk directly to a domain controller (DC) and thus avoid having to open additional firewall ports, you can stop the Exchange server from referring clients to DCs by setting the HKEY_LOCAL_MACHINESystemCurrentControlSetServicesMSExchangeSAParametersNo RFR Service registry subkey value to 1.
It's important to note that turning on the No RFR Service will also cause the Exchange server to authenticate the client, which means that during the entire Outlook client connection no Active Directory (AD) communication is required. Ordinarily, the Exchange server would instruct the Outlook client to authenticate to a DC. You can find more information about these settings in the Microsoft article "Exchange 2000 and Exchange 2003 static port mappings" (http://support.microsoft.com/?kbid=270836 ).
Here's the registry file you can use to set these values for the test Exchange environment. In our example, we used ports 40000, 40002, and 40004.
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesMSExchangeSAParameters]"No RFR Service"=dword:00000001"TCP/IP Port"=dword:00009c40"TCP/IP NSPI Port"=dword:00009c42[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesMSExchangeISParametersSystem]"TCP/IP Port"=dword:00009c44
After you make these configuration changes, you need to restart the Exchange server. Now the only ports that you need to open on the firewall between the clients and the server are ports 135 (the RPC end point mapper) and 40000, 40002, and 40004.
Note that if you're using Microsoft Office Outlook 2003 on Windows XP Service Pack 1 (SP1) or later with Exchange Server 2003, you can use RPC over HTTP functionality, which means you would need to open only port 443 for HTTP Secure (HTTPS) communication.
Read more about:
MicrosoftAbout the Author
You May Also Like