Protocol: LDAPPort (TCP/UDP): 389 (TCP)Description: Lightweight Directory Access Protocol (LDAP), used by Active Directory, Active Directory Connector, and the Microsoft Exchange Server 5.5 directory.

Protocol: LDAP/SSLPort (TCP/UDP): 636 (TCP)Description: LDAP over Secure Sockets Layer (SSL). When SSL is enabled, LDAP data that is transmitted and received is encrypted. To enable SSL, you must install a Computer certificate on the domain controller or Exchange Server 5.5 computer.

Protocol: LDAPPort (TCP/UDP): 379 (TCP)Description: The Site Replication Service (SRS) uses TCP port 379.

Protocol: LDAPPort (TCP/UDP): 390 (TCP)Description: While not a standard LDAP port, TCP port 390 is the recommended alternate port to configure the Exchange Server 5.5 LDAP protocol when Exchange Server 5.5 is running on a Microsoft Windows 2000 Active Directory domain controller.

Protocol: LDAPPort (TCP/UDP): 3268 (TCP)Description: Global catalog. The Windows 2000/2003 Active Directory global catalog listens on TCP port 3268. When you are troubleshooting issues that may be related to a global catalog, connect to port 3268 in LDP.

Protocol: LDAP/SSLPort (TCP/UDP): 3269 (TCP)Description: Global catalog over SSL. Applications that connect to TCP port 3269 of a global catalog server can transmit and receive SSL encrypted data. To configure a global catalog to support SSL, you must install a Computer certificate on the global catalog.

Protocol: IMAP4Port (TCP/UDP): 143 (TCP)Description: Internet Message Access Protocol version 4, may be used by “standards-based” clients such as Microsoft Outlook Express or Netscape Communicator to access the e-mail server. IMAP4 runs on top of the Microsoft Internet Information Service (IIS) Admin Service (Inetinfo.exe), and enables client access to the Exchange 2000/2003 information store.

Protocol: IMAP4/SSLPort (TCP/UDP): 993 (TCP)Description: IMAP4 over SSL uses TCP port 993. Before an Exchange 2000 server supports IMAP4 (or any other protocol) over SSL, you must install a Computer certificate on the Exchange 2000/2003 server.

Protocol: POP3Port (TCP/UDP): 110 (TCP)Description: Post Office Protocol version 3, enables “standards-based” clients such as Outlook Express or Netscape Communicator to access the e-mail server. As with IMAP4, POP3 runs on top of the IIS Admin Service, and enables client access to the Exchange 2000/2003 information store.

Protocol: POP3/SSLPort (TCP/UDP): 995 (TCP)Description: POP3 over SSL. To enable POP3 over SSL, you must install a Computer certificate on the Exchange 2000/2003 server.

Protocol: NNTPPort (TCP/UDP): 119 (TCP)Description: Network News Transport Protocol, sometimes called Usenet protocol, enables “standards-based” client access to public folders in the information store. As with IMAP4 and POP3, NNTP is dependent on the IIS Admin Service.

Protocol: NNTP/SSLPort (TCP/UDP): 563 (TCP)Description: NNTP over SSL. To enable NNTP over SSL, you must install a Computer certificate on the Exchange 2000/2003 Server.

Protocol: HTTPPort (TCP/UDP): 80 (TCP)Description: the protocol used primarily by Microsoft Outlook Web Access (OWA), but also enables some administrative actions in Exchange System Manager. HTTP is implemented through the World Wide Web Publishing Service (W3Svc), and runs on top of the IIS Admin Service.

Protocol: HTTP/SSLPort (TCP/UDP): 443 (TCP)Description: HTTP over SSL. To enable HTTP over SSL, you must install a Computer certificate on the Exchange 2000/2003 server.

Protocol: SMTPPort (TCP/UDP): 25 (TCP)Description: Simple Mail Transfer Protocol, is the foundation for all e-mail transport in Exchange 2000/2003. The SMTP Service (SMTPSvc) runs on top of the IIS Admin Service. Unlike IMAP4, POP3, NNTP, and HTTP, SMTP in Exchange 2000/2003 does not use a separate port for secure communication (SSL), but rather, employs an “in-band security sub-system” called Transport Layer Security (TLS).

Protocol: SMTP/LSAPort (TCP/UDP): 691 (TCP)Description: The Microsoft Exchange Routing Engine (also known as RESvc) listens for routing link state information on TCP port 691. Exchange 2000/2003 uses routing link state information to route messages and the routing table is regularly updated. The Link State Algorithm (LSA) propagates outing status information between Exchange 2000/2003 servers. This algorithm is based on the Open Shortest Path First (OSPF) protocol from networking technology, and transfers link state information between routing groups by using the X-LSA-2 command verb over SMTP and by using a Transmission Control Protocol (TCP) connection to port 691 in a routing group.

Protocol: X.400Port (TCP/UDP): 102 (TCP)Description: ITU-T Recommendation X.400 is really a series of recommendations for what an electronic message handling system (MHS) should look like. TCP port 102 is defined in IETF RFC-1006, which describes OSI communications over a TCP/IP network. In brief, TCP port 102 is the port that the Exchange message transfer agent (MTA) uses to communicate with other X.400-capable MTAs.

Protocol: MS-RPCPort (TCP/UDP): 135 (TCP)Description: Microsoft Remote Procedure Call is a Microsoft implementation of remote procedure calls (RPCs). TCP port 135 is actually only the RPC Locator Service, which is like the registrar for all RPC-enabled services that run on a particular server. In Exchange 2000/2003, the Routing Group Connector uses RPC instead of SMTP when the target bridgehead server is running Exchange 5.5. Also, some administrative operations require RPC. To configure a firewall to enable RPC traffic, many more ports than just 135 must be enabled. Please take note… however, you can static the port by changing the registry. Let me share with you all in future articles…

Protocol: DNSPort (TCP/UDP): 53 (TCP)Description: Domain Name System (DNS) is at the heart of all of the services and functions of Windows 2000/2003 Active Directory and Exchange 2000/2003 Server. You cannot underestimate the impact that a DNS issue can have on the system. Therefore, when service issues arise, it is always good to verify proper name resolution.

This definately clear all of your mind when you want to put in Front End in DMZ…

Last not least, we will always recommend to put in ISA rather than opening ports. This is also the recommended way from MSFT.