What ports need to be opened for MessageStats to gather information from an Exchange server? (4318452)

What ports need to be opened for MessageStats to gather information from an Exchange server?

What ports need to be opened for MessageStats to gather information from an Exchange server that is on the other side of the firewall.

The way native Microsoft technologies (i.e. Explorer, Exchange System Manager, etc.) traverse Firewalls, would be similar to the way MessageStats would communicate.

Also confirm that the Firewall is allowing multiple ports to be open at a given time. Sometimes there are limits on firewalls to only allow a couple ports to be open at one time.

The following ports need to be opened to allow for dynamic RPC communication:

• Windows 2003 Ephemal Ports - TCP/UDP Ports 1024-5000
• Windows 2008 Ephemal Ports - TCP/UPD Ports 49152 - 65535

To access file shares to read and copy Message tracking logs the following Ports are required for SMB:

• Microsoft file sharing SMB: TCP/UDP 135-139
• Direct-hosted SMB traffic: TCP/UDP 445

Further Communication from MessageStats to retrieve Active Directory Information, and for name resolution the following ports will need to be open to the appropriate Servers:

• LDAP - AD Lookups: TCP/389
• Kerberos: TCP/UDP 88
• LDAP Global Catalog: TCP/3268
• DNS: TCP/UDP 53
• WINS: TCP/UDP 137

Ports required for Remote Powershell:

• Remote Powershell for Exchange - TCP Port 80 and access to the IIS /powershell virtual directory on your Exchange 2010 servers
• Remote Powershell for Lync - TCP Port 443 and access to the IIS /OcsPowershell virtual directory on your Lync Servers

Note: Host Headers defined in IIS can restrict access to IIS and any virtual directories.

According to Microsoft KB 929851 (http://support.microsoft.com/kb/929851), installing Microsoft Exchange on a Windows 2008 computer can expand the range of dynamic RPC TCP/UDP ports from the range 49,152 – 65,535 to the range 1,024 – 60,000.  This greatly increases the range of possible dynamic ports used by the WMI and MAPI access that MessageStats requires to the Exchange CAS and mailbox servers.

If this is not acceptable there are ways of configuring Exchange to use static ports:

Here is how to configure WMI and the MAPI interface to the Microsoft Exchange Information Store service to use fixed ports:

WMI, on Windows Server 2008 and later, can be configured to use a fixed port by opening a command prompt and typing

winmgmt /standalonehost

and restarting the Windows Management Instrumentation service.  That will configure WMI to use port 24158.

One can change that port 24158 to a different port by editing the properties of DCOM object "Windows Management and Instrumentation" in

Administrative Tools -> Component Services -> Computer -> My Computer -> DCOM Config

The fixed port for WMI is in the properties of the "Connection-oriented TCP/IP" endpoint listed in Endpoints property page of the DCOM object.

Subsequently that port (either 24158 or the one set in the DCOM settings would also need to be opened in the Firewall).

MAPI interface to Microsoft Exchange Information Store service on Exchange mailbox servers can be configured to use a fixed port.

According to Microsoft KB article 270836, the DWORD value "TCP/IP Port" under registry key

HKLM\SYSTEM\CurrentControlSet\services\MSExchangeIS\ParametersSystem

specifies the fixed port for the service.

The KB article was written for Exchange 2000 and Exchange 2003. However we were able to confirm in our lab that information about that particular key also applies to Exchange 2010.

Additionally, some more recent "intelligent" firewalls are able to handle MAPI or WMI traffic and open ports dynamically as and when requested. This however would depend on the particular feature to exist on the firewall.

CR0148400

Refer to the below for Microsoft articles for more information: Exchange Server static port mappings - http://support.microsoft.com/kb/270836/en-us The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008 - http://support.microsoft.com/kb/929851/en-us Enhancement request CR0148400 has been submitted to Development for further testing of what the exact Ports are required to be open.