Configuring a Firewall to Allow RPC Communication

For client computers to gain access to Microsoft Exchange Server computers remotely over the Internet, the clients and servers must be able to communicate using RPCs. If you are not using an Internet firewall, RPC communication is enabled by default. This configuration is risky because an attacker can gain access to the server and possibly compromise the security of Microsoft Exchange Server resources such as mailboxes and public folders.

If you are using a firewall to increase your system's security, you might have to configure the firewall to allow RPC communication. Some Internet firewalls do not accept TCP/IP port numbers that Microsoft Exchange Server uses for RPC communication. To solve this problem, add port 135 to your firewall and configure Microsoft Exchange Server to use the same ports as your firewall.

To configure Microsoft Exchange Server, set two unique port numbers, one for the information store and one for the directory. The registry value TCP/IP Port controls this setting. This DWORD value holds a 16-bit port number, and you set it to a port that the firewall will accept.

For the directory, you can modify the port numbers in the following registry location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
MSExchangeDS\Parameters\TCP/IP Port

For the information store, modify the port number in the following registry location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
MSExchangeIS\ParametersSystem\TCP/IP Port

If you are using a packet filter, you must configure it to allow TCP connections to the information store and directory ports in addition to port 135 (for the RPC End-Point Mapper service) on the Microsoft Exchange Server computer.

    To add TCP/IP port numbers

  1. In the Windows NT registry, select the following key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
    MSExchangeIS\ParametersSystem

  2. From the Edit menu, choose New, and then choose DWORD Value.
  3. Type TCP/IP Port in the Name field, and then press Enter.
  4. Double-click TCP/IP Port. In the Value data box, type the number of the port that the firewall will accept. Set the Base to Decimal when entering the value.
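
The same change for both keys, done from PowerShell instead of the Registry Editor, as an added example that is not part of the original page. It assumes a Windows host where PowerShell and the two Exchange registry keys named above exist; the port numbers 4001 and 4002 are constructed sample values, and you should substitute the ports your firewall accepts.

```powershell
# Added example (not from the original page): write the two Exchange RPC port
# values described above. Assumes PowerShell is available and the MSExchangeDS
# and MSExchangeIS keys exist. 4001/4002 are constructed sample ports.
$DirectoryPort = 4001   # MSExchangeDS (directory) listener
$StorePort     = 4002   # MSExchangeIS (information store) listener

$Targets = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeDS\Parameters';       Port = $DirectoryPort },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem'; Port = $StorePort }
)

# The page requires two unique ports, each a 16-bit number, and port 135
# already belongs to the RPC End-Point Mapper, so refuse those mistakes early.
if ($DirectoryPort -eq $StorePort) { throw 'Directory and information store ports must differ.' }
foreach ($t in $Targets) {
    if ($t.Port -lt 1 -or $t.Port -gt 65535) { throw "Port $($t.Port) is outside the 16-bit range." }
    if ($t.Port -eq 135) { throw 'Port 135 is reserved for the RPC End-Point Mapper.' }
}

foreach ($t in $Targets) {
    if (-not (Test-Path $t.Path)) { throw "Registry key not found: $($t.Path)" }
    # REG_DWORD written as a decimal value, matching step 4 of the procedure;
    # -Force overwrites an existing TCP/IP Port value.
    New-ItemProperty -Path $t.Path -Name 'TCP/IP Port' -PropertyType DWord -Value $t.Port -Force | Out-Null
    # Read the value back so the operator sees exactly what the service will use.
    $readBack = (Get-ItemProperty -Path $t.Path -Name 'TCP/IP Port').'TCP/IP Port'
    Write-Host ("{0}\TCP/IP Port = {1}" -f $t.Path, $readBack)
}
Write-Host 'Restart the Exchange services, then allow TCP 135 plus these two ports through the packet filter.'
```

Run the script from an elevated PowerShell session; the services pick up the new ports only after they restart, and the packet filter must allow TCP 135 together with both configured ports.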