Taken from http://support.microsoft.com/kb/270836:

Statically map the ports for a front-end server in a perimeter network Ethernet environment so that the computer can log on to the network and communicate with the back-end servers
To install Exchange Server 2003 or Exchange 2000 Server on computers that are isolated from their Microsoft Windows Server 2003 or Microsoft Windows 2000 networks by a firewall and that are in a perimeter network Ethernet environment, follow these steps:
1. To enable Windows Server 2003-based computers or Windows 2000-based computers to log on to the domain through the firewall, open the following ports for incoming traffic:
* 53 (Transmission Control Protocol [TCP], User Datagram Protocol [UDP]) - Domain Name System (DNS).
* 80 (TCP) - Required for Outlook Web Access (OWA) communication between front-end and back-end Exchange servers.
* 88 (TCP, UDP) - Kerberos authentication.
* 123 (UDP) - Windows Time Synchronization Protocol (NTP). This is not required for Windows 2000 logon capability. However, it may be configured or required by the network administrator.
* 135 (TCP) - EndPointMapper.
* 389 (TCP, UDP) - Lightweight Directory Access Protocol (LDAP).
* 445 (TCP) - Server message block (SMB) for Netlogon, LDAP conversion, and Microsoft Distributed File System (DFS) discovery.
* 3268 (TCP) - LDAP to global catalog servers.
* One port for the Active Directory logon and directory replication interface (universally unique identifiers [UUIDs] 12345678-1234-abcd-ef00-01234567cffb and e3514235-4b06-11d1-ab04-00c04fc2dcd2). This port is typically assigned as 1025 or 1026 during startup. The value is not set in the DSProxy or System Attendant (MAD) source code. Therefore, you must map the port in the registry on every domain controller that the Exchange server must contact through the firewall to process logons, and then open that port on the firewall.
To map the port in the registry, follow these steps:
1. Start Registry Editor.
2. Locate and then click to select the following key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
3. Add the following registry value:
Value name: TCP/IP Port
Value type: REG_DWORD
Base: Decimal
Value: A value that is more than 1024
4. Exit Registry Editor.
Make sure that the slash in "TCP/IP" is a forward slash. Additionally, make sure that you assign a value that is more than 1024 (decimal). This number is the additional port that you must open (TCP, UDP) on the firewall. Setting this registry value on every domain controller inside the firewall does not affect performance. Additionally, setting this registry value covers any logon request redirects that occur because of servers that are down, roles that change, or bandwidth requirements.
Notes
* For the server inside the firewall to communicate through the firewall to the external server, you must also have ports 1024 through 65535 configured for outgoing communications. Computers that initiate the communication through the firewall use a client-side port that is dynamically assigned and cannot be configured.
* When Windows 2000 Server-based computers log on to the domain through the firewall, the logon includes a sequence of TCP/IP ping requests to the destination server. Windows 2000 does this to determine whether the client computer is reaching a domain controller over a slow link, so that it can decide how to apply Group Policy or whether to download a roaming user profile.
2. Install Exchange Server 2003 or Exchange 2000 Server on the external computer. You do not need any more ports open to install Exchange Server 2003 or Exchange 2000 Server on the external computer.
3. Configure Exchange Server 2003 or Exchange 2000 Server front-end and back-end connectivity. Front-end and back-end connectivity only requires that the ports for the protocols you actually use be open. For example, Web client front-end and back-end connectivity requires port 80 (TCP), IMAP requires port 143 (TCP), and so on. Additionally, any connectivity over secure protocols that you need, such as IPsec or Secure Sockets Layer (SSL)-secured HTTP, Internet Message Access Protocol (IMAP), or Post Office Protocol version 3 (POP3), requires additional configuration that is not specified in this article. If the front-end server in the perimeter network is on a different subnet, make sure that you add that subnet in the Active Directory Sites and Services snap-in.
Note You do not have to add the subnet if you have not created a separate subnet object in Active Directory Sites and Services.
In a perimeter network Ethernet environment, you must also define TCP/IP routes from the computer in the perimeter network Ethernet environment to every computer in the internal network that you must communicate with.
Note In a perimeter network firewall scenario, there is no Internet Control Message Protocol (ICMP) connectivity between the Exchange server and the domain controllers. By default, Directory Access (DSAccess) uses ICMP to ping each server to which it connects to determine whether the server is available. When there is no ICMP connectivity, Directory Access responds as if every domain controller were unavailable. For more information about how to turn off the Directory Access ping by creating a registry key, see the following Microsoft Knowledge Base articles:
320529 (http://support.microsoft.com/kb/320529/) Using DSAccess in a perimeter network firewall scenario requires a registry key setting
320228 (http://support.microsoft.com/kb/320228/) The "DisableNetLogonCheck" registry value and how to use it
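The registry mapping from step 1 and a reachability check from the perimeter host, written as an added PowerShell example (not part of the Knowledge Base article). It assumes PowerShell 5.1 on Windows Server 2012 R2 or later on both machines, and the port number 1100 and the domain controller name dc01.corp.example are placeholders.

```powershell
# Added example, not from the KB article. Run on each domain controller that the
# Exchange front-end server must reach through the firewall.
function Set-NtdsStaticPort {
    param([Parameter(Mandatory)][int]$Port)

    # The article requires a decimal value greater than 1024.
    if ($Port -le 1024 -or $Port -gt 65535) {
        throw "Port must be between 1025 and 65535 (got $Port)."
    }
    $key = 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters'

    # The value name is literally 'TCP/IP Port' with a forward slash, as the
    # article stresses; a backslash would create a different (ignored) value.
    New-ItemProperty -Path $key -Name 'TCP/IP Port' -PropertyType DWord `
        -Value $Port -Force | Out-Null

    # Read the value back and confirm it matches before touching the firewall.
    $actual = (Get-ItemProperty -Path $key -Name 'TCP/IP Port').'TCP/IP Port'
    if ($actual -ne $Port) {
        throw "Read-back mismatch: expected $Port, found $actual."
    }
    # The new port is used only after Active Directory Domain Services restarts.
    Write-Host "NTDS 'TCP/IP Port' = $Port on $env:COMPUTERNAME; restart the DC to apply."
    return $actual
}

# Run on the front-end server after the firewall rule for the static port is in
# place. Checks the fixed TCP ports from the article plus the static RPC port.
# UDP ports (53, 88, 123, 389) cannot be probed this way and are not listed.
function Test-DcPortsFromPerimeter {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [Parameter(Mandatory)][int]$StaticPort
    )
    $tcpPorts = 53, 88, 135, 389, 445, 3268, $StaticPort
    foreach ($p in $tcpPorts) {
        $r = Test-NetConnection -ComputerName $DomainController -Port $p `
            -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $p; Open = $r.TcpTestSucceeded }
    }
}

# Placeholder usage (port and host name are assumptions):
# Set-NtdsStaticPort -Port 1100                      # on each domain controller
# Test-DcPortsFromPerimeter -DomainController 'dc01.corp.example' -StaticPort 1100
```

A row with Open = False for the static port after the DC restart usually means the firewall rule, not the registry value, is missing.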