Firewall Configuration
Connecting without VPN (Virtual Private Network)...
Exchange server and Outlook communicate over a wide
range of port numbers, some of which are dynamically
assigned. Outlook makes initial contact with an Exchange
server over port 135, and is assigned a higher port
number. The Outlook client then opens a new connection
over the higher port number.
For best results, open the firewall to all UDP and
TCP traffic both ways, based on the IP addresses of our
network, not on specific port numbers. This is often
described as a trusted site, or trusted zone, in
firewall configurations. Most firewalls give you the
ability to configure a trusted site. You will need the
IP addresses of our network to complete the
configuration.
Our network address is: 24.73.223.2/30
That is, 24.73.223.2 through 24.73.223.5
The trusted site (zone) configuration is actually
much safer than opening particular ports on the firewall
to the entire world. This way, you are able to
communicate with a specific trading partner, but your
firewall remains intact, with no additional ports
open.
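Before entering the address block above into a trusted-zone rule, it is worth checking how the CIDR form and the written range line up. The following is an added example, not part of the original page. It takes the two values exactly as printed above and uses Python's standard ipaddress module. How a particular firewall treats a CIDR whose address is not on the prefix boundary is an assumption to verify on that product; the sketch shows the result when the address is masked to the prefix.

```python
import ipaddress

# Values copied from the page.
PAGE_CIDR = "24.73.223.2/30"
PAGE_FIRST, PAGE_LAST = "24.73.223.2", "24.73.223.5"

def cidr_is_aligned(cidr):
    """True if the address part sits on the prefix boundary (no host bits set)."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        return True
    except ValueError:
        return False

def normalized_block(cidr):
    """The block obtained by masking the address to the prefix length."""
    return ipaddress.ip_network(cidr, strict=False)

def range_to_cidrs(first, last):
    """Smallest list of aligned CIDR blocks covering first..last exactly."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

def coverage_gap(cidr, first, last):
    """Return (range addresses the masked block misses,
    addresses the masked block trusts outside the range)."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    wanted = {ipaddress.ip_address(i) for i in range(lo, hi + 1)}
    have = set(normalized_block(cidr))  # every address in the masked block
    return sorted(wanted - have), sorted(have - wanted)

if __name__ == "__main__":
    print("aligned as written:", cidr_is_aligned(PAGE_CIDR))
    print("masked to prefix:  ", normalized_block(PAGE_CIDR))
    print("range as CIDRs:    ",
          [str(n) for n in range_to_cidrs(PAGE_FIRST, PAGE_LAST)])
    missing, extra = coverage_gap(PAGE_CIDR, PAGE_FIRST, PAGE_LAST)
    print("in range, not in masked block:", [str(a) for a in missing])
    print("in masked block, not in range:", [str(a) for a in extra])
```

If the firewall masks the entry, a rule built from the CIDR form and a rule built from the written range trust different addresses, so confirm which one the rule actually matches after saving it.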
Connecting with VPN...
If you can't use port 135, because your Internet
provider or another firewall blocks it, and you aren't
able to change that, the best workaround is to connect
through our VPN server.
If you use a personal firewall or broadband router,
or if there are firewalls between the VPN client and the
VPN server, TCP port 1723 and IP protocol 47 (GRE) must
be enabled on all firewalls and routers that are between
the VPN client and the VPN server. By default, most
firewalls will prevent VPN connections, and will need to
be configured to allow VPN.
Please refer to the VPN setup instructions in our tech
support section for step-by-step directions and
screenshots.

See these Microsoft Knowledge Base articles for
details on the ports and protocols used by Exchange and
Outlook:
Q278339 TCP/UDP Ports Used By Exchange Server 2000
305572 OL2002: You Cannot Receive New E-mail Notifications in Environments That Use Network Address Translation
314076 HOW TO: Configure a Connection to a Virtual Private Network (VPN) in Windows XP

Internet Service Provider issues
Various cable companies, including Cox and Comcast,
have gone back and forth over the issue of blocking
their customers' ability to use port 135 over the
Internet. Port 135 is used by Outlook to make initial
contact with an Exchange server. If you attempt to use
Outlook through a network or a firewall that blocks port
135 traffic, you will receive a message from Outlook
indicating the Exchange server is unavailable.
Cox cable began blocking port 135 last fall, and
after a few weeks of being deluged with complaints from
their customers, reversed the policy. Comcast cable went
through the exact same process this spring. Recently,
the Blaster worm prompted many other Internet providers
to react.
If you suspect an Internet provider has taken away
your access to port 135, there are various methods
available to troubleshoot the issue and get around the
restriction.
The best workaround currently is to use a Virtual
Private Network (VPN) connection. See our VPN instructions page for
more on that. VPN will get you around the problem
because it connects over a different port and routes all
traffic over that port. Exchange Hosting Service
maintains a VPN server and our customers always have the
option of using it. If your Internet provider ever
decides to experiment with port blocking, you will be
able to quickly adapt if you're a customer of ours. 
How To Determine if Port 135 is Blocked
You can use a free port scanner tool such as
Microsoft Portqry.exe to find out if port 135 is
blocked. See KB article 310099 and KB article 310298 for instructions and
a link to download the tool directly from Microsoft for
free. Portqry can tell you whether or not you have
access to port 135. If you get a response of "filtered"
when you query port 135 on the Exchange server, then
your Internet provider or your firewall is blocking port
135.

ZoneAlarm
ZoneAlarm
blocks the type of communication necessary for Outlook
to communicate with an Exchange server. If you have
ZoneAlarm or a similar personal firewall product, you
will need to reconfigure it, or temporarily disable it,
in order to successfully connect Outlook to
Exchange.
It may be possible to configure ZoneAlarm so it
allows you to use Outlook. Our brief review of their
tech support section found no useful information
whatsoever. If you know how to configure the thing,
please let us know so we can help our other
clients.

SonicWall
Users of SonicWall firewalls should increase
the timeout value to 60 minutes. See screenshot1 and screenshot2 for details. Without this
change, you may get error messages and be required to
log in again when attempting to switch back to Outlook
after working on something else for a while (to
postpone a reminder, for example).

RedHat
One of our clients has provided the following
information for those using RedHat
firewalls:
If running behind a masquerading RedHat 6.2 server
(probably 6.1, too) and getting frequent network
connection errors, increase the masquerade timeout to
about an hour. The command is:
ipchains -M -S 3600 3600 3600

Please let
us know if you have any firewall related information
or experience that might benefit other clients.