Firewall Configuration

Connecting without VPN (Virtual Private Network)...

Exchange server and Outlook communicate over a wide range of port numbers, some of which are dynamically assigned. Outlook makes initial contact with an Exchange server over port 135, and is assigned a higher port number. The Outlook client then opens a new connection over the higher port number.

For best results, open the firewall to all UDP and TCP traffic both ways, based on the IP addresses of our network, not on specific port numbers. This is often described as a trusted site, or trusted zone, in firewall configurations. Most firewalls give you the ability to configure a trusted site. You will need the IP addresses of our network to complete the configuration.

Our network address is: 24.73.223.2/30

That is, 24.73.223.2 through 24.73.223.5

The trusted site (zone) configuration is actually much safer than opening particular ports on the firewall to the entire world. This way, you are able to communicate with a specific trading partner, but your firewall remains intact, with no additional ports open.
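Before entering a trusted-zone address in a firewall, it is worth checking which addresses the entry will actually match. The following is an added example, not part of the original page; it uses Python's standard ipaddress module with the CIDR entry and the address range quoted above, and the function names are illustrative.

```python
import ipaddress

def cidr_span(entry):
    """First and last address matched by a CIDR entry.
    strict=False masks off host bits instead of rejecting the entry."""
    net = ipaddress.ip_network(entry, strict=False)
    return str(net[0]), str(net[-1])

def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks that covers exactly first..last."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(b) for b in blocks]

def check_entry(entry, first, last):
    """Compare a CIDR entry with a stated first..last range.
    Intended for small blocks: both sets are enumerated."""
    net = ipaddress.ip_network(entry, strict=False)
    lo = int(ipaddress.ip_address(first))
    hi = int(ipaddress.ip_address(last))
    stated = {ipaddress.ip_address(i) for i in range(lo, hi + 1)}
    matched = set(net)
    return {
        "entry_covers": cidr_span(entry),
        # addresses in the stated range that the CIDR entry would NOT trust
        "missing": [str(a) for a in sorted(stated - matched)],
        # addresses the CIDR entry trusts that are outside the stated range
        "extra": [str(a) for a in sorted(matched - stated)],
        # CIDR blocks that match the stated range exactly
        "exact_blocks": range_to_cidrs(first, last),
    }

if __name__ == "__main__":
    # Values as quoted on this page
    report = check_entry("24.73.223.2/30", "24.73.223.2", "24.73.223.5")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Firewalls differ in how they handle a CIDR entry whose host bits are set, so confirm the addresses with the provider and enter either the first-last range or the exact blocks the check returns.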

Connecting with VPN...

If you can't use port 135, because your Internet provider or another firewall blocks it, and you aren't able to change that, the best workaround is to connect through our VPN server.

If you use a personal firewall or broadband router, or if there are firewalls between the VPN client and the VPN server, TCP port 1723 and IP protocol 47 (GRE) must be enabled on all firewalls and routers that are between the VPN client and the VPN server. By default, most firewalls will prevent VPN connections, and will need to be configured to allow VPN. 

Please refer to the VPN setup instructions in our tech support section for step-by-step directions and screenshots.

See these Microsoft Knowledge Base articles for details on the ports and protocols used by Exchange and Outlook:
Q278339 TCP/UDP Ports Used By Exchange Server 2000
305572 OL2002: You Cannot Receive New E-mail Notifications in Environments That Use Network Address Translation
314076 HOW TO: Configure a Connection to a Virtual Private Network (VPN) in Windows XP

Internet Service Provider issues

Various cable companies, including Cox and Comcast, have gone back and forth over the issue of blocking their customers' ability to use port 135 over the Internet. Port 135 is used by Outlook to make initial contact with an Exchange server. If you attempt to use Outlook through a network or a firewall that blocks port 135 traffic, you will receive a message from Outlook indicating the Exchange server is unavailable.

Cox cable began blocking port 135 last fall, and after a few weeks of being deluged with complaints from their customers, reversed the policy. Comcast cable went through the exact same process this spring. Recently, the Blaster worm prompted many other Internet providers to react.

If you suspect an Internet provider has taken away your access to port 135, there are various methods available to troubleshoot the issue and get around the restriction.

The best workaround currently is to use a Virtual Private Network (VPN) connection. See our VPN instructions page for more on that. VPN will get you around the problem because it connects over a different port and routes all traffic over that port. Exchange Hosting Service maintains a VPN server and our customers always have the option of using it. If your Internet provider ever decides to experiment with port blocking, you will be able to quickly adapt if you're a customer of ours.

How To Determine if Port 135 is Blocked

You can use a free port scanner tool such as Microsoft Portqry.exe to find out if port 135 is blocked. See KB article 310099 and KB article 310298 for instructions and a link to download the tool directly from Microsoft for free. Portqry can tell you whether or not you have access to port 135. If you get a response of "filtered" when you query port 135 on the Exchange server, then your Internet provider or your firewall is blocking port 135.
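Where Portqry is not available (on a Macintosh or Linux client, for example), the same three-way result can be obtained with a single TCP connection attempt. This is an added sketch, not part of the original page; the host name is a placeholder to be replaced with the Exchange server name you were given, and the status strings follow Portqry's wording.

```python
import socket

def classify(exc):
    """Map the outcome of one TCP connect attempt to a Portqry-style status."""
    if exc is None:
        return "LISTENING"        # handshake completed
    if isinstance(exc, ConnectionRefusedError):
        return "NOT LISTENING"    # host answered with a reset: port reachable but closed
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "FILTERED"         # no answer at all: something on the path drops the packets
    return "ERROR (%s)" % type(exc).__name__   # e.g. name lookup failure

def probe(host, port=135, timeout=5.0):
    """Attempt one TCP connection and return its status string."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return classify(None)
    except OSError as exc:
        return classify(exc)

if __name__ == "__main__":
    # Placeholder host name (assumption): substitute your Exchange server.
    host = "exchange.example.net"
    print("TCP port 135 on %s: %s" % (host, probe(host)))
```

A FILTERED result from your normal connection combined with LISTENING from a different network points to the Internet provider or a local firewall rather than the server.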

ZoneAlarm

ZoneAlarm blocks the type of communication necessary for Outlook to communicate with an Exchange server. If you have ZoneAlarm or a similar personal firewall product, you will need to reconfigure it, or temporarily disable it, in order to successfully connect Outlook to Exchange.

It may be possible to configure ZoneAlarm so it allows you to use Outlook. Our brief review of their tech support section found no useful information whatsoever. If you know how to configure the thing, please let us know so we can help our other clients.

SonicWall

Users of SonicWall firewalls should increase the timeout value to 60 minutes. See screenshot1 and screenshot2 for details. Without this change, you may get error messages and be required to log in again when attempting to switch back to Outlook after working on something else for a while (to postpone a reminder, for example).

RedHat

One of our clients has provided the following information for those using RedHat firewalls:

If running behind a masquerading Redhat 6.2 server (probably 6.1, too) and getting frequent network connection errors, increase the masquerade timeout to about an hour. The command is:

ipchains -M -S 3600 3600 3600
 

Please let us know if you have any firewall related information or experience that might benefit other clients.

 

 


Junctionbox Online Services      Copyright © 1999-2004. All Rights Reserved.
Comments: Webmaster@junctionbox.net     Last updated 05/3/04, 4:30 P.M., EST