Setting up firewall rules for Microsoft Exchange
In this scenario we will be setting up a simple Microsoft Exchange mail server to be accessed by the internet. We will assume all Exchange services are on the same host, and all clients are on the internet.
To begin, we look at the available documentation. A brief internet search turns up https://docs.microsoft.com/en-us/exchange/plan-and-deploy/deployment-ref/network-ports?view=exchserver-2019, which appears to include everything needed for this very brief scenario. NOTE: If you are setting up an Exchange mail server, look beyond my simple search to confirm things will work.
Reading through the documentation, we see that we need the ports listed below. The direction of the traffic is just as important as the port, because together they describe the desired flow of data. Directions are given as seen from the Exchange server.
Several of the ports identified in the documentation were struck from the list because they were found to be unnecessary. For example, the documentation states that the POP3 and IMAP4 services are disabled by default, so those ports do not need to be open.
| Allow / Deny | Source | Port | Direction | Rule Name |
|---|---|---|---|---|
| Allow | Internet | 443/TCP | In | InboundExchange |
| Allow | Internet | 587/TCP | In | InboundExchange |
| Allow | Exchange | 25/TCP | Out | OutboundExchange |
| Allow | Exchange | 53/TCP | Out | OutboundExchange |
| Allow | Exchange | 53/UDP | Out | OutboundExchange |
Now that we know how data flows in and out of the mail server, converting this into firewall rules is fairly easy: we simply look up the correct command and format to turn the desired flows into access lists.
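As an added example (not part of the original post), the following Python script parses the flow table exactly as written above and renders one Windows Firewall `New-NetFirewallRule` command per row, so the generated rules can be reviewed before they are run on the Exchange host. The cmdlet and its parameters are real; the `-Group` value and the mapping of Deny to `-Action Block` are my assumptions, and the key point it encodes is that the listed port is `-LocalPort` for inbound flows but `-RemotePort` for outbound ones.

```python
import re

# Flow table copied from the page (header row included).
FLOW_TABLE = """\
Allow / Deny | Source | Port | Direction | Rule Name |
Allow | Internet | 443/TCP | In | InboundExchange |
Allow | Internet | 587/TCP | In | InboundExchange |
Allow | Exchange | 25/TCP | out | OutboundExchange |
Allow | Exchange | 53/TCP | out | OutboundExchange |
Allow | Exchange | 53/UDP | out | OutboundExchange |
"""

PORT_RE = re.compile(r"^(\d{1,5})/(TCP|UDP)$", re.IGNORECASE)
ACTIONS = {"allow": "Allow", "deny": "Block"}      # assumption: Deny -> Block
DIRECTIONS = {"in": "Inbound", "out": "Outbound"}

def parse_flows(table):
    """Turn the pipe-separated table into a list of flow dicts, rejecting bad rows."""
    flows = []
    for line in table.splitlines():
        if not line.strip():
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 5:
            raise ValueError(f"expected 5 columns in row: {line!r}")
        action, source, port_proto, direction, name = cells
        if port_proto.lower() == "port":
            continue  # header row
        m = PORT_RE.match(port_proto)
        if not m or action.lower() not in ACTIONS or direction.lower() not in DIRECTIONS:
            raise ValueError(f"unrecognised port/action/direction in row: {line!r}")
        flows.append({"action": ACTIONS[action.lower()], "source": source,
                      "port": int(m.group(1)), "proto": m.group(2).upper(),
                      "direction": DIRECTIONS[direction.lower()], "name": name})
    return flows

def to_powershell(flows):
    """Render one New-NetFirewallRule command per flow.

    The table lists each flow's destination port. Seen from the Exchange host that
    is -LocalPort for inbound rules (what Exchange listens on) and -RemotePort for
    outbound rules (the port on the remote SMTP/DNS server); swapping them produces
    rules that never match the intended traffic.
    """
    cmds = []
    for f in flows:
        port_param = "-LocalPort" if f["direction"] == "Inbound" else "-RemotePort"
        cmds.append(f'New-NetFirewallRule -DisplayName "{f["name"]} {f["port"]}/{f["proto"]}" '
                    f'-Group "{f["name"]}" -Direction {f["direction"]} -Action {f["action"]} '
                    f'-Protocol {f["proto"]} {port_param} {f["port"]}')
    return cmds

if __name__ == "__main__":
    for cmd in to_powershell(parse_flows(FLOW_TABLE)):
        print(cmd)
```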