Troubleshooter: Opening High-Numbered Ports When Using OWA 2000 in a DMZ

Why must I open high-numbered (e.g., 1024 and higher) ports when I use Outlook Web Access (OWA) 2000 in a demilitarized zone (DMZ)? This requirement seems to go against the idea that I can use OWA in a DMZ without special configuration of the firewall.

When Outlook clients use Messaging API (MAPI) to connect to an Exchange server, the remote procedure call (RPC) portmapper service assigns port numbers greater than 1024 for their connections, so you're right to wonder why an OWA-only front-end server would require that these ports be open. The answer is that the Exchange System Attendant service running on the OWA machine will refuse to start if you block the high-numbered ports.

Fortunately, the front-end server doesn't have to run the Exchange System Attendant service. You can stop the service and run OWA with only port 80 or port 443 open. However, before you switch off the service, consider these caveats:

The Exchange System Attendant service is required to run the Store service. If you want to use your OWA front-end server as an SMTP server, the SMTP service requires that the Store be running, so stopping the Exchange System Attendant service won't work.

You also can't stop the Exchange System Attendant service and the Store service if you want to access a mailbox server, because the Store depends on the Exchange System Attendant.
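After stopping the System Attendant, you want to confirm that the front-end really exposes nothing but 80/443 before trusting the firewall rule. The following is an added example, not from the original column: it parses `netstat -an` output from the front-end (the sample text is constructed, not captured from a real server) and sorts the listening TCP ports into the OWA allow-list, the RPC endpoint mapper (135), the dynamic high-numbered range the text discusses, and anything else.

```python
"""Check a front-end server's listening TCP ports against an OWA-only
allow-list (80/443).  The netstat text below is constructed sample data."""
import re

# Constructed sample of `netstat -an` output from a Windows server.
# Ports 1026/1027 stand in for the dynamic RPC endpoints that the
# System Attendant/Store pair would register.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:443           10.0.0.9:3301          ESTABLISHED
  UDP    0.0.0.0:1025           *:*
"""

# Matches only TCP listeners; established sessions and UDP are ignored.
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$")


def listening_tcp_ports(netstat_text):
    """Return the sorted list of distinct TCP ports in LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return sorted(ports)


def owa_exposure_report(netstat_text, allowed=(80, 443)):
    """Bucket listeners: allowed OWA ports, the RPC endpoint mapper (135),
    dynamic RPC-range ports (>= 1024) and any other low port."""
    report = {"allowed": [], "rpc_mapper": [], "dynamic_rpc": [], "other": []}
    for p in listening_tcp_ports(netstat_text):
        if p in allowed:
            report["allowed"].append(p)
        elif p == 135:
            report["rpc_mapper"].append(p)
        elif p >= 1024:
            report["dynamic_rpc"].append(p)
        else:
            report["other"].append(p)
    return report


if __name__ == "__main__":
    # A clean OWA-only front-end should show empty rpc_mapper/dynamic_rpc lists.
    print(owa_exposure_report(SAMPLE_NETSTAT))
```

Run it against real `netstat -an` output from the front-end; a non-empty `dynamic_rpc` list means a service still registering RPC endpoints is running and the firewall cannot be limited to 80/443 yet.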
