Firewall Configuration
Option 1 - Outlook Anywhere (RPC over HTTP)
Most consumer Internet providers block port 135. The best
workaround is to use Outlook Anywhere, formerly known as RPC-over-HTTP. Please refer to
Outlook Profiles for step-by-step
instructions with screen shots. It is not necessary to make any firewall
configuration changes if you use Outlook Anywhere.
Option 2 - Open a trusted site (zone)
If you don't use Outlook Anywhere, Exchange server and Outlook communicate over a wide range of port
numbers, some of which are dynamically assigned. Outlook makes initial
contact with an Exchange server over port 135, and is assigned a higher
port number. The Outlook client then opens a new connection over the
higher port number.
For best results, open the firewall to all UDP and TCP traffic both
ways, based on the IP addresses of our network, not on specific port
numbers. This is often described as a trusted site, or trusted zone, in
firewall configurations. Most
firewalls give you the ability to configure a trusted site. You will need
the IP addresses of our network to complete the configuration.
Our network address is: 65.115.231.128/27
That is, 65.115.231.129 through 65.115.231.158
The trusted site (zone) configuration is actually much safer than
opening particular ports on the firewall to the entire world. This way,
you are able to communicate with a specific trading partner, but your
firewall remains intact, with no additional ports open.
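The difference between the two approaches, as an added example that is not part of the original page: a small Python model of a port-based rule and a trusted-zone rule, evaluated over constructed connections. The rule format, the address 203.0.113.50 and port 49200 are illustrative assumptions; only the network address comes from this page.

```python
import ipaddress

# Network address published on this page.
TRUSTED_NET = ipaddress.ip_network("65.115.231.128/27")
ANY = ipaddress.ip_network("0.0.0.0/0")

# A rule is (remote network, set of allowed ports, or None for every port).
PORT_RULES = [(ANY, {135})]          # port 135 opened to the entire world
ZONE_RULES = [(TRUSTED_NET, None)]   # trusted zone: all ports, one network


def usable_range(net):
    """First and last host address, excluding network and broadcast."""
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1])


def allowed(rules, remote_ip, port):
    """True if any rule admits traffic with this remote address and port."""
    ip = ipaddress.ip_address(remote_ip)
    return any(ip in net and (ports is None or port in ports)
               for net, ports in rules)


# Constructed sample traffic: (remote address, port the rule is keyed on).
SAMPLES = [
    ("65.115.231.130", 135),    # our network, initial contact on port 135
    ("65.115.231.130", 49200),  # our network, dynamically assigned port
    ("203.0.113.50", 135),      # unrelated Internet host (documentation range)
]


def compare():
    """Return (ip, port, admitted by port rule, admitted by trusted zone)."""
    return [(ip, port,
             allowed(PORT_RULES, ip, port),
             allowed(ZONE_RULES, ip, port))
            for ip, port in SAMPLES]


if __name__ == "__main__":
    print("usable hosts: %s through %s" % usable_range(TRUSTED_NET))
    for ip, port, by_port, by_zone in compare():
        print(f"{ip:>15}:{port:<5}  port rule={by_port!s:5}  trusted zone={by_zone}")
```

The port rule admits the unrelated host and still drops the dynamically assigned port; the trusted zone does the reverse on both counts.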
Option 3 - VPN (Virtual Private Network)
Another option is to connect through our VPN server. If you use a personal
firewall or broadband router, or if there are firewalls between the VPN
client and the VPN server, TCP port 1723 and IP protocol 47 (GRE) must be
enabled on all firewalls and routers that are between the VPN client and
the VPN server. By default, most firewalls will prevent VPN connections,
and will need to be configured to allow VPN.
Please refer to VPN setup instructions in our tech support section for
step-by-step instructions and screen shots.

How To Determine if Port 135 is Blocked
You can use a free port scanner tool such as Microsoft Portqry.exe to
find out if port 135 is blocked. See KB article 310099 and KB article
310298 for instructions and a link to download the tool directly from
Microsoft for free. Portqry can tell you whether or not you have access
to port 135. If you get a response of "filtered" when you query port 135
on the Exchange server, then your Internet provider or your firewall is
blocking port 135.
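If Portqry is not at hand, a plain TCP connect gives a comparable three-way answer. This Python script is an added example, not a Microsoft tool or part of the original page; exchange.example.com is a placeholder host name, and unlike Portqry it does not query the RPC endpoint mapper behind port 135.

```python
import socket
import sys


def tcp_port_state(host, port=135, timeout=5.0):
    """Classify a TCP port using the same wording Portqry reports.

    LISTENING      the connection was accepted
    NOT LISTENING  the host answered with a reset (port closed, path open)
    FILTERED       no answer or an unreachable error: something on the
                   path (ISP, router, personal firewall) dropped the traffic
    UNRESOLVED     the host name could not be looked up (not a Portqry state)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "LISTENING"
    except socket.gaierror:
        return "UNRESOLVED"
    except ConnectionRefusedError:
        return "NOT LISTENING"
    except socket.timeout:
        return "FILTERED"
    except OSError:
        # Host or network unreachable: usually a filter rejecting the packet.
        return "FILTERED"


if __name__ == "__main__":
    # Placeholder name; pass the real Exchange server as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "exchange.example.com"
    state = tcp_port_state(target, 135)
    print(f"TCP port 135 on {target}: {state}")
    if state == "FILTERED":
        print("Port 135 is blocked by your Internet provider or firewall.")
```

Run it from the same PC and network that Outlook uses, since the result describes the path from that machine only.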

See these Microsoft Knowledge Base articles for details on the ports
and protocols used by Exchange and Outlook:
Q278339 TCP/UDP Ports Used By Exchange Server 2000
305572 OL2002: You Cannot Receive New E-mail Notifications in Environments That Use Network Address Translation
314076 HOW TO: Configure a Connection to a Virtual Private Network (VPN) in Windows XP

ZoneAlarm
ZoneAlarm blocks the type of
communication necessary for Outlook to communicate with an Exchange
server, unless you use Outlook Anywhere (RPC over HTTP). If you have ZoneAlarm or a similar personal firewall product, you
will need to reconfigure it, or temporarily disable it, in order to successfully connect
Outlook to Exchange without Outlook Anywhere.
The following was provided by one of our users:
The trick to successfully running ZA on any client is to
make sure your programs are given proper access permissions (Programs
tab on the Program Control page) and that the required IP addresses for
sites/servers you trust are listed in the trusted sites zone (Zones tab
on the Firewall Page). The same applies to the Pro version, though the
locations of these entries may be in a different interface.
Outlook is given full internet and server permissions, and the IPs
and/or subnets of servers have been added to the trusted sites zone. I
also added the URL of such sites as www.dslreports.com so that the
benchmark utilities will get ping responses for benchmarking. I had to
do this on my home system as well for the servers hosting online games (Freespace,
Diablo, etc.) so that I could get into the game join screens and host
games on my PC.
The trick is knowing what programs need what permissions (server or just
internet access) and what sites need normal access to your system. Then,
you just need to add them to the trusted zones. It is actually kind of
easy once you see it done.

SonicWall
Users of SonicWall firewalls should increase the timeout value to 60
minutes. See screenshot1 and screenshot2 for details. Without this change,
you may get error messages and be required to log in again when attempting
to switch back to Outlook after working on something else for a while (to
postpone a reminder, for example).

RedHat
One of our clients has provided the following information for those
using RedHat firewalls:
If running behind a masquerading Redhat 6.2 server (probably 6.1, too)
and getting frequent network connection errors, increase the masquerade
timeout to about an hour. The command is:
ipchains -M -S 3600 3600 3600

Please let us know if you have any firewall related information or
experience that might benefit other clients.
Copyright 2007, Webville Networks. All rights reserved.
This page updated: 03/06/07