Exchange 2016 and network segmentation

Question

Exchange 2016 and network segmentation

AdamTyler-3751 431

I'd like to confirm the firewall policy requirements around an Exchange 2016 deployment. My goal is to allow only required ports to and from Exchange.

I've found that it is not recommended to restrict any traffic between Domain Controllers and Exchange servers in either direction. It's also a good idea to have more than one Domain Controller within the AD site where the Exchange server resides.

It not recommended to restrict any traffic between Exchange Servers in any AD site.

From clients to Exchange it appears you need only TCP:443, unless you need to run the Exchange tools local on that client, then you need TCP:80. This is only inbound from the client to Exchange server. Yes remote PowerShell is an alternative to this, but let's ignore that for the sake of this conversation.

Are these statements still valid?

If that is still all true, I have a question regarding Domain Controllers in OTHER AD sites. I would venture to guess that Exchange needs no connectivity in/out to these servers?

Regards,
Adam Tyler

Joyce Shen - MSFT 16,701 Reputation points

2021-04-23T08:39:03.033+00:00

Hi @AdamTyler-3751

Any update about your issue?

3 answers

Your answer

Joyce Shen - MSFT 16,701 Reputation points

2021-04-23T08:39:03.033+00:00

Hi @AdamTyler-3751

Any update about your issue?

Answer 1

Andy David - MVP 157.8K MVP Volunteer Moderator

Hi @AdamTyler-3751 ,
Its really about support versus what works. You can certainly block those remote DCs with firewall rules and set the Exchange Servers to only use local DCs:

(Exluding the remote DCs)

-StaticExcludedDomainControllers

https://learn.microsoft.com/en-us/powershell/module/exchange/set-exchangeserver?view=exchange-ps

set-exchangeServer <ex01> -StaticExcludedDomainControllers  <RemoteDC1>, <RemoteDC2>

If that works and Exchange is fine, do that. If you find it doesn't work , undo it.

The support issue comes if you open a ticket and then support determines the issue is because Exch is trying to contact a Remote DC , then they will tell you what you are doing is not suported. :)

AdamTyler-3751 431 Reputation points

2021-04-19T15:48:39.9+00:00

Hello @Andy David - MVP , well that is something. Sort of terrible you have to come back and manually babysit this setting as Domain Controllers are decommissioned and replaced. In our case, we plan to always have redundant Domain Controllers in the same Exchange AD site, so theoretically Exchange should never need to reach out to different AD sites for Domain Controller services.

Any thoughts on using a stateful firewall rule to allow Domain Controllers to respond to queries, but not initiate traffic? If this works and is supported, it should prevent a threat actor from spreading through the network from an infected Domain Controller. Or at least make it more difficult for them.

Regards,
Adam Tyler
Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator

2021-04-19T15:52:18.387+00:00

Well, it wouldn't be supported to have anything but ANY/ANY between Exch and DCs, but not supported doesn't mean "It wont work".
Its an important distinction. You can do what you want and whatever works. Its only an issue if it doesn't work - Then you can't go back to Microsoft support and say "Why doesn't this work" since its not supported.

I hope that makes sense :)
AdamTyler-3751 431 Reputation points

2021-04-19T15:58:34.953+00:00

@Andy David - MVP , Right... I guess what I am getting at is, will it work? My role in the organization is still to provide maximum uptime at the end of the day and I'd hate to break Exchange by implementing network security changes that break the mail system. I tend to heed Microsoft best practices, but in this case it just seems reckless. Is there no network security focused paper on this topic, no other recommendations from them?

We're still in the process of rolling out Exchange 2016 right now, I'd hate to bork the install process because it can't connect to required resources.. Maybe get through the deployment with everything wide open and lock things down afterward, I'm not sure yet.

Regards,
Adam Tyler
Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator

2021-04-19T16:00:53.617+00:00

Yea, sorry, cant tell if you if that will work since I've never needed to set it that way. I think its one of those things you will have to test for your environment.

Answer 2

Ashok M 6,846

Hi @AdamTyler-3751 ,

As you have stated, yes, its not recommended to restrict firewall ports between Exchange servers and Domain controllers. This includes domain controllers in other sites as well. This is because the exchange will get the list of all domain controllers and keep a track of reachability/SACL rights, etc. Event ID 2080 provides more details. Lets assume there is only one domain controller in the Exchange server site and in an event if that goes down, exchange should be able to communicate with the other domain controllers which are listed as out of site in event 2080. Thus, it has to be allowed.

https://learn.microsoft.com/en-us/exchange/troubleshoot/administration/msexchangedsaccess-event-id-2080

Also, for the clients, SMTP/IMAP/POP protocol ports to be allowed.

https://learn.microsoft.com/en-us/exchange/plan-and-deploy/deployment-ref/network-ports?view=exchserver-2016#network-ports-required-for-clients-and-services

If the above suggestion helps, please click on "Accept Answer" and upvote it.

AdamTyler-3751 431 Reputation points

2021-04-19T15:20:26.367+00:00

Hello @Ashok M , there is a silly 1000 character limit, so this response is going to have to be spread over two posts. My apologies.

I think I expected your answer, however it is unfortunate. I can see why a ransomware attacker would seek to query AD sites and Services first thing, get a list of Domain Controllers, then focus their efforts as the primary target. Once one of these servers is owned, there is no restriction to moving throughout the entire network. In my opinion, the fact this is by Microsoft design is absolutely nuts.

End part 1..
AdamTyler-3751 431 Reputation points

2021-04-19T15:21:11.617+00:00

@Ashok M

Reply Part 2:

So that said, I am wondering what else can be done to make an attackers life just a little harder. You've confirmed that Exchange Servers and Domain Controllers all need to be able to talk uninhibited. However, in my experience Domain Controllers aren't typically initiating TCP/UDP communications to Domain Joined workstations or member servers. Usually it is the client that is reaching out to get a copy of the sysvol directory or the latest version of group policy on a regular basis. If this understanding of how Domain Controllers serve clients is accurate, wouldn't it be possible to leverage a stateful firewall at least to prevent a potentially infected Domain Controller from "Initiating" unsolicited IP traffic to clients and member servers? In other words only allow Domain Joined systems to initiate connections and allow the stateful response only.

Regards,
Adam Tyler
Ashok M 6,846 Reputation points

2021-04-21T07:58:03.517+00:00

Hi @AdamTyler-3751 ,

From network security standpoint, what you are trying to achieve is for your environment which has to be tested. on the other hand, we also have to consider service requirement. Here, we can provide suggestions on the recommendations, best practices, supportability for Exchange. With that said, restricting traffic between Exchange and DC's aren't supported which doesn't mean that it won't work. Like @Andy David - MVP said, exclusions can be set and tested, however there might be issues while working with support :)

Also, for the stateful firewall, there are instances wherein DC's can initiate traffic to the clients/member servers as well. One of the instances is to force GPO from DC which is one of the common administrative tasks which does require ports to be allowed from DC to Clients/member servers.
AdamTyler-3751 431 Reputation points

2021-04-21T15:43:51.237+00:00

It is absolutely unreal to me that Microsoft has designed an enterprise server solution that is not securable with network segmentation. They've given us a set of servers (Exchange and DCs) that must communicate with EVERYTHING everywhere at all times.

At the rate that privilege escalation and RCE vulnerabilities are discovered for Windows and Exchange Server, it makes one wonder if Microsoft doesn't have a foot in the ransomware business. It seems they are actively working toward their customers being vulnerable and powerless against such an infection. No other self respecting IT professional would point a Windows server at the public internet and then not restrict it's access to the most vulnerable internal portions of the network. This cannot be a "best practice". I cannot be the only one to express this concern.

Regards,
Adam Tyler
Ashok M 6,846 Reputation points

2021-04-22T06:04:07.263+00:00

Sorry to hear that. You can submit your feedback to Microsoft or open a ticket with Microsoft support to see if it can be achieved for your environment.

Answer 3

Hi @AdamTyler-3751

Do suggestions above from AshokM help? We could also refer to the discussion in below thread about Exchange 2013 firewall ports

And a previous article introduces the relationship between Exchange and firewall for your reference as well: https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-firewalls-and-support-8230-oh-my/ba-p/595710

If an Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Share via

Exchange 2016 and network segmentation

3 answers

Your answer