Small Business Server 2008 (SBS 2008) requires a number of ports open on your firewall to allow inbound traffic from the Internet into your network. SBS 2008 needs fewer ports open than SBS 2003 did. You only need to open all of the ports below if you are using every SBS 2008 feature. If you do not need a specific function, there is no need to allow that port inbound to the server.
Port 25 This is required for inbound mail using the SMTP protocol and will be needed on MOST SBS 2008 servers. If you are using an external third-party mail filtering service such as Trend Micro Internet Messaging Security, then you will want to restrict this port so that it is open ONLY to their servers. Closing this port to all traffic will prevent ANY inbound mail to your SBS 2008 server.
Port 80 This port is used to redirect requests for the Remote Web Workplace at http://remote.mycompany.com through to the secured site on port 443. You do not need to have this port open for SBS 2008 to work, but if you close it then you must get your users to use https://remote.mycompany.com to get to their Remote Web Workplace. Closing this port will result in errors when users try to access Remote Web Workplace via http://remote.mycompany.com.
Port 443 This is the Secure Sockets Layer (SSL) access to the Remote Web Workplace. All traffic over this port is encrypted for security. This port needs to be open in order for Remote Web Workplace to work. Closing this port will result in the Remote Web Workplace not being accessible outside of the office from the Internet.
Port 987 This is another Secure Sockets Layer (SSL) port that is used to allow access to the Companyweb from the Internet. It uses the same digital certificate as that on port 443. Closing this port will result in the Companyweb not being accessible outside of the office from the Internet.
Port 1723 This port is used for the PPTP VPN in SBS 2008. It only needs to be enabled if you have already configured the SBS 2008 server to be used as a VPN server. You can do this via the SBS 2008 console on the Network tab using the Enable VPN wizard. Closing this port will result in the VPN not being accessible from the Internet.
SBS 2008 does NOT require the following ports to be opened BY DEFAULT.
Port 21 This port is used for FTP access from the Internet to the SBS 2008 server. The SBS 2008 server is NOT configured as an FTP server by default. It is NOT recommended that you configure your SBS 2008 server as an FTP server because, by default, any password used to access it will go over the Internet in clear or plain text. This means that someone else can easily read your password and potentially compromise your network security.
Port 3389 This port is used for DIRECT access to the SBS 2008 server's console via the RDP protocol of the Remote Desktop Connection software. Allowing this port to be open to the Internet WILL increase the potential of your server being compromised via a password brute force attack. If you MUST have this port open to the Internet, it is recommended that you implement a two-factor authentication solution called AuthAnvil from Scorpion Software.
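
The port list above can be turned into a quick audit of the inbound rules on your firewall. The script below is an added example, not part of the original article or of SBS 2008: the feature names, the (port, source) rule format and the sample rules are assumptions made for illustration, and 203.0.113.10 is a placeholder for a mail filtering service address.

```python
# Added example: audit inbound firewall rules against the SBS 2008 port list.
# Feature names and the (port, source) rule format are assumptions of this example.
PORT_FEATURE = {
    25: "smtp",           # inbound mail
    80: "rww_redirect",   # optional http -> https redirect for Remote Web Workplace
    443: "rww",           # Remote Web Workplace over SSL
    987: "companyweb",    # Companyweb over SSL
    1723: "vpn",          # PPTP VPN, only if the Enable VPN wizard was run
}
NOT_RECOMMENDED = {
    21: "FTP sends passwords in clear text",
    3389: "direct RDP invites password brute force",
}

def audit(rules, features, mail_filter_sources=None):
    """Return sorted (port, finding) tuples for a list of (port, source) rules.

    source is "any" or an address string; mail_filter_sources is the set of
    addresses of an external mail filtering service, if one is used.
    """
    findings, open_ports = [], set()
    for port, source in rules:
        open_ports.add(port)
        if port in NOT_RECOMMENDED:
            findings.append((port, "not recommended: " + NOT_RECOMMENDED[port]))
        elif port not in PORT_FEATURE:
            findings.append((port, "close: not on the SBS 2008 port list"))
        elif PORT_FEATURE[port] not in features:
            findings.append((port, "close: '%s' is not in use" % PORT_FEATURE[port]))
        elif port == 25 and mail_filter_sources and source not in mail_filter_sources:
            findings.append((port, "restrict: allow SMTP only from the mail filter"))
    # Features in use whose port is missing will not work from the Internet.
    for port, feature in PORT_FEATURE.items():
        if feature in features and port not in open_ports:
            findings.append((port, "open: needed for '%s'" % feature))
    return sorted(findings)

# Constructed sample: forwards found on a router; 203.0.113.10 is a placeholder.
SAMPLE_RULES = [(21, "any"), (25, "any"), (80, "any"), (443, "any"),
                (1723, "any"), (3389, "any"), (8080, "any")]
SAMPLE_FEATURES = {"smtp", "rww", "companyweb"}

if __name__ == "__main__":
    for port, finding in audit(SAMPLE_RULES, SAMPLE_FEATURES, {"203.0.113.10"}):
        print(port, finding)
```

A clean result is an empty list: every open port maps to a feature you use, and port 25 is limited to the filtering service when one is configured.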