SBSFAQ.COM

Supporting IT Pro's & MSP's since 2000

What inbound ports do I need to open on my firewall for Windows Server 2012 Essentials?

October 10, 2012 by Wayne Small 3 Comments

Windows Server 2012 Essentials differs from previous versions of SBS in that it is designed to work with three different types of mail systems. As a result, the ports you need to have open on your firewall are also different.

If you have a UPnP router, the configuration wizards in Windows Server 2012 Essentials will do the work for you. If, like me, you elect to disable UPnP, you will need to configure the firewall port forwarding manually.

Here’s the list of ports you need to open on your firewall for Windows Server 2012 Essentials.  Note that not ALL of them need to be open in order for things to work.

Port 25 – is NOT required to be open if you are using a cloud-based mail system such as Office 365; in that case this port can and should be closed. You should open this port to your network ONLY if you have an on-premises Exchange or other mail server, and then you port forward it to that mail server and not to the Windows Server 2012 Essentials server. If you have no external email filtering or antispam software, you will need to leave this open for all external IPs. If, however, you are using something like ExchangeDefender or Trend IMHS, you will need to lock down the external IPs that this port can talk to.

Port 80 – does NOT need to be open at all in reality. It’s there to provide an easy redirect for our users when they go to access the Anywhere Access feature of Windows Server 2012 Essentials (formerly known as Remote Web Access). Having this port open allows the user to type in remote.mycompany.com into a web browser which will then go direct to our server. The server will immediately redirect the user to https://remote.mycompany.com/remote so that all traffic is encrypted. You can safely close this port to reduce your attack profile but you will need to train your users to type in the full URL of https://remote.mycompany.com/remote. My advice is to train your users – put this URL on the back of a business card for them to make it easy to handle.

Port 443 – this is a mandatory one. This needs to be open and forwarded to your Windows Server 2012 Essentials server to allow access to the Anywhere Access website. All traffic over this connection is encrypted so it’s safe and secure. If this is not open, then none of these functions will work outside your office. This port is also used by the SSTP VPN protocol, which is the default VPN protocol in Windows Server 2012 Essentials.

Port 1723 – is an optional port on Windows Server 2012 Essentials. The default protocol for VPN is now SSTP, which runs over port 443, so you will only need to open port 1723 if you have client PCs that cannot use SSTP to access your server. If you have a more advanced router, make sure it also allows the GRE protocol (IP protocol 47) for these connections.
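The port rules above can be turned into a check on a router's forwarding list. The following is an added example, not part of the original post: the `Forward` record, the `audit` function and the 10.0.0.x addresses are hypothetical names and constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Forward:
    proto: str             # "tcp" or "gre"
    port: int              # 0 for GRE, which has no port number
    target: str            # internal host the router forwards to
    sources: str = "any"   # "any" or a comma-separated allow-list

def audit(rules, essentials, mail_server=None, mail_filter=False, legacy_vpn=False):
    """Return findings for a router forward list, per the port rules above."""
    findings = []
    by_key = {(r.proto, r.port): r for r in rules}

    https = by_key.get(("tcp", 443))
    if https is None or https.target != essentials:
        findings.append("443/tcp must be forwarded to the Essentials server")

    smtp = by_key.get(("tcp", 25))
    if smtp is not None:
        if mail_server is None:
            findings.append("25/tcp is open with no on-premises mail server: close it")
        elif smtp.target != mail_server:
            findings.append("25/tcp must go to the mail server, not " + smtp.target)
        elif mail_filter and smtp.sources == "any":
            findings.append("25/tcp should only accept the mail filter's IPs")
    elif mail_server is not None:
        findings.append("25/tcp is needed for the on-premises mail server")

    if ("tcp", 80) in by_key:
        findings.append("80/tcp is optional: close it and give users the https URL")

    pptp, gre = by_key.get(("tcp", 1723)), by_key.get(("gre", 0))
    if legacy_vpn:
        if pptp is None or gre is None:
            findings.append("non-SSTP clients need both 1723/tcp and GRE (47)")
    elif pptp or gre:
        findings.append("1723/tcp and GRE are unused when all clients use SSTP")
    return findings

# Constructed sample: cloud mail (no on-premises server), every client on SSTP.
SAMPLE = [
    Forward("tcp", 443, "10.0.0.10"),
    Forward("tcp", 80, "10.0.0.10"),
    Forward("tcp", 25, "10.0.0.10"),
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, essentials="10.0.0.10")))
```

For the constructed sample it reports the stray port 25 forward and the optional port 80 forward; a list containing only the 443 forward to the Essentials server produces no findings.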

Filed Under: FAQs Tagged With: Configuration, Firewall, Security, Windows Server 2012 Essentials

About The Author

Wayne has been working with Microsoft Server products in the SMB market for over 20 years. He has a passion for technology and has been a Microsoft MVP for over 15 years.

Comments

  1. Matt S says

    December 20, 2012 at 1:04 pm

    Thanks, this was exactly what I was looking for!

  2. Steve S says

    January 7, 2013 at 9:13 pm

    Can port 443 be changed to another port?
    We share a broadband connection with someone else and they already use that port for remote access, which means we can not use it.

    Anywhere access would be very handy to use but this stops it.

    • Wayne Small says

      January 8, 2013 at 11:46 am

      No – it can’t easily be changed and is not supported – sorry 🙁

