Small Business Server 2011 Standard (SBS 2011 Standard) needs to have a few ports open on your firewall router to allow specific traffic to flow into your SBS 2011 server for proper operation. You can use the uPnP protocol to automatically configure your firewall if you permit it. To do so ensure that uPnP is enabled on your firewall and run the Internet Address Management Wizard – it will do the rest. If however you, like me are more security conscious, you will want to manually make any changes to your firewall settings and you will want to disable uPnP. I do this routinely as I’ve had scenarios where a user on the network has loaded a third party application and that application has then redirected critical ports such as port 443 to it and therefore breaking remote access to applications o the SBS 2011 server.
So if you are going to control things manually you will need to have the following ports open. Note that you do NOT have to have them ALL open – but you need to open them IF you wish to use that functionality. Certain ports such as port 25 and 3389 may well need additional configuration to secure them in the best manner.
Port 25 – is required for all SMTP inbound mail. If you have no external email filtering or antispam software then you will need to leave this open for all external IPs. If however you are using something like ExchangeDefender or Trend IMHS then you will need to lock down the external IPs that this port can talk to. If this port is NOT open then you will not be able to receive external email.
Port 80 – does NOT need to be open at all in reality. It’s there to provide an easy redirect for our users when they go to access the Remote Web Access feature of SBS 2011. Having this port open allows the user to type in remote.mycompany.com into a web browser which will then go direct to our server. The server will immediately redirect the user to https://remote.mycompany.com/remote so that all traffic is encrypted. You can safely close this port to reduce your attack profile but you will need to train your users to type in the full URL of https://remote.mycompany.com/remote
Port 443 – this is a mandatory one. This is the secret behind SBS 2011 and over this encrypted channel you will be able to access Remote Web Access (RWA), Outlook Web Access, Activesync for your mobile devices and Outlook Anywhere. If this is not open then none of these functions will work outside your office.
Port 987 – this port is used for SSL encrypted access to the CompanyWeb. It uses the same SSL certificate as the one you installed with the Certificate Wizard and will provide external access to Companyweb. If this port is not open then you will not have external access tom Companyweb at all.
Port 1723 – is an optional port. You will need this open if you wish to use VPN to access the network remotely.
Port 3389 – DOES NOT NEED TO BE OPEN at all. May people believe they need this open to access the server from remote locations – that is incorrect. Having this port open to the Internet without restriction is a security issue as it then gives remote people direct console access to attempt to penetrate your server. If you must have it open for remote support purposes then install a two factor authentication agent like AuthAnvil or lock the port down so it’s accessible from your remote IP only.
So in a nutshell, you only really need port 25 and 443 open to the Internet on your firewall to allow MOST of the functionality of SBS 2011 and it’s Remote Web Access.
Mark Wilton says
Thanks Wayne. Good points. Regards the port 80, I think you can just train them to go to https://remote.mycompany.com without the /remote at the end, and it will automatically redirect. Just remembering to add the “s” on https is easier for some people than adding something at the end as well.
Heinz Raab says
This Article was very helpfull.
Its Easy, but I did’nt have my System Documentations here in the hospital and it Helps to remember
Phil Wisch says
All of the ports are TCP ports.