Firewall Configuration for Multi Server Mode

Revision as of 13:41, 25 August 2020 by Dweuthen (talk | contribs)

It is highly recommended to protect any MailStore Service Provider Edition service with appropriate firewall rules. This document should help with setting up the required rules. The firewall rules for running the SPE in Single Server Mode can be found in this document.

Important Notices:

  • The communication channels described below MUST NOT be intercepted by any kind of email or web proxies that are provided as part of antivirus software or unified threat management gateways.
  • The Windows Advanced Firewall is activated on any Windows Server installation by default. In order to connect to services (e.g. MailStore Management Console) of the MailStore Service Provider Edition, it is required that the appropriate firewall rules are added (see below).

The below table lists all TCP ports that need to be opened in the firewall when using MailStore Service Provider Edition in multi server mode. The following abbreviations are used in the source and target columns:

  • ANY = Any computer from private or public networks
  • ADM = Computer or network used for administration
  • CAS = Server hosting Client Access Server role
  • IH = Server hosting Instance Host role
  • MGMT = Server hosting Management Server role
Port Source Target Description
110 IH ANY Access to email servers for archiving via POP3 (Unencrypted/STARTTLS).
143 IH ANY Access to email servers for archiving via IMAP (Unencrypted/STARTTLS).
143 ANY CAS IMAP access to archives secured by TLS (STARTTLS) encryption.
389 IH ANY Access to LDAP servers (including Microsoft Active Directory) using an unencrypted or STARTTLS-encrypted session.
443 IH ANY Access to Microsoft Exchange Server for archiving via Exchange Web Services (EWS) secured by SSL encryption.
443 ANY CAS HTTPS access to instances used by E-mail Archive Client, Outlook Add-in, and MailStore Web Access.
443 MGMT my.mailstore.com Usage reporting and license update.
Important: DNS hostname MUST be used in firewall rules due to periodically changing IP addresses of my.mailstore.com.
636 IH ANY Access to LDAP servers (including Microsoft Active Directory) using a SSL encrypted connection.
993 ANY CAS IMAP access to archives secured by TLS (SSL) encryption.
993 IH ANY Access to email servers for archiving via IMAP (SSL).
995 IH ANY Access to email servers for archiving via POP3 (SSL).
8470 ADM MGMT Web-based access to the MailStore Management Console.
8471 CAS, IH MGMT Internal communication with Management Server
8472 MGMT, CAS IH Internal communication with Instance Hosts
8473 MGMT CAS Internal communication with Client Access Servers
8474 ADM MGMT Access to the MailStore Management API.
8474 IH, CAS MGMT Optional: Required for initial pairing with Management Server in Multi Server Mode. If not available, manual registration of Instance Hosts and Client Access Servers in Management Server is required.