What inbound ports do I need to open on my firewall for SBS 2011 Standard?

Small Business Server 2011 Standard (SBS 2011 Standard) needs to have a few ports open on your firewall router to allow specific traffic to flow into your SBS 2011 server for proper operation.  You can use the uPnP protocol to automatically configure your firewall if you permit it.  To do so ensure that uPnP is enabled on your firewall and run the Internet Address Management Wizard – it will do the rest.  If however you, like me are more security conscious, you will want to manually make any changes to your firewall settings and you will want to disable uPnP.  I do this routinely as I’ve had scenarios where a user on the network has loaded a third party application and that application has then redirected critical ports such as port 443 to it and therefore breaking remote access to applications o the SBS 2011 server.

So if you are going to control things manually you will need to have the following ports open.  Note that you do NOT have to have them ALL open – but you need to open them IF you wish to use that functionality.  Certain ports such as port 25 and 3389 may well need additional configuration to secure them in the best manner.

Port 25 – is required for all SMTP inbound mail.  If you have no external email filtering or antispam software then you will need to leave this open for all external IPs.  If however you are using something like ExchangeDefender or Trend IMHS then you will need to lock down the external IPs that this port can talk to.  If this port is NOT open then you will not be able to receive external email. 

Port 80 – does NOT need to be open at all in reality.  It’s there to provide an easy redirect for our users when they go to access the Remote Web Access feature of SBS 2011.  Having this port open allows the user to type in remote.mycompany.com into a web browser which will then go direct to our server.  The server will immediately redirect the user to https://remote.mycompany.com/remote so that all traffic is encrypted.  You can safely close this port to reduce your attack profile but you will need to train your users to type in the full URL of https://remote.mycompany.com/remote

Port 443 – this is a mandatory one.  This is the secret behind SBS 2011 and over this encrypted channel you will be able to access Remote Web Access (RWA), Outlook Web Access, Activesync for your mobile devices and Outlook Anywhere.  If this is not open then none of these functions will work outside your office.

Port 987 – this port is used for SSL encrypted access to the CompanyWeb.  It uses the same SSL certificate as the one you installed with the Certificate Wizard and will provide external access to Companyweb.  If this port is not open then you will not have external access tom Companyweb at all.

Port 1723 – is an optional port.  You will need this open if you wish to use VPN to access the network remotely.

Port 3389 – DOES NOT NEED TO BE OPEN at all.  May people believe they need this open to access the server from remote locations – that is incorrect. Having this port open to the Internet without restriction is a security issue as it then gives remote people direct console access to attempt to penetrate your server.  If you must have it open for remote support purposes then install a two factor authentication agent like AuthAnvil or lock the port down so it’s accessible from your remote IP only.

So in a nutshell, you only really need port 25 and 443 open to the Internet on your firewall to allow MOST of the functionality of SBS 2011 and it’s Remote Web Access.

Tags: , , , ,

This entry was posted on Tuesday, February 22nd, 2011 at 8:00 am and is filed under FAQs. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

30 Responses to “What inbound ports do I need to open on my firewall for SBS 2011 Standard?”

  1. Tweets that mention What inbound ports do I need to open on my firewall for SBS 2011 Standard? -- Topsy.com Says:

    February 22nd, 2011 at 9:46 am

    [...] This post was mentioned on Twitter by Wayne Small, David Bridges. David Bridges said: RT @sbsfaq: What inbound ports do I need to open on my firewall for SBS 2011 Standard? http://goo.gl/fb/J4tOP [...]

  2. Mark Wilton Says:

    February 23rd, 2011 at 12:45 pm

    Thanks Wayne. Good points. Regards the port 80, I think you can just train them to go to https://remote.mycompany.com without the /remote at the end, and it will automatically redirect. Just remembering to add the “s” on https is easier for some people than adding something at the end as well.

  3. Heinz Raab Says:

    November 17th, 2012 at 4:42 am

    Hello,
    This Article was very helpfull.
    Its Easy, but I did’nt have my System Documentations here in the hospital and it Helps to remember

  4. read more Says:

    November 6th, 2013 at 7:20 pm

    An interesting discussion is definitely worth comment.
    I do believe that you should write more on this issue, it might not be a taboo matter but
    usually folks don’t discuss such topics. To the
    next! Cheers!!

    Here is my blog read more

  5. christianity.com phil robertson Says:

    November 17th, 2013 at 7:58 pm

    Hello to all, how is all, I think every one is getting more from this web site, and your views are pleasant in support of new users.

  6. insidlisP Says:

    November 28th, 2013 at 3:16 pm

    クロノグラフセイコー ブライセイコー ブラ バッグ イツ 限定 ブライツ グランドセイコーセイコー ブライツ 評価 http://www.clickanimation.info/ プラダ セイコー腕時計 セイコー ブライツ 価格ブライツ 口コミ トリーバーチ

  7. Phil Wisch Says:

    January 16th, 2014 at 1:50 am

    All of the ports are TCP ports.

  8. Mavis Says:

    April 19th, 2014 at 4:01 am

    Everyone loves it when folks get together and share views.
    Great website, keep it up!

  9. Charlotte Foundation Pros Says:

    April 19th, 2014 at 11:46 am

    Hi! This is my first visit to your blog! We are a team
    of volunteers and starting a new initiative in a
    community in the same niche. Your blog provided us beneficial
    information to work on. You have done a outstanding job!

  10. Houston TX Foundation Pros Says:

    April 20th, 2014 at 6:47 am

    Wonderful work! This is the type of information that are
    meant to be shared across the internet. Disgrace on Google for not
    positioning this publish upper! Come on over and visit my site
    . Thank you =)

  11. pleskl argentina Says:

    April 24th, 2014 at 8:57 pm

    Why users still use to read news papers when in this technological globe all
    is presented on net?

  12. irrigation Says:

    May 3rd, 2014 at 8:24 pm

    Wow that was odd. I just wrote an extremely long comment but after I clicked submit my comment didn’t show
    up. Grrrr… well I’m not writing all that over again.
    Regardless, just wanted to say superb blog!

  13. Buy rdp Says:

    May 8th, 2014 at 5:42 pm

    Nice blog right here! Also your web site so much up very fast!
    What host are you the use of? Can I get your associate link to your host?
    I want my website loaded up as fast as yours lol

  14. Google Says:

    June 19th, 2014 at 8:57 pm

    is updated frequently with free advice about Google Ad – Words
    strategy, tactics, tips tricks and techniques for
    success in Ad – Words advertising. The website speed test at Secret Search
    Engine Labs will analyze how fast a page on your site is loading
    and give you tips on how to improve it. There are other ways to improve your ranking
    in Googlemaps, the purpose of this blog post is not to tell you
    EVERYTHING Frederick Web Promotions can do to improve your
    ranking, the purpose of this particular blog post is to:.

  15. cash for house houston Says:

    June 30th, 2014 at 10:21 am

    I like the valuable information you provide in your
    articles. I’ll bookmark your blog and check again here frequently.

    I am quite certain I will learn plenty of
    new stuff right here! Best of luck for the next!

  16. Houston Foundation Repair Pros. LLC. Says:

    July 8th, 2014 at 6:58 pm

    Houston Foundation Repair Pros. LLC….

    What inbound ports do I need to open on my firewall for SBS 2011 Standard?…

  17. web site Says:

    July 26th, 2014 at 1:51 am

    What’s Taking place i’m new to this, I stumbled upon this I have discovered It positively helpful and
    it has helped me out loads. I’m hoping to contribute
    & help other customers like its helped me. Great job.

  18. site Says:

    July 26th, 2014 at 7:04 am

    Very nice post. I just stumbled upon your weblog and wanted to say that I have really enjoyed browsing your blog posts.
    In any case I will be subscribing to your rss feed and I hope you write again very soon!

  19. dish network Fontana, CA, California pay as you go Says:

    July 26th, 2014 at 5:56 pm

    What’s up everybody, here every one is sharing these kinds of know-how, so it’s nice to
    read this weblog, and I used to pay a visit this webpage daily.

  20. dish network Warren, MI, Michigan boxes Says:

    July 27th, 2014 at 9:19 am

    That is a very good tip particularly to those fresh to the blogosphere.
    Brief but very precise info… Thanks for sharing this one.
    A must read post!

  21. satilite internet Says:

    August 1st, 2014 at 9:17 am

    Currently it appears like Drupal is the preferred blogging platform out there right now.
    (from what I’ve read) Is that what you’re using on your blog?

  22. farmville 2 cheat codes for farm cash Says:

    August 2nd, 2014 at 8:49 am

    Everything is very open with a really clear description of the challenges.
    It was definitely informative. Your site is very helpful.
    Many thanks for sharing!

  23. farmville cheat generator password Says:

    August 13th, 2014 at 3:01 pm

    Fabulous, what a blog it is! This weblog presents helpful data to
    us, keep it up.

  24. concrete foundation crack repair Says:

    August 14th, 2014 at 11:13 am

    I think that is among the such a lot significant information for me.
    And i’m glad reading your article. But want to remark on few basic
    things, The website taste is perfect, the articles is in point
    of fact excellent : D. Excellent activity, cheers

    For an incredible answer please click the link to this post – concrete foundation crack repair

  25. fifa 14 crack skidrow v3 Says:

    August 21st, 2014 at 9:21 am

    Excellent post however , I was wondering if you could write a litte more on this subject?
    I’d be very thankful if you could elaborate a little bit
    further. Thanks!

  26. cheats sims 3 Says:

    August 22nd, 2014 at 4:57 pm

    Fine way of explaining, and good piece of writing to obtain information about my presentation subject, which i am going to convey in university.

    my weblog cheats sims 3

  27. GT RACING 2 HACK download Says:

    August 24th, 2014 at 10:06 am

    Thankfulness to my father who stated to
    me about this blog, this webpage is really awesome.

    My website … GT RACING 2 HACK download

  28. how do i get platinum in warframe Says:

    August 26th, 2014 at 8:42 pm

    I think this is one of the most vital info for me.
    And i am glad reading your article. But wanna remark on few general things, The site style is great, the articles is really nice : D.
    Good job, cheers

    my site; how do i get platinum in warframe

  29. far cry 4 download free pc Says:

    August 30th, 2014 at 5:02 pm

    Greate pieces. Keep writing such kind of information on your site.
    Im really impressed by your site.
    Hello there, You’ve performed an excellent job. I will certainly digg it and individually suggest to my friends.
    I’m confident they will be benefited from this web site.

    my site :: far cry 4 download free pc

  30. for news on natural skin care click this Says:

    September 7th, 2014 at 11:16 pm

    for news on natural skin care click this…

    What inbound ports do I need to open on my firewall for SBS 2011 Standard?…

Leave a Reply

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>