Cisco Support Community
New Member

Exchange 2000 in DMZ won't work

We are having a problem putting an Exchange 2000 server in a DMZ on a PIX 525. We have opened all ports (TCP, UDP and ICMP) to all servers on the inside. The Exchange server passes all the netdiag tests and appears to be able to communicate. However, the Information Store on the Exchange 2000 server will not start. When we take the firewall out of the puzzle, the Information Store starts up fine. Has anyone experienced this problem or know anything? We are running 6.2.1.


Re: Exchange 2000 in DMZ won't work

Can you put a sniffer on the subnet to see what the server is trying to do? Also, are you using NAT between them (i.e., are the servers seeing each other as on the same subnet, or are you not using NAT)?


New Member

Re: Exchange 2000 in DMZ won't work

We share at least the same problem. I have a 501 PIX firewall with 1 email server on the inside. It worked well until I configured PPTP on it, then it just ceased to function after a while. Surfing is fine, but if I inject a static statement, the email server will not be able to surf and will not receive email from the outside. I removed the PPTP statements but it still didn't work until I cleared the configuration and configured it again from scratch. After that, it went fine. I will burn-test it for a while before I configure PPTP back.

I'm just confused why it needed to be configured from scratch to make it work. Does that mean that I need to start from the beginning every time I add some configuration? Sounds illogical. I hope they can shed some light on this one.

New Member

Re: Exchange 2000 in DMZ won't work

Please send us how you're building your "translation slots". I think your problem is in this direction.

New Member

Re: Exchange 2000 in DMZ won't work

Open up the following ports.

Make sure you open up:

445 (TCP) - Server message block (SMB) for Netlogon, LDAP conversion and distributed file system (Dfs) discovery.

3268 (TCP) - LDAP to global catalog servers.

389 (TCP, UDP) - Lightweight Directory Access Protocol (LDAP).

135 (TCP) - EndPointMapper.

123 (TCP) - Windows Time Synchronization Protocol (NTP).

88 (Transmission Control Protocol [TCP], UDP) - Kerberos authentication

53 (Transmission Control Protocol [TCP], User Datagram Protocol [UDP]) - Domain Name System (DNS).

Make this change to the registry:

Locate the following key in the registry:


On the Edit menu, click Add Value, and then add the following registry value:

Value Name: TCP/IP Port

Data Type: REG_DWORD

Radix: Decimal

Value: greater than 1024


Using Active Directory sites and tools, create a site name and subnet for the DMZ.

New Member

Re: Exchange 2000 in DMZ won't work

Yes, I did have this exact problem upgrading from OS 6.1 to 6.2.

The problem is not due to the access lists but to the fixup of the LDAP protocol, which was added in version 6.2.

Disable it (no fixup protocol) and it will work fine.

Also make sure you have disabled fixup of the SMTP protocol; that could cause problems too.

For the rest, I warmly recommend closing up all unneeded ports.

Please let me know if it helped.
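
[Added example, not part of any post in this thread.] The port list posted earlier and the advice above to close unneeded ports combine into a narrow access list in place of "all ports open". This sketch generates PIX `access-list` lines from that list; the ACL name, the host addresses and the pinned port are constructed placeholders, and it assumes the "TCP/IP Port" registry value from the earlier post is the fixed port the firewall must additionally allow.

```python
# Added example: build a narrow PIX ACL from the port list posted in this thread.
# ACL name, host addresses and the pinned port are constructed placeholders.

# (port, protocols, purpose) as listed in the thread
THREAD_PORTS = [
    (445, ("tcp",), "SMB / Netlogon"),
    (3268, ("tcp",), "LDAP to global catalog"),
    (389, ("tcp", "udp"), "LDAP"),
    (135, ("tcp",), "RPC endpoint mapper"),
    (123, ("tcp",), "time sync as posted; NTP normally uses UDP 123, verify"),
    (88, ("tcp", "udp"), "Kerberos"),
    (53, ("tcp", "udp"), "DNS"),
]

def build_acl(acl_name, exchange_ip, dc_ips, pinned_port):
    """Return access-list lines that permit only the listed services from
    the DMZ Exchange host to each inside domain controller."""
    if not 1024 < pinned_port <= 65535:
        raise ValueError("pinned port must be greater than 1024")
    rules = THREAD_PORTS + [(pinned_port, ("tcp",), "fixed port from registry value")]
    lines = []
    for dc in dc_ips:
        for port, protos, _purpose in rules:
            for proto in protos:
                lines.append(f"access-list {acl_name} permit {proto} "
                             f"host {exchange_ip} host {dc} eq {port}")
        # Explicit deny toward this DC so hit counters expose anything else
        # the server tries; other flows (e.g. SMTP) need their own entries.
        lines.append(f"access-list {acl_name} deny ip host {exchange_ip} host {dc}")
    return lines

def covered(lines, proto, port):
    """Audit helper: True if some permit line allows proto/port."""
    return any(l.split()[2:4] == ["permit", proto] and l.endswith(f" eq {port}")
               for l in lines)

if __name__ == "__main__":
    # Constructed sample values (documentation address ranges).
    for line in build_acl("dmz_in", "192.0.2.10", ["198.51.100.5"], 5000):
        print(line)
```

The generated lines would be bound to the DMZ interface with `access-group`; comparing ACL hit counts against the explicit deny shows which listed ports the server actually uses.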


New Member

Re: Exchange 2000 in DMZ won't work

Makes sense. We are going to try this. I will let you know the outcome.

