Topic Last Modified: 2009-01-21

The Microsoft Exchange Best Practices Analyzer reads the following registry entries to determine the ports that are used by the Active Directory Application Mode (ADAM) directory service on the Edge Transport server:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\v8.0\EdgeTransportRole\AdamSettings\MsExchangeAdam\LdapPort

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\v8.0\EdgeTransportRole\AdamSettings\MsExchangeAdam\SslPort

ADAM is a Lightweight Directory Access Protocol (LDAP) directory service that is designed specifically for use with directory-enabled applications. ADAM stores and replicates only application-specific information and does not require deployment on a domain controller or depend on the Active Directory directory service. ADAM does not provide network operating system authentication or authorization.

In Microsoft Exchange Server 2007, the Edge Transport server role uses ADAM to store configuration information and recipient data for content filtering. When ADAM is synchronized with Active Directory, it can also be used to perform recipient lookup for message security.

When data is sent to ADAM from Active Directory, it is sent by using an LDAP connection through the following nondefault ports:

When the Exchange Analyzer identifies the ports that are used by ADAM, the Analyzer generates a best practices message.

As a best practice, we recommend blocking all nonessential ports to outside access.

To address this issue, check that the ports that are identified by the Exchange Analyzer as used for ADAM are not open to outside access.

Caution:
Port 50636/TCP is used for the Exchange EdgeSync service and should remain open if EdgeSync functionality is desired.
To block the identified ADAM ports to outside access using Windows Firewall
  1. Click Start, Run, type firewall.cpl, and then click OK.

  2. Click the Exceptions tab.

  3. Select each Program or Service listed in the Name box and then click Edit to review the ports that are open.

  4. Verify that the ports reported by the Exchange Analyzer as used for ADAM are not listed.

  5. If the identified ports are listed, make sure that they are not used for other necessary communication, and close them by deselecting them in the Edit a Service window.

  6. Click OK two times to exit Windows Firewall configuration.
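The same check done from the command line, as an added example that is not part of this article: it reads the two registry values the Analyzer reads and then lists any enabled inbound Windows Firewall "Allow" rules that open those ports. It assumes Windows Server 2008 or later (the netsh advfirewall context rather than the firewall.cpl Exceptions tab) and English-language netsh output; the registry path is the one named above.

```powershell
# Added example, not the article's own code. Read the ADAM ports ExBPA checks.
$base = 'HKLM:\SOFTWARE\Microsoft\Exchange\v8.0\EdgeTransportRole\AdamSettings\MsExchangeAdam'
$cfg  = Get-ItemProperty -Path $base -Name LdapPort, SslPort -ErrorAction Stop
$adamPorts = @{ LdapPort = [int]$cfg.LdapPort; SslPort = [int]$cfg.SslPort }

# Parse "netsh advfirewall firewall show rule" output (assumed English labels)
# into objects holding Name, Enabled, Action and LocalPort for each inbound rule.
$rules = @(); $cur = $null
netsh advfirewall firewall show rule name=all dir=in | ForEach-Object {
    if ($_ -match '^Rule Name:\s*(.+)$') {
        if ($cur) { $rules += $cur }
        $cur = [pscustomobject]@{ Name = $matches[1].Trim(); Enabled = ''; Action = ''; LocalPort = '' }
    } elseif ($cur -and $_ -match '^(Enabled|Action|LocalPort):\s*(.+)$') {
        $cur.($matches[1]) = $matches[2].Trim()
    }
}
if ($cur) { $rules += $cur }

# Return $true when a LocalPort field ("Any", "50389", "50389,50636", "5000-5010") covers $port.
function Test-PortCovered([string]$localPort, [int]$port) {
    if ($localPort -eq 'Any') { return $true }
    foreach ($item in ($localPort -split ',' | ForEach-Object { $_.Trim() })) {
        if ($item -eq "$port") { return $true }
        if ($item -match '^(\d+)-(\d+)$' -and [int]$matches[1] -le $port -and $port -le [int]$matches[2]) { return $true }
    }
    return $false
}

foreach ($entry in $adamPorts.GetEnumerator()) {
    $port = $entry.Value
    $open = $rules | Where-Object { $_.Enabled -eq 'Yes' -and $_.Action -eq 'Allow' -and (Test-PortCovered $_.LocalPort $port) }
    if ($open) {
        $names = ($open | Select-Object -ExpandProperty Name) -join '; '
        Write-Output ("{0} {1}/TCP is opened by enabled inbound rule(s): {2}" -f $entry.Key, $port, $names)
        # Per the caution above: 50636/TCP carries EdgeSync and must stay open if EdgeSync is used.
        if ($port -eq 50636) { Write-Output "  Note: 50636/TCP is used by EdgeSync; keep it open if EdgeSync is required." }
    } else {
        Write-Output ("{0} {1}/TCP: no enabled inbound Allow rule found." -f $entry.Key, $port)
    }
}
```

A rule that opens the port only to specific remote addresses (the RemoteIP field) still appears here; review those rules manually rather than closing them outright.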

For More Information

For more information about ports, authentication and encryption for all data paths used by Exchange 2007, see Data Path Security Reference.