6

As the result of a recent penetration test, in which we did not fare well, it has been brought to my attention that our internet facing, all-roles-in-one, Exchange 2010 SP3 server has no firewall in place, and is therefore completely exposed to the internet. I verified the results myself, and it is indeed pretty bad. SMB, LDAP, remote registry, RDP, and every other default service you'd find in a Windows Active Directory environment are exposed to the internet through our Exchange server.

Naturally, I'd like to fix this, and plan to do so with Windows Firewall, but in Googling about, all I've been able to find on point from official sources are port references which seem to apply to internal Exchange traffic, and a Technet blog posting saying not to use those references to configure your firewalls, because the only supported configuration between Exchange servers is the equivalent of an ANY:ANY allow rule. :/

Given that we use ActiveSync, OWA, IMAP, calendar/address book sharing, autodiscover and Outlook client access, does anyone know what firewall rules are required for an all-roles-in-one Exchange server that's internet facing? (Bonus points in the form of a small bounty to anyone who has an official MS source, too.)

Off the top of my head, with a bunch of experience as an accidental Exchange admin and accidental IT security guy, I've come up with the list below (which seems both too long and too short to me), but before I go and potentially break email for a thousand whiny users, I'd really like some verification of what I'm planning to do.

TCP:25 for SMTP
TCP:465 for SMTPS
TCP:587 for SMTP
TCP:80 for OWA http to https redirect
TCP:443 for https/OWA/ActiveSync/EWS/Autodiscover
TCP:143 for Endpoint Mapper/IMAP4 Client Access
TCP:993 for IMAP4 Client Access (also)
TCP:110 for POP3 (because some technological dinosaur of a VIP probably uses POP3 at his beach house/ski cabin/wherever)
TCP:995 for POP3 (because some technological dinosaur of a VIP probably uses POP3 at his beach house/ski cabin/wherever)
HopelessN00b
  • 53,385
  • 32
  • 133
  • 208

2 Answers

12

What mfinni said, except that we forward three ports to a behind-the-firewall all-in-one Exchange box:

25:  SMTP
80:  HTTP (redirect to OWA HTTPS)
443: HTTPS

This works fine for people with Androids, iPhones, etc. Generally, people at home use OWA or their phone, anyway.

Edit: Since you asked for a Microsoft source, this is a link to a TechNet article on firewalls and SBS 2008, which has an all in one Exchange config. They recommend:

Service or Protocol     Port
SMTP e-mail             TCP 25
HTTP Web traffic        TCP 80
HTTPS Web traffic       TCP 443
SharePoint Services     TCP 987
VPN                     TCP 1723
Remote Desktop Protocol TCP 3389

You clearly don't need SharePoint, VPN, or RDP, which leaves 25, 80, and 443.

And here's a link for SBS 2011, which has Exchange 2010. Same ports (minus RDP).

Katherine Villyard
  • 18,510
  • 4
  • 36
  • 59
  • 1
    SBS documentation - brilliant! Someone's getting a bounty in a couple days. :) – HopelessN00b Dec 17 '14 at 22:15
  • 1
    Woohoo! Librarian power engage! :) – Katherine Villyard Dec 17 '14 at 22:28
  • 1
    What about 6001, 6002, and 6004 for outlook anywhere? – austinian Dec 18 '14 at 15:27
  • We're not using Outlook anywhere, but the articles I'm finding say you only need 443. https://social.technet.microsoft.com/Forums/exchange/en-US/4ccb31e3-41f3-469d-984e-ea10468cb340/what-ports-i-need-to-open-on-firewall-to-allow-outlook-anywhere-on-exchange-2010?forum=exchangesvrclientslegacy http://exchangeserverpro.com http://www.petenetlive.com/KB/Article/0000519.htm/how-to-configure-exchange-server-2010-outlook-anywhere/ – Katherine Villyard Dec 18 '14 at 17:06
  • 1
    Pretty sure OA really just uses 443 -- our perimeter firewall only allows 80 and 443 to our CAS boxes, and 80 is only there so it can redirect OWA to 443. – Hunter Eidson Dec 18 '14 at 17:18
  • Okay, so... without updating any ports, I can use Outlook Anywhere. Of course, I'm using 2007, not 2010, but the SBS docs for 2011 didn't ask me to add those ports. – Katherine Villyard Dec 18 '14 at 22:59
9

That looks mostly correct for a wide-open all-protocols implementation. Some suggestions:

Unless you have mail clients, with a business justification, that require all that, limit it to just 25, 80, 443. Don't allow POP access, that's a plaintext password. Don't allow client SMTP access, that's a plaintext password. (Of course, to accept mail from the internet, you need TCP 25 open.)

Anyone using a mobile device or Outlook Anywhere will be using HTTPS for Outlook Anywhere or EWS/ActiveSync.

If we wanted to write a whole essay on security, you'd be accepting email to an MX record that is not part of your domain, and your Exchange server would only accept TCP 25 from that/those hosts. You could use Edge Transport, or a 3rd-party product, or a hosted service.

mfinni
  • 35,711
  • 3
  • 50
  • 86
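An added worked example, not code from either answer or from Microsoft: the "25, 80, 443 from the internet, everything from inside" policy that both answers above land on, expressed as Windows Firewall configuration for a single-NIC all-roles Exchange 2010 host. Assumptions: the `$InternalNets` ranges are placeholders you replace with your own address space; you run this elevated on the Exchange server with the Windows Firewall service (MpsSvc) running; and because a domain-joined single-NIC box always lands in the Domain profile, the internal/external split is done by remote-address scoping rather than by profile. The part practitioners usually miss is step 2: Exchange setup, Remote Desktop and File and Printer Sharing have already created enabled inbound allow rules with remote address "any", and those rules keep winning over a block-by-default profile.

```powershell
# Added example (not from the original post). Restrict an all-roles Exchange 2010 host to
# TCP 25/80/443 from the internet while keeping the unrestricted access Microsoft expects
# between Exchange, its domain controllers and internal clients.
# ASSUMPTIONS: $InternalNets are placeholder ranges; run elevated on the Exchange server;
# single NIC, so scoping is by remote address, not by firewall profile.
param([switch]$Apply)   # default is report-only; pass -Apply to change the live firewall

$InternalNets = @('10.0.0.0/8', '192.168.0.0/16')   # ASSUMPTION: replace with your ranges
$PublicTcp    = @(25, 80, 443)                       # SMTP in, OWA http->https redirect, HTTPS (OWA/EAS/EWS/OA)
$PublicPrefix = 'Exchange public TCP '
$internal     = $InternalNets -join ','

# 1. Firewall on, inbound default = block, then explicit allows. Order of creation does not matter:
#    Windows Firewall evaluates block rules, then allow rules, then the profile default.
$commands = @(
    'netsh advfirewall set allprofiles state on',
    'netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound',
    "netsh advfirewall firewall add rule name=`"Exchange internal any`" dir=in action=allow remoteip=$internal"
)
foreach ($p in $PublicTcp) {
    $commands += "netsh advfirewall firewall add rule name=`"$PublicPrefix$p`" dir=in action=allow protocol=TCP localport=$p remoteip=any"
}
foreach ($c in $commands) {
    Write-Host $c
    if ($Apply) { Invoke-Expression $c | Out-Null }
}

# 2. The trap: every other ENABLED inbound ALLOW rule whose RemoteAddresses is '*' (any) still
#    admits the internet, regardless of the block-by-default profile. That covers the MSExchange*
#    rules created by setup (RPC, SMB-based paths), Remote Desktop, File and Printer Sharing.
#    Re-scope each of them to the internal ranges instead of deleting them.
$fw = New-Object -ComObject HNetCfg.FwPolicy2
$NET_FW_RULE_DIR_IN = 1; $NET_FW_ACTION_ALLOW = 1
$exposed = @($fw.Rules | Where-Object {
    $_.Enabled -and $_.Direction -eq $NET_FW_RULE_DIR_IN -and $_.Action -eq $NET_FW_ACTION_ALLOW -and
    $_.RemoteAddresses -eq '*' -and $_.Name -notlike "$PublicPrefix*"
})
foreach ($r in $exposed) {
    # Protocol is the IANA number as stored by the COM API: 6 = TCP, 17 = UDP, 256 = any
    Write-Host ("{0,-60} proto={1} ports={2}" -f $r.Name, $r.Protocol, $r.LocalPorts)
    if ($Apply) {
        try   { $r.RemoteAddresses = $internal }   # writes straight to the live policy store
        catch { Write-Warning "Could not re-scope '$($r.Name)' (Group Policy-managed?): $_" }
    }
}
Write-Host ("{0} rule(s) currently accept any remote address on ports other than {1}" -f $exposed.Count, ($PublicTcp -join '/'))
if (-not $Apply) { Write-Host 'Report only. Re-run with -Apply to change the firewall.' }
```

Run it once without `-Apply` and read the list: anything you do not want scoped to internal (for instance some Core Networking entries on a host whose public interface uses DHCP) should be excluded by name before the second run, and the Remote Desktop rule in that list is your own session if you are administering the box over RDP from outside, so have console or out-of-band access ready. After `-Apply`, verify from an external address that only 25, 80 and 443 answer, and from an internal address that Outlook MAPI/RPC and the domain-controller traffic still work.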
  • No 143/993 for IMAP access? – HopelessN00b Dec 17 '14 at 21:00
  • 1
    Only if you have clients that actually need it from outside - what the hell are you using, Eudora? :-) 143 is plaintext password so there's your next audit failure. At least 993 is SSL, if you need it and the clients support it. – mfinni Dec 17 '14 at 21:02
  • 1
    Don't both port 143 IMAP and 110 POP3 allow for STARTTLS upgrades by default on Exchange? – HBruijn Dec 17 '14 at 21:04
  • I agree, only open what you are going to use and use SSL. Don't take a shortcut and open everything. – jmoyer8 Dec 17 '14 at 21:05
  • 1
110 is for POP3, but I suggest only opening the secure port, 995, same for SMTP (587). The 25 is your receive connector. – yagmoth555 Dec 17 '14 at 21:05
Yes, I believe the insecure ports all allow STARTTLS. Do you actually have client software in-use that supports it and is configured to use it? You also, AFAIK, can't disallow non-encrypted sessions on the plaintext ports. – mfinni Dec 17 '14 at 21:07
  • @mfinni Hmm, not actually sure about the non-secure ports. Probably best to allow them for the time being and block access a little later to see who screams. – HopelessN00b Dec 17 '14 at 21:11
  • There is protocol logging you can enable to see what's actually used and by whom. – mfinni Dec 17 '14 at 21:15
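An added example, not from anyone in the thread, for the "block it later and see who screams" approach discussed above: turn on Exchange 2010 protocol logging, then triage the POP3/IMAP4 logs to find which sessions come from outside the internal ranges, on which port, as which user, and whether they ever issued STLS/STARTTLS. Assumptions: the `Set-*Settings`/`Set-ReceiveConnector` calls need the Exchange Management Shell and are skipped elsewhere; `$Internal` holds placeholder ranges; the log lines embedded below are constructed to match the `#Fields:` layout of Exchange 2010 POP3/IMAP4 protocol logs and are not real logs. Receive-connector (SMTP, ports 25/587) logs use a different column layout and are not parsed here.

```powershell
# Added example (not from the original post). Who actually uses POP3/IMAP4 from outside,
# and do they negotiate TLS? Answer that from the protocol logs before closing 110/143.
# ASSUMPTIONS: Exchange cmdlets only when run in the Exchange Management Shell;
# $Internal is a placeholder; the sample log lines at the bottom are CONSTRUCTED.

# 1. Enable protocol logging (restart MSExchangePOP3 / MSExchangeIMAP4 afterwards).
if (Get-Command Set-ImapSettings -ErrorAction SilentlyContinue) {
    Set-PopSettings  -ProtocolLogEnabled $true
    Set-ImapSettings -ProtocolLogEnabled $true
    Get-ReceiveConnector | Set-ReceiveConnector -ProtocolLoggingLevel Verbose
}

$Internal       = @('10.0.0.0/8', '192.168.0.0/16')   # ASSUMPTION: replace with your ranges
$PlaintextPorts = @(110, 143)                          # credentials in the clear unless STLS/STARTTLS

function Test-InternalIp([string]$ip, [string[]]$cidrs) {
    # IPv4 only; anything else is treated as external so it shows up in the report
    $addr = [Net.IPAddress]$ip
    if ($addr.AddressFamily -ne 'InterNetwork') { return $false }
    $v = [int64]0; foreach ($b in $addr.GetAddressBytes()) { $v = $v * 256 + $b }
    foreach ($c in $cidrs) {
        $net, $bits = $c -split '/'
        $n = [int64]0; foreach ($b in ([Net.IPAddress]$net).GetAddressBytes()) { $n = $n * 256 + $b }
        $mask = [int64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
        if (($v -band $mask) -eq ($n -band $mask)) { return $true }
    }
    return $false
}

function Get-ClientSessions([string[]]$logLines) {
    # POP3/IMAP4 protocol logs are CSV; the '#Fields:' header names the columns.
    $fields = (($logLines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1) -replace '^#Fields:\s*', '') -split ','
    $rows   = $logLines | Where-Object { $_ -and $_ -notlike '#*' } | ConvertFrom-Csv -Header $fields
    $sessions = @{}
    foreach ($r in $rows) {
        if (-not $sessions.ContainsKey($r.sessionId)) {
            $sessions[$r.sessionId] = New-Object PSObject -Property @{
                SessionId  = $r.sessionId
                ServerPort = [int](($r.sIp -split ':')[-1])   # 110/143 plaintext, 995/993 implicit TLS
                ClientIp   = ($r.cIp -split ':')[0]
                User       = ''
                Tls        = $false
            }
        }
        $s = $sessions[$r.sessionId]
        if ($r.user) { $s.User = $r.user }
        if ($r.command -match '^(stls|starttls)$') { $s.Tls = $true }   # session upgraded to TLS
    }
    foreach ($s in $sessions.Values) {
        $ext = -not (Test-InternalIp $s.ClientIp $Internal)
        $s | Add-Member -MemberType NoteProperty -Name External  -Value $ext
        $s | Add-Member -MemberType NoteProperty -Name Plaintext -Value (($PlaintextPorts -contains $s.ServerPort) -and -not $s.Tls)
    }
    $sessions.Values
}

# 2. CONSTRUCTED sample in the Exchange 2010 POP3 log layout (replace with Get-Content of a real log).
$sample = @(
    '#Software: Microsoft Exchange Server',
    '#Log-type: POP3 Log',
    '#Fields: dateTime,sessionId,seqNumber,sIp,cIp,user,duration,rqsize,rpsize,command,parameter,context',
    '2014-12-17T08:15:02.123Z,000000000000A001,0,10.0.0.12:110,203.0.113.45:51234,,0,0,0,OpenSession,,',
    '2014-12-17T08:15:02.300Z,000000000000A001,1,10.0.0.12:110,203.0.113.45:51234,,0,11,8,user,alice,',
    '2014-12-17T08:15:02.450Z,000000000000A001,2,10.0.0.12:110,203.0.113.45:51234,alice,20,11,8,pass,*****,',
    '2014-12-17T08:20:11.000Z,000000000000A002,0,10.0.0.12:995,198.51.100.7:40022,,0,0,0,OpenSession,,',
    '2014-12-17T08:20:11.200Z,000000000000A002,1,10.0.0.12:995,198.51.100.7:40022,bob,18,9,8,user,bob,',
    '2014-12-17T08:31:00.000Z,000000000000A003,0,10.0.0.12:110,10.0.5.20:50001,,0,0,0,OpenSession,,',
    '2014-12-17T08:31:00.100Z,000000000000A003,1,10.0.0.12:110,10.0.5.20:50001,,0,6,8,stls,,',
    '2014-12-17T08:31:00.400Z,000000000000A003,2,10.0.0.12:110,10.0.5.20:50001,carol,22,11,8,user,carol,'
)
$sessions = Get-ClientSessions $sample
$sessions | Sort-Object External, Plaintext | Format-Table ServerPort, ClientIp, External, User, Tls, Plaintext -AutoSize
$breaks = @($sessions | Where-Object { $_.External -and ($PlaintextPorts -contains $_.ServerPort) })
Write-Host ("{0} external session(s) on 110/143 would stop working; users: {1}" -f $breaks.Count, (($breaks | ForEach-Object { $_.User }) -join ', '))
```

In the constructed sample the report flags alice (external, port 110, no STLS, password in the clear), leaves bob alone (995 is TLS from the first byte) and shows carol as internal and upgraded, which is the kind of list you want in hand before the ports close. Two things worth knowing while reading the real logs: the POP3/IMAP4 services only expose STLS/STARTTLS when a certificate is bound to them (`Set-PopSettings`/`Set-ImapSettings -X509CertificateName`), and their `-LoginType` parameter, whose default is `SecureLogin`, refuses authentication on 110/143 until the session has been upgraded to TLS, so the service itself can be made to reject clear-text logons even while the ports stay open.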