SteelHead™ Deployment Guide - Protocols : Microsoft Exchange Email Optimization : MAPI Destination Port Handling
  
MAPI Destination Port Handling
If you place an Exchange server behind a firewall, you must use static MAPI ports for the firewall to statefully inspect traffic to and from the MAPI servers. Default dynamic port mapping is not available in this scenario. You must enable static MAPI ports to Exchange Client Access servers that are placed behind load balancers for RiOS to correctly track connections.
A typical MAPI connection has the following flow:
The client initiates a connection to the Exchange server on port 135. The EPM requests a dynamic port from the Exchange server.
The Exchange server responds with a dynamic port from which the client can connect to MAPI.
The client-side SteelHead intercepts the dynamic port response and moves it to port 7830. Port 7830 is the standard SteelHead MAPI port.
The client finishes initiating the MAPI connection with the client-side SteelHead.
The inner channel connection or optimized connection is established between the client-side SteelHead and server-side SteelHead.
The server-side SteelHead finishes the connection to the Exchange server on the dynamic port.
Figure 2‑18. Flow of a Typical MAPI Connection
In high-security environments it is desirable to hard code the Exchange server port in the event that multiple Exchange servers need multiple static ports. With a firewall between the clients and the Exchange server, an issued dynamic port cannot always be interpreted. The default behavior of the SteelHead is to remap the port to a single dynamic port. This causes a problem for MAPI servers running on multiple defined ports and the operation fails.
To disable the remapping capabilities of the MAPI software
  • On the client-side SteelHead, connect to the CLI and enter the following commands:
    • no protocol mapi port-remap enable
    write memory
    service restart
    After you disable remapping capabilities of the MAPI software, MAPI has the following flow:
    The client sends the EPM request to the Exchange server.
    The Exchange server responds with a static MAPI port.
    The client-side SteelHead intercepts the response.
    The client-side SteelHead issues the client the Exchange server address and the assigned static port.
    The client-side SteelHead finishes setting up the client side connection
    The inner channel between the client-side SteelHead and the server-side SteelHead is completed.
    The server-side SteelHead completes the connection to the Exchange server on the assigned static port.
    Figure 2‑19. MAPI Flow with Static Ports