Port 593: HTTP RPC Endpoint Mapper — The firewall disguise

What This Port Does

Port 593 carries RPC (Remote Procedure Call) traffic disguised as HTTP. When Outlook needs to talk to an Exchange server but there's a firewall in the way that only allows web traffic, port 593 is how it gets through. The firewall sees HTTP. What's actually flowing is Microsoft's DCOM protocol—the system that lets programs on different computers call functions on each other as if they were local.¹

This is the HTTP RPC Endpoint Mapper. It tells clients where to find the actual RPC services they're looking for, but does it over HTTP instead of the native RPC protocol on port 135.

The Problem It Solved

By 2003, corporate networks had a problem. Employees needed to access email from outside the office. VPNs existed, but they were slow, unreliable, and required IT support calls every time someone's token expired or their client software broke.

Meanwhile, web traffic on port 80 and 443 flowed freely through every firewall. The web was trusted. Everything else was suspect.

Microsoft's solution: make Outlook look like a web browser. RPC over HTTP wrapped remote procedure calls in HTTP packets. Port 593 was part of this system—specifically for the endpoint mapper service that helped clients discover where Exchange services actually lived on the network.²

The firewall saw HTTP traffic and let it through. The Exchange server unwrapped the RPC calls and processed them normally. Nobody had to open additional ports or configure VPN clients.

How It Actually Works

When Outlook connects using RPC over HTTP:

1. Discovery — Outlook contacts port 593 to find the RPC endpoint mapper
2. Mapping — The endpoint mapper tells Outlook which ports the actual Exchange services are listening on
3. Tunneling — All subsequent RPC traffic flows through an HTTP tunnel, typically through an RPC proxy server
4. Translation — The RPC proxy unwraps the HTTP and forwards native RPC to the Exchange server

The entire conversation looks like web traffic to any firewall or network monitor in between. Port 593 specifically handles the initial discovery phase—helping Outlook find the services it needs before the main communication channel opens.³

The Security Reality

Port 593 and the broader RPC system it serves have a complicated security history. MSRPC is consistently listed as one of the most dangerous services on Windows because of the level of control it can grant an attacker. RPC vulnerabilities have been exploited in some of the most damaging worms in Internet history.

If you're not running Exchange or other services that specifically require RPC over HTTP, port 593 should be closed. There's no reason to leave it listening.⁴

For systems that do need it, the standard security measures apply:

• Only allow connections from known client IP ranges
• Require authentication for all RPC connections
• Use HTTPS (port 443) instead of plain HTTP when possible
• Monitor for unusual connection patterns

The irony is that port 593 exists to bypass firewall restrictions, but then requires its own firewall rules to stay secure. You're punching a hole through your perimeter defense and hoping the authentication layer holds.

The Replacement

In 2014, Microsoft introduced MAPI over HTTP as a more modern replacement for RPC over HTTP. By October 31, 2017, RPC over HTTP was officially deprecated for Exchange Online.⁵

MAPI over HTTP is simpler, more reliable through unstable connections, and doesn't require the complex endpoint mapping that port 593 provided. Modern Exchange deployments don't need this port anymore.

But for organizations still running older Exchange servers—2010, 2013, even some 2016 deployments—port 593 might still be part of the infrastructure. Technical debt has a long half-life in enterprise environments.

Related Ports

• Port 135 — The main RPC endpoint mapper for native (non-HTTP) RPC connections
• Port 80/443 — Where the actual RPC over HTTP traffic flows after endpoint discovery
• Port 139/445 — SMB, which can also expose RPC endpoints

Checking What's Listening

On Windows, see if anything is listening on port 593:

netstat -ano | findstr :593

On Linux or macOS:

lsof -i :593
netstat -an | grep 593

If you see something listening and you're not running Exchange or a specific application that requires RPC over HTTP, investigate what's bound to that port and why.

Why This Port Matters

Port 593 represents a specific type of solution to a specific type of problem: when security policy and practical necessity collide, somebody builds a tunnel. The firewall says "no RPC traffic." The business says "employees need email from home." Engineering says "what if we wrapped it in HTTP?"

And for more than a decade, it worked. Millions of Outlook clients connected through port 593 to Exchange servers that were technically unreachable behind firewalls. The disguise held.

Eventually the technology moved on. MAPI over HTTP is cleaner, more efficient, and doesn't need the endpoint mapping complexity. But port 593 was the bridge that kept corporate email working while the Internet figured out better ways to handle remote access.

If you find it listening on your network today, it's either legacy infrastructure that hasn't been upgraded yet, or something you should investigate immediately.