Using the Windows Firewall with RMS


If you are using the Windows Firewall shipped with Windows Server 2003 Service Pack 1, you probably already know that you must create firewall exceptions on each server in your RMS environment in order for RMS to function correctly. If not, read on.

 

When the Windows Firewall is turned on, it blocks all unsolicited inbound packets to the server. Depending on how your RMS environment is configured, several firewall exceptions must be created. Let’s run through the different scenarios:

 

On your Active Directory domain controllers, you must create exceptions for TCP ports 389 (used for LDAP queries to Active Directory) and TCP 3268 (the communication port for the Active Directory global catalog server). These ports exceptions are the minimum that RMS requires. It is likely that if the Windows Firewall is enabled on a domain controller several other non-RMS related ports will have to be opened as well.

 

On the RMS server, you must open either TCP port 80 (used for HTTP communication) or TCP port 443 (used for HTTPS). If SSL is used in your RMS environment, you should use TCP 443.Otherwise, use TCP port 80.

 

If your Logging database is on the same server as your RMS installation, you don’t have to create any additional port exceptions. However, if they are installed on different servers, you will have to open TCP ports 1433 and 445. TCP port 1433 is the default port for the SQL server listener and TCP port 445 is the port used for provisioning the SQL server via Named Pipes.

 

It’s very important to scope these exceptions correctly. If you are not using RMS outside of your organization’s network, you should scope the firewall in such a way that all packets destined to these ports are dropped from computers that are not on your organization’s network. However, if you are using the RMS Extranet cluster URL, it is likely that the RMS port (either TCP 80 or TCP 443) will need to be exposed to the Internet. Additionally, TCP port 445 should never be allowed on the Internet since this is also the file sharing port for all operating systems Windows 2000 and later.

 

Feel free to let us know what you think by posting comments.

 

Brian Lich


Comments (3)
  1. BigJimInDC says:

    All the buzz lately is about Windows Vista, Windows XPS (XML Paper Spec), Office 12, etc., and you’re posting blog entries on how to get RMS and Windows Firewall to work together. Must be something wrong with me.

    Please, start discussing things that don’t belong in TechNet articles, as this blog post does. Please cover MSFT advancements in DPRL, XrML, RMS version 2.0 (hopefully part of Vista), and XPS’s support of dynamic watermarking.

  2. Yuri says:

    Hello, Brian.

    I have just found the RMS team blog and would like to comment upon your previous post. Unfortunately comments are disabled now.

    So, I work in telecom sector and we are currently using the RMS system yet inside the company (with nCipher HSM).

    I and my collegue have recently tried to enable SSL after RMS is provisioned in a test environment.

    To do this:

    1) we changed 2 records in the configuration database – 1st that indicates the location of licensing server (replaced http with https) and 2nd is an exported XML for the certificate request to Microsoft. In that XML we also replaced http with https.

    2) Then renewed the RMS server certificate.

    3) Enabled SSL on IIS.

    4) Reconfigured Service connection point

    5) And launched Office

    Finally the system seems to be working via SSL.

    What could you say about this scenario?

    Also I have some other questions RMS and suggestions for improvement too (they are not related to the current post’s topic).

    So if you should have time and interest to look at them feel free to say.

    Regards,
    Yuri.

  3. Yuri says:

    Hello, Brian. I have just found the RMS team blog and would like to comment upon your previous post. Unfortunately comments are disabled now. So, I work in telecom sector and we are currently using the RMS system yet inside the company (with nCipher HSM). I and my collegue have recently tried to enable SSL after RMS is provisioned in a test environment. To do this: 1) we changed 2 records in the configuration database – 1st that indicates the location of licensing server (replaced http with https) and 2nd is an exported XML for the certificate request to Microsoft. In that XML we also replaced http with https. 2) Then renewed the RMS server certificate. 3) Enabled SSL on IIS. 4) Reconfigured Service connection point 5) And launched Office Finally the system seems to be working via SSL. What could you say about this scenario? Also I have some other questions RMS and suggestions for improvement too (they are not related to the current post’s topic). So if you should have time and interest to look at them feel free to say. Regards, Yuri.

Comments are closed.

Skip to main content