Using the Windows Firewall with RMS

If you are using the Windows Firewall shipped with Windows Server 2003 Service Pack 1, you probably already know that you must create firewall exceptions on each server in your RMS environment in order for RMS to function correctly. If not, read on.

When the Windows Firewall is turned on, it blocks all unsolicited inbound packets to the server, so every port that another RMS component must reach needs an explicit exception. Which exceptions you need, and on which servers, depends on how your RMS environment is laid out. Let's run through the different scenarios:

On your Active Directory domain controllers, you must create exceptions for TCP port 389 (used for LDAP queries to Active Directory) and TCP port 3268 (the LDAP port of the Active Directory global catalog). These port exceptions are the minimum that RMS requires. If the Windows Firewall is enabled on a domain controller, several other ports unrelated to RMS will almost certainly have to be opened as well, for ordinary domain traffic such as authentication and replication.

On the RMS server, you must open either TCP port 80 (used for HTTP) or TCP port 443 (used for HTTPS). If SSL is used in your RMS environment, open TCP port 443; otherwise, open TCP port 80. Open only the one your cluster URL actually uses, not both.

If your logging database is on the same server as your RMS installation, you don't have to create any additional port exceptions. However, if they are on different servers, you will have to open TCP ports 1433 and 445 on the SQL Server. TCP port 1433 is the default port for the SQL Server listener (note that a named instance listens on a different, dynamically assigned port unless you have given it a static one), and TCP port 445 is the SMB port that Named Pipes connections travel over when RMS provisions the SQL Server.

It's very important to scope these exceptions correctly. If you are not using RMS outside your organization's network, scope each exception so that packets to these ports are accepted only from addresses on your organization's network and dropped from everywhere else. However, if you are using the RMS extranet cluster URL, the RMS web port (TCP 80 or TCP 443) will likely need to be reachable from the Internet; it is the only one of these ports that has any business being exposed. TCP port 445 in particular should never be allowed from the Internet, since it is also the file sharing (SMB) port on every version of Windows since Windows 2000.
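
Here is the whole procedure as one script, added to this post as an example rather than taken from the RMS documentation. It uses the `netsh firewall` context that ships with Windows Server 2003 SP1 (the `advfirewall` context does not exist there) and takes a role argument so that each server opens only what its role needs, with the scope set per exception. The corporate range 10.0.0.0/8, the two RMS server addresses, and the choice of HTTPS are assumptions; substitute your own.

```bat
@echo off
REM Added example, not part of the original post or of the RMS product.
REM Creates the Windows Firewall exceptions RMS needs on Windows Server 2003 SP1
REM with the "netsh firewall" context, scoped per exception.
REM Usage:  rmsfw.cmd dc | rms | rms-extranet | sql
REM Assumptions (change for your network):
REM   CORPNET    = the organization's address space (10.0.0.0/8 here)
REM   RMSSERVERS = the RMS servers that must reach the SQL Server
REM   The RMS cluster URL uses HTTPS (TCP 443); swap in the port 80 line if not.
setlocal
set CORPNET=10.0.0.0/255.0.0.0
set RMSSERVERS=10.1.2.10,10.1.2.11

if /i "%1"=="dc"           goto dc
if /i "%1"=="rms"          goto rms
if /i "%1"=="rms-extranet" goto rmsx
if /i "%1"=="sql"          goto sql
echo Usage: %~nx0 dc ^| rms ^| rms-extranet ^| sql
goto end

:dc
REM Domain controller: LDAP (389) and global catalog (3268), corporate network only.
REM Other domain traffic still needs its own exceptions; they are out of scope here.
netsh firewall add portopening protocol=TCP port=389  name="RMS LDAP"           mode=ENABLE scope=CUSTOM addresses=%CORPNET%
netsh firewall add portopening protocol=TCP port=3268 name="RMS Global Catalog" mode=ENABLE scope=CUSTOM addresses=%CORPNET%
goto show

:rms
REM Intranet-only RMS cluster: open the one web port the cluster URL uses,
REM and only to the corporate network.
netsh firewall add portopening protocol=TCP port=443 name="RMS HTTPS" mode=ENABLE scope=CUSTOM addresses=%CORPNET%
REM netsh firewall add portopening protocol=TCP port=80 name="RMS HTTP" mode=ENABLE scope=CUSTOM addresses=%CORPNET%
goto show

:rmsx
REM Extranet cluster URL: the web port must accept connections from any address.
REM This is the only RMS-related port that should ever be scoped to ALL.
netsh firewall add portopening protocol=TCP port=443 name="RMS HTTPS (extranet)" mode=ENABLE scope=ALL
goto show

:sql
REM Separate SQL Server for the RMS databases: only the RMS servers need to
REM reach it, so scope 1433 and 445 to their addresses, not the whole network.
REM 445 is also SMB file sharing, so it must never be opened with scope=ALL.
REM 1433 is the default instance's port; a named instance needs its static port here.
netsh firewall add portopening protocol=TCP port=1433 name="RMS SQL Server"             mode=ENABLE scope=CUSTOM addresses=%RMSSERVERS%
netsh firewall add portopening protocol=TCP port=445  name="RMS SQL Named Pipes (SMB)"  mode=ENABLE scope=CUSTOM addresses=%RMSSERVERS%
goto show

:show
REM Review the result: every RMS exception should list the scope you intended,
REM and the firewall should report Operational mode = Enable.
netsh firewall show portopening
netsh firewall show state

:end
endlocal
```

Run it once on each server with the argument that matches that server's role; an RMS server that also hosts SQL Server needs only the `rms` or `rms-extranet` section, since local database traffic never crosses the firewall. If `netsh firewall show portopening` shows an exception with scope `All` that you expected to be custom, delete it with `netsh firewall delete portopening protocol=TCP port=<port>` and re-add it.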

Feel free to let us know what you think by posting comments.

Brian Lich