Configure Windows Firewall

Applies To: Windows Server 2008

The Windows Firewall is a host-based firewall application that is installed and turned on by default in Windows Server 2008. If you want to use the functionality of the Windows Firewall within your Active Directory Rights Management Services (AD RMS) infrastructure, you must create a few firewall exceptions.

Note

This topic only discusses the firewall exceptions that are specific to AD RMS. Sometimes additional exceptions need to be made for other applications.

The following table shows the port exceptions that should be made on each AD RMS server in the cluster. It is not necessary to open both ports at the same time. For HTTP transmission, you should only open TCP port 80. If your AD RMS environment is using Secure Sockets Layer (SSL) or HTTPS, you should only open TCP port 443. The default port for SSL is TCP port 443. If your organization is using a port number for SSL other than the default, you should use that port instead.

Note

When AD RMS is installed, the appropriate exception described in the following table is created and enabled automatically.

Port Exception Description

TCP 80

HTTP

TCP 443

HTTPS or SSL communication

If there is more than one server in the AD RMS cluster, or the AD RMS database server is not on the AD RMS in a single-server deployment, the following port exceptions should be created on the database server that is hosting the AD RMS databases. This table assumes that you are using Microsoft SQL Server 2000 or later.

Port Exception Description

TCP 1433

Default Microsoft SQL Server listening port

TCP 445

SQL Server Named Pipes (used for provisioning the AD RMS server)

In addition to creating these port exceptions, special considerations should be taken when configuring the firewall scope. Unless your AD RMS environment is used in an extranet scenario, you should restrict all traffic to your organization's network. If your AD RMS environment needs to be available to client computers outside of your organization's network, you should allow any computer on the Internet to connect to only TCP port 443 or TCP port 80.

Warning

In an AD RMS environment, TCP port 445 is used to provision an AD RMS server, but this port is also the file sharing port for all computers that are running Microsoft Windows 2000 or later. Unless you have a specific need for other computers on your network to have access to this port, you should restrict the scope so that only the AD RMS cluster has access to TCP port 445 on the AD RMS database server.

Additional references