Windows Media Services and Internet Communication

Applies To: Windows Server 2003 with SP1

This section provides information about:

  • The benefits of Windows Media® Services on servers running Microsoft Windows Server 2003 with Service Pack 1 (SP1).

    Note

    Windows Media Services 9 Series is included in most editions of Windows Server 2003. However, Windows Media Services is not included in the Web Edition or in the Itanium-based versions of Windows Server 2003.

    Windows Media Services delivers advanced streaming functionality such as multicasting, wireless network support, Internet authentication, server plug-ins, and Cache/Proxy APIs.

  • For servers from which you want to offer content that will be streamed to an intranet or the Internet, the following types of information are provided:

    • Examples of features in Windows Media Services 9 Series that help you control communication to and from a Windows Media server. Windows Media Services 9 Series is the version of Windows Media Services included with Windows Server 2003 SP1.

    • References to more detailed information about Windows Media Services, including information about ports and security-related topics.

    • Information about installing Windows Media Services and its subcomponents, along with instructions for viewing the Help that is included with Windows Media Services.

  • For servers from which you do not want to offer content on an intranet or the Internet, information about excluding or removing Windows Media Services.

It is beyond the scope of this white paper to describe all aspects of maintaining appropriate levels of security in an organization running servers that communicate across the Internet. This section, however, provides overview information as well as suggestions for other sources of information about balancing your organization’s requirements for communication across the Internet with your organization’s requirements for protection of networked assets.

Note

This section of the white paper describes Windows Media Services (the server component), but it does not describe Windows Media Player (the client component) or Internet Information Services (IIS), both of which are involved in carrying out communication of multimedia content across the Internet. For information about these components, see the respective sections of this white paper.

Benefits and Purposes of Windows Media Services

Windows Media Services is an optional component in Windows Server 2003. With Windows Media Services, you can manage and deliver Windows Media content over an intranet or the Internet. The clients receiving the content can render it as it is being received, that is, without downloading the content first. Streaming greatly reduces the wait time and storage requirements on the client. It also permits presentations of unlimited length, as well as live broadcasts.

For more information about features in Windows Media Services, see the sources in "Related Documentation and Links," later in this section.

Examples of Features that Help You Control Communication to and from a Windows Media Server

This subsection provides brief descriptions of some features in Windows Media Services 9 Series that help you control communication to and from a Windows Media server. These features are integrated with two aspects of basic functionality built into the Windows Server 2003 operating system:

  • Authentication

  • Authorization

Authentication

Authentication is a fundamental aspect of security for a server running Windows Media Services. It confirms the identity of any unicast client trying to access resources on your Windows Media server. Windows Media Services includes authentication plug-ins that you can enable in order to validate user credentials for unicast clients. Authentication plug-ins work together with authorization plug-ins: after users are authenticated, authorization plug-ins control access to unicast content.

Windows Media Services authentication plug-ins fall into the following categories:

  • Anonymous authentication. These are plug-ins that do not exchange challenge and response information between the server and a player, such as the WMS Anonymous User Authentication plug-in.

  • Network authentication. These are plug-ins that validate unicast clients based on user logon credentials, such as the WMS Negotiate Authentication plug-in.

When you make decisions about how authentication might affect users, consider the following points:

  • For multicast streaming with Windows Media Services 9 Series, clients do not establish a connection, and therefore authentication and authorization do not apply for multicasting. (Multicast streaming is only available if you have Windows Server 2003, Enterprise Edition, Windows Server 2003, Datacenter Edition, or the x64-based versions of these operating systems.)

  • If a player is connected through HTTP, the player disconnects from the server each time the user stops, pauses, fast-forwards, or rewinds the content. If the user tries to continue receiving the content, the authentication and authorization process occurs again.

For more information about authentication and about the specific authentication plug-ins that you can enable for Windows Media Services, see the list in "Related Documentation and Links," later in this section.

Authorization

In order to control access to unicast content on your Windows Media server, unless you identify users only by IP address, you must enable one or more authentication plug-ins and also one or more authorization plug-ins. Authentication plug-ins verify the credentials of unicast clients attempting to connect to the server. Authorization plug-ins verify that the unicast client is allowed to connect to the server. Authorization occurs after authentication is successful.

You can enable authorization plug-ins to control the access to content by authenticated users. If you enable an authorization plug-in, with one exception, you must also enable an authentication plug-in for unicast clients to be able to access your publishing points. The exception is the WMS IP Address Authorization plug-in, which does not require an authentication plug-in to authenticate a unicast client.

Note that for multicast streaming with Windows Media Services 9 Series, clients do not establish a connection, and therefore authentication and authorization do not apply for multicasting. (Multicast streaming is only available if you have Windows Server 2003, Enterprise Edition, Windows Server 2003, Datacenter Edition, or the x64-based versions of these operating systems.)

During the authorization process, the server checks the user against the set of access permissions for the resource to which the user is trying to connect.

For more information about authorization, see the list in "Related Documentation and Links," later in this section.

Firewall Information for Windows Media Services

This subsection provides information about configuring firewalls (or proxy servers or both) for use with Windows Media Services. For more information about firewalls, see the sources in "Related Documentation and Links," later in this section, as well as the Windows Media Web site at:

https://go.microsoft.com/fwlink/?linkid=29862

You can configure each control protocol plug-in (Microsoft Media Server [MMS] protocol, Real Time Streaming Protocol [RTSP], and HTTP) to use a specific port to make firewall configuration easier. If opening ports on your firewall is not possible, Windows Media Services can stream content by using the HTTP protocol over port 80.

Note

Using HTTP to stream content is disabled by default.

Windows Media Services was formerly known as Microsoft NetShow Services; some firewalls have a preconfigured NetShow setting, which may work for Windows Media Services.

Configuring Firewalls for Unicast Streaming

To configure a firewall for unicast streaming, you must open the ports on the firewall that are required for the connection protocols enabled on your server. If you are streaming content by using either the Microsoft Media Server (MMS) protocol or the Real Time Streaming Protocol (RTSP), you need to support both the User Datagram Protocol (UDP) and Transmission Control Protocol (TCP).

To enable Windows Media Player and other clients to use the HTTP, RTSP, or MMS protocols to connect to a Windows Media server that is behind a firewall, open the ports described in the following table.

Ports to Open When Clients are Connecting Using HTTP, RTSP, or MMS Protocols

  • In: TCP on ports 80, 554, and 1755. The Windows Media server uses the TCP In ports to accept an incoming HTTP connection (port 80), RTSP connection (port 554), or MMS connection (port 1755) from Windows Media Player and other clients.

  • In: UDP on ports 1755 and 5005. The Windows Media server uses UDP In port 1755 to receive resend requests from clients streaming by using MMSU (MMS used with UDP), and UDP In port 5005 to receive resend requests from clients streaming by using RTSPU (RTSP used with UDP).

  • Out: UDP on ports 1024 through 5000. The Windows Media server uses UDP Out ports 1024 through 5000 to send data to Windows Media Player and other clients.

To enable a distribution server that is behind a firewall to use the HTTP or RTSP protocols to stream content that originates from a server outside the firewall, open the ports described in the following table.

Ports to Open When a Distribution Server is Behind a Firewall and Uses HTTP or RTSP to Stream Content that Originates from a Server Outside the Firewall

  • In: UDP on ports 1024 through 5000. The Windows Media server uses UDP In ports 1024 through 5000 to receive data from another server.

  • Out: TCP on ports 80 and 554. The Windows Media server uses the TCP Out ports to establish an HTTP connection (port 80) or RTSP connection (port 554) to another server or encoder.

  • Out: UDP on port 5005. When RTSPU distribution is used, the Windows Media server uses UDP Out port 5005 to send resend requests to another server.

Note

If it is not possible to open all the UDP Out ports on a firewall, UDP packets sent by a Windows Media server may be blocked by the firewall and may not be able to reach the clients on the other side of the firewall. If this is the case, clients may still be able to receive a stream by automatically rolling over to a TCP-based protocol, such as HTTP or RTSPT (RTSP used with TCP). However, the rollover will cause a delay for the client receiving the stream.

Note

If you know you will not be able to support UDP streaming through a firewall, you can decrease the rollover delay by clearing the UDP check box in the Unicast Data Writer plug-in Properties dialog box. For more information, see the Help for Windows Media Services. A procedure for viewing Help is included in "Procedures for Installing, Removing, or Excluding Windows Media Services and Its Subcomponents," later in this section.

For more information, see the sources in "Related Documentation and Links," later in this section.
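The client-connection port table above can be turned into a least-privilege check. The following added example (not part of the original white paper) derives the ports required for the control protocols enabled on a server and compares them with a firewall rule list. The rule tuples, function names, and sample rule set are constructed for illustration; it assumes the firewall fronts only the Windows Media server and that turning UDP streaming off leaves only the TCP In ports in use.

```python
# Added example. Port numbers come from the page's table for clients
# connecting over HTTP, RTSP, or MMS; the rule format is hypothetical:
# (direction, transport, first_port, last_port).
TCP_IN = {"HTTP": 80, "RTSP": 554, "MMS": 1755}
UDP_RESEND_IN = {"RTSP": 5005, "MMS": 1755}   # RTSPU and MMSU resend requests
UDP_DATA_OUT = (1024, 5000)                   # stream data sent to clients


def required_rules(protocols, udp=True):
    """Rules the page's table calls for, given the enabled control protocols."""
    rules = set()
    for proto in protocols:
        rules.add(("in", "tcp", TCP_IN[proto], TCP_IN[proto]))
        # Assumption: with UDP streaming turned off, only the TCP ports are used.
        if udp and proto in UDP_RESEND_IN:
            rules.add(("in", "udp", UDP_RESEND_IN[proto], UDP_RESEND_IN[proto]))
            rules.add(("out", "udp", *UDP_DATA_OUT))
    return rules


def open_ports(rules, direction, transport):
    """Set of ports that the given rules open for one direction and transport."""
    ports = set()
    for rule_dir, rule_transport, first, last in rules:
        if (rule_dir, rule_transport) == (direction, transport):
            ports.update(range(first, last + 1))
    return ports


def to_ranges(ports):
    """Collapse a set of ports into sorted (first, last) ranges."""
    ranges = []
    for port in sorted(ports):
        if ranges and port == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], port)
        else:
            ranges.append((port, port))
    return ranges


def audit(firewall_rules, protocols, udp=True):
    """Return (missing, excess): required but closed, and open but not required."""
    needed = required_rules(protocols, udp)
    missing, excess = {}, {}
    for direction in ("in", "out"):
        for transport in ("tcp", "udp"):
            want = open_ports(needed, direction, transport)
            have = open_ports(firewall_rules, direction, transport)
            if want - have:
                missing[(direction, transport)] = to_ranges(want - have)
            if have - want:
                excess[(direction, transport)] = to_ranges(have - want)
    return missing, excess


# Constructed rule set for a server that streams over RTSP and MMS only.
SAMPLE_FIREWALL = [
    ("in", "tcp", 80, 80),          # HTTP streaming is disabled by default
    ("in", "tcp", 554, 554),
    ("in", "tcp", 1755, 1755),
    ("in", "udp", 1755, 1755),
    ("out", "udp", 1024, 65535),    # wider than the 1024-5000 range
]

if __name__ == "__main__":
    missing, excess = audit(SAMPLE_FIREWALL, ["RTSP", "MMS"])
    print("missing:", missing)
    print("excess:", excess)
```

Anything reported as excess is exposure the streaming configuration does not need; anything reported as missing forces clients into the TCP rollover delay described in the notes above.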

Configuring Firewalls for Multicast Streaming

If you distribute content using multicast streaming, network traffic is directed through the standard Class D IP addresses (224.0.0.1 through 239.255.255.255). For multicast streaming, you must enable multicast-forwarding on your network. The Internet Group Management Protocol (IGMP), supported by Windows Media Services, ensures that multicast traffic passes through your network only when a player requests a multicast connection, so that enabling multicasting on your routers does not flood your network.

The following firewall configuration enables multicast packets to traverse your firewall:

IP multicast address range: 224.0.0.1 through 239.255.255.255

To enable IP multicasting, you must allow packets sent to the standard IP multicast address range to come through your firewall. This IP multicast address range must be enabled on both the player and server sides, as well as on every router in between. For more information about multicasting, see the section called "Delivering a multicast stream" in the white paper on the Windows Media Web site at:

https://go.microsoft.com/fwlink/?linkid=29862

Enabling Access to an Encoder Outside a Firewall

Encoders use HTTP to connect to a server running Windows Media Services. By default, Windows Media Encoder uses port 80 for HTTP connections; however, the encoder administrator can specify a different port. If a different port is used, you must specify the same port when you identify the encoder connection URL for the Windows Media server and when opening the port on your firewall.

The following example of a firewall configuration allows a computer running Windows Media Encoder outside a firewall to access a Windows Media server behind a firewall by using HTTP:

In/Out: Transmission Control Protocol (TCP) on port 80.

(The In port is the port through which the server accepts connections. The Out port is the port through which the server sends data to clients.)

Answer File Entries and Registry Keys for Windows Media Services Subcomponents

For reference purposes, the following table shows the syntax for answer file entries associated with Windows Media Services in Windows Server 2003. The table also shows the corresponding registry keys. Do not change the registry keys. They are shown for use in a script that could check whether a particular subcomponent is installed on a particular server. A registry key value of 0x00000000 means the subcomponent is not installed, and a value of 0x00000001 means the subcomponent is installed.

Note

For more details about answer-file entries related to Windows Media Services subcomponents, including information about dependencies between the entries, see the references listed in Appendix A: Resources for Learning About Automated Installation and Deployment. Be sure to review the information in the Deploy.chm file (whose location is provided in that appendix).

Answer File Entries and Registry Keys for Windows Media Services Subcomponents for Windows Server 2003

For each subcomponent, the list shows the answer file entry (in the [Components] section) and the registry key (for use in a script that checks whether a subcomponent is installed): 0x00000000 means it is not installed; 0x00000001 means it is installed.

  • Core Windows Media server components

    • Answer file entry: wms = On | Off

    • Registry key: No key available (check for subcomponents by using other keys)

  • Windows Media Services Administrator for the Web

    • Answer file entry: wms_admin_asp = On | Off

    • Registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents\wms_admin_asp

  • Windows Media Services MMC snap-in

    • Answer file entry: wms_admin_mmc = On | Off

    • Registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents\wms_admin_mmc

  • Multicast and Advertisement Logging Agent components

    • Answer file entry: wms_isapi = On | Off

    • Registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents\wms_isapi

  • Windows Media Services server components

    • Answer file entry: wms_server = On | Off

    • Registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents\wms_server

Procedures for Installing, Removing, or Excluding Windows Media Services and Its Subcomponents

The following procedures explain how to:

  • Add or remove Windows Media Services on a computer after setup is complete for Windows Server 2003.

  • View the Help that is included with Windows Media Services.

  • Prevent the installation of Windows Media Services during unattended installation by using an answer file.

  • Specify answer file entries that control whether Windows Media Services subcomponents are included during unattended installation.

    Note

    Windows Media Services 9 Series is included in most editions of Windows Server 2003. However, Windows Media Services is not included in the Web Edition or in the Itanium-based versions of Windows Server 2003.

To Add or Remove Windows Media Services on an Individual Computer after Setup is Complete

  1. Click Start, and then either click Control Panel, or point to Settings and then click Control Panel.

  2. Double-click Add or Remove Programs.

  3. Click Add/Remove Windows Components (on the left).

  4. Select Windows Media Services.

  5. Perform one of the following steps:

    • If Windows Media Services is installed and you want to remove it, clear the check box for Windows Media Services and complete the wizard.

    • If Windows Media Services is not installed and you want to add it, select the check box for Windows Media Services and complete the wizard.

    • If you want to view the list of Windows Media Services subcomponents, after selecting Windows Media Services, click Details.

To View the Help That Is Included with Windows Media Services

  1. Make sure that Windows Media Services is installed by using the previous procedure.

  2. Click Start, and then either click Control Panel, or point to Settings and then click Control Panel.

  3. Double-click Administrative Tools and then click Windows Media Services.

  4. Click the Help menu and then click Help Topics.

To Specify Answer File Entries that Control Whether Windows Media Services Subcomponents are Included During Unattended Installation

  1. Using the methods you prefer for unattended installation or remote installation, create an answer file.

  2. In the [Components] section of the answer file, add the appropriate entries listed in the table in "Answer File Entries and Registry Keys for Windows Media Services Subcomponents," earlier in this section. Ensure that the entries specify Off for components you do not want to install and On for components you want to install.

    If no Windows Media Services subcomponents are listed in an answer file for unattended installation of Windows Server 2003, these components are not installed by default.

    Note

    For more information about unattended installation, and for details about dependencies between answer-file entries related to Windows Media Services subcomponents, see the references listed in Appendix A: Resources for Learning About Automated Installation and Deployment. Be sure to review the information in the Deploy.chm file (whose location is provided in that appendix).

To Prevent the Installation of Windows Media Services During Unattended Installation by Using an Answer File

  1. Using the methods you prefer for unattended installation or remote installation, create an answer file. For more information about unattended and remote installation, see Appendix A: Resources for Learning About Automated Installation and Deployment.

  2. In the [Components] section of the answer file, ensure that there are no entries for the subcomponents listed in the table in "Answer File Entries and Registry Keys for Windows Media Services Subcomponents," earlier in this section. If you want to list any of these subcomponents, ensure that the entries specify Off.

If no Windows Media Services subcomponents are listed in an answer file for unattended installation of Windows Server 2003, these subcomponents are not installed by default.
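The two checks this section describes, an answer file that must not turn Windows Media Services on and a script that reads the subcomponent registry keys, can be combined into one audit. The following is an added example, not part of the original white paper: function names and sample data are constructed, `read_registry` runs only on Windows (it uses Python's `winreg` module), and it assumes each registry key in the table is stored as a DWORD value under the Subcomponents key.

```python
# Added example. Entry names and the registry path come from the page's
# table; the function names and sample data are constructed.
SUBCOMPONENTS = ("wms_admin_asp", "wms_admin_mmc", "wms_isapi", "wms_server")
ANSWER_ENTRIES = ("wms",) + SUBCOMPONENTS   # "wms" has no registry key
OC_KEY = r"Software\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents"


def wms_entries(answer_file_text):
    """Return {entry: value} for WMS entries in the [Components] section."""
    found, section = {}, None
    for raw in answer_file_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "components" and "=" in line:
            key, value = (p.strip().strip('"').lower() for p in line.split("=", 1))
            if key in ANSWER_ENTRIES:
                found[key] = value
    return found


def entries_not_off(answer_file_text):
    """Listed WMS entries that are anything other than Off (fails closed on typos)."""
    return sorted(k for k, v in wms_entries(answer_file_text).items() if v != "off")


def read_registry(computer=None):
    """Read the four subcomponent values; None means the local computer."""
    import winreg                                     # Windows-only module
    state = {}
    with winreg.ConnectRegistry(computer, winreg.HKEY_LOCAL_MACHINE) as hive:
        with winreg.OpenKey(hive, OC_KEY) as key:
            for name in SUBCOMPONENTS:
                try:
                    state[name] = winreg.QueryValueEx(key, name)[0]
                except FileNotFoundError:
                    state[name] = None                # value is absent
    return state


def installed(state):
    """Subcomponents whose value is 0x00000001 (installed, per the page)."""
    return sorted(name for name, value in state.items() if value == 1)


# Constructed answer file and registry snapshot for a server that
# should not offer streaming content.
SAMPLE_ANSWER_FILE = """\
[Unattended]
UnattendMode = FullUnattended

[components]
WMS = Off
wms_server = "On"      ; left over from a streaming-server template
wms_admin_mmc = off
"""
SAMPLE_STATE = {"wms_admin_asp": 0, "wms_admin_mmc": 1,
                "wms_isapi": None, "wms_server": 1}

if __name__ == "__main__":
    print("answer file entries not Off:", entries_not_off(SAMPLE_ANSWER_FILE))
    print("installed per registry:", installed(SAMPLE_STATE))
```

On a Windows computer, pass the result of `read_registry()` (or `read_registry(r"\\servername")` for a remote computer) to `installed` in place of the constructed snapshot.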

Related Documentation and Links

The following list of resources can help you as you plan or modify your implementation of Windows Media Services and Windows Media Player in your organization:

  • For technical information about Windows Media, see “Windows Media in the Enterprise,” on the Microsoft Web site at:

    https://go.microsoft.com/fwlink/?LinkId=46006

    A variety of technical resources are available on the preceding Web site, including:

    • The Windows Media 9 Series Deployment Guide.

    • The Enterprise Deployment Pack (EDP) for Windows Media Player 9 Series, a downloadable packaging tool that simplifies the configuration, deployment, and management of Windows Media Player 9 Series.

    • Other technical articles.

  • For information about deploying over an intranet, see “Deploying Windows Media 9 Series over an Intranet,” on the Microsoft Web site at:

    https://go.microsoft.com/fwlink/?LinkId=46008

  • For information about using Windows Media Services 9 Series with a firewall, see "Firewall Information for Windows Media Services 9 Series" on the Windows Media Web site at:

    https://go.microsoft.com/fwlink/?linkid=29862

  • For conceptual and how-to information about using Windows Media Services, including information about authentication, authorization, ports, and firewall settings, see the Help that is included with Windows Media Services. For information about installing Windows Media Services and viewing Help, see "Procedures for Installing, Removing, or Excluding Windows Media Services and Its Subcomponents," earlier in this section.

  • For general information about features, and information about ports and firewall or proxy settings, search for the latest information on the Windows Media Web site at:

    https://www.microsoft.com/Windows/WindowsMedia/

  • For information about Windows Media Services Software Development Kits (SDKs), see the Microsoft Developer Network Web site at:

    https://go.microsoft.com/fwlink/?LinkId=46019

Printed Reference

  • Birney, B., Tricia Gill, and members of the Microsoft Windows Media Team. Microsoft Windows Media Resource Kit. Redmond, WA: Microsoft Press, 2003.

    You can read a sample chapter and view information about the Microsoft Windows Media Resource Kit on the MS Press Web site at:

    https://go.microsoft.com/fwlink/?LinkId=46020