Windows Media Services and Resulting Internet Communication in Windows Server 2008
Applies To: Windows Server 2008
In This Section
Benefits and Purposes of Windows Media Services
Examples of Features that Help You Control Communication to and from a Windows Media Server
Firewall Information for Windows Media Services
Installable Features Associated with Windows Media Services
Procedures for Installing or Removing Windows Media Services and Its Associated Features
Additional References
Section Summary
This section provides information about:
- The benefits of Windows Media Services on servers running Windows Server 2008.
Note
Windows Media Services 2008, which is part of the server role called Streaming Media Services, is not included in Windows Server 2008. Instead, it is available for download from the Microsoft Web site. Also, the functionality supported in Windows Media Services depends on the version of Windows Server 2008 that you are running. For more information, see "Requirements for Windows Media Services" in Benefits and Purposes of Windows Media Services, later in this section.
Windows Media Services delivers advanced streaming functionality such as multicasting, wireless network support, Internet authentication, server plug-ins, and Cache/Proxy APIs.
For servers from which you want to offer content that will be streamed to an intranet or the Internet, the following types of information are provided:
Examples of features in Windows Media Services 2008 that help you control communication to and from a Windows Media server.
References to more detailed information about Windows Media Services, including information about ports and security-related topics.
Information about installing and removing Windows Media Services and associated features.
It is beyond the scope of this white paper to describe all aspects of maintaining appropriate levels of security in an organization running servers that communicate across the Internet. This section, however, provides overview information as well as suggestions for other sources of information about balancing your organization’s requirements for communication across the Internet with your organization’s requirements for protection of networked assets.
Note
This section of the white paper describes Windows Media Services (the server feature), but it does not describe Windows Media Player (the client feature) or Internet Information Services (IIS), both of which can be involved in carrying out communication of multimedia content across the Internet. For information about these features, see Windows Mail, Windows Media Player, and Other Features in the Desktop Experience in Windows Server 2008 and Internet Information Services and Resulting Internet Communication in Windows Server 2008 in this white paper.
Benefits and Purposes of Windows Media Services
Windows Media Services is an optional feature in Windows Server 2008. With Windows Media Services, you can manage and deliver Windows Media content over an intranet or the Internet. The clients receiving the content can render it as it is being received, that is, without downloading the content first. Streaming greatly reduces the wait time and storage requirements on the client. It also permits presentations of unlimited length, as well as live broadcasts.
For more information about features in Windows Media Services, see Installable Features Associated with Windows Media Services and the sources in Additional References, later in this section.
Requirements for Windows Media Services
The Streaming Media Services role in Windows Server 2008 is somewhat different from other server roles. This subsection provides information about what is required when you install this role.
The server role called Streaming Media Services uses Windows Media Services 2008, which is not included in Windows Server 2008. Instead, Windows Media Services 2008 is available for download from the Microsoft Web site. For information about downloading Windows Media Services, see the Microsoft Web site at:
https://go.microsoft.com/fwlink/?LinkId=106407
Also, the functionality supported in Windows Media Services depends on the version of Windows Server 2008 that you are running. The following list provides more information.
For unicast streaming, server-side playlists, and other basic streaming functionality: You can install Windows Media Services on Windows Server 2008 Standard or Windows Web Server 2008. (Windows Server 2008 Enterprise and Windows Server 2008 Datacenter also support this functionality.)
For multicast streaming and other advanced streaming functionality: You must install Windows Media Services on Windows Server 2008 Enterprise or Windows Server 2008 Datacenter.
Windows Media Services is not supported on Windows Server 2008 for Itanium-Based Systems.
For more information about choosing a version of Windows Server 2008 to support the functionality you want in Windows Media Services, see the Microsoft Web site at:
https://go.microsoft.com/fwlink/?LinkId=106568
When planning and installing media servers, it is also important to consider hardware requirements. For information about hardware requirements, see the Microsoft Web site at:
https://go.microsoft.com/fwlink/?LinkId=106576
Examples of Features that Help You Control Communication to and from a Windows Media Server
This subsection provides brief descriptions of some features in Windows Media Services 2008 that help you control communication to and from a Windows Media server. These features are integrated with two aspects of basic functionality built into the Windows Server 2008 operating system:
Authentication
Authorization
Authentication
Authentication is a fundamental aspect of security for a server running Windows Media Services. It confirms the identity of any unicast client trying to access resources on your Windows Media server. Windows Media Services includes authentication plug-ins that you can enable in order to validate user credentials for unicast clients. Authentication plug-ins work together with authorization plug-ins: after users are authenticated, authorization plug-ins control access to unicast content.
Windows Media Services authentication plug-ins fall into the following categories:
Anonymous authentication. These are Windows Media Services (WMS) plug-ins that do not exchange challenge and response information between the server and a player, such as the WMS Anonymous User Authentication plug-in.
Network authentication. These are plug-ins that validate unicast clients based on user logon credentials, such as the WMS Negotiate Authentication plug-in.
When you make decisions about how authentication might affect users, consider the following points:
For multicast streaming with Windows Media Services 2008, clients do not establish a connection, and therefore authentication and authorization do not apply for multicasting. (Multicast streaming is only available with Windows Server 2008 Enterprise or Windows Server 2008 Datacenter.)
If a player is connected through HTTP, the player disconnects from the server each time the user stops, pauses, fast-forwards, or rewinds the content. If the user tries to continue receiving the content, the authentication and authorization process occurs again.
For more information about authentication and about the specific authentication plug-ins that you can enable for Windows Media Services, see the list in Additional References, later in this section.
Authorization
In order to control access to unicast content on your Windows Media server, unless you identify users only by IP address, you must enable one or more authentication plug-ins and also one or more authorization plug-ins. Authentication plug-ins verify the credentials of unicast clients attempting to connect to the server. Authorization plug-ins verify that the unicast client is allowed to connect to the server. Authorization occurs after authentication is successful.
You can enable authorization plug-ins to control the access to content by authenticated users. If you enable an authorization plug-in, with one exception, you must also enable an authentication plug-in for unicast clients to be able to access your publishing points. The exception is the WMS IP Address Authorization plug-in, which does not require an authentication plug-in to authenticate a unicast client.
Note that for multicast streaming with Windows Media Services 2008, clients do not establish a connection, and therefore authentication and authorization do not apply for multicasting. (Multicast streaming is only available with Windows Server 2008 Enterprise or Windows Server 2008 Datacenter.)
During the authorization process, the server checks the user against the set of access permissions for the resource to which the user is trying to connect.
For more information about authorization, see the list in Additional References, later in this section.
Firewall Information for Windows Media Services
This subsection provides information about configuring firewalls (or proxy servers or both) for use with Windows Media Services. For more information about firewalls, see the Windows Media Web site at:
https://go.microsoft.com/fwlink/?LinkId=106570
You can configure each control protocol plug-in—Real Time Streaming Protocol (RTSP) and HTTP—to use a specific port to make firewall configuration easier. If opening ports on your firewall is not possible, Windows Media Services can stream content by using the HTTP protocol over port 80.
Note
Using HTTP to stream content is disabled by default.
Configuring Firewalls for Unicast Streaming
To configure a firewall for unicast streaming, you must open the ports on the firewall that are required for the connection protocols enabled on your server. If you are streaming content by using the Real Time Streaming Protocol (RTSP), you need to support both the User Datagram Protocol (UDP) and Transmission Control Protocol (TCP).
To enable Windows Media Player and other clients to use the RTSP or HTTP protocols to connect to a Windows Media server that is behind a firewall, open the ports described in the following table.
Ports to Open When Clients are Connecting Using RTSP or HTTP Protocols
| Protocols and Ports | Description |
|---|---|
RTSP over TCP (RTSPT): Port 554 (In/Out) |
Port 554 is used for accepting incoming RTSP client connections and for delivering data packets to clients that are streaming by using RTSPT. |
RTSP over UDP (RTSPU): Port 5004 (Out) and Port 5005 (In/Out) |
Port 5004 (Out) is used for delivering data packets to clients that are streaming by using RTSPU. Port 5005 (In/Out) is used for receiving packet loss information from clients and providing synchronization information to clients that are streaming by using RTSPU. |
HTTP over TCP: Port 80 (In/Out) |
Port 80 is used for accepting incoming HTTP client connections and for delivering data packets to clients that are streaming by using HTTP. |
To enable a distribution server that is behind a firewall to use the HTTP or RTSP protocols to stream content that originates from a server outside the firewall, open the ports described in the following table.
Ports to Open When a Distribution Server is Behind a Firewall and Uses HTTP or RTSP to Stream Content that Originates from a Server Outside the Firewall
| Protocols and Ports | Description |
|---|---|
RTSP over TCP (RTSPT): Port 554 (Out) |
The Windows Media distribution server uses this TCP Out port to establish an RTSP connection to the origin server. |
RTSP over UDP (RTSPU): Ports 1024-5000 (In) and Port 5005 (Out) |
The Windows Media distribution server uses a port within the UDP In port range 1024-5000 to receive data packets from the origin server. The Windows Media distribution server uses UDP Out port 5005 to send correction-oriented control messages to the origin server. |
HTTP over TCP: Port 80 (Out) |
The Windows Media distribution server uses this TCP Out port to establish an HTTP connection to the origin server. |
Media Stream Broadcast (MSB) over UDP: Ports 1-65535 (In) |
The Windows Media distribution server uses a port within this UDP In port range when receiving a multicast stream from the origin server. The UDP In port number on the distribution server must match the UDP Out port number of the origin server that is delivering the multicast. |
For more information, see the sources in Additional References, later in this section.
Configuring Firewalls for Multicast Streaming
When you distribute content by using multicast streaming, network traffic is directed through one of the class D IP addresses. Multicast IP addresses are class D addresses that fall within the following ranges:
Ipv4: 224.0.0.0 to 239.255.255.255
Ipv6: FF00:0000:0000:0000:0000:0000:0000:0000 to FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
For multicast streaming, you must enable multicast-forwarding on your network. The Internet Group Management Protocol (IGMP), supported by Windows Media Services, ensures that multicast traffic passes through your network only when a player requests a multicast connection, so that enabling multicasting on your routers does not flood your network.
To enable IP multicasting, you must allow packets sent to the standard IP multicast address range to come through your firewall. This IP multicast address range must be enabled on both the player and server sides, as well as on every router in between. For more information about multicasting, see "Delivering content as a multicast stream" on the TechNet Web site at:
https://go.microsoft.com/fwlink/?LinkId=106569
For additional sources of information, including information about content sources (for example, sourcing from an encoder), see the sources in Additional References, later in this section.
Installable Features Associated with Windows Media Services
The two main features in Windows Media Services are the service itself and the Windows Media Services MMC snap-in. However, other associated features can be installed on various servers in your organization. The following table provides more information:
| Feature associated with Windows Media Services | Description |
|---|---|
Windows Media Services service |
The service that enables you to stream digital media content to clients over an intranet or the Internet. |
Windows Media Services MMC snap-in |
The snap-in that you can use to configure and manage Windows Media Services. |
Windows Media Services Administrator for the Web |
A complete Web site that is hosted on your Windows Media server by Microsoft Internet Information Services (IIS). You can access the Web site from any browser that supports Active Server Pages (ASP). For more information, see the TechNet Web site at: |
Multicast and Advertisement Logging Agent |
An Internet Server Application Programming Interface (ISAPI) logging application extension that runs on a Web server. For important information about the installation and use of this feature, see the TechNet Web site at: |
Test Stream utility, which requires the Desktop Experience feature |
A utility that can be used to test a publishing point configuration and verify that it is working as expected. The Test Stream utility requires the Desktop Experience feature on Windows Server 2008. For information about installing the Desktop Experience feature, see the TechNet Web site at: |
For more information about deploying Windows Media Services, see the following:
Overview and installation information on the TechNet Web site at:
Information about the Server Core installation option, which can help reduce the attack surface of servers running various roles including the Windows Media Services role. Information about the Server Core installation option is available on the TechNet Web site at:
Deployment information and links to additional topics on the TechNet Web site at:
Procedures for Installing or Removing Windows Media Services and Its Associated Features
The following procedures explain how to:
Add Windows Media Services on a server after setup is complete for Windows Server 2008.
Remove Windows Media Services from a server on which it was previously installed.
For information about using the Server Core installation option for a server that will run Windows Media Services, see Additional References, later in this section.
To Add Windows Media Services to an Individual Server after Setup is Complete for Windows Server 2008
Review hardware requirements and operating system requirements, review the choices of installable features, and plan your installation. For more information, see the following:
Installable Features Associated with Windows Media Services, earlier in this section.
The information in "Requirements for Windows Media Services" in Benefits and Purposes of Windows Media Services, earlier in this section.
Follow the instructions at the following Web site for downloading Windows Media Services:
If you recently installed Windows Server 2008, and the Initial Configuration Tasks interface is displayed, under Customize This Server, click Add roles. Then skip to step 5.
If the Initial Configuration Tasks interface is not displayed and Server Manager is not running, click Start, click Administrative Tools, and then click Server Manager. (If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.)
Then, in Server Manager, under Roles Summary, click Add Roles.
In the Add Roles Wizard, if the Before You Begin page appears, click Next.
Select the Windows Media Services role and follow the instructions in the wizard to complete the installation process.
To Remove Windows Media Services from an Individual Server
If Server Manager is not already open, click Start, click Administrative Tools, and then click Server Manager. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
Under Roles Summary, click Remove Roles.
In the Remove Roles wizard, clear the check box for Streaming Media Services.
In this wizard, you remove a role by clearing a check box (not checking a check box).
Follow the instructions in the wizard to complete the removal.
Click Start, and then either click Control Panel or point to Settings and then click Control Panel.
Double-click Programs and Features.
Under Tasks, click View installed updates.
Under Uninstall an update, click Streaming Media Services update for Server (KB934518), and then click Uninstall.
Additional References
The following table of resources can help you as you plan or modify your implementation of Windows Media Services and Windows Media Player in your organization.
| Topic related to Windows Media Services | Link |
|---|---|
Downloading |
|
Links to technical information |
|
Installation information and Help (to view Help from the Windows Media Services snap-in, press F1) |
|
Server Core installation option |
|
Deployment |
|
Product information |
|
Hardware requirements |
|
Operating system choices |
|
Firewalls |
|
Multicasting |
|
Content sources |
|
Logs (sent from clients to servers) |
|
Writing applications |
Printed Reference
Birney, B., Tricia Gill, and members of the Microsoft Windows Media Team. Microsoft Windows Media Resource Kit. Redmond, WA: Microsoft Press, 2003.
You can read a sample chapter and view information about the Microsoft Windows Media Resource Kit on the MS Press Web site at: