Create an Inbound Port Rule on Windows XP or Windows Server 2003

Applies To: Windows 7, Windows Essential Business Server, Windows SBS 2003, Windows SBS 2008, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Vista

To allow inbound network traffic to a specified port number, use the Windows Firewall node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows inbound network traffic addressed to a specified port number to be received by a program that is listening on that port.

Note

Unlike in Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2, Windows Firewall in earlier versions of Windows does not support the creation of a rule that restricts network traffic to both a specified program and a specified port number. If you create a program rule, then that program can receive inbound network traffic on any port on which it listens. If you create a port rule, then any program listening on the specified port receives the inbound network traffic. For information about creating a program rule, see Create an Inbound Program Rule on Windows XP or Windows Server 2003.

Administrative credentials

To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the relevant GPOs.

To create an inbound firewall rule for a TCP or UDP port

  1. On a computer that has the Group Policy Management feature installed, click Start, click Administrative Tools, and then click Group Policy Management.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. In the navigation pane, expand Forest: YourForestName, expand Domains, expand YourDomainName, expand Group Policy Objects, right-click the GPO in which you want to create the rule, and then click Edit.

  4. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand Administrative Templates, expand Network, expand Network Connections, and then expand Windows Firewall.

  5. Expand Domain Profile or Standard Profile. Rules created in the Domain Profile section apply whenever the client computer is connected to a network on which it can contact a domain controller for its assigned Active Directory domain. Rules created in the Standard section apply when the computer cannot contact a domain controller for its domain.

  6. In the details pane, double-click Windows Firewall: Define inbound port exceptions.

  7. On the Setting tab, click Enabled, and then click Show.

  8. In the Show Contents dialog box, click Add.

  9. In the Add item dialog box, type the string that represents the port on which you want to allow inbound network traffic. The text string must conform to the following syntax, with each parameter separated by a colon (:).

    Port:Transport:Scope:Status:Name

    Parameter Meaning

    Port

    The decimal port number to which inbound network traffic is allowed.

    Transport

    The protocol for the port number. Either TCP or UDP.

    Scope

    Select one of the following options:

    • An asterisk (*) to represent all networks.

    • A comma-separated list of IP address or subnets, such as: 10.0.0.1, 10.2.3.0/24.

    • The string localsubnet.

    Status

    Either Enabled or Disabled.

    This allows you to disable a single port rule without disabling any others or deleting the rule and losing its configuration.

    Name

    The name for the rule.

  10. Click OK three times to save your changes.

If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to return to the checklist.