Windows Media Services and Resulting Internet Communication in Windows Server 2008 R2

Applies To: Windows 7, Windows Server 2008 R2

In this section

  • Benefits and purposes of Windows Media Services

  • Examples of features that help you control communication to and from a server running Windows Media Services

  • Firewall information for Windows Media Services

  • Installable features associated with Windows Media Services

  • Procedures for installing or removing Windows Media Services and its associated features

  • Additional references

This section provides information about how Microsoft® Windows Media® Services on servers running Windows Server® 2008 R2 communicates across the Internet, and it explains steps to take to limit, control, or prevent that communication in an organization with many users. It is beyond the scope of this document to describe all aspects of maintaining appropriate levels of security in an organization that is running servers that communicate across the Internet. This section, however, provides overview information and suggestions for other sources of information about balancing your organization’s requirements for communication across the Internet with your organization’s requirements for protection of networked assets.

Note

This section describes Windows Media Services (the server feature), but it does not describe Windows Media Player (the client feature) or Internet Information Services (IIS), both of which can be involved in carrying out communication of multimedia content across the Internet. For information about these features, see the following sections of this document:

Benefits and purposes of Windows Media Services

Windows Media Services is an optional feature in Windows Server 2008 R2. In addition to basic on-demand and live streaming of Windows Media content, Windows Media Services delivers advanced streaming functionality such as multicasting, support for wireless and mobile networks, MP3 streaming, Internet authentication, customizable server plug-ins, built-in caching and proxying, and an optional Web-based administration console. With Windows Media Services, you can manage and deliver Windows Media content over an intranet or the Internet. The client computers that receive the content can render it as it is received (that is, without downloading the content first). Streaming greatly reduces the wait time and storage requirements for the client computer. It also permits presentations of unlimited length and live broadcasts.

For servers from which you want to offer content that will be streamed to an intranet or the Internet, the following types of information are provided in this document:

  • Examples of features in Windows Media Services 2008 that help you control communication to and from a server running Windows Media Services.

  • Information about installing and removing Windows Media Services and associated features.

  • References to more detailed information about Windows Media Services, including information about ports and security-related topics.

For more information about the features in Windows Media Services, see the following subsections of this document:

  • Installable features associated with Windows Media Services

  • Additional references

Note

Windows Media Services 2008, which is part of the server role called Streaming Media Services, is not included in Windows Server 2008 R2. Windows Media Services is available for download from the Microsoft® Web site. Also, the functionality that is supported in Windows Media Services depends on the version of Windows Server 2008 R2 that you are running.

Requirements for Windows Media Services

The Streaming Media Services role in Windows Server 2008 R2 is somewhat different from other server roles. This subsection provides information about what is required when you install this role.

The server role called Streaming Media Services uses Windows Media Services 2008, which is not included in Windows Server 2008 R2. For more information, see Windows Media Services 2008 for Windows Server 2008 R2 in the Microsoft Download Center (https://go.microsoft.com/fwlink/?LinkId=160708).

For more information about requirements and installing Streaming Media Services on Windows Server 2008 R2, see article 963697 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkID=160709).

Examples of features that help you control communication to and from a server running Windows Media Services

This subsection provides brief descriptions of some features in Windows Media Services 2008 that help you control communication to and from a server running Windows Media Services. These features are integrated with two aspects of basic functionality built into the Windows Server 2008 R2 operating system: Authentication and Authorization.

Authentication

Authentication is a fundamental aspect of security for a server running Windows Media Services. It confirms the identity of any unicast client computer that is trying to access resources on your server. Windows Media Services includes authentication plug-ins that you can enable to validate user credentials for unicast client computers. Authentication plug-ins work together with authorization plug-ins—after users are authenticated, authorization plug-ins control access to unicast content.

Windows Media Services authentication plug-ins include the following categories:

  • Anonymous authentication. These are plug-ins that do not exchange challenge and response information between the server and a player, such as the WMS Anonymous User Authentication plug-in.

  • Network authentication. These are plug-ins that validate unicast client computers based on user logon credentials, such as the WMS Negotiate Authentication plug-in.

When you make decisions about how authentication might affect users, consider the following:

  • For multicast streaming with Windows Media Services 2008, client computers do not establish a connection, and therefore authentication and authorization do not apply for multicasting.

  • If a player is connected through HTTP, the player disconnects from the server each time the user stops, pauses, fast-forwards, or rewinds the content. If the user tries to continue receiving the content, the authentication and authorization process occurs again.

For more information about authentication and about the specific authentication plug-ins that you can enable for Windows Media Services, see Additional references later in this section.

Authorization

To control access to unicast content on your server running Windows Media Services, unless you identify users only by IP address, you must enable one or more authentication plug-ins and one or more authorization plug-ins. Authentication plug-ins verify the credentials of unicast client computers that attempt to connect to the server. Authorization plug-ins verify that the unicast client computer is allowed to connect to the server. Authorization occurs after authentication is successful.

You can enable authorization plug-ins to control the access to content by authenticated users. If you enable an authorization plug-in, with one exception, you must also enable an authentication plug-in for unicast client computers to access your publishing points. The exception is the WMS IP Address Authorization plug-in, which does not require an authentication plug-in to authenticate a unicast client computer.

Note

For multicast streaming with Windows Media Services 2008, client computers do not establish a connection, and therefore authentication and authorization do not apply for multicasting.

During the authorization process, the server checks the user against the set of access permissions for the resource to which the user is trying to connect.

For more information about authorization, see Additional references later in this section.
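
The plug-in rules described above can be checked mechanically. The following is an added example, not part of the original page and not Microsoft code: it reviews publishing-point settings against those rules. The dictionary schema, the finding codes and the sample publishing points are constructed, and "WMS NTFS ACL Authorization" is used as an example of an identity-based authorization plug-in that this page does not name.

```python
ANONYMOUS = {"WMS Anonymous User Authentication"}   # no challenge/response exchange
IP_ONLY = "WMS IP Address Authorization"            # needs no authentication plug-in

def review(point):
    """Return finding codes for one publishing point (constructed schema)."""
    authn = set(point.get("authentication", []))
    authz = set(point.get("authorization", []))
    findings = []
    if point["delivery"] == "multicast":
        # Multicast clients never establish a connection, so plug-ins cannot gate them.
        if authn or authz:
            findings.append("PLUGINS_DO_NOT_APPLY_TO_MULTICAST")
        return findings
    identity_authz = authz - {IP_ONLY}
    if identity_authz and not authn:
        # Authorization other than IP-address based needs an authenticated user.
        findings.append("AUTHZ_WITHOUT_AUTHN")
    if authn and not authz:
        # Controlling access takes at least one plug-in of each kind.
        findings.append("AUTHN_WITHOUT_AUTHZ")
    if not authn and not authz:
        findings.append("ACCESS_NOT_CONTROLLED")
    if authn and authn <= ANONYMOUS and identity_authz:
        # Only anonymous plug-ins: no challenge/response takes place, so
        # per-user authorization cannot tell one user from another.
        findings.append("ANONYMOUS_ONLY_IDENTITY")
    return findings

def review_all(points):
    """Map each publishing point name to its list of findings."""
    return {p["name"]: review(p) for p in points}

# Constructed sample configuration.
SAMPLE_POINTS = [
    {"name": "news-live", "delivery": "unicast",
     "authentication": [], "authorization": ["WMS NTFS ACL Authorization"]},
    {"name": "lobby", "delivery": "unicast",
     "authentication": [], "authorization": [IP_ONLY]},
    {"name": "town-hall", "delivery": "multicast",
     "authentication": ["WMS Negotiate Authentication"],
     "authorization": ["WMS NTFS ACL Authorization"]},
    {"name": "training", "delivery": "unicast",
     "authentication": ["WMS Anonymous User Authentication"],
     "authorization": ["WMS NTFS ACL Authorization"]},
]

if __name__ == "__main__":
    for name, findings in review_all(SAMPLE_POINTS).items():
        print(name, findings or "ok")
```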

Firewall information for Windows Media Services

This subsection provides information about configuring firewalls or proxy servers for use with Windows Media Services. For more information, see Using firewalls on the Microsoft Web site.

You can configure each control protocol plug-in (Real Time Streaming Protocol (RTSP) and HTTP) to use a specific port to make firewall configuration easier. If opening ports on your firewall is not possible, Windows Media Services can stream content by using the HTTP protocol over port 80, which is typically open in most firewalls.

Note

Using HTTP to stream content is disabled by default.

Configuring firewalls for unicast streaming

To configure a firewall for unicast streaming, you must open the ports on the firewall that are required for the connection protocols that are enabled on your server. If you are streaming content by using the Real Time Streaming Protocol (RTSP), you need to support the User Datagram Protocol (UDP) and Transmission Control Protocol (TCP).

To enable Windows Media Player and client computers to use the MMS, RTSP or HTTP protocols to connect to a server running Windows Media Services that is behind a firewall, open the ports described in the following table.

Note

Clients that connect to a server running Windows Media Services by using the MMS URL moniker (for example, mms://) enable the server to use protocol rollover to stream the content to the client. Automatic protocol rollover from RTSP/MMS to RTSP with UDP-based or TCP-based transports (RTSPU or RTSPT), or HTTP (if the WMS HTTP Server Control Protocol plug-in is enabled) can occur as the server tries to negotiate the best protocol and provide an optimal streaming experience for the client.

Ports to open when client computers are connecting by using RTSP or HTTP protocols

| Protocols and Ports | Description |
| --- | --- |
| MMS over TCP (MMST) or MMS over UDP (MMSU): 1755 (In) | Port 1755 (In) accepts incoming MMS client connections. The server uses protocol rollover to deliver the data packets to clients using RTSP or HTTP. |
| RTSP over TCP (RTSPT): Port 554 (In/Out) | Port 554 accepts incoming RTSP client connections and delivers data packets to client computers that are streaming by using RTSPT. |
| RTSP over UDP (RTSPU): Port 5004 (Out) and Port 5005 (In/Out) | Port 5004 (Out) delivers data packets to client computers that are streaming by using RTSPU. Port 5005 (In/Out) receives packet loss information from client computers and provides synchronization information to client computers that are streaming by using RTSPU. |
| HTTP over TCP: Port 80 (In/Out) | Port 80 accepts incoming HTTP client connections and delivers data packets to client computers that are streaming by using HTTP. |

To enable a distribution server that is behind a firewall to use the HTTP or RTSP protocols to stream content that originates from a server outside the firewall, open the ports described in the following table.

Ports to open when a distribution server is behind a firewall and uses HTTP or RTSP to stream content that originates from a server outside the firewall

| Protocols and Ports | Description |
| --- | --- |
| RTSP over TCP (RTSPT): Port 554 (Out) | Port 554 (Out) establishes an RTSP connection to the origin server. |
| RTSP over UDP (RTSPU): Ports 1024-5000 (In) and Port 5005 (Out) | A port within the UDP In port range 1024-5000 receives data packets from the origin server. UDP Out port 5005 sends correction-oriented control messages to the origin server. |
| HTTP over TCP: Port 80 (Out) | Port 80 (Out) establishes an HTTP connection to the origin server. |
| Media Stream Broadcast (MSB) over UDP: Ports 1-65535 (In) | A port within this UDP In port range receives the multicast stream from the origin server. The UDP In port number on the distribution server must match the UDP Out port number of the origin server that is delivering the multicast. |

For more information, see Additional references later in this section.
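
The following is an added example, not part of the original page and not Microsoft code: a small audit that compares a firewall's allow rules with the client-connection table above, for only the protocols that are actually enabled on the server. The Rule record, the rule names and the sample rule set are constructed for illustration.

```python
from typing import NamedTuple

# Openings per enabled client protocol, transcribed from the client-connection
# table above as (transport, port, direction).
REQUIRED = {
    "MMS":   {("TCP", 1755, "in"), ("UDP", 1755, "in")},
    "RTSPT": {("TCP", 554, "in"), ("TCP", 554, "out")},
    "RTSPU": {("UDP", 5004, "out"), ("UDP", 5005, "in"), ("UDP", 5005, "out")},
    "HTTP":  {("TCP", 80, "in"), ("TCP", 80, "out")},
}

class Rule(NamedTuple):          # hypothetical, simplified allow-rule record
    name: str
    transport: str               # "TCP" or "UDP"
    direction: str               # "in" or "out"
    lo: int                      # first port in the allowed range
    hi: int                      # last port in the allowed range

def needed(enabled):
    """Union of the openings required by the enabled protocols."""
    need = set()
    for proto in enabled:
        need |= REQUIRED[proto]
    return need

def audit(rules, enabled):
    """Return (missing openings, names of rules wider than the table requires)."""
    need = needed(enabled)
    covered, too_wide = set(), []
    for r in rules:
        hits = {n for n in need
                if n[0] == r.transport and n[2] == r.direction
                and r.lo <= n[1] <= r.hi}
        covered |= hits
        # Every port in the rule's range must be one the table calls for.
        if len(hits) < r.hi - r.lo + 1:
            too_wide.append(r.name)
    return sorted(need - covered), too_wide

# Constructed sample: RTSP streaming only; HTTP streaming left at its default (disabled).
SAMPLE_ENABLED = ["RTSPT", "RTSPU"]
SAMPLE_RULES = [
    Rule("rtsp-tcp-in", "TCP", "in", 554, 554),
    Rule("rtsp-tcp-out", "TCP", "out", 554, 554),
    Rule("web-in", "TCP", "in", 80, 80),
    Rule("udp-out-wide", "UDP", "out", 5000, 5010),
]

if __name__ == "__main__":
    missing, too_wide = audit(SAMPLE_RULES, SAMPLE_ENABLED)
    print("missing:", missing)
    print("wider than needed:", too_wide)
```

With the sample rules, the audit reports the port 80 rule as unnecessary because HTTP streaming is not enabled, flags the UDP range as wider than ports 5004 and 5005, and lists UDP 5005 inbound as missing.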

Configuring firewalls for multicast streaming

When you distribute content by using multicast streaming, network traffic is directed through one of the class D IP addresses. Multicast IP addresses are class D addresses that fall within the following ranges:

  • IPv4: 224.0.0.0 to 239.255.255.255

  • IPv6: FF00:0000:0000:0000:0000:0000:0000:0000 to FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF

For multicast streaming on an intranet, you must enable multicast forwarding on your network’s routers. Windows Media Services supports the Internet Group Management Protocol (IGMP), which ensures that multicast traffic passes through your network only when a player requests a multicast connection, so that enabling multicasting on your routers does not exceed the capacity of your network.

Important

Multicast streaming typically will not work over the Internet because forwarding of multicast IP packets is not enabled on Internet routers.

To enable multicast streaming, you must allow packets that are sent to the standard multicast IP address range to come through your firewall. This multicast IP address range must be enabled on the player, the server, and every router in between.

For more information, see Delivering content as a multicast stream on the Microsoft TechNet Web site.

For additional sources of information, including information about content sources (for example, sourcing from an encoder), see Additional references later in this section.

Installable features associated with Windows Media Services

The two main features in Windows Media Services are the service and the Windows Media Services MMC snap-in. However, associated features can be installed on various servers in your organization. The following table provides more information:

| Feature Associated with Windows Media Services | Description |
| --- | --- |
| Windows Media Services service | The service that enables you to stream digital media content to client computers over an intranet or the Internet. |
| Windows Media Services MMC snap-in | The snap-in that you can use to configure and manage Windows Media Services. |
| Windows Media Services Administrator for the Web | A complete Web site that is hosted by Microsoft Internet Information Services (IIS) on your server running Windows Media Services. You can access the Web site from any browser that supports Active Server Pages (ASP). For more information, see Installing Web-based Administration. |
| Multicast and Advertisement Logging Agent | An Internet Server Application Programming Interface (ISAPI) logging application extension that runs on a Web server. For more information, see Installing Logging Agent. |
| Test Stream utility | A utility that can be used to test a publishing point configuration and verify that it is working as expected. The Test Stream utility requires the Desktop Experience feature on Windows Server 2008 R2. For more information, see Install Desktop Experience. |

For more information about deploying Windows Media Services, see the following resources on the Microsoft TechNet Web site:

Procedures for installing or removing Windows Media Services and its associated features

The following procedures explain how to:

  • Add Windows Media Services on a server after setup is complete for Windows Server 2008 R2.

  • Remove Windows Media Services from a server on which it was previously installed.

For information about using the Server Core installation option for a server that will run Windows Media Services, see Additional references later in this section.

To add Windows Media Services to an individual server after setup is complete for Windows Server 2008 R2

  1. Review hardware requirements and operating system requirements, review the choices of installable features, and plan your installation.

  2. Follow the instructions at the following Web site to download Windows Media Services: Windows Media Services 2008 for Windows Server 2008 R2.

  3. If you recently installed Windows Server 2008 R2, and the Initial Configuration Tasks interface is displayed, under Customize This Server, click Add roles. Then skip to step 5.

  4. If the Initial Configuration Tasks interface is not displayed and Server Manager is not running, click Start, click Administrative Tools, and then click Server Manager. (If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.) In Server Manager, under Roles Summary, click Add Roles.

  5. In the Add Roles Wizard, if the Before You Begin page appears, click Next.

  6. Select the Streaming Media Services role and follow the instructions in the wizard to complete the installation process.

To remove Windows Media Services from an individual server

  1. If Server Manager is not already open, click Start, click Administrative Tools, and then click Server Manager. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  2. Under Roles Summary, click Remove Roles.

  3. In the Remove Roles wizard, clear the check box for Streaming Media Services.

    (In this wizard, you remove a role by clearing a check box, not by selecting a check box.)

  4. Follow the instructions in the wizard to complete the removal.

  5. Click Start, and then click Control Panel.

  6. Double-click Programs and Features.

  7. Under Tasks, click View installed updates.

  8. Under Uninstall an update, click Streaming Media Services update for Server (KB963697), and then click Uninstall.

Additional references

The following table of resources can help you as you plan or modify your implementation of Windows Media Services and Windows Media Player in your organization.

| Topic related to Windows Media Services | Link |
| --- | --- |
| Downloading | Windows Media Services 2008 for Windows Server 2008 R2 |
| Links to technical information | Streaming Media Services |
| Installation information and Help (To view Help from the Windows Media Services snap-in, press F1) | Streaming Media Services Role Overview |
| Server Core installation option | Server Core Installation Option Getting Started Guide |
| Deployment | Windows Media Services Deployment Guide |
| Product information | Windows Media Services 2008 |
| Hardware requirements | System requirements |
| Operating system choices | Windows Media Services: Decide which version of Windows Server is right for you |
| Firewalls | Using firewalls |
| Multicasting | Delivering content as a multicast stream |
| Content sources | About content sources |
| Logs (sent from clients to servers) | Privacy |
| Printed reference | Birney, B., Tricia Gill, and members of the Microsoft Windows Media Team. Microsoft Windows Media Resource Kit. Redmond, WA: Microsoft Press, 2003. |