Setting Firewall Configuration

If you have problems delivering or receiving Windows Media streams, you may need to open additional ports in your firewall. This document briefly explains firewalls, describes how Windows Media interacts with firewalls, and offers suggested firewall settings.

General Protocol and Firewall Information

A firewall is a piece of hardware or software that prevents data packets from either entering or leaving a specified network. To control the flow of traffic, numbered ports in the firewall are either opened or closed to particular types of packets. The firewall looks at two pieces of information in each arriving or departing packet: the protocol through which the packet is being delivered (TCP or UDP here) and the destination port number. If the firewall is configured to accept the specified protocol on the targeted port, the packet is allowed through. Note that TCP has a handshake a stateful firewall can track, so a connection allowed out is normally allowed back in; UDP has no such handshake, which is why the UDP data ports below must be opened explicitly in the direction the data flows.

Windows Media and Firewalls

Because Windows Media does not use any of the standard or "well-known" ports that would be open by default (except HTTP), you must open special ports. Windows Media Technologies was formerly known as NetShow; many firewalls have a NetShow port setting that can also be used for Windows Media.

When you allocate ports for Windows Media, you must open both the UDP and TCP ports corresponding to those port numbers. The number ranges in the documentation below indicate the entire range of available ports; typically, the actual number of ports you need to open will be far less.

When deciding how many ports to open, balance security with accessibility by opening just enough ports to allow all clients to make a connection. However, port range restrictions potentially affect all remote procedure call (RPC) and Distributed Component Object Model (DCOM) applications sharing the system, not just Windows Media. If the port range is not broad enough, competing services such as Internet Information Server (IIS) will start to fail with seemingly random errors. The port range must be able to accommodate all potential applications on the system that will use RPC/COM/DCOM services. The number of open ports is entirely up to the individual corporate security philosophy, but as a starting point, determine how many ports you expect to use for Windows Media, then open 10% more to account for overlap with other programs. Once you've established this number, watch your traffic to determine whether adjustments are necessary.

Firewall and Registry Settings for DCOM

DCOM dynamically allocates one port per process. You need to decide how many ports you want to allocate to DCOM processes, which is equivalent to the number of simultaneous DCOM processes through the firewall. You must open all of the UDP and TCP ports corresponding to the port numbers you choose. You also need to open TCP and UDP port 135, which is used for RPC endpoint mapping, among other things. In addition, you must edit the registry to tell DCOM which ports you reserved. You do this under the HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet registry key, which you will probably have to create.

The following example restricts DCOM to the ten ports 3001 through 3010 (port 135 is listed as well so that the endpoint mapper stays reachable):

Named Value: Ports
Type: REG_MULTI_SZ
Setting: One port or port range per line, for example:
3001-3010
135

Named Value: PortsInternetAvailable
Type: REG_SZ
Setting:"Y"

Named Value: UseInternetPorts
Type: REG_SZ
Setting: "Y"

These registry settings must be established in addition to all firewall settings listed below, and they take effect only after the computer is restarted, because RPC reads the key when it starts.
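The registry procedure above, as an added example that is not part of the original page: it writes the three values with PowerShell, which postdates this document, and then reads the key back and expands every entry so you can see exactly how many ports RPC will hand out and therefore how many the firewall must open. The starting port 3001, the 10% headroom rule and the inclusion of 135 follow the page; the function names are this example's own. Run it as Administrator.

```powershell
# Added example (not from the original page): apply the DCOM/RPC port
# restriction described above and verify it. Assumes the PowerShell registry
# provider (Windows 2000 or later with PowerShell installed). Run as Administrator.

$RpcInternetKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

function Get-DcomPortPlan {
    # Turn "how many simultaneous DCOM processes do I expect" into a port
    # range, adding the 10% headroom the page recommends (rounded up).
    param(
        [Parameter(Mandatory)][int]$ExpectedProcesses,
        [int]$FirstPort = 3001    # 3001 matches the page's example; otherwise an assumption
    )
    $count = [int][math]::Ceiling($ExpectedProcesses * 1.1)
    $last  = $FirstPort + $count - 1
    if ($last -gt 65535) { throw "Range $FirstPort-$last exceeds the valid port space" }
    [pscustomobject]@{ Count = $count; Range = "$FirstPort-$last" }
}

function Set-DcomPortRestriction {
    param([Parameter(Mandatory)][string]$Range)
    # The key usually does not exist yet; -Force creates it (and any parents).
    $null = New-Item -Path $RpcInternetKey -Force
    # "Ports" is REG_MULTI_SZ: one port or one range per element. The page's
    # example lists 135 (the endpoint mapper) alongside the dynamic range.
    Set-ItemProperty -Path $RpcInternetKey -Name 'Ports' -Value @($Range, '135') -Type MultiString
    Set-ItemProperty -Path $RpcInternetKey -Name 'PortsInternetAvailable' -Value 'Y' -Type String
    Set-ItemProperty -Path $RpcInternetKey -Name 'UseInternetPorts' -Value 'Y' -Type String
}

function Test-DcomPortRestriction {
    # Read the key back and expand every entry into individual port numbers,
    # so the count can be compared against the firewall rules.
    if (-not (Test-Path $RpcInternetKey)) { return $null }
    $v = Get-ItemProperty -Path $RpcInternetKey
    $ports = foreach ($entry in @($v.Ports | Where-Object { $_ })) {
        if ($entry -match '^(\d+)-(\d+)$')  { ([int]$Matches[1])..([int]$Matches[2]) }
        elseif ($entry -match '^\d+$')      { [int]$entry }
        else { Write-Warning "Ignoring malformed Ports entry '$entry'" }
    }
    [pscustomobject]@{
        Ports                  = $ports
        PortCount              = @($ports).Count
        PortsInternetAvailable = $v.PortsInternetAvailable
        UseInternetPorts       = $v.UseInternetPorts
        # Both flags must be "Y" or RPC ignores the Ports list entirely.
        Effective              = ($v.PortsInternetAvailable -eq 'Y' -and $v.UseInternetPorts -eq 'Y')
    }
}

$plan = Get-DcomPortPlan -ExpectedProcesses 10   # 10 processes + 10% headroom = 11 ports, 3001-3011
Set-DcomPortRestriction -Range $plan.Range
Test-DcomPortRestriction | Format-List
# RPC reads this key at startup: reboot before trusting the result, and open
# the same TCP and UDP ports (plus 135) on the firewall.
```

The verification step matters because a typo in either "Y" flag silently leaves DCOM on its full dynamic range, and the firewall rules you wrote for 3001-3011 then block every DCOM call instead of restricting it.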

Firewall Settings for Windows Media

There are five primary scenarios to consider when setting up a firewall to accommodate Windows Media:

  • Using Windows Media Player behind a firewall to access content outside the firewall

  • Using Windows Media Player outside a firewall to access content on a Windows Media server behind a firewall

  • Using Windows Media Encoder outside a firewall to access a Windows Media server behind the firewall, or communicating between two servers across a firewall

  • Using Windows Media Administrator outside a firewall to manage a Windows Media server behind a firewall

  • IP Multicast

In the examples below, In means traffic entering the network on the protected side of the firewall and Out means traffic leaving it; the port number given is the destination port of the packet. For example, "Out: TCP on 1755" is a Windows Media Player (or other client) connecting out to port 1755 on the server, and "In: UDP between port 1024-5000" is the server's stream data coming back in to a port the client chose from that range.

Server to Client Behind a Firewall

A firewall configuration that allows users with the Windows Media Player behind a firewall to access Windows Media servers outside the firewall is:

Streaming ASF with UDP
Out: TCP on 1755
Out: UDP on 1755
In: UDP between port 1024-5000 (Only open the necessary number of ports, and restrict the rule to the addresses of the media servers you actually use.)

Streaming ASF with TCP
In/Out: TCP on port 1755

Streaming ASF with HTTP
In/Out: TCP on Port 80

Server Behind a Firewall to Client

The following firewall configuration allows users with the Windows Media Player outside of a firewall to access a Windows Media server behind a firewall:

Streaming ASF with UDP
In: TCP on port 1755
In: UDP on port 1755
Out: UDP between port 1024-5000 (Only open the necessary number of ports.)

Streaming ASF with TCP
In/Out: TCP on port 1755

Streaming ASF with HTTP
In/Out: TCP on Port 80

Protocol: MSBD
In/Out: TCP on port 7007
For server-to-encoder communication, you can specify a different port. The default port is 7007, but in the Windows Media Encoder Output dialog box you can choose any other free port; you can also push a button to allow the encoder to select a different port. If you choose a different port, you must specify the same port on the server when you set up the station.

Encoder to Server Behind a Firewall/Server to Server Across a Firewall

The following firewall configuration allows users with the Windows Media Encoder outside of a firewall to access a Windows Media server behind a firewall:

Protocol: MSBD
In/Out: TCP on port 7007.
For encoder-to-server communication, you can specify a different port. The default port is 7007, but in the Windows Media Encoder Output dialog box you can choose any other free port; you can also push a button to allow the encoder to select a different port. If you choose a different port, you must specify the same port on the server when you set up the station.

Administrator to Server Behind a Firewall

The following firewall configuration allows users with the Windows Media Administrator outside of a firewall to access a Windows Media server behind a firewall:

Protocol: HTTP
In/Out: TCP on port 80

Protocol: DCOM
In: TCP and UDP on port 135
You must open both TCP and UDP on port 135. This port carries the RPC endpoint mapper, which is used for initial Windows Media server-to-client and server-to-encoder communications as well as other essential processes; the DCOM calls that follow move to the port range you reserved in the registry settings above, so that range must be open as well. The protocol used for these initial communications is DCOM.

IP Multicast

The following firewall configuration enables IP Multicasting:

Streaming ASF with Multicast
IP Multicast Address range: 224.0.0.1 to 239.255.255.255
To enable IP Multicasting you must allow packets sent to the standard IP Multicast address range above to come through your firewall. This IP Multicast address range must be enabled on both client and server sides, as well as on every router in between, and those routers must also be running a multicast routing protocol or they will simply drop the traffic. Note that 224.0.0.0 through 224.0.0.255 is reserved for link-local protocols and is never forwarded by routers; choose the stream's group address elsewhere in the range, and open the firewall only for the group addresses and UDP ports you actually use rather than the whole range.