Step 2: Allowing Unsolicited Inbound Network Traffic for a Specific Program

  • Article

Updated: December 7, 2009

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

When you use a program that must be able to receive unsolicited inbound network traffic, you must create a rule to permit that traffic to pass through the firewall. Client computers typically do not need this, because incoming network packets are responses to previous outgoing requests to servers elsewhere on the network. However, if you install a network service then your computer will receive unsolicited network traffic from clients to the service. Servers, of course, also expect unsolicited inbound network traffic for the services hosted on them.

By default on Windows 7 and Windows Vista, when you start such a program and it registers with Windows to listen on a specific TCP or UDP port number, Windows blocks the request and displays a dialog box asking for your instructions. If you decide to allow the program then Windows automatically creates a firewall rule to allow all network traffic for that program. You can also create a similar rule manually. If you create such a rule and distribute it by using Group Policy then users do not have to see the dialog box and decide what to do.

By default on computers that are running Windows Server 2008 R2 or Windows Server 2008, the notification dialog box does not appear, but the program is still silently blocked. If firewall logging of dropped packets is enabled, as you did in the last section then the log file is the only indication that these packets arrived and were dropped. So on computers that are running one of those versions of Windows Server, you must create rules for each program or service that requires unsolicited inbound network traffic. Another advantage to creating the rule manually is that you can customize the rule to restrict it to only the specific traffic required by the program.

Note

While not demonstrated in this guide, there is another option of which you should be aware. The IPv6 transition technology called Teredo involves tunneling IPv6 packets inside IPv4 packets with UDP headers. Because UDP can be translated by a network address translator (NAT), Teredo enables IPv6 clients to communicate even if the clients are behind one or more IPv4 NATs. To correctly process this kind of IPv6 embedded in IPv4 traffic, firewall rules support an “edge traversal” option. If your firewall rule is for a client computer that might be receiving inbound traffic from a remote computer over a Teredo tunnel then the firewall rule must specify Allow edge traversal. On the firewall rule Properties page, on the Advanced tab, under Edge traversal, select Allow edge traversal. For more information about Teredo, see Teredo Overview (https://go.microsoft.com/fwlink/?linkid=159757) in the Windows Server Technical Library.

In this section, as a first example, you create a firewall rule that allows inbound traffic for the Telnet service through the firewall, and then you deploy that rule to MBRSVR1 by using Group Policy.

To create a firewall rule that allows inbound traffic for a program

  1. On MBRSVR1, in the Group Policy Management window, right-click Firewall Settings for Windows Servers (not clients), and then click Edit.

  2. In the navigation pane, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Windows Firewall with Advanced Security, and then expand Windows Firewall with Advanced Security - LDAP://cn={GUID},cn=policies,cn=system,DC=contoso,dc=com.

  3. Right-click Inbound Rules, and then click New rule.

  4. On the Rule Type page, click Custom, and then click Next.

Note

We recommend that you create rules that are as specific as possible. That means you might want to specify both the program, to ensure the rule only allows traffic when that program is running, and the port, to make sure that the program can only receive on the specified port number. To see all the options available in the wizard, use the Custom rule type.

  1. In the text box for This program path, type %systemroot%\system32\tlntsvr.exe.

  2. Because programs can host multiple services, we recommend that you also limit the rule to the specific service you want. Next to Services, click Customize.

  3. Click Apply to this service, select Telnet, click OK, and then click Next.

Note

The list of services includes only the services currently installed on the computer on which you are editing the GPO. If the service you want to specify is not installed on this computer, you can use the option Apply to service with this service short name, and then type the service name in the text box. To discover the service short name, use the Services MMC snap-in on a computer on which the service is installed.

  1. On the Protocols and Ports page, click Next. You restrict the rule to a specific port in the next section.

  2. On the Scope page, click Next.

  3. On the Action page, select Allow the Connection, and then click Next.

  4. On the Profile page, clear the Private and Public check boxes. Confirm that Domain is selected, and then click Next.

  5. On the Name page, type Allow Inbound Telnet, and then click Finish.

Before you deploy the GPO, configure some other settings to make sure that locally defined rules on your server computers cannot interfere with your domain provided rules.

To finish configuring the firewall rule for the member server

  1. In the navigation pane of the Group Policy Management Editor (editing Firewall Settings for Windows Servers), right-click Windows Firewall with Advanced Security - LDAP://cn={GUID},cn=policies,cn=system,DC=contoso,dc=com, and then click Properties.

  2. Set Firewall state to On (recommended).

  3. Set Inbound connections to Block (default).

  4. Set Outbound connections to Allow (default). You will examine outbound rules in the next section.

  5. In the Settings section, click Customize.

  6. Set Display a notification to No.

  7. Set Apply local firewall rules to No.

  8. Set Apply local connection security rules to No.

  9. Click OK two times to save your GPO.

In this procedure, you deploy your GPO to your member server.

To update the GPO on the member server

  1. Open Administrator: Command Prompt, and then run gpupdate /force. Wait for the command to finish.

  2. Open the Windows Firewall with Advanced Security snap-in.

  3. In the navigation pane, expand Monitoring, and then click Firewall. Note that the only currently active rule is the Allow Inbound Telnet rule that you created in the GPO.

In this procedure, you test the deployed firewall rule.

To test the Telnet firewall rule

  1. On CLIENT1, at Administrator: Command Prompt, type telnet mbrsvr1, and then press ENTER.

    After several seconds the following screen appears and indicates that your Telnet firewall rule is working.

  2. Close the Telnet session by typing exit, and then pressing ENTER.

In this procedure, you confirm that it is not the local Telnet rule that was created when the Telnet Server service was installed on MBRSVR1. You disable that rule and confirm that Telnet still works because your GPO applied rule is active.

To confirm that it is your GPO rule that allows Telnet to work

  1. On MBRSVR1, in the Windows Firewall with Advanced Security snap-in, in the navigation pane, click Inbound Rules. Note your GPO-based Telnet firewall rule is listed at the top.

  2. Scroll down to the rule named Telnet Server, right-click it, and then click Disable rule.

  3. On CLIENT1, at the command prompt, run telnet mbrsvr1 again, and then confirm that it is still working.

  4. Close the Telnet session by typing exit, and then pressing ENTER.

Finally, you demonstrate that the Telnet service can listen for network traffic on any port the way the rule is currently configured.

To show that the firewall rule allows Telnet network traffic on a specified port

  1. On MBRSVR1, at an Administrator: Command Prompt, type tlntadmn config port=25, and then press ENTER. This configures your Telnet server to listen on port 25 instead of the default port 23.

  2. On CLIENT1, at a command prompt, type telnet mbrsvr1 25. This instructs the client to use port 25 for its connection instead of the default port 23.

    The connection succeeds.

In the next section, you configure the rule to allow traffic only on a port number you specify. This is an improvement in security, because it allows traffic only on those ports on which you have active services listening.

Next topic: Step 3: Allowing Inbound Traffic to a Specified TCP or UDP Port