Windows Firewall and Message Queuing

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Windows Firewall monitors and restricts the information that travels between your computer and a network or the Internet. It drops all incoming traffic except traffic sent in response to a request from the computer (solicited traffic) and traffic for a program or port that has been added to the exceptions list. This behavior provides a level of protection from malicious users and programs that use unsolicited incoming traffic to attack computers. By default, Windows Firewall is disabled on Windows Server 2003 Service Pack 1 (SP1), so the exceptions list has no effect until the firewall is enabled.

When Windows Firewall is enabled, Windows computers are better protected; however, the firewall can impair some types of communication and affect applications such as Message Queuing. To address this, Windows Server 2003 SP1 lets administrators define an exceptions list of applications by specifying the path and file name of each application.

Configuring Windows Firewall for Message Queuing

In Windows Server 2003 Service Pack 1 (SP1), Windows Firewall is disabled by default for all connections, including LAN (wired and wireless), dial-up, and virtual private network (VPN) connections, and new connections are also created with Windows Firewall disabled. Windows Firewall is enabled only if you explicitly enable it by using the Network Setup Wizard or the Internet Connection Wizard, or if the Windows Firewall/Internet Connection Sharing (ICS) service was already enabled when you applied SP1.

By default, when you install or upgrade Message Queuing, Setup automatically adds the Message Queuing service (mqsvc.exe) to the Windows Firewall exceptions list. Because this is a program exception rather than a port exception, it admits unsolicited traffic on whatever ports mqsvc.exe is listening on. You can remove Message Queuing from the exceptions list by running the following command:

netsh firewall delete allowedprogram program=%windir%\system32\mqsvc.exe profile=all

By default, when you install or upgrade to Windows Server 2003 SP1, the Downlevel Client Support component (mqdssvc.exe) is also added to the exceptions list. This service is separate from the Message Queuing service (mqsvc.exe) and is not installed by default, so the entry admits nothing on computers where the component is absent. To remove mqdssvc.exe from the exceptions list, run the following command:

netsh firewall delete allowedprogram program=%windir%\system32\mqdssvc.exe profile=all

To add Message Queuing to the exceptions list, run the following command:

netsh firewall add allowedprogram program=%windir%\system32\mqsvc.exe name=msmq mode=enable scope=all profile=all

To add Message Queuing Downlevel Client Support component (mqdssvc.exe) to the exceptions list, run the following command:

netsh firewall add allowedprogram program=%windir%\system32\mqdssvc.exe name=mqds mode=enable scope=all profile=all

To view the exceptions list, run the following command:

netsh firewall show allowedprogram ENABLE

When Message Queuing runs with Windows Firewall enabled, you might need to add Remote Administration to the exceptions list in order to view public queues on remote computers by using Active Directory Users and Computers. To do so, run the following command:

netsh firewall set service type=remoteadmin mode=enable scope=all
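The following script is an added example and is not part of the original page or of Message Queuing Setup. It wraps the netsh commands above so that the exception entries can be added, removed and verified in one step, checks that mqdssvc.exe actually exists before adding an exception for it, and defaults to the netsh scope=SUBNET setting instead of scope=all so that the exception admits only hosts on the local subnet. It assumes that PowerShell (2.0 or later) is installed on the Windows Server 2003 SP1 computer and that it runs in an administrative session; the function names, the parameter names and the loose parsing of the "show allowedprogram" output are this example's own choices.

```powershell
# Added example (not from the original page): manage and verify the Message
# Queuing exceptions with the legacy "netsh firewall" context.
# Assumes PowerShell 2.0+ on the host and an administrative session.
#
# Usage:  .\Set-MsmqFirewallException.ps1 -Action add -Scope subnet -RemoteAdmin
#         .\Set-MsmqFirewallException.ps1 -Action check

param(
    [ValidateSet('add', 'remove', 'check')]
    [string]$Action = 'check',
    # 'all' mirrors the page's commands. 'subnet' (netsh scope=SUBNET) admits
    # only hosts on the local subnet, the tighter choice for a queue server
    # that has no clients beyond its own network.
    [ValidateSet('all', 'subnet')]
    [string]$Scope = 'subnet',
    # Also enable the Remote Administration exception, which is needed to browse
    # remote public queues from Active Directory Users and Computers.
    [switch]$RemoteAdmin
)

# Both binaries the page adds. mqdssvc.exe exists only when the Downlevel
# Client Support component is installed, so it is skipped when absent.
$msmqPrograms = @(
    @{ Name = 'msmq'; Path = Join-Path $env:windir 'system32\mqsvc.exe' },
    @{ Name = 'mqds'; Path = Join-Path $env:windir 'system32\mqdssvc.exe' }
)

function Invoke-Netsh {
    # Runs netsh and turns a non-zero exit code into a terminating error so a
    # failed step is never silently reported as success.
    param([string[]]$NetshArgs)
    $output = & netsh.exe $NetshArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "netsh $($NetshArgs -join ' ') failed: $output"
    }
    return $output
}

function Test-AllowedProgram {
    # Returns $true when an *enabled* exception for $Path is listed in any
    # profile. The text of "show allowedprogram" is matched loosely (a line
    # that starts with 'Enable' and contains the path) rather than by column.
    param([string]$Path)
    $listing = Invoke-Netsh @('firewall', 'show', 'allowedprogram')
    $pattern = '^\s*Enable\b.*' + [regex]::Escape($Path)
    foreach ($line in $listing) {
        if ("$line" -imatch $pattern) { return $true }
    }
    return $false
}

foreach ($p in $msmqPrograms) {
    if (-not (Test-Path $p.Path)) {
        Write-Host "$($p.Path) is not installed; skipping."
        continue
    }
    switch ($Action) {
        'add' {
            Invoke-Netsh @('firewall', 'add', 'allowedprogram',
                "program=$($p.Path)", "name=$($p.Name)", 'mode=enable',
                "scope=$Scope", 'profile=all') | Out-Null
        }
        'remove' {
            Invoke-Netsh @('firewall', 'delete', 'allowedprogram',
                "program=$($p.Path)", 'profile=all') | Out-Null
        }
    }
    # Verify against the live configuration, not against the command we sent.
    $state = if (Test-AllowedProgram $p.Path) { 'allowed' } else { 'NOT allowed' }
    Write-Host "$($p.Name) ($($p.Path)): $state"
}

if ($RemoteAdmin -and $Action -eq 'add') {
    Invoke-Netsh @('firewall', 'set', 'service', 'type=remoteadmin',
        'mode=enable', "scope=$Scope") | Out-Null
    Write-Host "Remote Administration exception enabled (scope=$Scope)."
}
```

Running the script with -Action check after Message Queuing Setup shows whether Setup's default entries survived, which is also the check to run after a domain Group Policy refresh, since policy can replace the local list. Use -Scope all only when clients outside the local subnet must reach the queue server.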

When you install MSMQ HTTP Support, Setup automatically installs Internet Information Services (IIS), which provides the World Wide Web Publishing Service, and creates an IIS extension for Message Queuing named MSMQ. The HTTP traffic is received by IIS rather than by mqsvc.exe, so the Message Queuing exception alone does not admit it; refer to the IIS documentation for information about configuring IIS for Windows Firewall.

You can also use the Security Configuration Wizard included with Windows Server 2003 SP1 to add Message Queuing to, or remove it from, the exceptions list. For more information, see Security Configuration Wizard Overview.

For computers running Windows Server 2003 SP1 that are joined to a domain, you can also configure Windows Firewall settings through Active Directory, by using the Windows Firewall settings under Computer Configuration in Group Policy on Windows 2000 or Windows Server 2003. Domain policy overrides the local Windows Firewall settings, so an exception added locally with netsh does not take effect if the domain policy does not permit it.