Firewall Settings for your network

When you run the Configure E-mail and Internet Connection Wizard, you can enable the firewall on your server to protect your local network from unauthorized Internet access. If you have a firewall device on your network that supports configuration by the UPnP™ architecture, you can also use the wizard to automatically configure the device. For more information about how the wizard configures a firewall using the UPnP architecture, see Using routers that support UPnP.

When you enable the firewall using the Configure E-mail and Internet Connection Wizard, the standard services necessary to ensure your Internet connectivity are allowed through the firewall. Additionally, you can choose to allow any of the predefined Web services or other predefined services through the firewall, or you can create custom services that you want to allow through the firewall.

Standard services allowed by the Configure E-mail and Internet Connection Wizard

When you choose to enable the firewall using the Configure E-mail and Internet Connection Wizard, the following standard services are allowed through the firewall to ensure Internet connectivity:

Note

  • The protocol type for each of the standard services allowed through the firewall is Transmission Control Protocol (TCP).

ICMP: no port number

Enables you to test connectivity to or from the Internet. For example, you can use the ping command.

CA: outbound port 80

If you provide a signed certificate and ISA Server is installed, the outbound port 80 packet filter in ISA Server is opened so that the certificate can be validated.

Note

  • To prevent IP spoofing through the firewall, a filter is created that blocks packets arriving from the Internet whose source address claims to be in the internal IP address range.

Predefined options for Web services

When you enable the firewall using the Configure E-mail and Internet Connection Wizard, on the Web Services Configuration page, you can choose to allow access to specific Web services or to your entire Web site.

The following predefined options for Web services are available:

Note

  • The protocol type for each of the predefined Web services allowed through the firewall is Transmission Control Protocol (TCP).

Outlook® Web Access: port 80 (for http://) and port 443 (for https://)

Allows users to access their e-mail from the Internet using a Web browser. To connect securely from a Web browser to the Web server, users must type https://.

Remote Web Workplace: port 4125

Allows users to access services on the Windows Small Business Server network from the Internet using a Web browser. To connect securely from a Web browser to the Web server, users must type https://.

Note

  • If you are using Routing and Remote Access as your firewall, port 443 is used for secure communications. If you are using Microsoft® Internet Security and Acceleration (ISA) Server 2000 as your firewall, secure communications are configured through a Web listening rule.

Server performance and usage reports: port 443

Allows users to access server performance and usage reports, which contain detailed information about the overall health and use of your server. Users can connect to this service using either an http:// or an https:// connection.

Outlook® Mobile Access: ports 80 and 443

Allows users to access their e-mail from a mobile device. Users can connect to this service using either an http:// or an https:// connection.

Windows SharePoint Services intranet site: port 444

Allows users to access the intranet Web site created by Windows® SharePoint® Services. Port 444 is required to secure communications between your server and a Web browser.

To connect to the intranet Web site from the Internet, users must type https:// so that the connection between the Web browser and the Web server is secured. Users on the local network can type http://.

Important

  • If you create sub-level nodes in Windows SharePoint Services, they will also be accessible from the Internet when you allow access to the intranet Web site.

Note

  • In addition to opening the ports for Web server access, you must select to allow access to Web sites on the Web Services Configuration page of the Configure E-mail and Internet Connection Wizard.

Business Web site (wwwroot): port 80

Allows users to access the company's Internet Web site from the Internet.

Outlook via the Internet: port 80

Allows users to remotely access their e-mail from a client computer on the Internet using Microsoft® Office Outlook® 2003, without needing to create a virtual private network (VPN) connection. Outlook connects to an Exchange server through the Internet using remote procedure call (RPC) over HTTP.

This Web service requires that the client computers meet the following requirements.

Client computer requirements

  • The client computer is running Microsoft® Windows® XP Service Pack 1 or later.
  • You have installed an update that was released after Windows XP, or you have installed Windows XP Service Pack 2.
  • The client computer is running Outlook 2003 or later.
  • You have an Outlook profile configured for the server.

For more information about configuring the client computers, click Information and Answers at the Remote Web Workplace. For more information about accessing the Remote Web Workplace, see "Connect remotely to the server" in Help and Support Center.

Entire Web site: ports 80, 443, and 444

Allows users on the Internet to access the default Web site and the company's internal Web site or specific Web site services. Port 80 is required for HTTP requests to your default Web site, port 443 is required for Secure Sockets Layer (SSL) for your default Web site, and port 444 is required for SSL for the company's internal Web site. SSL secures communications between your server and a Web browser.

Note

  • In addition to opening the ports for Web server access, you must allow access to Web sites on the Web Services Configuration page of the Configure E-mail and Internet Connection Wizard.

Important

  • If the network adapter used to connect to the Internet has a dynamically assigned IP address (using DHCP), your Internet service provider (ISP) must support dynamic updates of Domain Name System (DNS) records. Otherwise, when the adapter receives a new IP address from DHCP, DNS will not be able to resolve your server's Internet domain name to the IP address in the DNS records.
  • Allowing access to Web services on your server is not supported if your server uses ISA Server 2000 as your firewall and the ISP network adapter has a dynamically assigned IP address. You must either use a static IP address for the ISP network adapter or remove ISA Server 2000 and use Basic Firewall in Routing and Remote Access Service. For more information about modifying your installation, see "Modify your Windows Small Business Server installation" in Help and Support Center.
  • When the default Web site or selected Web services are accessible from the Internet, the IP permissions are set to allow access from all IP addresses. For more information about restricting access to specific IP addresses, see Internet Information Services Help: click Start, click Server Management, double-click Advanced Management, right-click Internet Information Services, and then click Help. Search for "Securing Sites with IP Address Restrictions."

Additional services to allow

When you enable the firewall using the Configure E-mail and Internet Connection Wizard, on the Additional Services Configuration page, you can choose to allow access to any of the predefined services listed or create a new service if the one you want to allow is not listed.

The following predefined services are available from the Additional Services Configuration page:

Note

  • The protocol type for each of the additional services allowed through the firewall is Transmission Control Protocol (TCP).

E-mail: port 25

Allows incoming and outgoing SMTP traffic so that Exchange can send and receive Internet e-mail.

Virtual Private Networking (VPN): port 1723

Allows remote clients to connect securely over the Internet to the network and use resources as if the client were connected locally.

Terminal Services: port 3389

Allows users to connect to the server remotely over the Internet using Windows Terminal Services.

FTP: port 21

Allows File Transfer Protocol (FTP) connections to the server.

Note

  • To use your server as an FTP server, you must first install and configure the FTP service. For more information, click Start, and then click Help and Support.
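As an added example (not code from this Help page or from the product), the following Python script encodes the Web services and additional services port tables above, derives the inbound TCP ports a given wizard selection should leave open, audits a list of ports observed open from the Internet side against that set, and applies the anti-spoofing rule from the standard-services note. The internal range 192.168.16.0/24 and the observed port lists are constructed values.

```python
"""Audit helper for the Configure E-mail and Internet Connection Wizard port
tables above. Added example, not code from the Help page or the product.
Port numbers come from the page; the internal range and any observed open
ports passed in are constructed values, not read from a real server."""
from ipaddress import ip_address, ip_network

# Inbound TCP ports per Web service, as listed on the Web Services Configuration page.
WEB_SERVICES = {
    "Outlook Web Access": {80, 443},
    "Remote Web Workplace": {4125},  # the page notes 443 also carries it with RRAS
    "Server performance and usage reports": {443},
    "Outlook Mobile Access": {80, 443},
    "Windows SharePoint Services intranet site": {444},
    "Business Web site (wwwroot)": {80},
    "Outlook via the Internet": {80},
    "Entire Web site": {80, 443, 444},
}
# Inbound TCP ports per service on the Additional Services Configuration page.
ADDITIONAL_SERVICES = {
    "E-mail": {25},
    "Virtual Private Networking (VPN)": {1723},
    "Terminal Services": {3389},
    "FTP": {21},
}
# Constructed stand-in for the local network range behind the server.
INTERNAL_NET = ip_network("192.168.16.0/24")


def expected_inbound_ports(web_selected, additional_selected):
    """Inbound TCP ports the wizard allows for the services you selected."""
    ports = set()
    for name in web_selected:
        ports |= WEB_SERVICES[name]
    for name in additional_selected:
        ports |= ADDITIONAL_SERVICES[name]
    return ports


def audit_open_ports(observed_inbound, web_selected, additional_selected):
    """Compare ports found open from the Internet side with the expected set.
    Returns (unexpected, missing): ports exposed that no selected service
    needs, and ports a selected service needs that are not reachable."""
    expected = expected_inbound_ports(web_selected, additional_selected)
    observed = set(observed_inbound)
    return sorted(observed - expected), sorted(expected - observed)


def is_spoofed_inbound(src_ip, internal_net=INTERNAL_NET):
    """Anti-spoofing filter from the standard-services note: a packet arriving
    from the Internet must not claim a source address in the internal range."""
    return ip_address(src_ip) in internal_net
```

Any port reported as unexpected is one the wizard selection does not account for and is worth tracing back to whichever rule opened it.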

Requirements for using the Configure E-mail and Internet Connection Wizard to configure firewall settings

Whether or not you can use the Configure E-mail and Internet Connection Wizard to configure firewall settings depends on your network configuration.

If you are using the firewall provided by Windows Small Business Server, your server must be the gateway to the Internet, as shown in Figure 1.

Figure 1 - Gateway to the Internet: the Windows Small Business Server network, with the server between the local network and the Internet

If your server is not the gateway to the Internet, you cannot use the firewall provided by Windows Small Business Server. However, if you have a firewall device on your network that supports configuration using the UPnP architecture, the wizard can automatically configure the firewall settings. For more information about how the wizard configures firewalls that support the UPnP architecture, see Using routers that support UPnP.

If the device does not support the UPnP architecture, you must configure the appropriate firewall settings on your firewall device. For more information about configuring these settings, see Configuration Settings for an Existing Firewall Device in Appendix C, "Network Configuration Settings," of Getting Started (http://go.microsoft.com/fwlink/?LinkId=46897).
