To Configure Windows Firewall

Updated: June 1, 2008

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Windows Firewall is a host-based firewall application that is installed with Microsoft Windows XP Service Pack 2 (SP2), Windows Server 2003 with Service Pack 1 (SP1), and Windows Vista®. Unlike Windows XP with SP2 and Windows Vista, Windows Firewall in Windows Server 2003 with SP1 is not turned on by default. If you would like to use the functionality of Windows Firewall within your RMS infrastructure, you must create a few firewall exceptions. These exceptions are described below.

This topic discusses only the firewall exceptions that are specific to RMS. Other applications are likely to need additional exceptions.

On the Active Directory domain controllers, the following Windows Firewall exceptions should be made:


| Port Exception | Description |
|---|---|
| TCP 389 | Lightweight Directory Access Protocol (LDAP), used by Active Directory |
| TCP 3268 | Active Directory global catalog |

The following table shows the port exceptions that should be made on the RMS servers in the RMS cluster. The two ports do not both have to be open at the same time. For HTTP transmission, you should open only TCP port 80. If your RMS environment is using SSL or HTTPS, you should open only TCP port 443. If your organization is using a port number other than the default for RMS, you should use that port instead.


| Port Exception | Description |
|---|---|
| TCP 80 | |
| TCP 443 | HTTPS or Secure Sockets Layer communication (SSL) |

If the logging database is not hosted on a server in the RMS cluster, the following port exceptions should be created on the database server that is hosting the RMS logging database. The following table assumes that you are using Microsoft SQL Server 2000 or later.


| Port Exception | Description |
|---|---|
| TCP 1433 | Default SQL Server listening port |
| TCP 445 | SQL Server Named Pipes (used for provisioning the RMS server) |

In addition to creating these port exceptions, take special care when configuring the firewall scope. Unless your RMS environment is used in an extranet scenario, you should restrict all traffic to your organization's network. If your RMS environment needs to be available to client computers outside of your organization's network, you should allow any computer on the Internet to connect only through TCP port 443 or TCP port 80.

In an RMS environment, TCP port 445 is used to provision the RMS cluster, but this port is also the file sharing port for all computers that are running Microsoft Windows 2000 or later. Unless you have a specific need for other computers on your network to have access to this port, you should restrict the scope so that only the servers in the RMS cluster have access to TCP port 445 on the logging database server.
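The scope restrictions described above can be applied from a command prompt on the logging database server with the `netsh firewall` context that ships with Windows Server 2003 with SP1. This is an added example, not part of the original topic; the addresses, the organization network range, and the exception names are constructed placeholders that you must replace with your own values.

```batch
@echo off
rem Added example: run on the server that hosts the RMS logging database.
rem All addresses below are constructed placeholders, not values from this topic.

rem Servers in the RMS cluster (comma-separated, no spaces).
set RMS_SERVERS=10.0.0.11,10.0.0.12

rem Your organization's internal network (address/mask form).
set ORG_NET=10.0.0.0/255.255.255.0

rem TCP 1433: SQL Server listening port, limited to the organization's network.
netsh firewall add portopening protocol=TCP port=1433 name="RMS logging - SQL Server" mode=ENABLE scope=CUSTOM addresses=%ORG_NET%
if errorlevel 1 goto :failed

rem TCP 445: Named Pipes used for provisioning. This is also the file sharing
rem port, so only the RMS cluster servers are allowed to reach it.
netsh firewall add portopening protocol=TCP port=445 name="RMS provisioning - Named Pipes" mode=ENABLE scope=CUSTOM addresses=%RMS_SERVERS%
if errorlevel 1 goto :failed

rem List the configured port openings so the scope of each can be reviewed.
netsh firewall show portopening
goto :eof

:failed
echo Failed to add a firewall exception. Review the netsh output above.
exit /b 1
```

If TCP 445 already has an exception with a wider scope (for example, the built-in File and Printer Sharing exception), review it as well, because that exception also opens TCP 445 and is not narrowed by the new port opening.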

For more information about Windows Firewall, see the Help documentation for Windows Server 2003 with SP1.