Ports Used and Network Topology in Windows Azure Pack: Web Sites

 

Applies To: Windows Azure Pack

Note

This article only applies to Web Sites deployments using Update Release 5 or earlier.

A complete Web Sites deployment consists of the following five direct web roles. The abbreviations in parentheses are used elsewhere in this document.

  • Controller (CN)

  • Management (MN)

  • Front End (FE)

  • Publisher (PB)

  • Worker (WW)

There can be multiple instances of each role type. The connections and listening ports described here also apply to each additional role of the same type, so the number of connections increases with each web role that is added.

There are supporting systems that may or may not be on separate hosts depending on how the system is deployed. For the purpose of this documentation, it is assumed that they are deployed on separate hosts. They are:

  • Database (DB)

  • File Server (FS)

During deployment, some port settings are made on the roles to enable automated deployment. Some port settings are also set by the base operating system. These are reflected in the list of the ports opened below.

Note

The lists in this section apply only to the five web roles mentioned, and not necessarily to the Database or File Server roles.

Listening ports held in common across each web role

| Port | Application/Use | Notes |
|---|---|---|
| 80 | System/Internet HTTP port | |
| 135 | System/DCOM Service Control Manager | This port should never be exposed to the internet. Port 135 is required to reboot a role if it cannot be repaired. The technology used is WMI remoting. |
| 139 | System/Windows File and Printer Sharing | This port should never be exposed to the internet. |
| 445 | System/SMB for IP | Used for file sharing support with the file server. This port should be open only on select roles. |
| 5985 | System/Windows Remote Management | Windows Remote Management is a SOAP endpoint used to manage the system remotely. |
| 47001 | System/Windows Remote Management Service | This service supports Windows Remote Management. |
| 49152+ | | Dynamic port range. See the list of dynamic range applications that follows. |

Dynamic range applications

Wininit.exe – Windows Start-up Application – Wininit.ini lists all of the changes to be made to Windows when you restart the computer after installing a program. The .exe is the program that starts the .ini file. It can be run only when the computer restarts, so changes to it can be made only when Windows is not running.

Lsass.exe – Local Security Authority Subsystem Service – enforces security such as user verification when signing in, password update change processing, access tokens and more. If the process is killed, the OS must reboot.

Spoolsv.exe – The Spooler Subsystem is responsible for managing printing and fax jobs. This process allows printing to occur in the background without tying up your applications. Not a critical process.

Svchost.exe – This is a generic host process name for services that run from dynamic-link libraries (.dll files). The .dll files in use for Windows Azure Pack: Web Sites include those providing DHCP client, TCP/IP NetBIOS, Hyper-V Time Synchronization, and Windows Connection Manager support.

The controller is responsible for administering all of the web roles. It connects to each of the web roles, to the database, and to itself.

Listening ports on the Controller role

| Used | Port | Application/Use | Notes |
|---|---|---|---|
| * | 80 | System/Internet HTTP port | Used for the offline feed. |
| * | 135 | System/DCOM Service Control Manager | This port should never be exposed to the internet. See note in the Common Ports section. |
| | 139 | System/Windows File and Printer Sharing | This port should never be exposed to the internet. |
| * | 445 | System/SMB for IP | Used for file sharing support with the file server. This port should only be opened on selected roles. |
| | 5895 | System/Windows Remote Management | |
| | 8172 | System/Web Deploy | |
| * | 8675 | WebFarmService | Used for .NET remoting. |
| | 30101 | System/Unknown | |
| | 47001 | System/Windows Remote Management Service | This service supports Windows Remote Management. |
| | 49152+ | | Dynamic port range. See the list of dynamic range applications earlier in this document. |

Outbound connections from the Controller role

The Destination column lists, in the format DestinationServerRoleAbbreviation: PortNumber, the port that is being connected to on the destination server specified. For example, FS: 445 in the following table indicates that the Controller connects to port 445 on the File Server role.

| Destination | Application/Use | Notes |
|---|---|---|
| FS: 445 | System/SMB file share | There are 4 connections in use on the SMB port. |
| PB: 445 | System/SMB file share | There are 4 connections in use on the SMB port. |
| MN: 445 | System/SMB file share | There are 4 connections in use on the SMB port. |
| DB: 1433 | WebFarmService | The application uses 5 connections to the same DB port. |
| DB: 1433 | ResourceMeteringService | The application uses 2 connections to the same DB port. |
| PB: 8173 | WebFarmService | |
| MN: 8173 | WebFarmService | |
| WW: 8173 | WebFarmService | |
| FE: 8173 | WebFarmService | |
| Localhost: 8675 | WebFarmService | |

The Management role is responsible for the REST interface that is exposed so that the Portal can manage the Web Sites stamp. The Management role communicates with the Database, Controller and File Server roles.

Listening ports on the Management role

| Used | Port | Application/Use | Notes |
|---|---|---|---|
| * | 80 | System/Internet HTTP port | |
| * | 135 | System/DCOM Service Control Manager | This port should never be exposed to the internet. See note in the Common Ports section. |
| | 139 | System/Windows File and Printer Sharing | This port should never be exposed to the internet. |
| | 443 | System/HTTPS listen port | Used as the HTTPS listening port for the MN REST interface. The management Portal uses this port. |
| * | 445 | System/SMB for IP | Used for file sharing support with the file server. |
| | 3389 | Svchost/Remote Desktop Services | |
| | 5895 | System/Windows Remote Management | |
| | 8172 | System/Web Deploy | |
| * | 8173 | System | The Controller connects through this port. |
| | 47001 | System/Windows Remote Management Service | This service supports Windows Remote Management. |
| | 49152+ | | Dynamic port range. See the list of dynamic range applications earlier in this document. |

Outbound connections from the Management role

| Destination | Application/Use | Notes |
|---|---|---|
| FS: 445 | System/SMB file share | |
| DB: 1433 | w3wp.exe | The w3wp.exe process handles requests sent to application pools. 3 connections are open. |
| DB: 1433 | UsageService | 2 connections are open. |
| DB: 1433 | ResourceMeteringService | The application uses 2 connections to the same DB port. |
| FS: 5985 | WebFarmAgentService | 6 connections are open. |

The Front End role is the web accessible endpoint for web sites. Its primary purpose is to route the request to the appropriate worker holding the web site.

Listening ports on the Front End role

| Used | Port | Application/Use | Notes |
|---|---|---|---|
| * | 80 | System/DCOM Service Control Manager | |
| * | 135 | System/DCOM Service Control Manager | This port should never be exposed to the internet. |
| | 139 | System/Windows File and Printer Sharing | This port should never be exposed to the internet. |
| * | 443 | System/HTTPS listener | HTTPS listening port for web sites. |
| * | 445 | System/SMB for IP | Used for file sharing support with the file server. |
| | 3389 | Svchost/Remote Desktop Services | |
| | 5895 | System/Windows Remote Management | |
| * | 8173 | System | The Controller connects through this port. |
| | 47001 | System/Windows Remote Management Service | This service supports Windows Remote Management. |
| | 49152+ | | Dynamic port range. See the list of dynamic range applications earlier in this document. |

Outbound connections from the Front End role

| Destination | Application/Use | Notes |
|---|---|---|
| DB: 1433 | w3wp.exe | The w3wp.exe process handles requests sent to an application pool. |
| DB: 1433 | ResourceMeteringService | The application uses 2 connections to the same DB port. |

The publisher handles customer publication of web sites by protocols like FTP.

Listening ports on the Publisher role

| Used | Port | Application/Use | Notes |
|---|---|---|---|
| | 21 | Svchost/FTP | |
| | 80 | System/Internet HTTP port | |
| * | 135 | System/DCOM Service Control Manager | This port should never be exposed to the internet. See note in the Common Ports section. |
| | 139 | System/Windows File and Printer Sharing | This port should never be exposed to the internet. |
| | 443 | System/HTTPS | |
| * | 445 | System/SMB for IP | Used for file sharing support with the file server. |
| | 990 | Svchost/FTP | |
| | 1231 | w3wp.exe | The w3wp.exe process handles requests sent to an application pool. |
| | 3389 | Svchost/Remote Desktop Services | |
| | 5895 | System/Windows Remote Management | |
| | 8172 | System/Web Deploy | |
| * | 8173 | System | The Controller connects through this port. |
| | 8176 | DWASSVC | Dynamic WAS Service |
| | 47001 | System/Windows Remote Management Service | This service supports Windows Remote Management. |
| | 49152+ | | Dynamic port range. See the list of dynamic range applications earlier in this document. |

Outbound connections from the Publisher role

| Destination | Application/Use | Notes |
|---|---|---|
| DB: 1433 | WebFarmAgentService | |
| DB: 1433 | ResourceMeteringService | The application uses 2 connections to the same DB port. |

The Worker (Web Worker) role is responsible for running the web sites themselves. A Web Worker can be deployed as a multitenant system that is capable of supporting multiple customers simultaneously, or it can be reserved for one tenant. The Web Worker connects to the Database and the File Server.

Listening ports on the Worker role

| Used | Port | Application/Use | Notes |
|---|---|---|---|
| * | 80 | System/Internet HTTP port | |
| * | 135 | System/DCOM Service Control Manager | This port should never be exposed to the internet. See note in the Common Ports section. |
| | 139 | System/Windows File and Printer Sharing | This port should never be exposed to the internet. |
| * | 445 | System/SMB for IP | Used for file sharing support with the file server. |
| | 3389 | Svchost/Remote Desktop Services | |
| | 5985 | System/Windows Remote Management | |
| * | 8173 | System | The Controller connects through this port. |
| | 8676 | DWASSVC | Dynamic WAS Service |
| | 47001 | System/Windows Remote Management Service | This service supports Windows Remote Management. |
| | 49152+ | | Dynamic port range. See the list of dynamic range applications earlier in this document. |

Outbound connections from the Worker role

| Destination | Application/Use | Notes |
|---|---|---|
| FS: 445 | System/SMB for IP | |
| DB: 1433 | DWASSVC | Dynamic WAS Service |
| DB: 1433 | ResourceMeteringService | The application uses 2 connections to the same DB port. |

Listening ports on the File Server role

| Used | Port | Application/Use | Notes |
|---|---|---|---|
| | 135 | System/DCOM Service Control Manager | This port should never be exposed to the internet. See note in the Common Ports section. |
| | 139 | System/Windows File and Printer Sharing | This port should never be exposed to the internet. |
| | 445 | System/SMB for IP | Handles incoming data from the CN, WW, and MN roles. |
| | 3389 | Svchost/Remote Desktop Services | |
| | 5895 | System/Windows Remote Management | Handles incoming data from the MN role. |
| | 8173 | System | The Controller connects through this port. |
| | 47001 | System/Windows Remote Management Service | This service supports Windows Remote Management. |
| | 49152+ | | Dynamic port range. See the list of dynamic range applications earlier in this document. |

Outbound connections from the File Server role

None.

The following list of ports used is based on the installation of a standalone database server using SQLEXPRESS that had no outbound connections. A MySQL database instance will have connections if the web sites being serviced require MySQL. The sample database server had no MySQL connections.

Listening ports on the Database role

| Used | Port | Application/Use | Notes |
|---|---|---|---|
| | 1 | sqlservr.exe/SQL Server database | |
| | 135 | System/DCOM Service Control Manager | This port should never be exposed to the internet. See note in the Common Ports section. |
| | 139 | System/Windows File and Printer Sharing | This port should never be exposed to the internet. |
| | 445 | System/SMB for IP | Handles incoming data from the CN, WW, and MN roles. |
| * | 1433 | sqlservr.exe/Primary listening port for the SQL Server database | The CN, WW, MN, PB, and FE roles connect to this port. |
| * | 3306 | mysqld.exe/Listening port for the MySQL database | |
| | 3389 | Svchost/Remote Desktop Services | |
| | 47001 | System/Windows Remote Management Service | This service supports Windows Remote Management. |
| | 49152+ | | Dynamic port range. See the list of dynamic range applications earlier in this document. |

Outbound connections from the Database role

None.

The following diagram shows the persistent connections within the Windows Azure Pack: Web Sites cloud. The diagram does not reflect transient connections to some of the listen ports noted earlier.

Connections within a Web Sites cloud
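
The outbound tables above can serve as an allowlist when auditing flow records collected from the stamp. The sketch below is an added example, not part of the original article or of Windows Azure Pack; the IP addresses, role inventory and flow tuples are constructed. Because the tables cover persistent connections only, each finding is a candidate for review rather than a confirmed violation.

```python
# Added example. Documented outbound connections per source role, copied
# from the "Outbound connections from the ... role" tables on this page.
DOCUMENTED = {
    "CN": {("FS", 445), ("PB", 445), ("MN", 445), ("DB", 1433),
           ("PB", 8173), ("MN", 8173), ("WW", 8173), ("FE", 8173),
           ("CN", 8675)},  # last entry is "Localhost: 8675"
    "MN": {("FS", 445), ("DB", 1433), ("FS", 5985)},
    "FE": {("DB", 1433)}, "PB": {("DB", 1433)},
    "WW": {("FS", 445), ("DB", 1433)},
    "FS": set(),  # table says "None."
    "DB": set(),  # table says "None."
}
# Ports the listening tables say should never be exposed to the internet.
NEVER_EXTERNAL = {135, 139}


def audit(flows, roles):
    """Return (flow, verdict) for flows outside the documented matrix.

    flows: iterable of (src_ip, dst_ip, dst_port); roles: IP -> role
    abbreviation. An IP missing from roles is treated as outside the stamp.
    """
    findings = []
    for src, dst, port in flows:
        s, d = roles.get(src), roles.get(dst)
        if d is None:
            continue  # destination is not a stamp host: out of scope
        if s is None:
            if port in NEVER_EXTERNAL:
                findings.append(((src, dst, port), "exposed"))
        elif (d, port) not in DOCUMENTED[s]:
            findings.append(((src, dst, port), "undocumented"))
    return findings


# Constructed inventory and flow records, for illustration only.
ROLES = {"10.0.0.10": "CN", "10.0.0.11": "MN", "10.0.0.12": "FE",
         "10.0.0.13": "PB", "10.0.0.14": "WW", "10.0.0.20": "FS",
         "10.0.0.21": "DB"}
FLOWS = [
    ("10.0.0.10", "10.0.0.14", 8173),   # CN -> WW: documented
    ("10.0.0.14", "10.0.0.21", 1433),   # WW -> DB: documented
    ("10.0.0.14", "10.0.0.10", 8675),   # WW -> CN: not in the WW table
    ("10.0.0.21", "10.0.0.10", 5985),   # DB table lists no outbound
    ("203.0.113.7", "10.0.0.12", 135),  # outside source reaching port 135
    ("203.0.113.7", "10.0.0.12", 443),  # site traffic to FE: not flagged
]

if __name__ == "__main__":
    for flow, verdict in audit(FLOWS, ROLES):
        print(verdict, *flow)
```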
