Sunday, 1 March 2009

Opening a Port in the Windows 2008 Firewall

When doing quick and dirty MOSS development in my dev environment, I favour creating new web applications on a non-standard port over using port 80 and host headers. Why? I’ve been working that way for a long time and it’s just easy… no other reason, really!

Because I’m now running on a non-standard port, the Windows 2008 firewall won’t like me anymore. And to tell you the truth, while I like the idea of a strong, configurable firewall baked into the operating system, I’m not up to speed on its intricacies… so the feeling is mutual. Nevertheless, I’ve got to deal with this beast and expose access to my new web site. I bounce back and forth between my virtual server and other machines so having the site accessible is handy.

My previous encounter with this firewall was to enable echo (ping) requests, which I ended up doing through the command line:

netsh firewall set icmpsetting 8 enable

Don't forget to check out my post on enabling PING in Windows Server 2008 R2.

Nice—but today I want to play with the UI.

The Windows Firewall UI is accessible from the Control Panel menu as Windows Firewall and from the Administrative Tools menu as Windows Firewall with Advanced Security. The Control Panel applet is very similar to the regular old Windows Firewall applet (think XP) so choose the Administrative Tools version—it’s got all the goodies.

From that point it’s all about rules and you’ll see Microsoft has taken the liberty of setting up lots and lots of rules for you (paranoid?). You could potentially modify one of these existing rules but while mucking around I noticed some are “predefined” and cannot be changed (in particular, see Inbound Rules/World Wide Web Service (HTTP Traffic-In… there are two of these, one for port 80 and one for port 443 or SSL).

So that’s the background, now here’s how to add a new rule for your new web application:

  1. On the Inbound Rules node, right-click and select New Rule… and the New Inbound Rule Wizard will fire up
  2. On the Rule Type screen, select Port
  3. On the Protocol and Ports screen, ensure TCP is selected and add your port(s) to the Specific local ports list
  4. On the Action screen, ensure Allow the connection is enabled
  5. On the Profile screen, select all or whichever profiles apply to your environment (Private is probably fine)
  6. On the Name screen, supply your new rule with a name and a description for future reference. Finish out the wizard.
Or make life easily repeatable and use the command line:

netsh firewall add portopening protocol=TCP port=30000 name="SharePoint 30000" mode=ENABLE scope=ALL profile=STANDARD

1 comment:

  1. Thanks. This article helped me get me out of a hole today. Cheers.


Spam comments will be deleted

Note: only a member of this blog may post a comment.