Windows Media Services Firewall Information

Windows Media and Firewalls

Windows Media normally streams via UDP/IP on a wide range of ports (see below for those port numbers). Microsoft is aware of the possible security issues that this can cause, so we have also enabled Windows Media to stream with TCP/IP through a single port (1755). For those sites where opening a non-"well-known port" is a problem, Windows Media can also stream via HTTP on port 80.

Note: HTTP streaming from Windows Media Services is disabled by default.

Windows Media was formerly known as NetShow; some firewalls have a pre-configured NetShow setting, which may work for Windows Media.

When you allocate ports for Windows Media files, you must open all of the UDP and TCP ports corresponding to those port numbers. The number ranges in the documentation below indicate the entire range of available ports; typically, the actual number of ports allocated will be far less.

In the examples below, the In port is the port that the server uses to get past the firewall. The Out port is the port that Microsoft Windows Media Player or other clients use to communicate with the server. The port assignment is random between 1024 and 5000.

Server to Client Behind a Firewall

A firewall configuration that allows users with the Windows Media Player behind a firewall to access Windows Media servers outside the firewall is:

Streaming ASF with UDP
Out: TCP on port 1755
Out: UDP on port 1755
In: UDP on ports 1024-5000 (only open the necessary number of ports)

Streaming ASF with TCP
In/Out: TCP on port 1755

Streaming ASF with HTTP
In/Out: TCP on port 80

Server Behind a Firewall to Client

The following firewall configuration allows users with the Windows Media Player outside of a firewall to access a Windows Media server behind a firewall:

Streaming ASF with UDP
In: TCP on port 1755
In: UDP on port 1755
Out: UDP on ports 1024-5000 (only open the necessary number of ports)

Streaming ASF with TCP
In/Out: TCP on port 1755

Streaming ASF with HTTP
In/Out: TCP on port 80
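
The server-side rules above, written as Windows Defender Firewall rules in PowerShell; this is an added example, not part of the original article, for a Windows Media server protected by a host firewall. It assumes that the random 1024-5000 port is the player's receiving UDP port (so the server's outbound rule keys on the remote port) and that a 100-port slice is enough for the expected audience; the rule names and the slice are made up here.

```powershell
# Added example (not from the original article): "Streaming ASF with UDP" for a
# server behind a Windows host firewall. Run from an elevated PowerShell session.
# Assumption: the 1024-5000 port is the player's receiving UDP port.
$ClientUdp = "1024-1123"   # assumed 100-port slice of the 1024-5000 range

# Control channel: the player connects in to the server on 1755, TCP and UDP.
foreach ($proto in "TCP", "UDP") {
    New-NetFirewallRule -DisplayName "WMS control in ($proto 1755)" `
        -Direction Inbound -Protocol $proto -LocalPort 1755 -Action Allow | Out-Null
}

# Data channel: the server streams UDP out to the player's port in the slice,
# not the entire 1024-5000 range, following the article's advice to open only
# the ports actually needed.
New-NetFirewallRule -DisplayName "WMS UDP data out (remote $ClientUdp)" `
    -Direction Outbound -Protocol UDP -RemotePort $ClientUdp -Action Allow | Out-Null

# "Streaming ASF with TCP" needs only the 1755 rules above. "Streaming ASF with
# HTTP" adds inbound TCP 80, and HTTP streaming must also be turned on in the
# server itself, since the article notes it is disabled by default.
New-NetFirewallRule -DisplayName "WMS HTTP streaming in (TCP 80)" `
    -Direction Inbound -Protocol TCP -LocalPort 80 -Action Allow | Out-Null

# Review what was created.
Get-NetFirewallRule -DisplayName "WMS *" | Format-Table DisplayName, Direction, Enabled
```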

Encoder to Server Behind a Firewall/Server to Server Across a Firewall

The following firewall configuration allows users with the Windows Media Encoder outside of a firewall to access a Windows Media server behind a firewall:

Protocol: MSBD
In/Out: TCP on port 7007
For encoder-to-server communication, you can specify a different port. The default port is 7007, but in the Windows Media Encoder Output dialog box you can choose any other free port, or use the button that lets the encoder select a port for you. If you choose a different port, you must specify the same port on the server when you set up the station.

Firewall and Registry Settings for DCOM

DCOM dynamically allocates one port per process. You need to decide how many ports you want to allocate to DCOM processes; this is the number of simultaneous DCOM processes that can pass through the firewall. You must open all of the UDP and TCP ports corresponding to the port numbers you choose. You also need to open TCP/UDP 135, which is used for RPC End Point Mapping, among other things. In addition, you must edit the registry to tell DCOM which ports you reserved. You do this with the "HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet" registry key, which you will probably have to create using the Registry Editor.

The following example tells DCOM to restrict its port range to 10 ports:

Named Value: Ports
Type: REG_MULTI_SZ
Setting: Range of ports. Can be multiple lines, such as:
3001-3010
135

Named Value: PortsInternetAvailable
Type: REG_SZ
Setting: "Y"

Named Value: UseInternetPorts
Type: REG_SZ
Setting: "Y"

These registry settings must be established in addition to all firewall settings listed below.

Administrator to Server Behind a Firewall

The following firewall configuration allows users with the Windows Media Administrator outside of a firewall to access a Windows Media server behind a firewall:

Protocol: HTTP
In/Out: TCP on port 80

Protocol: DCOM
In: TCP on port 135
You must open TCP and UDP on port 135. This port is used for initial Windows Media server-to-client and server-to-encoder communications, as well as essential processes. The protocol used for these initial communications is DCOM.
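
The DCOM port reservation from the registry section above, together with the port 135 opening this section requires, as one added PowerShell example that is not from the original article. It targets a Windows host with the modern Windows Defender Firewall cmdlets and uses the article's ten-port range 3001-3010; the rule display names are made up here, and the key path is the one the article gives.

```powershell
# Added example (not from the original article): reserve a fixed DCOM/RPC port
# range in the registry and open it, plus the RPC end point mapper on 135, in the
# Windows host firewall. Run elevated; the RPC change applies after a restart.
$RpcKey    = "HKLM:\Software\Microsoft\Rpc\Internet"
$DcomPorts = "3001-3010"   # the article's example: one port per simultaneous DCOM process

# The Internet key does not normally exist and has to be created.
New-Item -Path $RpcKey -Force | Out-Null

# Ports is a REG_MULTI_SZ; each entry is a single port or an inclusive range.
# 135 is the end point mapper's fixed port, so it is opened in the firewall below
# rather than added to the dynamic range.
New-ItemProperty -Path $RpcKey -Name "Ports" -PropertyType MultiString `
    -Value @($DcomPorts) -Force | Out-Null

# Both REG_SZ flags are "Y": the listed ports are the internet-available ones,
# and RPC must draw its dynamic ports only from them.
foreach ($flag in "PortsInternetAvailable", "UseInternetPorts") {
    New-ItemProperty -Path $RpcKey -Name $flag -PropertyType String `
        -Value "Y" -Force | Out-Null
}

# Firewall side: the article requires TCP and UDP for both 135 and the range.
foreach ($proto in "TCP", "UDP") {
    New-NetFirewallRule -DisplayName "RPC end point mapper in ($proto 135)" `
        -Direction Inbound -Protocol $proto -LocalPort 135 -Action Allow | Out-Null
    New-NetFirewallRule -DisplayName "DCOM reserved ports in ($proto $DcomPorts)" `
        -Direction Inbound -Protocol $proto -LocalPort $DcomPorts -Action Allow | Out-Null
}

# Read the reservation back so the registry and firewall settings can be compared.
Get-ItemProperty -Path $RpcKey | Select-Object Ports, PortsInternetAvailable, UseInternetPorts
```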

IP Multicast

Choosing to allow Windows Media streaming via IP Multicast is simply a choice to allow traffic through that is addressed to the standard Class D IP addresses (224.0.0.0 through 239.255.255.255). As of this writing, most routers have IP Multicast disabled. Microsoft is working with major router vendors to reverse this, now that media streams are compressed and standards are in place that eliminate unwanted multicast traffic. The Internet Group Management Protocol (IGMP) supported by Windows Media ensures that multicast traffic only passes through your network when a client has requested it. Remember that Windows Media streams are highly compressed, usually taking up only the bandwidth of a single modem connection, and that router companies made their decision to have their equipment disable IP Multicast by default back when a typical video stream took up 30% of a 10BASE-T network.

The following firewall configuration enables IP Multicasting:

Streaming ASF with Multicast
IP Multicast address range: 224.0.0.1 to 239.255.255.255
To enable IP Multicasting you must allow packets sent to the standard IP Multicast address range above to come through your firewall. This IP Multicast address range must be enabled on both client and server sides, as well as every router in between.