Windows Media Services Firewall Information

Windows Media and Firewalls
Windows Media normally streams via UDP/IP on a wide range of ports (see below
for those port numbers). Microsoft is aware of the possible security issues
which this can cause, so we have also enabled Windows Media to stream with
TCP/IP through a single port (1755). For those sites where opening a port other
than a "well-known port" is a problem, Windows Media can also stream via HTTP
on port 80. Note that HTTP streaming from Windows Media Services is disabled by
default.

Windows Media was formerly known as NetShow; some firewalls have a
pre-configured NetShow setting, which may work for Windows Media.

When you allocate ports for Windows Media files, you must open all of the UDP
and TCP ports corresponding to those port numbers. The number ranges in the
documentation below indicate the entire range of available ports; typically,
the actual number of ports allocated will be far less.

In the examples below, the In port is the port that the server uses to get past
the firewall. The Out port is the port that Microsoft Windows Media Player or
other clients use to communicate with the server. The port assignment is random
between 1024 and 5000.
Server to Client Behind a Firewall

A firewall configuration that allows users with the Windows Media Player
behind a firewall to access Windows Media servers outside the firewall is:

Streaming ASF with UDP
    Out: TCP on port 1755
    Out: UDP on port 1755
    In: UDP on ports 1024-5000 (open only the necessary number of ports)

Streaming ASF with TCP
    In/Out: TCP on port 1755

Streaming ASF with HTTP
    In/Out: TCP on port 80
Server Behind a Firewall to Client

The following firewall configuration allows users with the Windows Media
Player outside of a firewall to access a Windows Media server behind a
firewall:

Streaming ASF with UDP
    In: TCP on port 1755
    In: UDP on port 1755
    Out: UDP on ports 1024-5000 (open only the necessary number of ports)

Streaming ASF with TCP
    In/Out: TCP on port 1755

Streaming ASF with HTTP
    In/Out: TCP on port 80
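The "Server Behind a Firewall to Client" configuration above, expressed as Windows Firewall rules on the server itself; this is an added example, not part of the original page or of Windows Media Services. The function name, the -EnableHttp switch, the rule names, and the reading that the random 1024-5000 port is the client's (so the server-side rule matches the remote port) are assumptions.

```powershell
# Added example (not from the original page): Windows Firewall rules for a
# Windows Media server that sits behind the firewall. Run in an elevated
# PowerShell session on the server.
function Add-WmsStreamingRules {
    param(
        [switch]$EnableHttp,        # HTTP streaming is disabled by default
        [string]$Prefix = 'WMS'     # prefix for the rule display names (assumed)
    )

    # ASF with TCP, and the control connection for ASF with UDP: TCP 1755 in.
    New-NetFirewallRule -DisplayName "$Prefix MMS TCP 1755" -Direction Inbound `
        -Protocol TCP -LocalPort 1755 -Action Allow | Out-Null

    # ASF with UDP additionally needs UDP 1755 inbound ...
    New-NetFirewallRule -DisplayName "$Prefix MMS UDP 1755" -Direction Inbound `
        -Protocol UDP -LocalPort 1755 -Action Allow | Out-Null

    # ... plus the outbound data stream. The client picks its port at random
    # in 1024-5000 (assumed reading of the page), so from the server side this
    # is a remote-port match, not a local one.
    New-NetFirewallRule -DisplayName "$Prefix ASF UDP data" -Direction Outbound `
        -Protocol UDP -RemotePort 1024-5000 -Action Allow | Out-Null

    # ASF with HTTP on TCP 80, opened only when HTTP streaming has actually
    # been enabled on the server, so no unused listener port is exposed.
    if ($EnableHttp) {
        New-NetFirewallRule -DisplayName "$Prefix HTTP 80" -Direction Inbound `
            -Protocol TCP -LocalPort 80 -Action Allow | Out-Null
    }
}

# Create the rules, then review exactly which ports were opened.
Add-WmsStreamingRules
Get-NetFirewallRule -DisplayName 'WMS *' |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort, RemotePort
```

Outbound rules only matter when the profile's default outbound action is Block; on a default-allow profile they document intent without changing behaviour.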
Encoder to Server Behind a Firewall / Server to Server Across a Firewall

The following firewall configuration allows users with the Windows Media
Encoder outside of a firewall to access a Windows Media server behind a
firewall:

Protocol: MSBD
    In/Out: TCP on port 7007

For encoder-to-server communication, you can specify a different port. The
default port is 7007, but in the Windows Media Encoder Output dialog box you
can choose any other free port; you can also push a button to allow the
encoder to select a different port. If you choose a different port, you must
specify the same port in the server when you set up the station.
Firewall and Registry Settings for DCOM

DCOM dynamically allocates one port per process. You need to decide how many
ports you want to allocate to DCOM processes, which is equivalent to the number
of simultaneous DCOM processes through the firewall. You must open all of the
UDP and TCP ports corresponding to the port numbers you choose. You also need
to open TCP/UDP 135, which is used for RPC End Point Mapping, among other
things. In addition, you must edit the registry to tell DCOM which ports you
reserved. You do this with the
"HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet" registry key, which you
will probably have to create using the Registry Editor.

The following example tells DCOM to restrict its port range to 10 ports:

Named Value: Ports
Type: REG_MULTI_SZ
Setting: Range of ports. Can be multiple lines, such as:
    3001-3010
    135

Named Value: PortsInternetAvailable
Type: REG_SZ
Setting: "Y"

Named Value: UseInternetPorts
Type: REG_SZ
Setting: "Y"

These registry settings must be established in addition to all firewall
settings listed below.
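The DCOM port restriction above, applied as registry values and matching TCP and UDP firewall rules in one step; this is an added example and not code from the original page. The function name and the rule names are assumptions; the key path and the three values are the ones the page gives.

```powershell
# Added example (not from the original page): reserve a small port range for
# DCOM via the Rpc\Internet key, then open exactly those ports for both TCP
# and UDP. Run elevated; the change takes effect after a reboot.
function Set-DcomInternetPorts {
    param([string[]]$Ports = @('3001-3010', '135'))   # values from the page

    $key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    # The key normally does not exist yet; -Force creates it (or reuses it).
    New-Item -Path $key -Force | Out-Null

    # Ports is REG_MULTI_SZ: one port or range per line.
    New-ItemProperty -Path $key -Name 'Ports' -PropertyType MultiString `
        -Value $Ports -Force | Out-Null

    # Both flags are REG_SZ strings containing "Y", not DWORDs.
    New-ItemProperty -Path $key -Name 'PortsInternetAvailable' `
        -PropertyType String -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $key -Name 'UseInternetPorts' `
        -PropertyType String -Value 'Y' -Force | Out-Null

    # Every reserved port or range must be open for TCP and UDP; 135 is the
    # RPC End Point Mapper and is included in $Ports for that reason.
    foreach ($range in $Ports) {
        foreach ($proto in 'TCP', 'UDP') {
            New-NetFirewallRule -DisplayName "DCOM $proto $range" `
                -Direction Inbound -Protocol $proto -LocalPort $range `
                -Action Allow | Out-Null
        }
    }
}

Set-DcomInternetPorts
# Read the key back to confirm the values are of the expected type and content.
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet' |
    Select-Object Ports, PortsInternetAvailable, UseInternetPorts
```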
Administrator to Server Behind a Firewall

The following firewall configuration allows users with the Windows Media
Administrator outside of a firewall to access a Windows Media server behind a
firewall:

Protocol: HTTP
    In/Out: TCP on port 80

Protocol: DCOM
    In: TCP on port 135

You must open TCP and UDP on port 135. This port is used for initial Windows
Media server-to-client and server-to-encoder communications, as well as
essential processes. The protocol used for these initial communications is
DCOM.
IP Multicast

Allowing Windows Media streaming via IP Multicast simply means allowing
traffic addressed to the standard Class D IP addresses (224.0.0.0 through
239.255.255.255) through the firewall. As of this writing, most routers have
IP Multicast disabled. Microsoft is working with major router vendors to
reverse this, now that media streams are compressed and standards are in place
which eliminate unwanted multicast traffic. The Internet Group Management
Protocol (IGMP) supported by Windows Media ensures that multicast traffic only
passes through your network when a client has requested it. Remember that
Windows Media streams are highly compressed, usually taking up only the
bandwidth of a single modem connection, and that router companies made their
decision to have their equipment disable IP Multicast by default back when a
typical video stream took up 30% of a 10-base-T network.

The following firewall configuration enables IP Multicasting:

Streaming ASF with Multicast
    IP Multicast address range: 224.0.0.1 to 239.255.255.255

To enable IP Multicasting you must allow packets sent to the standard IP
Multicast address range above to come through your firewall. This IP Multicast
address range must be enabled on both client and server sides, as well as on
every router in between.