The Windows Firewall is a host-based firewall application that is installed and turned on by default in Windows Server 2008 R2. If you want to use the functionality of the Windows Firewall within your Active Directory Rights Management Services (AD RMS) infrastructure, you must create a few firewall exceptions.
Note: This topic only discusses the firewall exceptions that are specific to AD RMS. Additional exceptions may be needed for other applications running on the same servers.
The following table shows the port exceptions that should be made on each AD RMS server in the cluster. It is not necessary to open both ports at the same time. For HTTP transmission, you should only open TCP port 80. If your AD RMS environment is using Secure Sockets Layer (SSL) or HTTPS, you should only open TCP port 443. The default port for SSL is TCP port 443. If your organization is using a port number for SSL other than the default, you should use that port instead.
Note: When AD RMS is installed, the appropriate exception described in the following table is created and enabled automatically.
Port Exception | Description
---|---
TCP 80 | HTTP
TCP 443 | HTTPS or SSL communication
If there is more than one server in the AD RMS cluster, or if the AD RMS databases are hosted on a server other than the AD RMS server in a single-server deployment, the following port exceptions should be created on the database server that hosts the AD RMS databases. This table assumes that you are using Microsoft SQL Server 2005 or later.
Port Exception | Description
---|---
TCP 1433 | Default Microsoft SQL Server listening port
TCP 445 | SQL Server Named Pipes (used for provisioning the AD RMS server)
In addition to creating these port exceptions, special considerations should be taken when configuring the firewall scope. Unless your AD RMS environment is used in an extranet scenario, you should restrict all traffic to your organization's network. If your AD RMS environment needs to be available to client computers outside of your organization's network, you should allow any computer on the Internet to connect only to the one port the cluster actually uses, TCP port 443 or TCP port 80, and keep the database ports restricted to the internal network.
Caution: In an AD RMS environment, TCP port 445 is used to provision an AD RMS server, but this port is also the file sharing port for all computers that are running Microsoft Windows 2000 or later. Unless you have a specific need for other computers on your network to have access to this port, you should restrict the scope so that only the AD RMS cluster has access to TCP port 445 on the AD RMS database server.