Microsoft KB Archive/827562

= How to configure firewalls and Network Address Translation (NAT) for Windows Media Services 9 Series =

Article ID: 827562

Article Last Modified on 4/14/2006


APPLIES TO


 * Microsoft Windows Media Services 9 Series




SUMMARY
This article discusses the firewall ports that you must open to stream content from a media server that is located behind a firewall.

You can use control protocol plug-ins such as Microsoft Media Server (MMS), Real Time Streaming Protocol (RTSP), or Hypertext Transfer Protocol (HTTP) when you configure a firewall. To make the process of configuring firewalls easier, you can configure each control protocol plug-in on the server to use a specific port. Therefore, if your network administrator has already opened a series of ports for use by your Windows Media servers, you can allocate those ports to the control protocols. If the ports are not yet available, you can request that the default ports for each protocol be opened.

If ports on your firewall cannot be opened, Windows Media Services can stream content by using the HTTP protocol over port 80. For more information about how to configure the control protocol plug-ins, see the server help documentation.

The "More Information" section describes how to configure firewalls for the following list of situations:
 * Firewalls for unicast streaming
 * Firewalls for broadcast distribution
 * Firewalls for multicast streaming
 * Enabling access to an encoder outside a firewall



Firewalls for unicast streaming
To configure a firewall for unicast streaming, you must open the ports on the firewall that are required for the connection protocols that are enabled on your server. If you are streaming content by using either the MMS protocol or the RTSP protocol, you must support both User Datagram Protocol (UDP) and Transmission Control Protocol (TCP).

Open the ports
To enable Windows Media Player and other clients to use the HTTP protocol, the RTSP protocol, or the MMS protocol to connect to a Windows Media server that is behind a firewall, open the following ports.

If you cannot open all the UDP Out ports
If you cannot open all the UDP Out ports on a firewall, UDP packets that are sent by a Windows Media server may be blocked by the firewall and may not be able to reach the clients on the other side of the firewall. If this condition occurs, clients may still be able to receive a stream if the clients automatically roll over to a TCP-based protocol, such as HTTP, MMST, or RTSPT. However, the rollover causes a delay for the client that is receiving the stream. If you know that you will not be able to support UDP streaming through a firewall, you can decrease the rollover delay by clearing the UDP check box in the Unicast Data Writer plug-in Properties dialog box. For more information, see the server help documentation.

Firewalls for broadcast distribution
To enable a distribution server that is behind a firewall to use the HTTP protocol or the RTSP protocol to stream content from an originating server outside the firewall, open the following ports.

Distribution servers cannot use a URL that has an mms:// prefix to request a connection to the origin server.
 * If the distribution server tries to connect by using RTSP, that request is translated as RTSPU.
 * If the server administrator chooses to use a TCP-based transport (either because of a preference or because a TCP-based transport is required), the URL must use an rtspt:// prefix.
 * If the distribution servers must connect by using HTTP, the URL must use an http:// prefix.

Firewalls for multicast streaming
If you distribute content by using multicast streaming, network traffic is directed through the standard Class D IP addresses (224.0.0.0 through 239.255.255.255). To use multicast streaming, you must have enabled multicast-forwarding on your network. The Internet Group Management Protocol (IGMP) makes sure that multicast streaming traffic passes through your network only when a player requests a multicast streaming connection. This protocol makes sure that multicast streaming on your routers does not flood your network. (This protocol is supported by Windows Media Services.)

The following firewall configuration enables multicast streaming packets to traverse your firewall:

IP multicast address range: 224.0.0.1 through 239.255.255.255

To enable IP multicast streaming, you must allow packets that are sent to the standard IP multicast address range to come through your firewall. This IP multicast address range must be enabled on both the player and server sides, and on every router in between the player and the server. IP multicast streaming typically will not work over the Internet because multicast-forwarding is not enabled on routers on the Internet.
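The following added example (not part of the original article or of Windows Media Services) checks whether a set of firewall allow rules covers the whole multicast range given above and reports any sub-ranges that would still be blocked. The function name `uncovered_multicast` and the sample rule list are assumptions constructed for illustration.

```python
import ipaddress

# Destination range the article says must be allowed through the firewall.
MCAST_FIRST = int(ipaddress.IPv4Address("224.0.0.1"))
MCAST_LAST = int(ipaddress.IPv4Address("239.255.255.255"))


def uncovered_multicast(allowed_cidrs):
    """Return the parts of the required multicast range that no allow rule
    covers, as a list of (first_address, last_address) string pairs."""
    spans = []
    for cidr in allowed_cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version != 4:
            continue  # the article only discusses IPv4 multicast
        # Clip the rule to the required range; skip rules outside it.
        lo = max(int(net.network_address), MCAST_FIRST)
        hi = min(int(net.broadcast_address), MCAST_LAST)
        if lo <= hi:
            spans.append((lo, hi))

    # Sweep the sorted spans and record every hole between them.
    gaps = []
    cursor = MCAST_FIRST
    for lo, hi in sorted(spans):
        if lo > cursor:
            gaps.append((cursor, lo - 1))
        cursor = max(cursor, hi + 1)
    if cursor <= MCAST_LAST:
        gaps.append((cursor, MCAST_LAST))

    return [(str(ipaddress.IPv4Address(a)), str(ipaddress.IPv4Address(b)))
            for a, b in gaps]


if __name__ == "__main__":
    # Constructed sample: a firewall that only permits the local-network
    # control block and the administratively scoped block.
    sample_rules = ["224.0.0.0/24", "239.0.0.0/8"]
    for first, last in uncovered_multicast(sample_rules):
        print(f"blocked multicast destinations: {first} through {last}")
```

An empty result means every destination in the range is permitted by at least one rule; run the same check against the rule set of each firewall and router between the player and the server.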

Enabling access to an encoder outside a firewall
Encoders use HTTP to connect to a server that is running Windows Media Services. By default, Windows Media Encoder uses port 8080 for HTTP connections. However, the encoder administrator may specify a different port. If a different port is used, you must specify the same port when you identify the encoder connection URL for the Windows Media server and when you open the port on your firewall.

The following example firewall configuration allows a computer that is running Windows Media Encoder outside a firewall to access a Windows Media server that is behind a firewall by using HTTP. The In port is the port where the server accepts connections. The Out port is the port where the server sends data to clients:

In/Out: TCP on port 8080

