This article describes how Windows Firewall affects the
Microsoft Windows UPnP framework in Microsoft Windows XP Service Pack 2 (SP2).
This article also describes the changes that have been made in Windows XP SP2
to minimize these effects.
Note This article is intended for technical users and device
manufacturers who are familiar with the UPnP architecture and
protocols.
By default, Windows Firewall is turned on when you install
Windows XP SP2. Windows Firewall may have the following effects on the Windows
UPnP framework:
- The UPnP framework may not be able to discover networked
UPnP devices.
- The UPnP framework may not be able to control networked
UPnP devices or to send events to and receive events from networked
devices.
- UPnP control points may not be able to discover devices
that are hosted on the Windows XP SP2-based computer.
Background
Because Windows Firewall is turned on when you install Windows XP
SP2, you must know about the following Windows Firewall default settings:
- Windows Firewall blocks only incoming, unsolicited
messages. Windows Firewall does not block outgoing messages. Solicited incoming
packets such as HTTP over port 80 or mail over ports 110 or 25 are allowed
without exceptions.
- In Windows XP SP2, Windows Firewall supports the concept of
exceptions. When an exception is active, it opens the firewall ports required
by a program or a feature. You do not have to know the associated port numbers.
Windows Firewall includes an exception for the UPnP framework that opens UDP
port 1900 and TCP port 2869.
- By default, for computers in a workgroup, some ports for
file and printer sharing and for the UPnP framework are restricted to the local
subnet. When these ports are open for the local subnet on an Internet
Connection Sharing host, the ports are not open on the Internet Connection
Sharing public interface. We do not recommend that you open these ports
globally because they will be open on the Internet Connection Sharing public
interface. For more information, visit the following Microsoft Web site:
This applies only to the computers that are connected to a
workgroup. The connections for domain computers in an Active Directory
directory service environment are determined by Group Policy.
- If the computer is part of a domain, Group Policy settings
may override the local computer's firewall port settings or even turn off the
firewall. Therefore, Group Policy may open the UPnP framework's ports even when
Windows XP SP2 is installed. In this case, Windows Firewall does not affect the
UPnP framework operation. Conversely, Group Policy may close UPnP ports even
when the local firewall allows for them.
- The UPnP framework uses UDP port 1900 and TCP port 2869.
Simple Service Discovery Protocol (SSDP) uses multicast searches to discover
UPnP devices. Multicast searches are sent to UDP port 1900 using dynamic
outgoing ports. Windows Firewall accepts matching multicast search replies that
are received within three seconds of a multicast search. Afterward, the
firewall will block multicast search replies, even if they match the search
requests.
Effects of blocked UPnP ports
When Windows Firewall blocks the ports that the UPnP
implementation requires, the following behaviors occur:
- The UPnP framework cannot discover networked UPnP devices
that announce themselves. The firewall blocks these incoming
announcements.
- A control point running on another computer cannot find or
control UPnP devices running on the Windows XP SP2-based computer. The firewall
blocks the incoming UPnP device-related messages.
If the framework-required firewall ports are blocked because the
UPnP framework firewall exception is not selected, the UPnP framework does not
try to send UPnP-related device discovery messages to the network or to receive
UPnP-related device discovery messages from the network.
- This avoids a problem where the framework issues a
multicast search and discovers a networked device, but the networked device
disappears after the time-out period because the firewall blocks the SSDP Alive
messages. Control points running on the Windows XP SP2-based computer cannot
search for or discover networked UPnP devices.
- On Windows XP SP2-based computers with multiple network
adaptors, you can configure Windows Firewall so that the UPnP ports are blocked
on some adaptors and are open on others. The UPnP framework treats each
adaptor's port settings individually. Therefore, if ports are open on one
adaptor and the UPnP framework exception is not active, the framework will send
multicast searches and device notification messages only on the open adaptor.
The framework will not send multicast searches and device notification messages
on the blocked adaptors. However, if the UPnP framework exception is active,
the framework issues multicast searches and notification messages on all
adaptors.
- UPnP devices and control points running on the same Windows
XP SP2-based computer can communicate with one another even though the
UPnP-required firewall ports are blocked.
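The following model illustrates the firewall behaviour described above (solicited search replies accepted only within three seconds, unsolicited announcements on UDP 1900 blocked unless the UPnP Framework exception is active) and the failure mode the framework avoids by not searching when the exception is off: a device found by a search reply disappears once its max-age passes because the renewing SSDP Alive message is dropped. This is an added example, not Microsoft's code; the ports and the three-second window come from the article, while the packets, times, source port and device identifier are constructed, and the model deliberately lets the search go out so the problem is visible.

```python
"""Model of how Windows Firewall (XP SP2) treats SSDP traffic, with and without
the "UPnP Framework" exception. Added example, not Microsoft's code: the ports
and the three-second reply window come from the article; the packets, times and
device identifier below are constructed."""
from dataclasses import dataclass, field

SSDP_PORT = 1900               # UDP port SSDP announcements (NOTIFY) arrive on
REPLY_WINDOW_SECONDS = 3.0     # window in which matching search replies are accepted


@dataclass
class Packet:
    t: float           # arrival time in seconds (constructed timeline)
    dst_port: int      # local UDP port the packet is addressed to
    method: str        # "NOTIFY" (unsolicited) or "HTTP/1.1 200 OK" (search reply)
    headers: dict


@dataclass
class Firewall:
    upnp_exception: bool
    searches: list = field(default_factory=list)  # (dynamic source port, time sent)

    def send_search(self, src_port: int, t: float) -> None:
        """Record an outgoing M-SEARCH; outgoing traffic is never blocked."""
        self.searches.append((src_port, t))

    def allow_inbound(self, pkt: Packet) -> bool:
        if pkt.method.startswith("HTTP/1.1 200"):
            # A solicited reply is accepted only if it matches a search sent from
            # that port within the last three seconds; later replies are dropped
            # even though they match the request.
            return any(
                port == pkt.dst_port and 0.0 <= pkt.t - sent <= REPLY_WINDOW_SECONDS
                for port, sent in self.searches
            )
        # Unsolicited NOTIFY (ssdp:alive) on UDP 1900 needs the exception.
        return pkt.dst_port == SSDP_PORT and self.upnp_exception


def parse_max_age(cache_control: str) -> int:
    """Extract max-age from a CACHE-CONTROL header such as 'max-age=30'."""
    for directive in cache_control.split(","):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age":
            return int(value)
    raise ValueError("CACHE-CONTROL without max-age: %r" % cache_control)


class DeviceCache:
    """Discovered devices and the time at which their advertisement expires."""

    def __init__(self) -> None:
        self.expires_at: dict = {}

    def observe(self, usn: str, max_age: int, t: float) -> None:
        self.expires_at[usn] = t + max_age

    def is_alive(self, usn: str, t: float) -> bool:
        return t < self.expires_at.get(usn, float("-inf"))


USN = "uuid:constructed-device-0001::upnp:rootdevice"   # constructed identifier


def simulate(upnp_exception: bool) -> list:
    """Replay a constructed timeline and report whether the device is still
    known at several later instants. With the exception off, the device is
    found by the search reply but vanishes once max-age passes, because the
    alive announcement that would have renewed it is blocked."""
    fw = Firewall(upnp_exception)
    cache = DeviceCache()
    fw.send_search(src_port=49152, t=0.0)
    alive_headers = {"CACHE-CONTROL": "max-age=30", "USN": USN}
    traffic = [
        Packet(1.0, 49152, "HTTP/1.1 200 OK", dict(alive_headers)),                 # in window
        Packet(5.0, 49152, "HTTP/1.1 200 OK", dict(alive_headers)),                 # late reply
        Packet(20.0, SSDP_PORT, "NOTIFY", {"NTS": "ssdp:alive", **alive_headers}),  # renewal
    ]
    for pkt in traffic:
        if fw.allow_inbound(pkt):
            cache.observe(pkt.headers["USN"], parse_max_age(pkt.headers["CACHE-CONTROL"]), pkt.t)
    return [(t, cache.is_alive(USN, t)) for t in (2.0, 25.0, 35.0, 45.0, 55.0)]


if __name__ == "__main__":
    for flag in (False, True):
        print("exception %-5s ->" % flag, simulate(flag))
```

Running the script prints the presence of the device at t = 2, 25, 35, 45 and 55 seconds for both settings: without the exception it is gone from t = 35 onward (the reply at t = 1 expired at t = 31), while with the exception the NOTIFY at t = 20 renews it until t = 50. The late reply at t = 5 is dropped in both cases.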
Windows Firewall enhancements for the UPnP framework
When you upgrade to Windows XP SP2
If you use UPnP devices before you upgrade to Windows XP SP2, the
upgrade will not cause the system to malfunction. However, the Windows XP SP2
installer will automatically enable the UPnP framework firewall exception
during the upgrade if one of the following cases is true:
- A hosted UPnP device is installed and registered on the
computer.
- The optional UPnP user interface (UI) components are
installed.
Note It is not possible to detect all cases of UPnP functionality. For
example, hosted control points do not have to register with the framework.
Therefore, the framework is not aware of those control points.
After you upgrade to Windows XP SP2
The UPnP framework includes optional UI components that you can
install manually. These components display icons in the My Network Places
folder for any discovered UPnP devices that also provide Presentation pages.
You can double-click an icon to display the Presentation page for that
device.
If you choose to install the optional UI components on a
computer that is already upgraded to Windows XP SP2, the installer will enable
the UPnP framework firewall exception. The help text that is displayed when you
select the UPnP user interface installer item notifies you that the ports will
be open during the installation. If you remove the UI components, the UPnP
framework firewall exception is disabled. However, if a hosted UPnP device is
installed, removing the UI does not clear the exception. The hosted device
continues to operate as usual.
Installing and removing UPnP UI components
Note You must log on to the computer as an administrator to install
the optional UPnP UI components or to change the Windows Firewall port
status.
To install the optional UPnP UI components and to open the
required Windows Firewall ports, use one of the following methods.
Note If you remove the optional UPnP UI components, and no hosted UPnP
devices are registered on the computer, the uninstaller will disable the UPnP
framework firewall exception. However, if a hosted UPnP device is registered on
the computer, the UPnP framework firewall exception remains active so that the
device can continue to function.
Method 1: Use Control Panel
You can use Control Panel to install the UPnP UI components and to
open the required Windows Firewall ports. To do this, follow these steps:
- Click Start, and then click
Control Panel.
- Click Add or Remove Programs.
- Click Add/Remove Windows
Components.
- In the Components list, click to select
the Networking Services check box, and then click
Details.
- In the Subcomponents of Networking
Services list, click to select the UPnP User
Interface check box, and then click OK.
Note To remove the UPnP UI components, click to clear the UPnP
User Interface check box.
- In the Windows Components Wizard, click
Next.
Method 2: Use My Network Places
You can use My Network Places to install the UPnP UI components
and to open the required Windows Firewall ports. To do this, follow these
steps:
- Click Start, and then click
Control Panel.
- Click Network and Internet
Connections.
- Under See Also, click My Network
Places.
- Under Network Tasks, click Show
icons for networked UPnP devices.
- You receive the following message:
To help protect your computer, Windows Firewall has blocked the
UPnP device software from receiving information from the network. This
information is necessary for displaying the icons.
Do you want to open the Windows Firewall port settings so the software can detect networked
UPnP devices? If you click No, the icons will not be displayed.
If you click No, the icons will not be displayed, the UPnP UI
components are not installed, and the installation program quits.
If you click Yes, the UPnP UI components are installed and the
UPnP framework firewall exception is enabled.
To remove the UPnP UI components by using My Network Places,
follow these steps:
- Click Start, and then click
Control Panel.
- Click Network and Internet
Connections.
- Under See Also, click My Network
Places.
- Under Network Tasks, click Hide
icons for networked UPnP devices.
- You receive the following message:
You have chosen to hide UPnP device icons. This will also close
the Windows Firewall ports so that the UPnP device software can no longer
discover networked UPnP devices.
Do you want to continue?
If you click No, the UPnP UI components are not removed, and the
installation program quits.
If you click Yes, the UPnP UI components are removed. Also, the UPnP
framework firewall exception is disabled, unless a hosted UPnP device is
installed.
Manually enable the Windows Firewall exception for the UPnP framework
To manually open the required Windows Firewall ports for the UPnP
framework, you must enable the UPnP framework exception. To enable the
exception and open UDP port 1900 and TCP port 2869, follow these steps:
- Click Start, click Control
Panel, click Security Center, and then click
Windows Firewall.
- On the General tab, make sure that the
On (recommended) option is selected.
Note If the On (recommended) option and the
Don't allow exceptions option are selected, the UPnP framework
ports remain closed even if you complete the rest of the steps in this
procedure.
- On the Exceptions tab, click to select the
UPnP Framework check box.
Note This will set up both UDP port 1900 and TCP port 2869 on all
network adaptors to accept messages from your local subnet only. To change the
settings, click UPnP Framework, and then click
Edit. When you complete the firewall configuration, click
OK, and the settings take effect. You might want to change the
setting to receive messages from all IP addresses, for example.
Important notes
- You can manually configure Windows Firewall to block only
one of the UPnP framework-required ports. However, we do not recommend doing
this.
- If you disable Windows Firewall, or if Group Policy
overrides the local machine's firewall settings, you may not be able to change
the exceptions settings. Even if you can make changes, the settings may have no
effect if Group Policy overrides them.
- When the Internet Connection Sharing feature is turned on,
it automatically enables the UPnP framework ports on the private interfaces
only.
- If the Internet Connection Sharing feature is on, you
should not manually enable the exception. This turns off firewall protection
for the UPnP ports on all network interfaces, including the Internet Connection
Sharing public interface. This could expose the computer directly to the
Internet.
UPnP device and control point vendors
UPnP vendors should examine the Windows Firewall port status when
they install hosted UPnP devices or control points. Vendors should write device
and control point installers so that the installers examine the status of the
UPnP framework firewall exception. To write the installer, use the following
guidelines:
- If the exception is active, the installation
proceeds.
- If the exception is not active and the ports are blocked,
the installer should confirm that the user wants to open the ports during the
installation.
- If the user agrees to open the ports, the installer
should enable the exception and continue with the installation.
- If the user declines to open the ports, the installer
should not enable the exception or open any ports.
Note If the user declines, it is the vendor's decision whether to
continue with the installation. However, we recommend that the installer cancel
the installation.
- As noted earlier, the UPnP framework exception should not
be enabled if Internet Connection Sharing is already running. This applies to
UPnP device and control point installers and also to end users.
To programmatically determine whether Internet Connection Sharing is running, your
installer program can use the IEnumNetSharingPublicConnection and
IEnumNetSharingPrivateConnection application programming interfaces. If you
find both a public and a private connection, Internet Connection Sharing is
running, and your installer should not enable the UPnP framework
exception.
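The following script shows an installer check that follows the vendor guidelines above, together with the Internet Connection Sharing test and the command-line equivalent of the manual procedure for enabling the UPnP Framework exception. It is an added example, not Microsoft's code. The decision rules (proceed when the exception is active, ask before opening the ports, cancel when the user declines, never enable the exception while Internet Connection Sharing is running) come from the article; treating a profile with "Don't allow exceptions" set as a case to cancel is the example's own choice, since the article states that the ports stay closed in that state. probe_windows() reads the live state through the Windows Firewall (HNetCfg.FwMgr) and Network Sharing (HNetCfg.HNetShare) COM objects via pywin32; the object names, properties, enumeration values and the netsh command are assumptions about the XP SP2 environment and are not taken from the article, and that function only runs on Windows.

```python
"""Installer-side check of the "UPnP Framework" firewall exception.

Added example, not Microsoft's code. The decision rules follow the vendor
guidelines in the article. probe_windows() uses the Windows Firewall
(HNetCfg.FwMgr) and Network Sharing (HNetCfg.HNetShare) COM objects through
pywin32; those names, properties and enumeration values are assumptions about
the XP SP2 environment. The netsh command is the assumed command-line
equivalent of selecting the "UPnP Framework" check box (local subnet scope)."""
import subprocess
from dataclasses import dataclass
from typing import Callable

# Assumed enumeration values from the Windows Firewall / ICS COM interfaces.
NET_FW_SERVICE_UPNP = 1   # INetFwServices.Item() selector for the UPnP Framework service
ICSSC_DEFAULT = 0         # flag for INetSharingManager.EnumPublic/PrivateConnections()


@dataclass
class FirewallStatus:
    firewall_on: bool            # "On (recommended)" selected
    exceptions_allowed: bool     # "Don't allow exceptions" NOT selected
    upnp_exception_on: bool      # "UPnP Framework" check box selected
    ics_running: bool            # both a public and a private ICS connection exist


@dataclass
class Decision:
    action: str                  # "proceed" or "cancel"
    enable_exception: bool       # whether the installer should enable the exception
    reason: str


def upnp_ports_open(status: FirewallStatus) -> bool:
    """True when UDP 1900 / TCP 2869 will actually accept local-subnet traffic."""
    if not status.firewall_on:
        return True                       # nothing is filtered
    return status.upnp_exception_on and status.exceptions_allowed


def plan_install(status: FirewallStatus, ask_user: Callable[[], bool]) -> Decision:
    """Apply the article's guidelines: never touch the exception when ICS is
    running, proceed if the ports are open, otherwise ask before opening them
    and cancel (the recommended choice) if the user declines."""
    if status.ics_running:
        return Decision("proceed", False,
                        "ICS already opens the UPnP ports on private interfaces; "
                        "enabling the exception would expose the public interface")
    if upnp_ports_open(status):
        return Decision("proceed", False, "UPnP Framework exception already active")
    if not status.exceptions_allowed:
        # Example's choice: the article says the ports stay closed in this state.
        return Decision("cancel", False,
                        "'Don't allow exceptions' is set; the exception would have no effect")
    if ask_user():
        return Decision("proceed", True, "user agreed to open UDP 1900 and TCP 2869")
    return Decision("cancel", False, "user declined to open the UPnP ports")


def enable_exception_command() -> list:
    """Assumed netsh equivalent of selecting the check box (local subnet only)."""
    return ["netsh", "firewall", "set", "service", "type=upnp", "mode=enable", "scope=subnet"]


def probe_windows() -> FirewallStatus:
    """Read the live state on Windows XP SP2 (Windows only; assumed COM names)."""
    import win32com.client  # pywin32
    profile = win32com.client.Dispatch("HNetCfg.FwMgr").LocalPolicy.CurrentProfile
    upnp = profile.Services.Item(NET_FW_SERVICE_UPNP)
    share = win32com.client.Dispatch("HNetCfg.HNetShare")
    public = share.EnumPublicConnections(ICSSC_DEFAULT)    # IEnumNetSharingPublicConnection
    private = share.EnumPrivateConnections(ICSSC_DEFAULT)  # IEnumNetSharingPrivateConnection
    return FirewallStatus(
        firewall_on=bool(profile.FirewallEnabled),
        exceptions_allowed=not profile.ExceptionsNotAllowed,
        upnp_exception_on=bool(upnp.Enabled),
        ics_running=public.Count > 0 and private.Count > 0,
    )


if __name__ == "__main__":
    decision = plan_install(
        probe_windows(),
        ask_user=lambda: input("Open the UPnP ports (UDP 1900, TCP 2869)? [y/N] ").lower() == "y",
    )
    print(decision)
    if decision.action == "proceed" and decision.enable_exception:
        subprocess.run(enable_exception_command(), check=True)
```

plan_install() is kept free of Windows calls so the policy can be tested on any platform by constructing a FirewallStatus; only probe_windows() and the netsh invocation touch the live system.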
Additional information
For details about how to examine and set port configuration in
Windows Firewall, visit the following Microsoft Web site:
875357 Troubleshooting Windows Firewall settings in Windows XP Service Pack 2
(http://support.microsoft.com/kb/875357/)
Article ID: 886257 - Last Review: March 6, 2013 - Revision: 3.0