How To Configure a Firewall for MSMQ Access


This article describes how to configure a firewall to allow Internet access to Microsoft Message Queue Server (MSMQ). This article discusses the effects of different port restrictions.

For security, use the HTTP/HTTPS messaging that is available in MSMQ 3.0 as a solution for messaging with MSMQ through firewalls, instead of statically opening the ports that are detailed in this article.

More Information

For additional information about ports used by MSMQ, please see the following article in the Microsoft Knowledge Base:
178517 INFO: TCP, UDP, and RPC Ports Used by MSMQ
Terminology used in the following examples:
DC = dependent client
IDC = independent client
Server = any of the MSMQ server installations
MQIS = Message Queue information store
RPC = remote procedure call

Example 1: Minimal Send-Only Access for IDC and Server

At a minimum, you must allow incoming traffic to destination TCP port 1801. This is the port over which IDCs and Servers send messages. IDCs and servers also send MSMQ internal packets for establishing sessions and so forth. DCs do not use this port.

If traffic is restricted to this port, outside clients can only send messages, and can only do so by using a direct format name. The MQIS is not available on this port, so calls that consult the MQIS fail. This includes lookups, opening a queue with a non-direct format name, and so forth. Note that MSMQ routing is not used in this case: the client must be able to contact the remote queue manager directly over this port.

Example 2: Full Send Access for IDC, MQIS Operations

If you also allow incoming traffic to TCP ports 135 and 2101 and to UDP port 3527, packets that request operations involving the MQIS (for example, queue create or queue open for send) with a non-direct format name are permitted. Port 135 is the RPC discovery port, used to discover the ports for the different queue manager interfaces. Port 2101 carries the MQIS traffic. Allowing traffic to UDP port 3527 is necessary for full and efficient operation between queue managers: queue managers attempt to ping each other on this port before opening a session. Note that a DC does not have a queue manager; this functionality is performed by the server on the DC's behalf.

One benefit is that messages can be sent to queues that are looked up and opened with non-direct format names, and as a result are routed through the MSMQ enterprise to their destination queue.

Example 3: Full Send-Receive Access

Allowing traffic to ports 2103 and 2105 permits the outside IDCs to read from queues on the server and from computers on its connected network. This also allows send-receive for DCs. No send or receive from a DC is possible unless these ports are open.

Additional Ports

Assuming that multicast network packets can reach the firewall, allowing traffic to User Datagram Protocol (UDP) port 1801 permits independent clients to discover and/or confirm their site controller at startup, and also to detect a halted site controller and take steps to discover a new one.

NOTE: Ports 2xxx are not necessarily fixed. For additional information about this issue, refer to the Knowledge Base article cited earlier.
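The following Python script is an added example and is not part of this article. It models the port sets from Examples 1 through 3 and the Additional Ports section as cumulative access levels, reports which level a given set of open ports actually grants (Example 2's ports without TCP 1801 grant nothing, because delivery itself still needs 1801), flags ports that are open beyond what the intended level needs, and renders the set as iptables rules for one possible firewall target. The level names, the function names, the iptables rendering, the observed rule set and the 10.0.0.0/8 source network are this example's own assumptions; the port numbers and protocols are those listed above, and the 2xxx values are the RPC endpoint defaults that, per the note, can differ on a given installation.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class PortRule:
    proto: str      # "tcp" or "udp"
    port: int
    purpose: str    # what the article says the port carries

    @property
    def key(self) -> tuple[str, int]:
        return (self.proto, self.port)


# Access levels in the order of the article's examples; each level adds to
# the one before it. The level names are this example's own labels.
LEVELS = ("send_only", "full_send", "send_receive")

LEVEL_PORTS = {
    # Example 1: IDC/server message delivery, direct format names only
    "send_only": [
        PortRule("tcp", 1801, "IDC and server message delivery, session setup"),
    ],
    # Example 2: MQIS operations (non-direct format names, queue create/open)
    "full_send": [
        PortRule("tcp", 135, "RPC discovery of queue manager interface ports"),
        PortRule("tcp", 2101, "MQIS traffic (RPC endpoint, may differ per install)"),
        PortRule("udp", 3527, "queue manager ping before a session is opened"),
    ],
    # Example 3: remote read for IDCs and all DC traffic
    "send_receive": [
        PortRule("tcp", 2103, "remote read / DC traffic (RPC endpoint, may differ)"),
        PortRule("tcp", 2105, "remote read / DC traffic (RPC endpoint, may differ)"),
    ],
}

# "Additional Ports": optional, only useful if multicast reaches the firewall.
DISCOVERY = PortRule("udp", 1801, "site controller discovery by IDCs")


def required_ports(level: str, discovery: bool = False) -> list[PortRule]:
    """Ports to open for `level`, including those of every lower level."""
    if level not in LEVELS:
        raise ValueError(f"unknown access level: {level!r}")
    rules: list[PortRule] = []
    for lvl in LEVELS[: LEVELS.index(level) + 1]:
        rules.extend(LEVEL_PORTS[lvl])
    if discovery:
        rules.append(DISCOVERY)
    return rules


def achieved_level(open_ports: Iterable[tuple[str, int]]) -> Optional[str]:
    """Highest level whose full port set (including lower levels) is open.

    The loop stops at the first level that is not fully satisfied, so
    Example 2's ports without TCP 1801 yield None rather than "full_send".
    """
    opened = {(proto.lower(), port) for proto, port in open_ports}
    achieved = None
    for lvl in LEVELS:
        if {r.key for r in required_ports(lvl)} <= opened:
            achieved = lvl
        else:
            break
    return achieved


def audit(open_ports: Iterable[tuple[str, int]], intended_level: str,
          discovery: bool = False) -> dict:
    """Least-privilege check for an observed rule set.

    `missing` lists what the intended level still needs; `extra` lists ports
    that are open but serve no MSMQ purpose at that level and can be closed;
    `achieved` is the level the observed set actually grants.
    """
    opened = {(proto.lower(), port) for proto, port in open_ports}
    needed = {r.key for r in required_ports(intended_level, discovery)}
    return {
        "missing": sorted(needed - opened),
        "extra": sorted(opened - needed),
        "achieved": achieved_level(opened),
    }


def iptables_rules(level: str, discovery: bool = False,
                   source: Optional[str] = None, chain: str = "INPUT") -> list[str]:
    """Render the port set as iptables ACCEPT rules (one possible target).

    `source` restricts the rules to a peer network; the article only lists
    ports, so limiting the source is this example's own hardening step.
    """
    src = f" -s {source}" if source else ""
    return [
        f"iptables -A {chain}{src} -p {r.proto} --dport {r.port} -j ACCEPT"
        f"  # {r.purpose}"
        for r in required_ports(level, discovery)
    ]


if __name__ == "__main__":
    # Constructed observation: a firewall meant to give send-only access
    # that also has TCP 2101 and TCP 80 open.
    observed = [("tcp", 1801), ("tcp", 2101), ("tcp", 80)]
    print(audit(observed, "send_only"))
    for line in iptables_rules("send_receive", discovery=True, source="10.0.0.0/8"):
        print(line)
```

Run the script as-is to see the audit of the constructed rule set and the full send-receive rule list; change the `observed` list to the ports your own firewall actually permits to get a least-privilege report for it. Because the 2xxx ports are RPC endpoints, confirm the values on the target installation before relying on the rendered rules.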