How to configure firewalls and Network Address Translation (NAT) for Windows Media Services 9 Series
This article discusses the firewall ports that you must open to stream content from a media server that is located behind a firewall.
You can use control protocol plug-ins such as Microsoft Media Server (MMS), Real Time Streaming Protocol (RTSP), or Hypertext Transfer Protocol (HTTP) when you configure a firewall. To make the process of configuring firewalls easier, you can configure each control protocol plug-in on the server to use a specific port. Therefore, if your network administrator has already opened a series of ports for use by your Windows Media servers, you can allocate those ports to the control protocols. If the ports are not yet available, you can request that the default ports for each protocol be opened.
If ports on your firewall cannot be opened, Windows Media Services can stream content by using the HTTP protocol over port 80. For more information about how to configure the control protocol plug-ins, see the server help documentation.
The "More Information" section describes how to configure firewalls for the following list of situations:
Firewalls for unicast streamingTo configure a firewall for unicast streaming, you must open the ports on the firewall that are required for the connection protocols that are enabled on your server. If you are streaming content by using either the MMS protocol or the RTSP protocol, you must support both User Datagram Protocol (UDP) and Transmission Control Protocol (TCP).
Open the portsTo enable Windows Media Player and other clients to use the HTTP protocol, the RTSP protocol, or the MMS protocol to connect to a Windows Media server that is behind a firewall, open the following ports.
|In: TCP on port 80, 554, and 1755||The Windows Media server uses the TCP In ports to accept an incoming HTTP connection (port 80), an RTSP connection (port 554), or an MMS connection (port 1755) from Windows Media Player and other clients.|
|In: UDP on port 1755 and 5005||The Windows Media server uses UDP In port 1755 to receive resend requests from clients that are streaming by using MMSU and UDP In port 5005 to receive resend requests from clients that are streaming by using RTSPU.|
|Out: UDP ports 1024 through 5000 and 5004||The Windows Media server uses UDP Out ports 1024 through 5000 and 5004 to send data by means of MMSU and RTSPU to Windows Media Player and other clients.|
If you cannot open all the UDP Out portsIf you cannot open all the UDP Out ports on a firewall, UDP packets that are sent by a Windows Media server may be blocked by the firewall and may not be able to reach the clients on the other side of the firewall. If this condition occurs, clients may still be able to receive a stream if the clients automatically roll over to a TCP-based protocol, such as HTTP, MMST, or RTSPT. However, the rollover causes a delay for the client that is receiving the stream. If you know that you will not be able to support UDP streaming through a firewall, you can decrease the rollover delay by clearing the UDP check box in the Unicast Data Writer plug-in Properties dialog box. For more information, see the server help documentation.
Firewalls for broadcast distributionTo enable a distribution server that is behind a firewall to use the HTTP protocol or the RTSP protocol to stream content from an originating server outside the firewall, open the following ports.
Distribution servers cannot use a URL that has an mms:// prefix to request a connection to the origin server.
|In: UDP ports 1024 through 5000||The Windows Media server uses UDP In ports 1024-5000 to receive data from another server.|
|Out: TCP on port 80 and 554||The Windows Media server uses the TCP Out ports to establish an HTTP connection (port 80) or RTSP connection (port 554) to another server or encoder.|
|Out: UDP on port 5005||When RTSPU distribution is used, the Windows Media server uses UDP Out port 5005 to send resend requests to another server.|
- If the distribution server tries to connect by using RTSP, that request is translated as RTSPU.
- If the server administrator chooses to use a TCP-based transport (either because of a preference or because a TCP-based transport is required), the URL must use an rtspt:// prefix.
- If the distribution servers must connect by using HTTP, the URL must use an http:// prefix.
Firewalls for multicast streamingIf you distribute content by using multicast streaming, network traffic is directed through the standard Class D IP addresses (22.214.171.124 through 126.96.36.199). To use multicast streaming, you must have enabled multicast-forwarding on your network. The Internet Group Management Protocol (IGMP) makes sure that multicast streaming traffic passes through your network only when a player requests a multicast streaming connection. This protocol makes sure that multicast streaming on your routers does not flood your network. (This protocol is supported by Windows Media Services.)
The following firewall configuration enables multicast streaming packets to traverse your firewall:
IP multicast address range: 188.8.131.52 through 184.108.40.206To enable IP multicast streaming, you must allow packets that are sent to the standard IP multicast address range to come through your firewall. This IP multicast address range must be enabled on both the player and server sides, and on every router in between the player and the server. IP multicast streaming typically will not work over the Internet because multicast-forwarding is not enabled on routers on the Internet.
Enabling access to an encoder outside a firewallEncoders use HTTP to connect to a server that is running Windows Media Services. By default, Windows Media Encoder uses port 8080 for HTTP connections. However, the encoder administrator may specify a different port. If a different port is used, you must specify the same port when you identify the encoder connection URL for the Windows Media server and when you open the port on your firewall.
The following example firewall configuration allows a computer that is running Windows Media Encoder outside a firewall to access a Windows Media server that is behind a firewall by using HTTP. The In port is the port where the server accepts connections. The Out port is the port where the server sends data to clients:
In/Out: TCP on port 8080
For more information about firewalls and ports for Windows Media Services 4.0 and 4.1, click the following article number to view the article in the Microsoft Knowledge Base:
189416 Firewalls and ports used by Windows Media Services
Firewall Port Proxy "9 Series"
Article ID: 827562 - Last Review: 09/27/2011 14:30:00 - Revision: 4.0
Microsoft Windows Media Services 9 Series
- kbinfo KB827562