For security, use the HTTP/HTTPS messaging that is available in MSMQ 3.0 as a solution for messaging with MSMQ through firewalls, instead of statically opening the ports that are detailed in this article.
IDC = independent client
Server = any of the MSMQ server installations
MQIS = Message Queue information store
RPC = remote procedure call
Example 1: Minimal Send-Only Access for IDC and Server
At a minimum, you must allow incoming traffic to destination TCP port 1801. This is the port over which IDCs and Servers send messages. IDCs and Servers also send MSMQ internal packets over this port for establishing sessions and so forth. DCs do not use this port.
If traffic is restricted to this port, outside clients can only send messages, and can only do so by using a direct format name. The MQIS is not available on this port; therefore, calls that consult the MQIS will fail. This includes lookups, opening a queue with a non-direct format name, and so forth. Note that MSMQ routing is not used in this case: the client must be able to contact the remote queue manager directly over this port.
Example 2: Full Send Access for IDC, MQIS Operations
If you also allow incoming traffic to TCP ports 135 and 2101 and to UDP port 3527, packets that request operations involving the MQIS (for example, queue create, or queue open for send) with a non-direct format name are permitted. Port 135 is the RPC discovery port, used to discover the ports for the different queue manager interfaces. Port 2101 carries the MQIS traffic. Allowing traffic to UDP port 3527 is necessary for full and efficient operation between queue managers: queue managers attempt to ping each other on this port before opening a session. Note that a DC doesn't have a queue manager; this functionality is performed by the Server on the DC's behalf.
One benefit is that messages can be sent to queues that are looked up and opened with non-direct format names, and as a result are routed through the MSMQ enterprise to their destination queue.
Example 3: Full Send-Receive Access
Allowing traffic to ports 2103 and 2105 permits the outside IDCs to read from queues on the Server and from computers on its connected network. This also allows send-receive for DCs. No send or receive from a DC is possible unless these ports are open.
Additional Ports
Assuming that multicast network packets can reach the firewall, allowing traffic to User Datagram Protocol (UDP) port 1801 permits independent clients to discover and/or confirm their site controller on start, and also to detect a halted site controller and take steps to discover a new one.
NOTE: Ports 2xxx are not necessarily fixed. For additional information about this issue, refer to the Knowledge Base article cited earlier.
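The port groups from the three examples and the Additional Ports section can be checked mechanically against a firewall's inbound allow-list. The following is an added example, not part of the KB article: it treats the tiers as cumulative (as the examples above build on each other), parses a constructed rule-list format of the form `<proto> <port> allow|deny` (an assumption, not any vendor's syntax), and reports which ports are missing for the intended tier and which MSMQ ports are open beyond it.

```python
"""Audit an inbound firewall allow-list against the MSMQ port tiers above.

Constructed example; the port groups come from the article text, the rule
format and function names are assumptions. The 2xxx ports may differ on a
given installation (see the NOTE above); adjust the constants if so.
"""
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

Port = Tuple[str, int]  # (protocol, port number)

SEND_DIRECT: FrozenSet[Port] = frozenset({("tcp", 1801)})                         # Example 1
MQIS: FrozenSet[Port] = frozenset({("tcp", 135), ("tcp", 2101), ("udp", 3527)})  # Example 2
RECEIVE: FrozenSet[Port] = frozenset({("tcp", 2103), ("tcp", 2105)})             # Example 3
SITE_DISCOVERY: FrozenSet[Port] = frozenset({("udp", 1801)})                     # Additional Ports

# Cumulative tiers, lowest exposure first (dict order is relied upon below).
TIERS: Dict[str, FrozenSet[Port]] = {
    "send-only-direct": SEND_DIRECT,
    "send-mqis": SEND_DIRECT | MQIS,
    "send-receive": SEND_DIRECT | MQIS | RECEIVE,
}


def parse_rules(lines: Iterable[str]) -> Set[Port]:
    """Collect (proto, port) pairs from '<proto> <port> allow|deny' lines; only allows count."""
    allowed: Set[Port] = set()
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # ignore comments / malformed lines
        proto, port, action = parts[0].lower(), parts[1], parts[2].lower()
        if action == "allow" and proto in ("tcp", "udp") and port.isdigit():
            allowed.add((proto, int(port)))
    return allowed


def effective_tier(allowed: Set[Port]) -> Optional[str]:
    """Highest tier whose ports are all allowed, or None if even TCP 1801 is blocked."""
    best: Optional[str] = None
    for name, ports in TIERS.items():
        if ports <= allowed:
            best = name
    return best


def audit(allowed: Set[Port], wanted_tier: str) -> Dict[str, object]:
    """Compare the allow-list with the ports the wanted tier needs and nothing more."""
    required = TIERS[wanted_tier]
    msmq_ports = TIERS["send-receive"] | SITE_DISCOVERY
    return {
        "effective_tier": effective_tier(allowed),
        "missing": sorted(required - allowed),                     # blocks wanted operations
        "excess_msmq": sorted((allowed & msmq_ports) - required),  # exposure beyond the tier
        "site_discovery": SITE_DISCOVERY <= allowed,
    }


# Constructed sample: MQIS wanted, but the ping port is blocked and a read port is open.
SAMPLE_RULES: List[str] = [
    "TCP 1801 allow", "TCP 135 allow", "TCP 2101 allow",
    "UDP 3527 deny",   # Example 2 is incomplete without this port
    "TCP 2105 allow",  # opens part of Example 3 although only send was wanted
]
```

Running `audit(parse_rules(SAMPLE_RULES), "send-mqis")` reports the effective tier as send-only-direct, UDP 3527 as missing and TCP 2105 as excess.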
Article ID: 183293 - Last updated: Oct 26, 2007 - Revision: 1