Configuring firewalls for Message Queuing
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Configuring firewalls for Message Queuing
The following sections describe configurations for messaging through firewalls.
HTTP messaging through firewalls
The use of HTTP as a transport enables MSMQ to leverage existing firewall support, without the need for Message Queuing-specific firewall configurations, and it is recommended that HTTP be used for messaging through firewalls. For more information on HTTP messaging, see HTTP/HTTPS messages.
Messaging through firewalls using the Message Queuing protocol
To send messages across firewalls using the native Message Queuing protocol, specific configuration settings are required to allow Message Queuing computers located on either side of the firewall to communicate with each other. Note that for best security practice, it is recommended that HTTP messaging be used as a solution for messaging through firewalls. These specific configuration settings include allowing Message Queuing computers located on an external network to be able to connect to Message Queuing computers on your internal network over the Internet. This is achieved by opening the following service ports on your firewall.
TCP |
1801 |
RPC |
135, 2101, 2103, 2105 |
UDP |
3527, 1801 |
Important
- If Message Queuing computers located on an external network require access to Active Directory, it is strongly recommended that you set up a virtual private network (VPN) connection with the Point-to-Point Tunneling Protocol (PPTP). Otherwise, your network security could be compromised. For more information on VPN connections and PPTP, see the Point-to-Point Tunneling Protocol (PPTP) in the Windows Help file.
Notes
With direct format names, only the TCP port needs to be opened. This provides for two-way sending, but only local reading. If you need to read from remote queues, or if you need to query Active Directory for information regarding public queues or other Message Queuing objects, you must also open the RPC ports.
RPC ports 2103 and 2105 can be incremented by 11 if the initial choice of an RPC port is in use when the Message Queuing service starts. Message Queuing queries RPC port 135 to discover the 2xxx-series ports.
Before establishing a connection with another Message Queuing computer, Message Queuing sends a ping message on UDP port 3527 to verify that the other computer responds, and only then does it attempt to establish a connection. If you do not want to open this port on the firewall, you can disable this feature by setting registry key value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\msmq\parameters\UsePing to zero. This might incur some performance cost as ping verification is disabled. After setting the registry, restart the Message Queuing service for the changes to take effect.
Caution
- Incorrectly editing the registry may severely damage your system. It is recommended that you back up any valuable data on the computer before making changes to the registry.
The following firewall configurations allow you three different operating modes for remote Message Queuing computers located on external networks.
Sending messages only
For remote clients to be able to send messages, you must allow these clients access to TCP port 1801 on your firewall.
In this configuration, remote clients cannot access Active Directory nor will messages be routed by Message Queuing servers through your internal network. This means that remote clients must be able to directly connect to the destination computer on your internal network over this port. Remote clients can then send messages using a direct format name for the destination queue.
This does not apply to dependent clients.
Sending messages with Active Directory access
In addition to opening TCP port 1801, allowing access to RPC ports 135 and 2101 permits remote clients access to Active Directory. RPC port 135 is used for handshaking between a remote client and a Message Queuing server. Message Queuing servers also use RPC port 2101 for communicating with each other.
Assuming that multicast network packets are allowed to pass through your firewall, allowing access to UDP port 1801 also permits remote clients to send a broadcast message to automatically determine their site.
This does not apply to dependent clients.
Sending and receiving messages with Active Directory access
In addition to opening TCP port 1801 and RPC ports 135 and 2101, allowing access to RPC ports 2103 and 2105 also permits remote clients to access queues and retrieve messages on Message Queuing computers located on your internal network.
Access to RPC ports 2103 and 2105 also allows remote dependent clients to send and receive messages using their supporting server on your network.