How To Configure a Firewall for MSMQ Access (183293)
The information in this article applies to:
- Microsoft Message Queue Server (MSMQ) 1.0
- Microsoft Message Queuing 2.0
This article was previously published under Q183293

SUMMARY

This article describes how to configure a firewall to allow Internet access to Microsoft Message Queue Server (MSMQ). This article discusses the effects of different port restrictions.
For security, use the HTTP/HTTPS messaging that is available in MSMQ 3.0 as a solution for messaging with MSMQ through firewalls, instead of statically opening the ports that are detailed in this article.

MORE INFORMATION

For additional information about ports used by MSMQ, please see the following article in the Microsoft Knowledge Base:

178517 INFO: TCP, UDP, and RPC Ports Used by MSMQ
Terminology used in the following examples:
DC = dependent client
IDC = independent client
Server = any of the MSMQ server installations
MQIS = Message Queue information store
RPC = remote procedure call
Example 1: Minimal Send-Only Access for IDC and Server

At a minimum, you must allow incoming traffic to destination TCP port 1801. This is the port over which IDCs and Servers send messages. IDCs and servers also send MSMQ internal packets for establishing sessions and so forth. DCs do not use this port. If traffic is restricted to this port, outside clients can only send messages, and can only do so by using a direct format name. The MQIS is not available on this port, therefore calls that consult the MQIS will fail. This includes Lookups, Queue open with a non-direct format name, and so forth. Note that MSMQ routing is not used in this case. The client must be able to contact the remote queue manager directly over this port.

Example 2: Full Send Access for IDC, MQIS Operations

If you also allow incoming traffic to TCP ports 135, 2101, and
UDP port 3527, packets that request operations involving the MQIS (for example,
queue create, queue open (for send)) with a non-direct format name are
permitted. Port 135 is the RPC discovery port, used to discover the ports for
the different queue manager interfaces. Port 2101 carries the MQIS traffic.
Allowing traffic to TCP port 3527 is necessary for full and efficient operation
between queue managers. Queue managers attempt to ping each other on this port
before opening a session. Note that a DC doesn't have a queue manager. This
functionality is performed by the server on the DC's behalf. One
benefit is that messages can be sent to queues that are looked up and opened
with non-direct format names, and as a result are routed through the MSMQ
enterprise to their destination queue.

Example 3: Full Send-Receive Access

Allowing traffic to ports 2103 and 2105 permits the outside IDCs
to read from queues on the server and from computers on its connected network.
This also allows send-receive for DCs. No send or receive from a DC is possible
unless these ports are open.

Additional Ports

Assuming that multicast network packets can reach the firewall,
allowing traffic to User Datagram Protocol (UDP) port 1801 permits independent
clients to discover and/or confirm their site controller on start and also to
detect a halted site controller and take steps to discover a new one.
NOTE: Ports 2xxx are not necessarily fixed. For additional
information about this issue, refer to the Knowledge Base article cited
earlier.
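The three examples above build on one another, so a firewall policy can be checked against them mechanically. The following is an added example, not part of the Knowledge Base article: it takes the set of inbound (protocol, port) pairs a firewall allows and reports which MSMQ operations the article says will work, and which ports are still missing for a given tier. The port numbers are the article's; the capability mapping is a reading of its examples, and the function and tier names are this example's own.

```python
"""Model of the MSMQ firewall tiers described in KB 183293 (added example)."""
from typing import Dict, FrozenSet, List, Set, Tuple

Rule = Tuple[str, int]  # (protocol, destination port), e.g. ("tcp", 1801)

# Example 1: send only, direct format names, no MQIS.
TIER_SEND_DIRECT: FrozenSet[Rule] = frozenset({("tcp", 1801)})
# Example 2: adds RPC discovery, MQIS traffic and the queue-manager ping.
# 3527 is listed as UDP in the article's port list.
TIER_MQIS: FrozenSet[Rule] = TIER_SEND_DIRECT | {
    ("tcp", 135), ("tcp", 2101), ("udp", 3527)}
# Example 3: adds the ports needed to read queues and for any DC traffic.
# Note from the article: the 2xxx ports are not necessarily fixed.
TIER_RECEIVE: FrozenSet[Rule] = TIER_MQIS | {("tcp", 2103), ("tcp", 2105)}
# Additional Ports: multicast site-controller discovery.
RULE_DISCOVERY: Rule = ("udp", 1801)


def _normalize(allowed: Set[Rule]) -> Set[Rule]:
    """Lower-case the protocol and coerce the port to int for set comparison."""
    return {(proto.lower(), int(port)) for proto, port in allowed}


def msmq_capabilities(allowed: Set[Rule]) -> Dict[str, bool]:
    """Return which MSMQ operations the article says a policy permits."""
    rules = _normalize(allowed)
    send_direct = TIER_SEND_DIRECT <= rules
    mqis = TIER_MQIS <= rules
    receive = TIER_RECEIVE <= rules
    return {
        # Example 1: IDC/server send with a direct format name only.
        "idc_send_direct_format_name": send_direct,
        # Example 2: lookups, create/open with non-direct names, MSMQ routing.
        "idc_send_non_direct_format_name": mqis,
        # Example 3: IDC reads; a DC can do nothing without these ports.
        "idc_receive": receive,
        "dc_send_receive": receive,
        # Additional Ports: UDP 1801 for site-controller discovery.
        "site_controller_discovery": RULE_DISCOVERY in rules,
    }


def missing_for(allowed: Set[Rule], tier: FrozenSet[Rule]) -> List[Rule]:
    """List the rules a policy still lacks to reach the given tier."""
    return sorted(tier - _normalize(allowed))


if __name__ == "__main__":
    # Constructed policy: only Example 1 has been applied.
    policy = {("TCP", 1801)}
    print(msmq_capabilities(policy))
    print("missing for MQIS tier:", missing_for(policy, TIER_MQIS))
```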
Modification Type: Minor
Last Reviewed: 6/29/2004
Keywords: kbhowto KB183293