Creating Inbound and Outbound Rules on the Windows Firewall in Windows Server 2008

In certain cases, such as when a third-party application is not integrated with Server Manager or when specific individual ports must be opened, it becomes necessary to create firewall rules so that individual services can run properly. Both inbound rules, governing traffic to the server, and outbound rules, governing how the server may communicate out, can be created. Rules can be based on the following features:

1) Program: A rule can be created that grants a specific program executable access. For instance, you can specify that the c:\Program Files\Custom Program\myprogram.exe file has full outbound access while it is running. The Windows Firewall then permits any connection made by that program. This is helpful when a specific application server uses many varied ports but the overall protection of the firewall is still desired.

2) Port: Entering a traditional UDP (User Datagram Protocol) or TCP (Transmission Control Protocol) port into the Add Rules Wizard is supported. This covers traditional scenarios such as “We need to open Port 8888 on the server.”

3) Predefined: Windows Server 2008 also has built-in, predefined rules, such as those that allow AD DS, DFS, BITS, HTTP, and many more. The benefit of using a predefined rule is that Microsoft has done all the legwork in advance, and it becomes much easier to allow a specific service.

4) Custom: The creation of custom rule types not covered in the other categories is also supported.

For instance, the following procedure details the creation of an outbound rule to allow a custom application to use TCP Port 8787 for outbound communication:

1. Open the Windows Firewall MMC (click Start, then Control Panel, then Administrative Tools, and select Windows Firewall with Advanced Security).
2. Click on the Outbound Rules node in the node pane.
3. In the Actions pane, click the New Rule link.
4. On the Rule Type page of the New Outbound Rule Wizard, select Port to create a rule based on the port, and click Next to continue.
5. On the Protocol and Ports page, select TCP and enter 8787 in the Specific Local Ports field. Click Next to continue.
6. On the Action page, select Allow to enable the connection.

NOTE: The Action page of the New Outbound Rule Wizard also allows for a rule to be configured that only allows the connection if it is secured using IPSec technologies.

7. On the Profile page, select all three check boxes. This allows an administrator to specify that a rule only applies when connected to specific networks. Click Next to continue.
8. Enter a descriptive name for the rule, and click Finish.
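The same outbound rule can be created from the command line, which is useful for scripting it across several servers. This is an added example, not part of the original procedure; it uses the netsh advfirewall context that Windows Server 2008 ships with, and the rule name is a constructed placeholder. It also shows the IPsec-only and program-based variants the text mentions.

```powershell
# Added example: create the outbound TCP 8787 rule with netsh advfirewall.
# Run from an elevated PowerShell or command prompt on the server.
# Rule name is a constructed placeholder; choose your own descriptive name.
$ruleName = "CustomApp-TCP-8787-Out"

# Equivalent of wizard steps 4-8: Port rule, TCP, port 8787, Allow,
# applied to all three profiles (domain, private, public).
netsh advfirewall firewall add rule name="$ruleName" dir=out action=allow `
    protocol=TCP localport=8787 profile=domain,private,public enable=yes

# Review the rule settings (same as checking the Outbound Rules node).
netsh advfirewall firewall show rule name="$ruleName" verbose

# Variant of the NOTE above: only allow the connection when it is secured
# with IPsec (connection security rules must exist for this to match).
netsh advfirewall firewall add rule name="$ruleName-IPsecOnly" dir=out `
    action=allow protocol=TCP localport=8787 security=authenticate enable=yes

# Program-based rule (feature 1 in the list above): allow all outbound
# traffic from one executable, regardless of port. Path is a placeholder.
netsh advfirewall firewall add rule name="CustomApp-Program-Out" dir=out `
    action=allow program="C:\Program Files\Custom Program\myprogram.exe" `
    enable=yes

# Remove a rule by name when it is no longer needed (prefer a unique name,
# since delete removes every rule that matches).
# netsh advfirewall firewall delete rule name="$ruleName-IPsecOnly"
```

Keep rule names unique and descriptive: show and delete operate by name, so a duplicated name makes later review and cleanup ambiguous.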

Review the rule settings in the Outbound Rules node, which gives a quick-glance view of each rule. You can also place a rule in a rule group, which ties multiple rules together so they can be enabled or disabled as a unit.

Using the integrated Windows Firewall is no longer just a good idea; it is a vital part of the security of the product. The ability to define rules based on factors such as scope, profile, and IPSec status further positions the server OS as one with a high level of integrated security.