March 14, 2005
Many of you are using Windows XP as your server's operating system, which is a good choice since it is rather stable and easy to use. Recently, Microsoft released Service Pack 2 for Windows XP, which includes a firewall for security purposes. This guide will show you how to configure the Windows XP firewall to run server programs.
You should only run one firewall on your server to avoid software conflicts and configuration confusion. If you already have an existing software firewall installed such as ZoneAlarm, then it is best if you go ahead and uninstall it. The Windows firewall is pretty good and can replace ZoneAlarm. Or conversely, if you choose to keep ZoneAlarm, you can simply not use the Windows firewall. It's your choice.
The goal of this guide is to open up ports so that your programs can talk to the Internet. In the Windows firewall, you can do this either by opening up specific ports or by granting programs access. There are reasons to use either method. We'll cover both in this guide.
Let's get started.
Start --> Settings --> Network Connections
Right-click on your network adapter and select "Properties". Your network adapter may have various names, but usually it's named "Local Area Connection" or the like. You'll see this:
Click on the "Advanced" tab.
Click on "Settings".
This is the main page of the Windows Firewall setup. Make sure that the "On" box is checked.
Also make sure that "Don't allow exceptions" is NOT checked. If you DO check this box, you cannot set up this computer as a server.
Click on the "Exceptions" tab.
"Exceptions" are what Windows Firewall calls ports and programs that are allowed to communicate with the Internet. This is similar to the "port forwarding" page of a DSL/Cable router.
In this window, you have a list of programs that are allowed to access the Internet. Some are already set up for you. However, if you are not using certain programs on the list, you should disable them by unchecking the box for that program. For example, if you do not use "Remote Assistance", then you should uncheck the box for "Remote Assistance". The fewer holes or exceptions in your firewall, the better.
There are two main ways to set up exceptions in Windows Firewall.
Add Port: The first way is by adding a port. By adding a port, that port is open to Internet traffic, regardless of which program is accessing the port. This is similar to opening a port on your DSL/Cable router.
Add Program: The other method is by adding a program. This method allows a particular program to access the Internet regardless of which port or how many ports it needs. Because Windows Firewall does not allow you to open up port ranges, this is extremely useful when your server program needs to have several ports open.
In our first example, we'll add a Port to the exceptions list in Windows Firewall so that we can use a different port number for Windows XP's Remote Desktop. For reference, here is the guide that allows you to change the port number the Remote Desktop uses: Step-by-Step: Remote Desktop - Changing the Port Number (for security and multiple hosts)
If you look under the entry for Remote Desktop, you'll notice that you cannot change the port number for Remote Desktop in Windows Firewall.
To add a port, first click on "Add Port" (makes sense, eh?).
Here you can name the exception anything you want. I would make the name extremely descriptive so when you come back in the future, you'll know what the exception is all about. In this case, since I'm going to change the port number of Remote Desktop from 3389 to 4567, I'll call this exception "Remote Desktop 4567".
Then enter the port number you want to open. This must be the same port number you specified for Remote Desktop.
Then select TCP or UDP. Since Remote Desktop uses TCP, I'll pick TCP.
Now click on the "Change scope..." button.
Here you can control who can access this port. You can decide between "Any computer", "My network subnet", or you can specify a custom list.
Since I want to be able to access this computer through Remote Desktop from any computer on the Internet, I'll keep the setting of "Any Computer".
Click "OK" until all the dialog windows close and you're done.
So in the "Programs and Services" list, you'll have the new "Remote Desktop 4567" entry. Make sure to uncheck the old "Remote Desktop" entry, since its port, 3389, remains open if you keep it checked.
So as you can see, opening up a single port is pretty simple and just like setting up port forwarding on a router.
Now for adding programs to the exceptions list.
One problem with Windows Firewall is that it does not allow for opening up port ranges like DSL/Cable routers allow. This can be problematic if you have a program that needs, say, 11 ports open. I guess you could open up all eleven ports by the method I showed above, but there is a better way.
In this example, I'll show how to set up an exception for Serv-U FTP Server. For reference, here is a guide on how to set up Serv-U FTP Server: Step-by-Step: Serv-U FTP Server - Install and Setup
Serv-U requires many ports to be open. Since Windows Firewall doesn't allow port ranges, we can simply make the program itself an exception. This means that the program that is given an exception is allowed to use whatever port number it needs. You don't need to specify the port numbers, just the program.
Here's how to do that.
At the Windows Firewall Exceptions tab, click on "Add Program".
This is a long list of programs that Windows is aware of. However, our desired program is not on this list. In this case, we have to find it manually.
Click on the "Browse" button and navigate to the program file of the program you want to add as an exception. In this case, it's Serv-U Daemon.
Click "Open".
Now click "Change scope..."
Here you can control who can access this program. You can decide between "Any computer", "My network subnet", or you can specify a custom list.
Since I want to be able to access this computer from any computer on the Internet, I'll keep the setting of "Any Computer".
Click "OK". Now you have added ServUDaemon as an exception in Windows Firewall. ServUDaemon will now have full access to the Internet, regardless of what port it needs.
Now you know how to set up exceptions in Windows Firewall.
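Here is the same setup entered at the command prompt instead of through the dialogs, as an added example that is not part of this guide: XP SP2's "netsh firewall" context covers the firewall on/off state, the port exception for Remote Desktop 4567, the Serv-U program exception, and a way to verify what is actually open afterwards. The Serv-U program path is an assumed placeholder; use the file you browsed to in the "Add Program" dialog.

```batch
@echo off
rem Added example (not from the original guide): Windows XP SP2 firewall
rem exceptions via "netsh firewall". Run from an Administrator account.

rem 1. Firewall on, with exceptions allowed (the "Don't allow exceptions" box
rem    unchecked). exceptions=DISABLE would be the same as checking that box.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE

rem 2. "Add Port": open TCP 4567 for the relocated Remote Desktop.
rem    scope=ALL matches the guide's "Any computer" choice. The commented
rem    alternative is the "custom list" option, limiting the port to one LAN
rem    subnet (192.168.1.0/24 is an assumed example subnet).
netsh firewall add portopening protocol=TCP port=4567 name="Remote Desktop 4567" mode=ENABLE scope=ALL
rem netsh firewall add portopening protocol=TCP port=4567 name="Remote Desktop 4567" mode=ENABLE scope=CUSTOM addresses=192.168.1.0/255.255.255.0

rem 3. Uncheck the built-in "Remote Desktop" entry so TCP 3389 is no longer open.
netsh firewall set service type=REMOTEDESKTOP mode=DISABLE

rem 4. "Add Program": let the Serv-U daemon listen on whatever ports it needs.
rem    The path is a placeholder; point it at your own ServUDaemon.exe.
netsh firewall add allowedprogram program="C:\Program Files\Serv-U\ServUDaemon.exe" name="Serv-U FTP Server" mode=ENABLE scope=ALL

rem 5. Check the result. "show config" lists the exceptions as configured;
rem    "show state" lists the ports currently open through the firewall, so
rem    you can confirm 4567 appears and 3389 does not.
netsh firewall show config
netsh firewall show state

rem 6. A program exception opens any port the program listens on, so see which
rem    ports ServUDaemon.exe really has open: get its PID, then match it in
rem    the last column of the netstat output.
tasklist /fi "imagename eq ServUDaemon.exe"
netstat -ano | findstr LISTENING
```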
Let's click on the "Advanced" tab.
Here are some more customizations you can set up for Windows Firewall. These settings are specific to each network, but don't be afraid to explore them and test them out.
The changes you make to Windows Firewall will take effect without having to restart your computer. Yes, I know it's funny not having to reboot, but you can still reboot if it makes you feel better.
One final thing to note: for all the exceptions that you make in the Windows XP Firewall, you have to make the same ones in your DSL/Cable router. Otherwise, requests to your server won't make it all the way through to your server, since they will be blocked by the router. If you open ports 80, 25, and 4567 in your Windows Firewall, then you also have to open the same ports 80, 25, and 4567 on your DSL/Cable router.
Good luck!
Brian