Firewall Settings for Windows Home Server

by Nigel Wilks on March 12, 2010 · 6 comments


We receive numerous posts in the Forums relating to Remote Access and Firewall Settings for Windows Home Server, often due to the UPnP features in Routers not being of a consistent standard. We’ve been encouraging users to post details of their experiences with different Routers. So if you haven’t updated this post and your Router is not listed, please do so!

If you are unfortunate enough to have a Router whose UPnP support is questionable, then the best thing you can do is disable UPnP on the Router and configure it manually. This article can't cover every Router's configuration, but I will show the ports required, and also the often forgotten area of the Windows Firewall when you are adding or changing ports.

The default ports required for Remote Access functionality are:

Service or Protocol      Port
Remote Web Workplace     TCP 4125

Optional ports, for FireFly and FirePlay users and for anyone wanting to Remote Desktop onto the server, are:

Service or Protocol      Port
RDP                      TCP 3389
FireFly/FirePlay         TCP 9999

If you are lucky enough to have a router that fully supports UPnP then we have an Add-In available called WHS Port Forward which will assist you in configuring additional ports for other applications.

Alex wrote the WHS Port Forward Add-In to make configuring your Router for other applications and ports a breeze. In Alex’s words:

WHS Port Forward is an Add-In for the Microsoft Windows Home Server
operating system. It allows the user to utilize the UPnP feature of Windows
Home Server to open forwarded ports from your router to your Home Server. This
is useful if you have installed a 3rd party application that requires incoming
access from the Internet. This Add-In removes the need to assign a static IP
address to your server or manually forward ports on your router. Simply
configure the port you would like forwarded, and let Windows Home Server handle
it for you.

Another area to consider when adding/changing ports is the Windows Firewall on the server.

For example, if you don’t want to use the built-in Remote Web Workplace feature of Windows Home Server and would rather connect via Remote Desktop, simply forwarding TCP port 3389 on your router is not sufficient to access your server remotely. Although TCP port 3389 is already configured in Windows Firewall, its scope is set by default to the local subnet only (i.e. inside your LAN), so you need to change this to either a Custom List or Any Computer (including those on the internet).

The Windows Firewall applet can be found in the Control Panel on the server. For convenience, I’ve captured some screenshots of the relevant screens once you have launched Windows Firewall.

[Screenshot: Click Exceptions to add/remove/change an entry]

[Screenshot: Remote Desktop in the Windows Firewall]


Now that you have the exceptions listed, scroll down the list until you find Remote Desktop and click on Edit.


[Screenshot: Editing a Windows Firewall Entry]

[Screenshot: Changing the scope of a Windows Firewall entry]
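As an added example (not part of the original article), the same scope change can be made from a command prompt on the server. It assumes the server's Windows Firewall offers the `netsh firewall` context that matches the Exceptions and Change scope dialogs described above; the addresses and the "FireFly" entry name are constructed placeholders.

```bat
@echo off
rem Added example, not from the original article.
rem Assumes the "netsh firewall" context is available on the server.
rem The addresses below are constructed placeholders; substitute the public
rem addresses of the remote computers that should be allowed to connect.

rem 1. Record the current exceptions and their scope before changing anything.
netsh firewall show service verbose=ENABLE
netsh firewall show portopening verbose=ENABLE

rem 2. "Any Computer" equivalent: every host that can reach the forwarded
rem    port may attempt a Remote Desktop logon. Shown commented out, for
rem    comparison with the restricted form in step 3.
rem netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=ALL

rem 3. "Custom List" equivalent: only the listed hosts/subnets and the LAN
rem    may connect to TCP 3389, even though the router forwards the port.
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=CUSTOM addresses=203.0.113.10,198.51.100.0/255.255.255.0,LocalSubnet

rem 4. A port with no built-in service entry (FireFly/FirePlay on TCP 9999)
rem    is handled as a port opening. "FireFly" is an assumed entry name.
netsh firewall set portopening protocol=TCP port=9999 name="FireFly" mode=ENABLE scope=CUSTOM addresses=203.0.113.10,LocalSubnet

rem 5. Confirm that the new scope is in effect.
netsh firewall show service verbose=ENABLE
netsh firewall show portopening verbose=ENABLE
```

A custom list only works when the remote computers connect from stable public addresses; if they do not, the choice falls back to Any Computer and the trade-off discussed below.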


There are obvious security implications when you make Windows Firewall changes on your Windows Home Server and you need to weigh up the pros and cons of opening up ports to your home network. But, doing so opens up many other possibilities to your server. Whether or not you install Orb to stream Music and Video over the internet or just have the convenience of accessing your Windows Home Server in other ways, the firewall settings in Windows Home Server and your router will need to work together in harmony!

Article by

I'm a Technical Architect based in the UK predominantly working on Windows Server and Active Directory based solutions. I'm also a Microsoft Windows Home Server MVP and moderator/author at I've released the FirePlay for Windows Home Server, WHS PHP Installer, MySql Installer for WHS and Wordpress Installer for WHS Add-Ins as well as co-author of the SanEncore and WHS Health Add-Ins with Alex Kuretz.


Wonko March 16, 2010 at 4:38 am

Hi Nigel
One part of that is a bit… mhmmm… dodgy: Why do you define the scope as “any computer”? I’ve set this to a custom list (only 2 computers are allowed to have an RDP session) to defend my network/server. After somebody has been in my WLAN network a couple of time ago I – perhaps – am nervous and overcautious. This is my way to restrict access, hopefully with success…
Best regards and THX for that article.

Nigel March 16, 2010 at 5:10 am

You missed a bit :-)

“you need to change this to either a Custom List or Any Computer (including those on the internet).”

Wonko March 16, 2010 at 5:15 am

Hmmmpppfffff…. sorry! ;-)

Chris March 16, 2010 at 5:18 am

Any chance of posting a router summary, based on the responses in the forum post?

Nigel March 16, 2010 at 11:37 am

Good idea Chris!

I have them all pulled together in a list, just trying to work out the best way of presenting them.
