Enable Notifications to Open Firewall Ports in Windows Server 2012 R2

In this Ask the Admin, I’ll show you how to quickly create Windows Firewall rules when network traffic is blocked.

Windows Firewall is an endpoint protection technology that by default blocks most inbound traffic to Windows, preventing malicious processes from probing the system to find an easy way in. It’s critical that Windows Firewall should remain enabled, but it can be tempting to disable it for troubleshooting purposes.

While it may seem reasonable to temporarily turn off Windows Firewall, this often leads to a permanent need to work with the firewall disabled, sometimes because we simply forget to re-enable it or that it was never determined which ports needed to be opened for a particular service or application to work. And in most cases, it/s not necessary to turn off Windows Firewall to determine if an issue is indeed being caused by blocked network traffic.

Enable Windows Firewall Notifications in Windows Server

Unlike client versions of Windows, firewall notifications aren’t enabled in Windows Server by default. If you encounter an issue where you suspect that Windows Firewall is blocking network traffic, I recommend that you enable notifications rather than turning off the firewall. Not only is this a safer option than disabling the firewall, but Windows will offer to automatically create a rule to allow the blocked traffic through the firewall.

Enable Windows Firewall notifications (Image Credit: Russell Smith)
Enable Windows Firewall notifications (Image Credit: Russell Smith)

To check the Windows Firewall configuration in Windows Server 2012 R2, log in as a local administrator, open a PowerShell prompt and run the command below:

​
You can replace domain with * in the –Name parameter if you want to see the configuration for all firewall profiles. To enable notifications, run the Set-NetFirewallProfile cmdlet as shown here. I've specified the domain profile, because Windows Firewall detects that the server is connected to an Active Directory domain:
​src="https://petri-media.s3.amazonaws.com/2015/03/Figure25.jpg" alt="Windows Firewall notification (Image Credit: Russell Smith)" width="538" height="334" /> Windows Firewall notification (Image Credit: Russell Smith)[/caption]

Now run your network application, you'll be notified with the option to unblock inbound access to the application if Windows Firewall is blocking traffic.


Determine Ports using netstat.exe

Allowing Windows to automatically create firewall rules is preferable to disabling Windows Firewall. If you look at the rules, you'll see they are somewhat generic, specifying the application without specifics, such as inbound or outbound IP addresses and ports. If you want to be more specific about the rules, you can use netstat.exe to determine the exact ports, protocols and IP addresses being used by the application. While the Get-NetTCPConnection PowerShell cmdlet is similar to netstat.exe, it's not currently able to retrieve information about processes, so it's better to use netstat.exe until Get-NetTCPConnection catches up.
Use netstat.exe to determine the ports and protocols that need to be allowed through Windows Firewall (Image Credit: Russell Smith)
Use netstat.exe to determine the ports and protocols that need to be allowed through Windows Firewall (Image Credit: Russell Smith)
Log in as a local administrator on the sending server, open a command prompt and run netstat –b. In the resulting output, you/ll see a list of connections, along with port, IP address and executable information. If the network traffic is bidirectional, repeat this procedure on the receiving server.

Create Firewall Rules

The output of netstat.exe shows that the remote server (contososrv3) needs to allow inbound connections on TCP port 7001 from 10.0.0.6 (contososrv4). On contososrv3, log in as a local administrator, open a PowerShell prompt, and run the New-NetFirewallRule cmdlet as shown here to create an inbound rule, replacing Windows PowerShell Console with a relevant name for your firewall rule, and all other details as appropriate:
​
If you already have a more generic rule set up, you can delete it using Remove-NetFirewallRule, replacing Windows PowerShell Console with the existing rule name: