Enable Notifications to Open Firewall Ports in Windows Server 2012 R2

In this Ask the Admin, I’ll show you how to quickly create Windows Firewall rules when network traffic is blocked.

Windows Firewall is a host-based firewall that by default blocks unsolicited inbound traffic to Windows, which stops remote attackers and malware from probing the system for listening services. It's critical that Windows Firewall remain enabled, but it can be tempting to disable it for troubleshooting purposes.

While it may seem reasonable to temporarily turn off Windows Firewall, the temporary change often becomes permanent: either we forget to re-enable it, or nobody ever worked out which ports a particular service or application needs open. In most cases it's not necessary to turn off Windows Firewall to determine whether an issue is really being caused by blocked network traffic.

Enable Windows Firewall Notifications in Windows Server

Unlike client versions of Windows, firewall notifications aren't enabled by default in Windows Server. If you encounter an issue where you suspect that Windows Firewall is blocking network traffic, I recommend that you enable notifications rather than turning off the firewall. Not only is this safer than disabling the firewall, but when a program is blocked from listening, Windows will offer to create a rule that allows the blocked traffic through.


Enable Windows Firewall notifications (Image Credit: Russell Smith)

To check the Windows Firewall configuration in Windows Server 2012 R2, log in as a local administrator, open an elevated PowerShell prompt and run the command below:

You can replace domain with * in the -Name parameter if you want to see the configuration for all firewall profiles (Domain, Private and Public). To enable notifications, run the Set-NetFirewallProfile cmdlet as shown here. I've specified the domain profile, because Windows Firewall detects that the server is connected to an Active Directory domain and applies that profile:

Windows Firewall notification (Image Credit: Russell Smith)

Now run your network application. If Windows Firewall blocks it from accepting inbound connections, you'll be notified and offered the option to unblock inbound access for that application.
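The check-then-enable procedure above, as an added example rather than the article's own listing. It assumes an elevated PowerShell session on a domain-joined Windows Server 2012 R2 host; the optional logging step at the end goes slightly beyond the article and writes dropped packets to the firewall log so you can see blocks even when no interactive session is there to show the notification.

```powershell
# Added example (not from the article). Run from an elevated PowerShell prompt.

# Which firewall profile is actually in force? A domain-joined server with
# reachable DCs reports NetworkCategory = DomainAuthenticated.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory

# Current state of the domain profile. Use -Name * to see all three profiles.
Get-NetFirewallProfile -Name Domain |
    Format-Table Name, Enabled, DefaultInboundAction, NotifyOnListen -AutoSize

# Turn on the "Windows Firewall has blocked some features of this app" prompt.
# NotifyOnListen is a GpoBoolean: True, False or NotConfigured.
Set-NetFirewallProfile -Name Domain -NotifyOnListen True

# Optional, beyond the article: log dropped packets. Useful on servers where
# nobody is logged on interactively to see the notification.
Set-NetFirewallProfile -Name Domain -LogBlocked True `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

# Confirm the change took effect without disabling anything.
Get-NetFirewallProfile -Name Domain |
    Select-Object Name, Enabled, DefaultInboundAction, NotifyOnListen, LogBlocked
```

Leave Enabled and DefaultInboundAction alone; the point of the exercise is that notifications and logging give you the evidence you need while the firewall keeps blocking everything you have not explicitly allowed.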

Determine Ports using netstat.exe

Allowing Windows to create the rule automatically is preferable to disabling Windows Firewall. If you look at the rules it creates, you'll see they are fairly broad: they are program rules that allow inbound traffic to the application's executable on any port, any protocol and from any remote address, rather than restricting it to the specific ports and IP addresses the application actually uses. If you want to be more specific, you can use netstat.exe to determine the exact ports, protocols and IP addresses being used by the application. The Get-NetTCPConnection PowerShell cmdlet is similar to netstat.exe, but in Windows Server 2012 R2 it cannot report which process owns a connection, so it's better to use netstat.exe until Get-NetTCPConnection catches up.
Use netstat.exe to determine the ports and protocols that need to be allowed through Windows Firewall (Image Credit: Russell Smith)
Log in as a local administrator on the sending server, open an elevated command prompt (netstat -b needs elevation to resolve executables) and run netstat -b. In the resulting output, you'll see a list of connections, along with the protocol, local and remote IP addresses and ports, and the executable that owns each connection. If the network traffic is bidirectional, that is, each server also initiates connections to the other, repeat this procedure on the receiving server.
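The same connection inventory in object form, as an added example that is not part of the article. It parses netstat -ano (the -o column gives the owning PID, which is what Get-NetTCPConnection lacks on 2012 R2) and joins the PID to a process name and path with Get-Process, which is faster than -b and filterable in PowerShell. The port 7001 filter at the end is the article's scenario; the function name is my own.

```powershell
# Added example (not from the article). Run elevated so every process is
# visible to Get-Process; netstat -ano itself does not need elevation.
function Get-NetstatConnection {
    # Keep only the TCP/UDP data rows; skip the "Active Connections" header.
    $lines = netstat -ano | Where-Object { $_ -match '^\s*(TCP|UDP)\s' }
    foreach ($line in $lines) {
        $f = $line.Trim() -split '\s+'
        # TCP rows: Proto Local Remote State PID. UDP rows have no State column.
        $isTcp  = $f[0] -eq 'TCP'
        $procId = if ($isTcp) { [int]$f[4] } else { [int]$f[3] }
        $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol      = $f[0]
            # Strip the trailing :port; works for IPv4 and bracketed IPv6.
            LocalAddress  = $f[1] -replace ':\d+$', ''
            LocalPort     = [int](($f[1] -split ':')[-1])
            RemoteAddress = $f[2] -replace ':[\d*]+$', ''
            RemotePort    = ($f[2] -split ':')[-1]   # '*' for UDP, so keep as string
            State         = if ($isTcp) { $f[3] } else { '' }
            PID           = $procId
            Process       = if ($proc) { $proc.Name } else { 'n/a' }
            Path          = if ($proc) { $proc.Path } else { $null }
        }
    }
}

# Everything touching the port from the article's scenario, with the owner.
Get-NetstatConnection |
    Where-Object { $_.LocalPort -eq 7001 -or $_.RemotePort -eq '7001' } |
    Format-Table Protocol, LocalAddress, LocalPort, RemoteAddress, RemotePort,
                 State, PID, Process -AutoSize

# Listening sockets per process: the inbound side of the rule you will write.
Get-NetstatConnection |
    Where-Object { $_.State -eq 'LISTENING' } |
    Sort-Object Process, LocalPort |
    Format-Table Process, Path, Protocol, LocalAddress, LocalPort -AutoSize
```

The second listing is the one to keep: a LISTENING row tells you the protocol and local port an inbound rule must allow, and the Path column gives you the executable if you also want a -Program restriction.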

Create Firewall Rules

The output of netstat.exe shows that the remote server (contososrv3) needs to allow inbound connections on TCP port 7001 from contososrv4. On contososrv3, log in as a local administrator, open an elevated PowerShell prompt, and run the New-NetFirewallRule cmdlet as shown here to create an inbound rule, replacing Windows PowerShell Console with a relevant name for your firewall rule, and all other details as appropriate:
If you already have a more generic rule set up, you can delete it using Remove-NetFirewallRule, replacing Windows PowerShell Console with the existing rule name:
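The create-then-retire sequence from the two steps above, as an added example and not the article's own listing. It assumes an elevated PowerShell prompt on contososrv3, that the generic rule the notification created has the display name Windows PowerShell Console, and an assumed address of 192.0.2.44 for contososrv4 (RemoteAddress takes IP addresses, ranges, subnets or keywords such as LocalSubnet, not hostnames).

```powershell
# Added example (not from the article). Run on contososrv3, elevated.
$genericRule = 'Windows PowerShell Console'   # rule created by the notification
$newRule     = 'Allow TCP 7001 from contososrv4'
$peer        = '192.0.2.44'                   # contososrv4, assumed address

# What the notification created: a program rule with LocalPort/RemotePort = Any.
Get-NetFirewallRule -DisplayName $genericRule |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort, RemotePort

# Scoped replacement: inbound, TCP 7001, only from the peer, domain profile only.
New-NetFirewallRule -DisplayName $newRule `
    -Direction Inbound -Action Allow -Enabled True `
    -Protocol TCP -LocalPort 7001 `
    -RemoteAddress $peer -Profile Domain

# Retire the generic rule only after the scoped one exists, so the service
# never goes unreachable in between.
Remove-NetFirewallRule -DisplayName $genericRule

# Verify the filters actually attached to the new rule.
$rule = Get-NetFirewallRule -DisplayName $newRule
$rule | Get-NetFirewallPortFilter    | Select-Object Protocol, LocalPort, RemotePort
$rule | Get-NetFirewallAddressFilter | Select-Object LocalAddress, RemoteAddress
$rule | Select-Object DisplayName, Direction, Action, Profile, Enabled
```

If the netstat output also showed which executable owns the listener, add -Program with its full path to New-NetFirewallRule; the rule then matches only that binary on that port from that address, which is as tight as a Windows Firewall allow rule gets.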

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.