
Enable Notifications to Open Firewall Ports in Windows Server 2012 R2

In this Ask the Admin, I’ll show you how to quickly create Windows Firewall rules when network traffic is blocked.

Windows Firewall is an endpoint protection technology that by default blocks most inbound traffic to Windows, preventing malicious processes from probing the system to find an easy way in. It’s critical that Windows Firewall should remain enabled, but it can be tempting to disable it for troubleshooting purposes.

While it may seem reasonable to temporarily turn off Windows Firewall, this often leads to the firewall staying disabled permanently, sometimes because we simply forget to re-enable it, or because it was never determined which ports needed to be opened for a particular service or application to work. And in most cases, it's not necessary to turn off Windows Firewall to determine whether an issue is indeed being caused by blocked network traffic.

Enable Windows Firewall Notifications in Windows Server

Unlike client versions of Windows, firewall notifications aren’t enabled in Windows Server by default. If you encounter an issue where you suspect that Windows Firewall is blocking network traffic, I recommend that you enable notifications rather than turning off the firewall. Not only is this a safer option than disabling the firewall, but Windows will offer to automatically create a rule to allow the blocked traffic through the firewall.


Enable Windows Firewall notifications (Image Credit: Russell Smith)

To check the Windows Firewall configuration in Windows Server 2012 R2, log in as a local administrator, open a PowerShell prompt and run the command below:

You can replace domain with * in the -Name parameter if you want to see the configuration for all firewall profiles. To enable notifications, run the Set-NetFirewallProfile cmdlet as shown here. I've specified the domain profile, because Windows Firewall detects that the server is connected to an Active Directory domain:

Windows Firewall notification (Image Credit: Russell Smith)

Now run your network application. If Windows Firewall is blocking traffic, you'll be notified and given the option to unblock inbound access to the application.
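The check-and-enable steps above, written out as an added example rather than the article's original listing. It records the domain profile's current state, turns on notifications, and confirms the effective value; the `-PolicyStore ActiveStore` check and the restore line are additions that the article does not describe.

```powershell
# Added example. Run in an elevated PowerShell session on the server.
$profileName = 'Domain'   # use '*' with Get-NetFirewallProfile to list every profile

# 1. Record the current state so it can be restored after troubleshooting.
$before = Get-NetFirewallProfile -Name $profileName
$before | Format-List Name, Enabled, DefaultInboundAction, NotifyOnListen

# Notifications are only useful while the profile is actually filtering traffic.
if ($before.Enabled -ne 'True') {
    Write-Warning "The $profileName profile is not enabled; no block notifications will appear."
}

# 2. Enable the prompt that appears when a listening application is blocked.
Set-NetFirewallProfile -Name $profileName -NotifyOnListen True

# 3. Confirm the effective value. ActiveStore is the merged result of local
#    settings and Group Policy, so a GPO that overrides the local change shows up here.
$effective = Get-NetFirewallProfile -Name $profileName -PolicyStore ActiveStore
if ($effective.NotifyOnListen -ne 'True') {
    Write-Warning 'NotifyOnListen is still off in the active policy; check Group Policy.'
}

# 4. Once the required rules exist, put the original setting back
#    (run this later, in the same session, so $before is still available):
# Set-NetFirewallProfile -Name $profileName -NotifyOnListen $before.NotifyOnListen
```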

Determine Ports using netstat.exe

Allowing Windows to automatically create firewall rules is preferable to disabling Windows Firewall. If you look at the rules, you'll see they are somewhat generic, specifying the application without specifics, such as inbound or outbound IP addresses and ports. If you want to be more specific about the rules, you can use netstat.exe to determine the exact ports, protocols and IP addresses being used by the application. While the Get-NetTCPConnection PowerShell cmdlet is similar to netstat.exe, it's not currently able to retrieve information about processes, so it's better to use netstat.exe until Get-NetTCPConnection catches up.
Use netstat.exe to determine the ports and protocols that need to be allowed through Windows Firewall (Image Credit: Russell Smith)
Log in as a local administrator on the sending server, open a command prompt and run netstat -b. In the resulting output, you'll see a list of connections, along with port, IP address and executable information. If the network traffic is bidirectional, repeat this procedure on the receiving server.

Create Firewall Rules

The output of netstat.exe shows that the remote server (contososrv3) needs to allow inbound connections on TCP port 7001 from contososrv4. On contososrv3, log in as a local administrator, open a PowerShell prompt, and run the New-NetFirewallRule cmdlet as shown here to create an inbound rule, replacing Windows PowerShell Console with a relevant name for your firewall rule, and all other details as appropriate:

If you already have a more generic rule set up, you can delete it using Remove-NetFirewallRule, replacing Windows PowerShell Console with the existing rule name:
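One way to carry out both steps on contososrv3, as an added example and not the article's original commands. The scoped rule name, the choice of the Domain profile, and the IPv4-only address lookup are assumptions made for illustration; the scoped rule is created and verified before the generic one is removed, so the application is never left without a matching allow rule.

```powershell
# Added example. Run in an elevated PowerShell session on contososrv3 (the receiving server).
$ruleName    = 'Contoso App TCP 7001 from contososrv4'  # hypothetical name for the scoped rule
$genericName = 'Windows PowerShell Console'             # generic rule name used in the article
$port        = 7001
$senderHost  = 'contososrv4'

# -RemoteAddress expects IP addresses, not host names, so resolve the sender first.
# Only IPv4 addresses are kept here (assumption: the traffic seen in netstat is IPv4).
$senderIps = [System.Net.Dns]::GetHostAddresses($senderHost) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { $_.IPAddressToString }
if (-not $senderIps) { throw "No IPv4 address found for $senderHost" }

# Create the scoped inbound rule unless a rule with this name already exists.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $port -RemoteAddress $senderIps -Profile Domain
}

# Verify what was actually stored before touching the generic rule.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$rule | Get-NetFirewallPortFilter    | Select-Object Protocol, LocalPort
$rule | Get-NetFirewallAddressFilter | Select-Object RemoteAddress

# Remove the broader application rule. The display name can match more than
# one rule, so every match is piped to Remove-NetFirewallRule.
Get-NetFirewallRule -DisplayName $genericName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule
```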


IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.
