Add Programs and Ports to Windows XP SP2 Firewall Exceptions List

Windows XP Service Pack 2 (SP2) includes a built-in firewall. A firewall filters or blocks information coming into your computer or office network. The default configuration of the Windows Firewall control panel in Windows XP SP2 can prevent commonly used applications from functioning. To restore this functionality, you can add the program, or the ports that the program uses, to the Firewall's Exceptions list.

After adding a program to the Exceptions list, its port opens only while the program is running and closes again when the program is shut down. Because the port is blocked at all other times, your computer maintains a higher degree of safety from malicious attack. The more programs you add to the Exceptions list, the weaker your level of security. To help decrease your security risk, Microsoft offers these guidelines:

  • Only allow an exception when you really need it.
  • Never allow an exception for a program that you don't recognize.
  • Remove an exception when you no longer need it.

Common programs in use within the College that may require use of these ports include Cisco VPN Client, FileMaker Pro, Macromedia Dreamweaver, NetMeeting and Palm HotSync Manager. Many Internet-enabled games and Instant Messaging programs like AOL Instant Messenger and Yahoo Instant Messenger will also be affected.

Please be aware that the commonly used applications listed in this How To (Cisco VPN, FileMaker Pro, Retrospect) need their Ports opened. They do not also need to be added to the Exceptions list as a Program.

How To Add a Program to the Exceptions List
How To Add Specific Programs
How To Open a Port in the Exceptions List
How To Open Ports with a BAT file
Open LPR Print Ports (IBIS Printing): TCP Port 515
Open QuickTime Streaming Media Ports: TCP Port 554, UDP Port 554

Default Firewall Settings

  1. Click Start, and then click Control Panel.
  2. Double-click Windows Firewall (or click Security Center and then Windows Firewall).
  3. On the General tab of the Windows Firewall control panel, select On (recommended).
  4. In the Windows Firewall control panel, click the Exceptions tab.

    NOTE: There are four default programs listed on the Exceptions tab.

    File and Print Sharing: Controls file and printer sharing. Allows the network browser service to start so you see computers in My Network Places. Also controls if the computer can be pinged by other computers on the network.
    Remote Assistance: Controls the sending of Remote Assistance requests via the Help and Support center or Windows Messenger.
    Remote Desktop: Controls the use of the Remote Desktop feature. Remote Desktop allows you to access (log in as yourself) your Windows XP computer from another computer.
    UPnP Framework: Controls whether Universal Plug and Play (UPnP) devices that require network access can establish that network connection when needed.

  5. Check (enable) the File and Print Sharing choice.
  6. Check (enable) the Remote Assistance choice.
  7. Unless you use this feature, uncheck (disable) the Remote Desktop choice. (Extension Office staff can't use this feature.)
  8. Uncheck (disable) the UPnP Framework choice.
  9. Click OK to close the Windows Firewall control panel.
  10. Restart the computer to enable these choices.

How To Add a Program to the Exceptions List

NOTE: By default Windows Firewall will ask you if you want to add a program to the exception list the first time you use the program. You will see a message with three choices: Keep Blocking, Unblock, or Ask Me Later.

Keep Blocking: Adds the application to the Exceptions list but in a Disabled state so that the ports are not opened. Because the application is on the Exceptions list, Windows Firewall does not prompt you every time it is run.
Unblock: Adds the application to the Exceptions list in an Enabled state so that the ports are opened.
Ask Me Later: Blocks unsolicited incoming traffic and does not add the application to the Exceptions list. You will be prompted again the next time the application is run.

These are the general steps to add a program to the Windows XP SP2 Firewall Exceptions list. You should only do this for known, "safe" applications.

  1. Click Start, and then click Control Panel.
  2. Double-click Windows Firewall (or click Security Center and then Windows Firewall).
  3. In the Windows Firewall control panel, click the Exceptions tab.
  4. Click Add Program.
    NOTE: You will see a list of installed programs.
  5. Select the program and click OK to add the program (see below if the program is not listed).
  6. Click OK to close the Windows Firewall control panel.
  7. Restart the computer to enable these choices.

    NOTE: If you didn't see the name of the program you were attempting to add above, click the Browse button. Then click My Computer. Double-click Local Disk (C:). Programs are usually stored in the Program Files folder on your computer, so double-click Program Files. You will now need to locate and open the application's folder. Then select the EXE file that opens the application and click Open.

How To Add Specific Programs

NOTE: This lists several programs that you may want to add to the Exceptions list.

  1. Click Start, and then click Control Panel.
  2. Double-click Windows Firewall (or click Security Center and then Windows Firewall).
  3. In the Windows Firewall control panel, click the Exceptions tab.
  4. Click Add Program.
  5. Select the program and click OK to add the program.

    NOTE: If you didn't see the name of the program you were attempting to add above, click the Browse button. Then click My Computer. Double-click Local Disk (C:). Double-click Program Files. You will now need to locate and open the application's folder. Then select the EXE file that opens the application and click Open.

    Examples:
    To add NetMeeting, in the Program Files folder, open the NetMeeting Folder. Select conf.exe and click Open. Click OK.

    To add Dreamweaver, in the Program Files folder, open the Macromedia Folder. Open the Dreamweaver folder. Select Dreamweaver.exe and click Open. Click OK.

    To add Palm HotSync, in the Program Files folder, open the Palm Folder. Select HotSync.exe and click Open. Click OK.

    To add MSN Messenger, in the Program Files folder, open the MSN Messenger Folder. Select msnmsgr.exe and click Open. Click OK.

  6. Click OK to close the Windows Firewall control panel.
  7. Restart the computer to enable these choices.

How To Open a Port in the Exceptions List

NOTE: These are the general steps for opening a port in the Windows XP SP2 Firewall.

  1. Click Start, and then click Control Panel.
  2. Double-click Windows Firewall (or click Security Center and then Windows Firewall).
  3. In the Windows Firewall control panel, click the Exceptions tab.
  4. Click Add Port.
    NOTE: The standard name should include the APPLICATION NAME, the PORT TYPE (either TCP or UDP) followed by the port number being added (for example, 62515). This will help you easily identify the application and the port in the Exceptions list once it is created.
  5. In the Name field, enter the Application followed by an underscore then the Port Type in uppercase followed by an underscore and then the port number. Ex: VPN_UDP_62515.
  6. In the Port number field, enter the number being added. This should match the number entered in the Name field. Ex: 62515.
  7. Click the appropriate radio button for TCP or UDP.
  8. Click OK to add the port.
  9. Click OK to close the Windows Firewall control panel.
  10. Restart the computer to enable these choices.

How To Open Ports with a BAT file

NOTE: ICT has created several "BAT" or Batch files that automate the creation of the FileMaker Pro, IBIS printing, Retrospect, and VPN ports. You will download a self extracting archive file that will expand to a folder containing six BAT files.

  1. Click the BAT_file.exe link and choose to Save the file to the computer. Ex: Save to the Desktop.
  2. Once the file downloads, double-click on the downloaded BAT_files.exe file.
  3. Click OK.
  4. Open the Bat_files folder. You will see these files:

    Open_2_VPN_FMP_NoPrompt.bat
    The file will open the ports for VPN and FileMaker Pro without stopping.

    Open_All5_SP2ports_NoPrompt.bat
    The file will open the ports for FileMaker Pro, IBIS, QTSS, Retrospect and VPN without stopping.

    Open_All5_SP2ports_Prompt.bat
    The file will pause and prompt you to open the ports for each of the five applications.

    Open_FMP_SP2_ports.bat
    This file will pause and prompt you to open the FileMaker Pro ports.

    Open_IBIS_SP2_port.bat
    This file will pause and prompt you to open the LPR Print Ports for IBIS Printing port.

    Open_QTSS_SP2_ports.bat
    This file will pause and prompt you to open the QuickTime Streaming Server ports.

    Open_Retrospect_SP2_ports.bat
    This file will pause and prompt you to open the Retrospect ports.

    Open_VPN_SP2_ports.bat
    This file will pause and prompt you to open the VPN ports.


    NOTE: The "no prompt" files will simply open a command window and run. When finished, the command window will close. The remaining BAT files will pause. You will have a choice of pressing 1 or 2. The "1" choice will execute the command. The "2" choice will cancel the command.

  5. Double-click on the needed BAT file(s) to allow them to run. If needed, press 1 or 2.
  6. To verify the process, click Start, and then click Control Panel.
  7. Double-click Windows Firewall (or click Security Center and then Windows Firewall).
  8. In the Windows Firewall control panel, click the Exceptions tab.
  9. Look for the following names. FileMaker Pro requires 2 ports. IBIS printing requires 1 port. QuickTime Streaming Server requires 2 ports. Retrospect requires 2 ports. VPN requires 3 ports.

    FileMaker_Pro_TCP_5003
    FileMaker_Pro_UDP_5003
    IBIS_TCP_515
    QT_Streaming_TCP_554
    QT_Streaming_UDP_554
    Retrospect_TCP_497
    Retrospect_UDP_497
    VPN_TCP_10000
    VPN_UDP_62515
    VPN_UDP_4500

    NOTE: If you have ports being controlled by Group Policy, they will appear in the list as a gray line. This is normal. Group Policy ports supersede ports added by the BAT file.

  10. Click OK to close the Windows Firewall control panel.
  11. Restart the computer to enable these choices.
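The ICT BAT files described above are not reproduced on this page. The batch file below is an added example, not one of ICT's scripts: it uses the Windows XP SP2 "netsh firewall" command (the command-line equivalent of the Add Port button, replaced by "netsh advfirewall" in later Windows versions) to add the three Cisco VPN ports with this page's naming convention, prompts for 1 or 2 like the ICT files, and deletes the same exceptions again when run with the word "remove". It assumes it is run from an account in the local Administrators group; the file name Open_VPN_ports_example.bat is made up for the example.

```batch
@echo off
REM Added example, not one of the ICT BAT files: adds (or removes) the three
REM Cisco VPN ports listed on this page using the Windows XP SP2
REM "netsh firewall" context and the APPLICATION_PROTOCOL_PORT naming convention.
REM Assumes it is run from an account in the local Administrators group.
REM Usage:  Open_VPN_ports_example.bat          (prompts, then opens the ports)
REM         Open_VPN_ports_example.bat remove   (deletes the same exceptions)

if /I "%~1"=="remove" goto :remove

echo This will add VPN_TCP_10000, VPN_UDP_62515 and VPN_UDP_4500
echo to the Windows Firewall Exceptions list.
echo   1 = open the ports
echo   2 = cancel
set CHOICE=
set /p CHOICE=Enter 1 or 2: 
if not "%CHOICE%"=="1" goto :cancel

REM mode=ENABLE adds the entry with its box checked; scope=ALL accepts
REM traffic from any address (the same as not changing the scope in the GUI).
netsh firewall add portopening protocol=TCP port=10000 name=VPN_TCP_10000 mode=ENABLE scope=ALL
netsh firewall add portopening protocol=UDP port=62515 name=VPN_UDP_62515 mode=ENABLE scope=ALL
netsh firewall add portopening protocol=UDP port=4500 name=VPN_UDP_4500 mode=ENABLE scope=ALL

REM A port that only one server needs can be limited to that server, as the
REM IBIS steps on this page do from the GUI with "Change scope...":
REM   netsh firewall add portopening protocol=TCP port=515 name=IBIS_TCP_515 mode=ENABLE scope=CUSTOM addresses=128.118.109.3/255.255.255.0

REM Verify: each name should be listed, the same list the Exceptions tab shows.
netsh firewall show portopening
goto :end

:remove
REM Microsoft's guideline above: remove an exception when you no longer need it.
netsh firewall delete portopening protocol=TCP port=10000
netsh firewall delete portopening protocol=UDP port=62515
netsh firewall delete portopening protocol=UDP port=4500
netsh firewall show portopening
goto :end

:cancel
echo No changes were made to the firewall.

:end
pause
```

As with the ICT files, restart the computer afterwards and confirm the names on the Exceptions tab; entries that are grayed out with "Yes" in the Group Policy column are controlled by Group Policy and are not changed by this script.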

Open Cisco VPN Ports: TCP Port 10000, UDP 62515, UDP 4500

NOTE: This Virtual Private Network (VPN) software is used by Penn State faculty, staff and students when connecting to a Penn State network from any other ISP (internet service provider). Typically used from home, by laptop users on the road, and by County Extension office staff from their office. These steps 'open' three ports for the VPN client to pass through.

  1. Click Start, and then click Control Panel.
  2. Double-click Windows Firewall (or click Security Center and then Windows Firewall).
  3. In the Windows Firewall control panel, click the Exceptions tab.
  4. Click Add Port.
  5. In the Name field, type VPN_TCP_10000
  6. In the Port number field, type 10000.
  7. The TCP radio button should already be selected.
  8. Click OK to add the port. It should appear in the list of Programs and Services. It should be checked.
  9. Click Add Port.
  10. In the Name field, type VPN_UDP_62515
  11. In the Port number field, type 62515.
  12. Click the UDP radio button.
  13. Click OK to add the port. It should appear in the list of Programs and Services. It should be checked.
  14. Click Add Port.
  15. In the Name field, type VPN_UDP_4500
  16. In the Port number field, type 4500.
  17. The UDP radio button should already be selected.
  18. Click OK to add the port. It should appear in the list of Programs and Services. It should be checked.
  19. If you need to add more ports, please go to Step 4 of the next section.
    If you are finished adding ports, click OK to close the Windows Firewall control panel.
  20. Restart the computer to enable these choices.

Open FileMaker Pro Sharing Ports: TCP Port 5003, UDP Port 5003

NOTE: If you share FileMaker Pro (any version) database files, you will need to open these ports. If you don't access shared FileMaker Pro files, you may skip this section.

  1. Click Start, and then click Control Panel.
  2. Double-click Windows Firewall (or click Security Center and then Windows Firewall).
  3. In the Windows Firewall control panel, click the Exceptions tab.
  4. Click Add Port.
  5. In the Name field, type FileMaker_Pro_TCP_5003
  6. In the Port number field, type 5003.
  7. The TCP radio button should already be selected.
  8. Click OK to add the port. It should appear in the list of Programs and Services. It should be checked.
  9. Click Add Port.
  10. In the Name field, type FileMaker_Pro_UDP_5003
  11. In the Port number field, type 5003.
  12. Click the UDP radio button.
  13. Click OK to add the port. It should appear in the list of Programs and Services. It should be checked.
    NOTE: You would need to repeat this section's steps on all machines using the FileMaker Pro files (Host and Guests).
  14. If you need to add more ports, please go to Step 4 of the next section.
    If you are finished adding ports, click OK to close the Windows Firewall control panel.
  15. Restart the computer to enable these choices.

Open Retrospect Ports: TCP Port 497, UDP Port 497

NOTE: This process is managed centrally for computers at University Park. If you are at University Park and your computer is backed up with Retrospect, you may already see listings for Retrospect. They will appear grayed out and have a 'Yes' in the Group Policy column. If so, you may skip these steps.

  1. Click Start, and then click Control Panel.
  2. Double-click Windows Firewall (or click Security Center and then Windows Firewall).
  3. In the Windows Firewall control panel, click the Exceptions tab.
  4. Click Add Port.
  5. In the Name field, type Retrospect_TCP_497
  6. In the Port number field, type 497.
  7. The TCP radio button should already be selected.
  8. Click OK to add the port. It should appear in the list of Programs and Services. It should be checked.
  9. Click Add Port.
  10. In the Name field, type Retrospect_UDP_497
  11. In the Port number field, type 497.
  12. Click the UDP radio button.
  13. Click OK to add the port. It should appear in the list of Programs and Services. It should be checked.
  14. If you need to add more ports, please go to Step 4 of the next section.
    If you are finished adding ports, click OK to close the Windows Firewall control panel.
  15. Restart the computer to enable these choices.

    NOTE: If your computer is unable to be reached by the Retrospect Server after opening these ports, the Server Administrator should reinstall the Retrospect client software on your machine.

Open LPR Print Ports (IBIS Printing): TCP Port 515

NOTE: When you try to print to an LPR printer, the print job fails without any further error message. The printer doesn't react at all, no lights flash. University Park staff may experience this with AIS Mainframe Printing (IBIS). County Extension staff may experience this if printing to an older Apple LaserWriter printer.

  1. Click Start, and then click Control Panel.
  2. Double-click Windows Firewall (or click Security Center and then Windows Firewall).
  3. In the Windows Firewall control panel, click the Exceptions tab.
  4. Click Add Port.
  5. In the Name field, type IBIS_TCP_515
  6. In the Port number field, type 515.
  7. The TCP radio button should already be selected.
    NOTE: Steps 8 - 9 are for AIS Mainframe Printing ONLY.
  8. Click the Change scope… button.
  9. Select the Custom list option and type 128.118.109.3/255.255.255.0
  10. Click OK to add the port. It should appear in the list of Programs and Services. It should be checked.
  11. If you need to add more ports, please go to Step 4 of the next section.
    If you are finished adding ports, click OK to close the Windows Firewall control panel.
  12. Restart the computer to enable these choices.

Open QuickTime Streaming Server Ports: TCP Port 554, UDP Port 554

NOTE: This process is managed centrally for computers at University Park. If you are at University Park and your computer is backed up with Retrospect, you may already see listings for Retrospect. They will appear grayed out and have a 'Yes' in the Group Policy column. If so, you may skip these steps.

  1. Click Start, and then click Control Panel.
  2. Double-click Windows Firewall (or click Security Center and then Windows Firewall).
  3. In the Windows Firewall control panel, click the Exceptions tab.
  4. Click Add Port.
  5. In the Name field, type QT_Streaming_TCP_554
  6. In the Port number field, type 554.
  7. The TCP radio button should already be selected.
  8. Click OK to add the port. It should appear in the list of Programs and Services. It should be checked.
  9. Click Add Port.
  10. In the Name field, type QT_Streaming_UDP_554
  11. In the Port number field, type 554.
  12. Click the UDP radio button.
  13. Click OK to add the port. It should appear in the list of Programs and Services. It should be checked.
  14. If you are finished adding ports, click OK to close the Windows Firewall control panel.
  15. Restart the computer to enable these choices.

©College of Agricultural Sciences
Please e-mail us with your questions, comments or suggestions at AgCompSupport@psu.edu
 
How To Add Programs and Ports to Windows XP SP2 Firewall Exceptions List
10/26/2004 [vcv]
updated 12/22/2004 [vcv]
updated 5/3/2005 [vcv]