I think you need to be a bit more precise...

The Windows 2008 R2 Server initiates the connection? (this I suspect is not the 
case)
Normally, when we say 'x talks to y', it is 'x' that initiates the connection.

So, if the Win7 client is initiating the connection to the Windows Server 2008 
R2 server then you'd need:

a) TCP Port 80 (if using HTTP for BITS) or TCP port 443 (if using HTTPS 
for BITS). This would be source: Win7 clients to dest: Win2008 R2 Server

b) TCP port 1433 (if using SQL Server default instance). Same source/dest 
as above. If using a named instance, and not using a fixed port, then you'd 
need UDP 1434 (SQL Server browser service) and something on your FW to 
dynamically open the port that SQL Server is using. Probably best to use a 
fixed TCP port for your named instance.

Cheers
Ken
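
The rule set from the reply above, written as Windows Firewall inbound rules for the 2008 R2 server (an added example, not part of the original thread). The client subnet, rule names, firewall profile and SQL port value are assumptions; a perimeter firewall between the two sides needs the same source, destination and port tuples.

```powershell
# Added example: run in an elevated PowerShell session on the Windows Server 2008 R2 host.
# Assumed values (not from the thread): client subnet, rule names, profile, SQL port.
$ClientSubnet = '10.20.30.0/24'   # hypothetical range holding the Win7 clients
$SqlPort      = 1433              # default instance; for a named instance use its fixed TCP port
$UseHttps     = $true             # BITS rides on IIS: 443 for HTTPS, 80 for HTTP

$webPort = 80
if ($UseHttps) { $webPort = 443 }

$rules = @(
    @{ Name = 'BITS-IIS-from-Win7'; Protocol = 'TCP'; Port = $webPort },
    @{ Name = 'SQL-from-Win7';      Protocol = 'TCP'; Port = $SqlPort }
    # UDP 1434 (SQL Server Browser) is left closed on purpose: with a fixed TCP port,
    # clients put the port in the connection string (server,port) and never query the Browser.
)

foreach ($r in $rules) {
    # Delete any earlier copy so re-running the script does not stack duplicate rules
    & netsh advfirewall firewall delete rule "name=$($r.Name)" | Out-Null

    # Inbound allow, limited to the client subnet instead of any source address
    & netsh advfirewall firewall add rule "name=$($r.Name)" dir=in action=allow `
        "protocol=$($r.Protocol)" "localport=$($r.Port)" `
        "remoteip=$ClientSubnet" profile=domain   # profile is an assumption; match your network
    if ($LASTEXITCODE -ne 0) { throw "Failed to add rule $($r.Name)" }
}

# Show what was created so the scope (RemoteIP, LocalPort) can be reviewed
foreach ($r in $rules) {
    & netsh advfirewall firewall show rule "name=$($r.Name)"
}
```
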

From: James Rankin [mailto:[email protected]]
Sent: Wednesday, 9 May 2012 11:05 PM
To: NT System Admin Issues
Subject: Re: Firewall-y stuff

Bit of both. We need a Windows 2008 R2 Server to talk to Windows 7 clients that 
are on the other side of a firewall, using SQL and BITS traffic

On 9 May 2012 15:54, Ziots, Edward <[email protected]> wrote:
Are we talking a regular firewall or the Windows firewall on a server?

Z

Edward Ziots
CISSP, Security +, Network +
Security Engineer
Lifespan Organization
[email protected]

From: Christopher Bodnar [mailto:[email protected]]
Sent: Wednesday, May 09, 2012 10:53 AM

To: NT System Admin Issues
Subject: Re: Firewall-y stuff

Yes, just the one port. It's easier to think of BITS as a sub-component of IIS. 
So if your IIS communication is working over 80 or 443, you should be good to 
go.

http://technet.microsoft.com/en-us/library/cc732428.aspx

Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology: Enterprise Architecture 
and Engineering Services

Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
[email protected]

The Guardian Life Insurance Company of America

www.guardianlife.com

From:        James Rankin <[email protected]>
To:        "NT System Admin Issues" <[email protected]>
Date:        05-09-12 10:37 AM
Subject:        Firewall-y stuff
________________________________


I'm in no way a networking kind of guy, so please excuse this slightly noob-ish 
question...if you need to open up a firewall for http/s and BITS traffic, since 
they both work on port 80 (or 443), do you just need to open the one port? I 
can't seem to find a definitive answer via the Google-God

Cheers,



JR

--
http://appsensebigot.blogspot.co.uk

IMPORTANT INFORMATION/DISCLAIMER

I certainly don't have time to monitor the content of e-mail sent and received 
via this account for the purposes of ensuring compliance with anyone's policies 
and procedures. I am pretty sure that somewhere in UK legislation there is some 
politically-correct drivel that stipulates I must never send or store e-mails 
or attachments that are obscene, indecent, sexist, racist, defamatory, abusive, 
in breach of copyright, encrypted, amusing, overly long, slightly opinionated, 
anonymous, likely to harm animals or hurt the feelings of an as-yet-unspecified 
or as-yet-nonexistent minority (such as extraterrestrial eggplants). Emails of 
this nature sent in or out of this account may be intercepted and stopped by 
the system, but it's a long shot. This being the UK, even if I was prosecuted 
for breach of said email guidelines, I'd probably walk with a suspended 
sentence anyway, but if I'd forgotten to pay my car insurance, I'd most 
certainly be hung, drawn and quartered.

I am not responsible for any changes made to the message after it has been 
sent, in more or less the same way that cyclozine manufacturers aren't 
responsible for drug addicts mixing it with methadone and overdosing, so I'm 
glad I cleared the confusion up there nice and early. Where opinions are 
expressed, they are not necessarily mine. However, I don't make a habit of 
expressing other people's opinions for them, so you shouldn't take that 
statement as an indication that I am in the business of providing an 
opinion-expressing service. In the event that I did, this discourse would 
provide no guarantee that I would do it anyway, but I don't, so I won't.

This e-mail and any files transmitted with it are confidential and intended 
solely for the use of the individual or entity to whom they are addressed. If 
you are not the intended addressee, or the person responsible for delivering it 
to them, aside from the fact that you've clearly got some level of unauthorised 
access to their account or are at least engaged in some sort of fraud, I'm 
obliged to tell you that you may not copy, forward, disclose or otherwise use it or 
any part of it in any way. To do so may be unlawful, and as you're already 
breaking the law, I am sure that bombshell makes you quake in your boots and 
turn yourself over to law enforcement immediately. If you receive this e-mail 
by mistake, please advise the sender immediately. That would be me, and as I am 
clearly prone to sending emails to completely the wrong person, I should 
instantly be stripped of my status as a technical consultant and sent to do 
something more becoming of my stupidity, such as appearing on Big Brother, the 
X Factor or "insert country name here"'s Got Talent.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
[email protected]
with the body: unsubscribe ntsysadmin

----------------------------------------- This message, and any attachments to 
it, may contain information that is privileged, confidential, and exempt from 
disclosure under applicable law. If the reader of this message is not the 
intended recipient, you are notified that any use, dissemination, distribution, 
copying, or communication of this message is strictly prohibited. If you have 
received this message in error, please notify the sender immediately by return 
e-mail and delete the message and any attachments. Thank you.
