Ports Used and Network Topology in Windows Azure Pack: Web Sites
Applies To: Windows Azure Pack
Note
This article only applies to Web Sites deployments using Update Release 5 or earlier.
A complete Web Sites deployment consists of the following five direct web roles. The abbreviations in parentheses are used elsewhere in this document.
Controller (CN)
Management (MN)
Front End (FE)
Publisher (PB)
Worker (WW)
There can be multiple instances of each role type. The connections described and the listening ports also apply when roles of the same type are added. Thus, the number of connections increases with the addition of each web role.
There are supporting systems that may or may not be on separate hosts depending on how the system is deployed. For the purpose of this documentation, it is assumed that they are deployed on separate hosts. They are:
Database (DB)
File Server (FS)
Common ports across all web roles
During deployment, some port settings are made on the roles to enable automated deployment. Some port settings are also set by the base operating system. These are reflected in the list of the ports opened below.
Note
The lists in this section apply only to the five web roles mentioned, and not necessarily to the Database or File Server roles.
Listening ports held in common across each web role
Port | Application/Use | Notes |
---|---|---|
80 | System/Internet HTTP port | |
135 | System/DCOM Service Control Manager | This port should never be exposed to the internet. Port 135 is required to reboot a role if it cannot be repaired. The technology used is WMI remoting. |
139 | System/Windows File and Printer Sharing | This port should never be exposed to the internet. |
445 | System/SMB for IP | Used for file sharing support with the file server. This port should be open only on select roles. |
5985 | System/Windows Remote Management | Windows Remote Management is a SOAP endpoint used to manage the system remotely. |
47001 | System/Windows Remote Management Service | This service supports Windows Remote Management. |
49152+ | Dynamic port range. See the list of dynamic range applications that follows. | |
Dynamic range applications
Wininit.exe – Windows Start-up Application – Wininit.ini lists all of the changes to be made to Windows when you restart the computer after installing a program. The .exe is the program that starts the .ini file. It can be run only when the computer restarts, so changes to it can be made only when Windows is not running.
Lsass.exe – Local Security Authority Subsystem Service – enforces security such as user verification when signing in, processing of password changes, access tokens and more. If the process is killed, the OS must reboot.
Spoolsv.exe – The Spooler Subsystem is responsible for managing printing and fax jobs. This process allows printing to occur in the background without tying up your applications. Not a critical process.
Svchost.exe – This is a generic host process name for services that run from dynamic-link libraries (.dll files). The .dll files in use for Windows Azure Pack: Web Sites include those providing DHCP client, TCP/IP NetBIOS, Hyper-V Time Synchronization, and Windows Connection Manager support.
Controller
The controller is responsible for administering all of the web roles. It connects to each of the web roles, to the database, and to itself.
Listening ports on the Controller role
| Used | Port | Application/Use | Notes |
|---|---|---|---|
| * | 80 | System/Internet HTTP port | Used for the offline feed. |
| * | 135 | System/DCOM Service Control Manager | This port should never be exposed to the internet. See note in the Common Ports section. |
| | 139 | System/Windows File and Printer Sharing | This port should never be exposed to the internet. |
| * | 445 | System/SMB for IP | Used for file sharing support with the file server. This port should only be opened on selected roles. |
| | 5895 | System/Windows Remote Management | |
| | 8172 | System/Web Deploy | |
| * | 8675 | WebFarmService | Used for .NET remoting. |
| | 30101 | System/Unknown | |
| | 47001 | System/Windows Remote Management Service | This service supports Windows Remote Management. |
| | 49152+ | Dynamic port range. See the list of dynamic range applications earlier in this document. | |
Outbound connections from the Controller role
The Destination column lists, in the format DestinationServerRoleAbbreviation: PortNumber, the port that is being connected to on the destination server specified. For example, FS: 445 in the following table indicates that the Controller connects to port 445 on the File Server role.
Destination | Application/Use | Notes |
---|---|---|
FS: 445 | System/SMB file share | There are 4 connections in use on the SMB port. |
PB: 445 | System/SMB file share | There are 4 connections in use on the SMB port. |
MN: 445 | System/SMB file share | There are 4 connections in use on the SMB port. |
DB: 1433 | WebFarmService | The application uses 5 connections to the same DB port. |
DB: 1433 | ResourceMeteringService | The application uses 2 connections to the same DB port. |
PB: 8173 | WebFarmService | |
MN: 8173 | WebFarmService | |
WW: 8173 | WebFarmService | |
FE: 8173 | WebFarmService | |
Localhost: 8675 | WebFarmService | |
Management
The Management role is responsible for the REST interface that is exposed so that the Portal can manage the Web Sites stamp. The Management role communicates with the Database, Controller and File Server roles.
Listening ports on the Management role
| Used | Port | Application/Use | Notes |
|---|---|---|---|
| * | 80 | System/Internet HTTP port | |
| * | 135 | System/DCOM Service Control Manager | This port should never be exposed to the internet. See note in the Common Ports section. |
| | 139 | System/Windows File and Printer Sharing | This port should never be exposed to the internet. |
| | 443 | System/HTTPS listen port | Used as the HTTPS listening port for the MN REST interface. The management Portal uses this port. |
| * | 445 | System/SMB for IP | Used for file sharing support with the file server. |
| | 3389 | Svchost/Remote Desktop Services | |
| | 5895 | System/Windows Remote Management | |
| | 8172 | System/Web Deploy | |
| * | 8173 | System | The Controller connects through this port. |
| | 47001 | System/Windows Remote Management Service | This service supports Windows Remote Management. |
| | 49152+ | Dynamic port range. See the list of dynamic range applications earlier in this document. | |
Outbound connections from the Management role
Destination | Application/Use | Notes |
---|---|---|
FS: 445 | System/SMB file share | |
DB: 1433 | w3wp.exe | The w3wp.exe process handles requests sent to application pools. 3 connections are open. |
DB: 1433 | UsageService | 2 connections are open. |
DB: 1433 | ResourceMeteringService | The application uses 2 connections to the same DB port. |
FS: 5985 | WebFarmAgentService | 6 connections are open. |
Front End
The Front End role is the web accessible endpoint for web sites. Its primary purpose is to route the request to the appropriate worker holding the web site.
Listening ports on the Front End role
| Used | Port | Application/Use | Notes |
|---|---|---|---|
| * | 80 | System/DCOM Service Control Manager | |
| * | 135 | System/DCOM Service Control Manager | This port should never be exposed to the internet. |
| | 139 | System/Windows File and Printer Sharing | This port should never be exposed to the internet. |
| * | 443 | System/HTTPS listener | HTTPS listening port for web sites. |
| * | 445 | System/SMB for IP | Used for file sharing support with the file server. |
| | 3389 | Svchost/Remote Desktop Services | |
| | 5895 | System/Windows Remote Management | |
| * | 8173 | System | The Controller connects through this port. |
| | 47001 | System/Windows Remote Management Service | This service supports Windows Remote Management. |
| | 49152+ | Dynamic port range. See the list of dynamic range applications earlier in this document. | |
Outbound connections from the Front End role
Destination | Application/Use | Notes |
---|---|---|
DB: 1433 | w3wp.exe | The w3wp.exe process handles requests sent to an application pool. |
DB: 1433 | ResourceMeteringService | The application uses 2 connections to the same DB port. |
Publisher
The publisher handles customer publication of web sites by protocols like FTP.
Listening ports on the Publisher role
| Used | Port | Application/Use | Notes |
|---|---|---|---|
| | 21 | Svchost/FTP | |
| | 80 | System/Internet HTTP port | |
| * | 135 | System/DCOM Service Control Manager | This port should never be exposed to the internet. See note in the Common Ports section. |
| | 139 | System/Windows File and Printer Sharing | This port should never be exposed to the internet. |
| | 443 | System/HTTPS | |
| * | 445 | System/SMB for IP | Used for file sharing support with the file server. |
| | 990 | Svchost/FTP | |
| | 1231 | w3wp.exe | The w3wp.exe process handles requests sent to an application pool. |
| | 3389 | Svchost/Remote Desktop Services | |
| | 5895 | System/Windows Remote Management | |
| | 8172 | System/Web Deploy | |
| * | 8173 | System | The Controller connects through this port. |
| | 8176 | DWASSVC | Dynamic WAS Service |
| | 47001 | System/Windows Remote Management Service | This service supports Windows Remote Management. |
| | 49152+ | Dynamic port range. See the list of dynamic range applications earlier in this document. | |
Outbound connections from the Publisher role
Destination | Application/Use | Notes |
---|---|---|
DB: 1433 | WebFarmAgentService | |
DB: 1433 | ResourceMeteringService | The application uses 2 connections to the same DB port. |
Worker
The Worker (Web Worker) role is responsible for running the web sites themselves. A Web Worker can be deployed as a multitenant system that is capable of supporting multiple customers simultaneously, or it can be reserved for one tenant. The Web Worker connects to the Database and the File Server.
Listening ports on the Worker role
| Used | Port | Application/Use | Notes |
|---|---|---|---|
| * | 80 | System/Internet HTTP port | |
| * | 135 | System/DCOM Service Control Manager | This port should never be exposed to the internet. See note in the Common Ports section. |
| | 139 | System/Windows File and Printer Sharing | This port should never be exposed to the internet. |
| * | 445 | System/SMB for IP | Used for file sharing support with the file server. |
| | 3389 | Svchost/Remote Desktop Services | |
| | 5985 | System/Windows Remote Management | |
| * | 8173 | System | The Controller connects through this port. |
| | 8676 | DWASSVC | Dynamic WAS Service |
| | 47001 | System/Windows Remote Management Service | This service supports Windows Remote Management. |
| | 49152+ | Dynamic port range. See the list of dynamic range applications earlier in this document. | |
Outbound connections from the Worker role
Destination | Application/Use | Notes |
---|---|---|
FS: 445 | System/SMB for IP | |
DB: 1433 | DWASSVC | Dynamic WAS Service |
DB: 1433 | ResourceMeteringService | The application uses 2 connections to the same DB port. |
File Server
Listening ports on the File Server role
| Used | Port | Application/Use | Notes |
|---|---|---|---|
| | 135 | System/DCOM Service Control Manager | This port should never be exposed to the internet. See note in the Common Ports section. |
| | 139 | System/Windows File and Printer Sharing | This port should never be exposed to the internet. |
| | 445 | System/SMB for IP | Handles incoming data from the CN, WW, and MN roles. |
| | 3389 | Svchost/Remote Desktop Services | |
| | 5895 | System/Windows Remote Management | Handles incoming data from the MN role. |
| | 8173 | System | The Controller connects through this port. |
| | 47001 | System/Windows Remote Management Service | This service supports Windows Remote Management. |
| | 49152+ | Dynamic port range. See the list of dynamic range applications earlier in this document. | |
Outbound connections from the File Server role
None.
Database
The following list of ports used is based on the installation of a standalone database server using SQLEXPRESS that had no outbound connections. A MySQL database instance will have connections if the web sites being serviced require MySQL. The sample database server had no MySQL connections.
Listening ports on the Database role
| Used | Port | Application/Use | Notes |
|---|---|---|---|
| | 1 | sqlservr.exe/SQL Server database | |
| | 135 | System/DCOM Service Control Manager | This port should never be exposed to the internet. See note in the Common Ports section. |
| | 139 | System/Windows File and Printer Sharing | This port should never be exposed to the internet. |
| | 445 | System/SMB for IP | Handles incoming data from the CN, WW, and MN roles. |
| * | 1433 | sqlservr.exe/Primary listening port for the SQL Server database | The CN, WW, MN, PB, and FE roles connect to this port. |
| * | 3306 | mysqld.exe/Listening port for the MySQL database | |
| | 3389 | Svchost/Remote Desktop Services | |
| | 47001 | System/Windows Remote Management Service | This service supports Windows Remote Management. |
| | 49152+ | Dynamic port range. See the list of dynamic range applications earlier in this document. | |
Outbound connections from the Database role
None.
Connections within a Web Sites cloud
The following diagram shows the persistent connections within the Windows Azure Pack: Web Sites cloud. The diagram does not reflect transient connections to some of the listen ports noted earlier.
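The persistent connections can also be written down as an allow-list and compared against observed traffic. The following is an added example, not part of the original article or of Windows Azure Pack: it encodes only the "Outbound connections" tables above, and the role-to-address map, the sample flows, and the function names are constructed for illustration.

```python
# Added example: allow-list taken from the "Outbound connections" tables above.
ALLOWED = {
    "CN": {("FS", 445), ("PB", 445), ("MN", 445), ("DB", 1433), ("PB", 8173),
           ("MN", 8173), ("WW", 8173), ("FE", 8173), ("CN", 8675)},  # CN:8675 = Localhost
    "MN": {("FS", 445), ("DB", 1433), ("FS", 5985)},
    "FE": {("DB", 1433)},
    "PB": {("DB", 1433)},
    "WW": {("FS", 445), ("DB", 1433)},
    "FS": set(),  # table says "None."
    "DB": set(),  # table says "None."
}
NEVER_EXTERNAL = {135, 139}  # marked "should never be exposed to the internet"

# Assumption: hypothetical address plan; several hosts may share one role.
ROLE_BY_IP = {
    "10.0.0.10": "CN", "10.0.0.20": "MN", "10.0.0.30": "FE", "10.0.0.40": "PB",
    "10.0.0.50": "WW", "10.0.0.51": "WW", "10.0.0.60": "FS", "10.0.0.70": "DB",
}

def classify(src_ip, dst_ip, dst_port):
    """Label one observed TCP flow (source, destination, destination port)."""
    src, dst = ROLE_BY_IP.get(src_ip), ROLE_BY_IP.get(dst_ip)
    if dst is None:
        return "out-of-scope"            # destination is not a stamp host
    if src is None:                      # source is outside the stamp
        return "exposed" if dst_port in NEVER_EXTERNAL else "external"
    return "documented" if (dst, dst_port) in ALLOWED[src] else "undocumented"

def audit(flows):
    """Return (verdict, flow) for each flow that needs review."""
    return [(v, f) for f in flows
            if (v := classify(*f)) in ("undocumented", "exposed")]

# Constructed sample flows (not captured from a real deployment).
SAMPLE_FLOWS = [
    ("10.0.0.10", "10.0.0.50", 8173),    # CN -> WW, documented
    ("10.0.0.10", "10.0.0.10", 8675),    # CN -> Localhost, documented
    ("10.0.0.20", "10.0.0.60", 5985),    # MN -> FS, documented
    ("10.0.0.30", "10.0.0.60", 445),     # FE -> FS SMB, not in the FE table
    ("10.0.0.50", "10.0.0.51", 445),     # WW -> WW SMB, not in the WW table
    ("203.0.113.9", "10.0.0.30", 443),   # outside client -> FE HTTPS
    ("203.0.113.9", "10.0.0.40", 135),   # outside client -> PB DCOM
]

if __name__ == "__main__":
    for verdict, flow in audit(SAMPLE_FLOWS):
        print(verdict, flow)
```

An "undocumented" verdict marks a flow for review rather than proving a problem, because the outbound tables list persistent connections and do not cover transient connections to the other listening ports.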