Configuring Firewalls
As with all networking software, MTP/IP applications must be able to pass through any firewalls or Network Address Translation (NAT) devices you may have. In most cases, this means entering exception rules for any and all server-side firewall functions on the ports indicated below.
Configuring firewalls on the client side is usually not necessary, but may improve performance on very fast networks. Some corporate firewalls may block unapproved applications from accessing servers outside the corporate network. If a client is unable to reach outside servers ("No Response"), contact your IT administrator with the information below.
Default Ports
All MTP/IP servers let you choose which UDP port is used. Following is a list of the default ports for each. See your product manual or online documentation for application specific setup details.
| Application | UDP Ports | TCP Ports | Manual |
| --- | --- | --- | --- |
| ExpeDat | 8080 | None | "Connectivity" |
| SyncDat | 8080 | None | "Connectivity" |
| Utilities | 8082 | 8082 | "Firewalls" |
Even if a firewall has been disabled, it is still recommended that you enter an exception rule for the indicated ports in case the firewall is later activated. This is mandatory for the built-in firewall on Windows systems, as the Windows firewall cannot be completely disabled.
Common Functions
Firewalls may perform a variety of functions which may impact network connectivity and performance. Most such functions are not designed to work with high-performance data transfers. Some firewalls allow you to configure a general exception for a specified port. Others require that you give exceptions or disable each function individually. Consult your device documentation or firewall vendor for details.
| Function | Purpose | Action |
| --- | --- | --- |
| NAT "Port Forwarding" | Network Address Translation | If the server has a private address, ensure that your gateway or firewall is configured to pass traffic from its public IP address to the private server address. |
| Multihome | Multiple IP Addresses per Node | Ensure that clients, routers, and NATs use the correct address. If the server itself has multiple addresses, use the Interface or -n option to bind to the correct one. |
| Bandwidth Management | Limits network performance | Disable or make an exception for the UDP port above. |
| Quality of Service | Limits network performance | Disable or make an exception for the UDP port above. |
| Priority or Throttling | Limits network performance | Disable or make an exception for the UDP port above. |
| Denial of Service | Blocks high volume data transfers | Disable or make an exception for the UDP port above. |
| Stateful Packet Inspection | Blocks patterns of network traffic | Disable or make an exception for the UDP port above. |
| Content Inspection | Blocks packets based on content | Disable or make an exception for the UDP port above. |
| ICMP Blocking | Blocks network diagnostic messages | Disable blocking (allow ICMP) for the UDP port above or known clients. |
| Random Early Drop/Detection (RED) | Enforces fair bandwidth allocation | Disable if you wish MTP/IP traffic to have priority. Enable if you wish MTP/IP to share bandwidth. |
| IP Fragmentation | Permits or denies large datagrams | If you are experiencing timeouts in the middle of data transfers (they start, but then stop partway through), try reversing this setting. |
The most common symptom of a firewall blocking MTP/IP is a failure to communicate between the client and the server. This is usually accompanied by an error such as "Failed: Local Network: No Response". If this happens, check that the server is running, that the port numbers used by the client and the server match, and that all firewalls and NAT devices have explicit rules permitting MTP/IP traffic as described above.
In some cases, communication may be lost after a transaction has been running successfully for some time. This can occur if a firewall is automatically making connectivity decisions based on functions like the ones described above. Double check that all functions have exceptions for the UDP port indicated above.
Whenever setting any firewall configuration, pay close attention to whether TCP or UDP ports are being set. MTP/IP only uses UDP.
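As an added example (not part of this tech note and not a tool shipped with the products), the following Python script applies the troubleshooting steps above to a constructed set of iptables-style firewall log lines: it separates a UDP port that was never accepted (the "No Response" case) from a client cut off after its packets were already getting through, and flags dropped IP fragments and ICMP messages so you know which row of the Common Functions table to check. The log format, the FW-ACCEPT/FW-DROP chain prefixes and all addresses are assumptions.

```python
import re
from collections import Counter

# Constructed iptables-style LOG lines (not a real capture); the MTP/IP server listens on UDP 8080.
SAMPLE_LOG = """\
kernel: FW-ACCEPT: IN=eth0 SRC=203.0.113.5 DST=10.0.0.2 ID=1001 DF PROTO=UDP SPT=41000 DPT=8080
kernel: FW-ACCEPT: IN=eth0 SRC=203.0.113.5 DST=10.0.0.2 ID=1002 DF PROTO=UDP SPT=41000 DPT=8080
kernel: FW-DROP: IN=eth0 SRC=203.0.113.5 DST=10.0.0.2 ID=1003 DF PROTO=UDP SPT=41000 DPT=8080
kernel: FW-DROP: IN=eth0 SRC=203.0.113.5 DST=10.0.0.2 ID=1004 FRAG=185 PROTO=UDP
kernel: FW-DROP: IN=eth0 SRC=203.0.113.5 DST=10.0.0.2 PROTO=ICMP TYPE=3 CODE=4
kernel: FW-DROP: IN=eth0 SRC=198.51.100.9 DST=10.0.0.2 ID=7 DF PROTO=UDP SPT=52000 DPT=8080
kernel: FW-DROP: IN=eth0 SRC=198.51.100.9 DST=10.0.0.2 ID=8 DF PROTO=TCP SPT=52001 DPT=8080
"""

ADVICE = {  # finding -> which Common Functions row to check
    "blocked":  "UDP port never accepted: add an exception for the UDP port (symptom: No Response)",
    "cutoff":   "UDP drops after earlier accepts: check DoS, SPI, RED or other dynamic functions",
    "fragment": "non-first IP fragment dropped: try reversing the IP Fragmentation setting",
    "icmp":     "ICMP diagnostic dropped: allow ICMP for the port or for known clients",
    "tcp":      "TCP to the MTP port: not MTP/IP traffic, MTP/IP only uses UDP",
}

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return (verdict, fields): verdict from the FW-ACCEPT/FW-DROP prefix, fields from key=value pairs."""
    m = re.search(r"FW-(ACCEPT|DROP):", line)
    return (m.group(1) if m else None), dict(FIELD_RE.findall(line))

def triage(log_text, udp_port):
    """Count dropped packets by likely cause, using per-source accept history to tell blocked from cut off."""
    counts = Counter()
    accepted_sources = set()  # clients whose MTP/IP packets already got through
    for line in log_text.splitlines():
        verdict, f = parse_line(line)
        proto, src, dpt = f.get("PROTO"), f.get("SRC"), f.get("DPT")
        if verdict == "ACCEPT":
            if proto == "UDP" and dpt == str(udp_port):
                accepted_sources.add(src)
        elif verdict == "DROP":
            if "FRAG" in f:                      # later fragments carry no port fields
                counts["fragment"] += 1
            elif proto == "ICMP":
                counts["icmp"] += 1
            elif proto == "TCP" and dpt == str(udp_port):
                counts["tcp"] += 1
            elif proto == "UDP" and dpt == str(udp_port):
                counts["cutoff" if src in accepted_sources else "blocked"] += 1
    return counts
```

Calling `triage(SAMPLE_LOG, 8080)` on the sample returns one finding of each kind; look each key up in `ADVICE` for the table row to revisit.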
Windows XP Firewall
The first time you run an MTP/IP application under Windows XP SP2 or later, it may ask you whether to "Unblock" the application. Clicking "Unblock" should be sufficient to allow normal operation. If there are problems, open the "Windows Firewall" control panel. In the "Exceptions" pane, click on "Add Port" to authorize each port required by the application's documentation.
Windows Vista Firewall
By default, the Vista firewall may allow an MTP client to access the network, but at greatly reduced performance. To ensure maximum performance, you must open the UDP port for the MTP application. First, open the "Windows Firewall" control panel. In the "Exceptions" pane, click on "Add Port" to authorize each port required by the application's documentation. See Configuring Vista Firewall for step-by-step instructions.
Windows 7 Firewall
When you run MTP software under Windows 7, the system may ask whether the program should be allowed access to the network. Selecting "Allow access" will permit minimal connectivity. For full performance and connectivity, especially for a server, you must also configure explicit firewall rules. See Configuring Windows 7 Firewall for step-by-step instructions.
Amazon Web Services EC2
In addition to any firewall configuration on the guest operating system, you must also open a firewall port in the Security Group for the host instance. See Tech Note 0025 for step-by-step instructions.
Dynamic Firewalls
Some firewalls can be configured to block traffic based on certain patterns of use. Because MTP/IP makes full use of your network resources, a dynamic firewall may mistake this for an attack. If MTP/IP performance degrades or is suddenly cut off, check for such settings. You may need to add the application's port numbers to a second list, or disable such automatic detection features.
SSL VPNs & SSH Tunneling
Devices which tunnel network traffic over TCP/IP, including "SSL VPNs" and Secure Shell (SSH) tunnels, severely impair performance and are not compatible with MTP/IP. Consider using an IPsec VPN instead.
If your VPN's tunneling mechanism is configurable, such as for OpenVPN, be sure to use UDP. See Tech Note 0009 for more about VPN issues.