Firewall rules and protocol usage
SharePoint uses the HTTP protocol and proprietary Microsoft extensions to it for most client-server communication.
| Protocol | Purpose | Ports |
|---|---|---|
| HTTP | Web browser request and response | 80 TCP |
| HTTPS (HTTP over SSL or TLS) | Web browser request and response over SSL or TLS | 443 TCP |
| Front Page Server Extensions (FPSE) | Microsoft client application interaction (e.g. SharePoint Designer) | 80 TCP |
| WebDAV including MS extensions | Microsoft client application interaction (e.g. Shared Folders) | 80 TCP |
| SMTP | Email inbound, email outbound (optional) | 25 (SMTP) |
In addition to SharePoint traffic, a typical SharePoint architecture will include Active Directory authentication traffic to and from the user client and also to and from the SharePoint servers. The protocols here are:
| Protocol | Purpose | Ports |
|---|---|---|
| MSRPC | Authentication and AD traffic | 135, dynamically assigned port 1024-65535 TCP |
| LDAP | Authentication and directory traffic | ? |
| SMB | SMB protocol | 445 TCP/UDP |
| NBT | NBT protocol | ? |
| TDS | SQL Server | 1433 TCP, 1434 UDP |
| General | SQL Server | 135-139 TCP/UDP, 445 |
| SMTP | Email | 25 |
| NetBIOS | Windows networking | 135 TCP/UDP, 137 UDP, 138 UDP, 139 TCP |
SharePoint Designer
SharePoint Designer is a powerful tool, perhaps too powerful, and many administrators seek to block its use, since a single accidental change made in SharePoint Designer can render an entire SharePoint environment unusable. It can make very deep changes to SharePoint, and making such changes directly on any production environment is always risky.
SharePoint Designer communicates over HTTP, using both the Front Page Server Extensions (FPSE) protocol and the SharePoint web services interface.
SharePoint Designer's HTTP requests can be identified by their User-Agent string. Note, however, that the same string may also be sent by other Microsoft applications such as the InfoPath forms client (reports vary).
```http
User-Agent: Mozilla/4.0 (compatible; MS FrontPage 12.0)
```
While connecting to a SharePoint site, SharePoint designer makes HTTP requests for the following resources:
- `/_vti_inf.html`
- `/_vti_bin/shtml.dll/_vti_rpc`
- `/_vti_bin/_vti_aut/author.dll`
- `/_vti_bin/usergroup.asmx`
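To audit for SharePoint Designer use from the web front end's IIS logs, the two indicators above (the FrontPage User-Agent and the FPSE resource paths) can be checked together, so that a request matching only the User-Agent is reported separately from one that also hits an FPSE path. This is an added example, not code from the original page; the log excerpt, hostnames, user names and IP addresses are constructed.

```python
"""Flag SharePoint Designer (FPSE) activity in IIS W3C log lines."""
import re

# User-Agent the page attributes to SharePoint Designer; other Microsoft
# clients (e.g. InfoPath) may send it too, so on its own it is only a hint.
DESIGNER_UA = re.compile(r"MS FrontPage \d+\.\d+")

# Resources SharePoint Designer requests when it connects to a site.
DESIGNER_PATHS = (
    "/_vti_inf.html",
    "/_vti_bin/shtml.dll/_vti_rpc",
    "/_vti_bin/_vti_aut/author.dll",
    "/_vti_bin/usergroup.asmx",
)

# Constructed IIS W3C log excerpt (not real traffic). IIS encodes spaces
# inside a field, such as the User-Agent, as '+'.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-01-10 09:12:01 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\alice 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0) 200
2024-01-10 09:12:07 10.0.0.5 GET /_vti_inf.html - 443 CORP\\bob 10.0.1.33 Mozilla/4.0+(compatible;+MS+FrontPage+12.0) 200
2024-01-10 09:12:08 10.0.0.5 POST /_vti_bin/_vti_aut/author.dll - 443 CORP\\bob 10.0.1.33 Mozilla/4.0+(compatible;+MS+FrontPage+12.0) 200
2024-01-10 09:12:30 10.0.0.5 POST /_vti_bin/lists.asmx - 443 CORP\\carol 10.0.1.41 Mozilla/4.0+(compatible;+MS+FrontPage+12.0) 200
"""


def parse_w3c(text):
    """Parse IIS W3C lines into dicts keyed by the names in the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows


def designer_indicators(row):
    """Return which Designer indicators a single request matches."""
    hits = []
    if DESIGNER_UA.search(row.get("cs(User-Agent)", "").replace("+", " ")):
        hits.append("user-agent")
    if row.get("cs-uri-stem", "").lower() in DESIGNER_PATHS:
        hits.append("fpse-path")
    return hits


def audit(text):
    """List (client ip, user, uri, indicators) for suspected Designer requests.
    Both indicators together is a strong match; 'user-agent' alone may be
    another Microsoft client and deserves a look rather than an alert."""
    findings = []
    for row in parse_w3c(text):
        hits = designer_indicators(row)
        if hits:
            findings.append((row["c-ip"], row["cs-username"], row["cs-uri-stem"], tuple(hits)))
    return findings
```

Feeding a real log to `audit()` shows which accounts and client addresses are using Designer against the farm, which is the evidence an administrator needs before deciding whether to block it at the firewall or proxy.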
Sample architectures
Communications between SharePoint servers (web front end to database, for example) are more complicated. Generally, the best place to put a firewall is along a trust boundary.
The most obvious trust boundary in a standard SharePoint architecture is the line between end-user clients and the SharePoint servers.

For external-facing SharePoint deployments, Microsoft recommends putting a firewall in between the SharePoint web front end server(s) and the other SharePoint servers (application server role and SQL database). What this achieves is a reduced surface area for external attackers.
Guidance
- Consider placing firewalls at trust boundaries.
- Design the firewall in such a way that end users cannot authenticate against the database server directly.
- Consider using IPSec to secure traffic between SharePoint servers.
