How to configure Windows Firewall to allow all ports in use by IIS Express
My understanding of this technet article, per the page that brought me there*, is that I can configure the Windows Firewall to allow all inbound traffic on any port being used by a specified executable.
I realize the defacto answer is likely to be "Don't do this", so please understand; I'm running Visual Studio and IIS Express inside a virtual machine, and want to be able to connect from the host OS for testing purposes, and thus not really concerned with the security implications of opening all ports being used by IIS Express.
I created an inbound rule with Program set to %ProgramFiles% (x86)\IIS Express\iisexpress.exe
, which is the executable running according to the task manager. All other rule specs are left empty (any local address, any remote address, and local port, any remote port, "any" allowed users, "any" allowed computers). Yet, the connection only works if I have a rule for the specific port being served up by IIS Express.
Since it would make my life easier (and largely on principle since technet says it should work), I'd rather not have to add a firewall rule for each app I create.
* Task "Create a rule that allows a program to listen for and accept inbound network traffic on any ports it requires."
Solution 1:
There are a couple problems you're running into here. One is that iisexpress.exe
isn't actually the process responsible for listening to HTTP traffic. That functionality is implemented in http.sys
as a kernel-mode part of the Windows networking stack. (This was done for performance reasons. For more information, see Introduction to IIS Architectures.) Therefore, creating a rule for iisexpress.exe
won't do anything.
Secondly, http.sys
by default doesn't allow programs running as non-admins listen to other computers. According to Serving External Traffic with WebMatrix, you need to run this command in an administrative command prompt to allow all users to listen to other machines via http.sys
:
netsh http add urlacl url=http://MACHNAME:PORT/ user=everyone
Replace MACHNAME
with the hostname that will be used to contact the site and PORT
with the traffic's port. I have read that using *
instead of a specific hostname lets it listen on all names/interfaces, but I have not personally tested that, and some documentation uses +
instead. Either way, once you've set the ACL, you can then create an inbound firewall rule for the port.
Further reading: Configuring HTTP and HTTPS.
Side comment: There's an actual environment variable that points to the 32-bit version of Program Files: %PROGRAMFILES(X86)%
. (The path wasn't your problem, though.)