Open a Port in Windows Server Firewall

Windows Defender Firewall is the built-in host firewall on every Windows Server installation. It filters inbound and outbound traffic by port, protocol, program, and source IP. By default, it blocks most inbound connections – which means any time you deploy a new service, you need to open the right ports before clients can reach it.

Original content from computingforgeeks.com - post 29677

This guide covers every method for opening firewall ports on Windows Server 2022/2025 – the GUI, PowerShell, and netsh. It also covers port ranges, IP restrictions, program-based rules, verification, rule management, and export/import for backup or migration. The same steps apply to Windows Server 2019 and newer. For full details on the firewall architecture, see the Windows Defender Firewall documentation.

Prerequisites

  • Windows Server 2019, 2022, or 2025
  • Administrator access to the server
  • Windows Defender Firewall service running (enabled by default)
  • PowerShell 5.1 or later (included with all supported Windows Server versions)

Confirm the firewall service is running before making changes. Open PowerShell as Administrator and run:

Get-Service -Name MpsSvc

The service status should show Running:

Status   Name               DisplayName
------   ----               -----------
Running  MpsSvc             Windows Defender Firewall

Step 1: Open a Port Using the GUI

The graphical method uses Windows Defender Firewall with Advanced Security. This is the most straightforward approach for opening individual ports when you prefer a visual interface.

Open the firewall console by pressing Win + R, typing wf.msc, and pressing Enter. You can also reach it through Server Manager by clicking Tools and selecting Windows Defender Firewall with Advanced Security.

Follow these steps to create an inbound port rule:

  • In the left pane, click Inbound Rules
  • In the right pane under Actions, click New Rule
  • Select Port and click Next
  • Choose TCP or UDP depending on your service
  • Select Specific local ports and enter the port number (for example, 8080)
  • Click Next and select Allow the connection
  • Choose which profiles the rule applies to – Domain, Private, and Public. For servers, keep all three checked unless you have specific network isolation requirements
  • Give the rule a descriptive name like Allow TCP 8080 – MyApp and click Finish

The rule takes effect immediately. No restart or service reload is needed.

Step 2: Open a Port Using PowerShell

PowerShell is the preferred method for scripted or remote firewall management. The New-NetFirewallRule cmdlet from the NetSecurity module gives you full control over every rule parameter.

Open an elevated PowerShell session and run this command to allow inbound TCP traffic on port 8080:

New-NetFirewallRule -DisplayName "Allow TCP 8080" -Direction Inbound -Protocol TCP -LocalPort 8080 -Action Allow

PowerShell confirms the rule was created and displays its properties:

Name                  : {generated-guid}
DisplayName           : Allow TCP 8080
Description           :
DisplayGroup          :
Group                 :
Enabled               : True
Profile               : Any
Platform              : {}
Direction             : Inbound
Action                : Allow
EdgeTraversalPolicy   : Block
LooseSourceMapping    : False
LocalOnlyMapping      : False
Owner                 :
PrimaryStatus         : OK
Status                : The rule was parsed successfully from the store.

To open a UDP port instead, change the protocol parameter:

New-NetFirewallRule -DisplayName "Allow UDP 514 - Syslog" -Direction Inbound -Protocol UDP -LocalPort 514 -Action Allow

You can also specify which firewall profile the rule applies to using the -Profile parameter. Valid values are Domain, Private, Public, or Any (the default):

New-NetFirewallRule -DisplayName "Allow TCP 3306 - MySQL" -Direction Inbound -Protocol TCP -LocalPort 3306 -Action Allow -Profile Domain,Private

Step 3: Open a Port Using netsh

The netsh advfirewall command works on all Windows Server versions and is useful in environments where PowerShell modules are unavailable or when working from a standard Command Prompt. It is also the method referenced in many legacy scripts and documentation.

Run Command Prompt or PowerShell as Administrator and execute:

netsh advfirewall firewall add rule name="Allow TCP 8080" dir=in action=allow protocol=TCP localport=8080

A successful command returns:

Ok.

For a UDP port, change the protocol:

netsh advfirewall firewall add rule name="Allow UDP 161 - SNMP" dir=in action=allow protocol=UDP localport=161

Step 4: Open a Port Range

Some services use a range of ports. RPC dynamic ports, for example, typically use 49152-65535. Both PowerShell and netsh support ranges natively.

With PowerShell, specify the range using a dash separator:

New-NetFirewallRule -DisplayName "Allow TCP 5000-5010 - App Ports" -Direction Inbound -Protocol TCP -LocalPort 5000-5010 -Action Allow

With netsh, the syntax is similar:

netsh advfirewall firewall add rule name="Allow TCP 5000-5010" dir=in action=allow protocol=TCP localport=5000-5010

You can also open multiple individual ports in a single rule by separating them with commas:

New-NetFirewallRule -DisplayName "Allow Web Ports" -Direction Inbound -Protocol TCP -LocalPort 80,443,8080 -Action Allow

Step 5: Restrict a Port to Specific IP Addresses

Opening a port to the entire internet is rarely a good idea for management services like RDP or databases. Restricting access to known IP addresses or subnets significantly reduces your attack surface.

In PowerShell, use the -RemoteAddress parameter to limit which source IPs can connect:

New-NetFirewallRule -DisplayName "Allow RDP - Office Only" -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow -RemoteAddress 10.0.1.0/24,192.168.1.50

This rule allows RDP traffic only from the 10.0.1.0/24 subnet and the single host 192.168.1.50. All other source IPs are blocked.

The equivalent netsh command uses the remoteip parameter:

netsh advfirewall firewall add rule name="Allow RDP - Office Only" dir=in action=allow protocol=TCP localport=3389 remoteip=10.0.1.0/24,192.168.1.50

To update an existing rule and add IP restrictions after the fact, use the address filter pipeline:

Get-NetFirewallRule -DisplayName "Allow TCP 3306 - MySQL" | Get-NetFirewallAddressFilter | Set-NetFirewallAddressFilter -RemoteAddress 10.0.1.0/24
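The two cases above (create a restricted rule, or tighten one that already exists) fit naturally into a single idempotent helper. The following script is an added example, not code from the original post; the rule name, port and source addresses it uses are placeholders. It refuses an unrestricted source list outright, updates the address and port filters when a rule of that name already exists instead of creating a duplicate, and reads back what the firewall actually stored so the result can be checked.

```powershell
# Added example (not from the original post): create an inbound allow rule that is
# restricted to known source ranges, or tighten an existing rule of the same name.
# DisplayName, ports and source ranges below are placeholders for your own values.
function Set-RestrictedInboundRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $DisplayName,
        [Parameter(Mandatory)] [string[]] $LocalPort,
        [Parameter(Mandatory)] [string[]] $RemoteAddress,      # e.g. '10.0.1.0/24','192.168.1.50'
        [ValidateSet('TCP', 'UDP')] [string] $Protocol = 'TCP',
        [string[]] $Profiles = @('Domain', 'Private')        # Public is deliberately not the default
    )

    # The whole point of this helper is to never leave a service open to any source.
    if ($RemoteAddress -contains 'Any' -or $RemoteAddress -contains '0.0.0.0/0') {
        throw "Refusing to configure '$DisplayName' with an unrestricted RemoteAddress."
    }

    $existing = @(Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue)
    if ($existing.Count -gt 1) {
        throw "More than one rule is named '$DisplayName'; resolve the duplicates first."
    }

    if ($existing.Count -eq 0) {
        New-NetFirewallRule -DisplayName $DisplayName -Direction Inbound `
            -Protocol $Protocol -LocalPort $LocalPort -Action Allow `
            -RemoteAddress $RemoteAddress -Profile $Profiles `
            -Description "Created $(Get-Date -Format o); sources: $($RemoteAddress -join ',')" | Out-Null
        Write-Verbose "Created rule '$DisplayName'"
    }
    else {
        # Rule exists: replace its filters in place rather than adding a second, looser rule.
        $existing[0] | Get-NetFirewallAddressFilter | Set-NetFirewallAddressFilter -RemoteAddress $RemoteAddress
        $existing[0] | Get-NetFirewallPortFilter    | Set-NetFirewallPortFilter -Protocol $Protocol -LocalPort $LocalPort
        Write-Verbose "Updated filters on existing rule '$DisplayName'"
    }

    # Read back what the firewall stored, so the caller verifies the real state, not the intent.
    $rule = Get-NetFirewallRule -DisplayName $DisplayName
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        DisplayName   = $rule.DisplayName
        Enabled       = "$($rule.Enabled)"
        Profile       = "$($rule.Profile)"
        Protocol      = $port.Protocol
        LocalPort     = (@($port.LocalPort) -join ',')
        RemoteAddress = (@($addr.RemoteAddress) -join ',')
    }
}

# Usage: RDP only from the office subnet and one admin host (placeholder addresses).
Set-RestrictedInboundRule -DisplayName 'Allow RDP - Office Only' -LocalPort 3389 `
    -RemoteAddress '10.0.1.0/24', '192.168.1.50' -Verbose
```

Run it twice with different source lists and the second run narrows the existing rule instead of leaving two rules whose union is wider than either; that is the usual way an "office only" restriction silently stops being one.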

Step 6: Open a Port for a Specific Program

Instead of opening a port number, you can create a rule that allows traffic for a specific executable. This is useful when you do not know which ports a program uses, or when the program dynamically assigns ports at runtime.

In PowerShell, use the -Program parameter with the full path to the executable:

New-NetFirewallRule -DisplayName "Allow SQL Server" -Direction Inbound -Program "C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn\sqlservr.exe" -Action Allow

With netsh, use the program parameter:

netsh advfirewall firewall add rule name="Allow SQL Server" dir=in action=allow program="C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"

Program-based rules are broader than port rules because they allow all traffic to or from that executable regardless of port. Use them only when port-based rules are impractical.

Step 7: Verify Open Ports in Windows Server Firewall

After creating firewall rules, verify they are active and that traffic actually reaches the service. There are several ways to confirm this.

List Firewall Rules with PowerShell

View all inbound allow rules that are currently enabled:

Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | Format-Table DisplayName, Profile, Enabled

To find a specific rule by name and view its port details:

Get-NetFirewallRule -DisplayName "Allow TCP 8080" | Get-NetFirewallPortFilter

This shows the port and protocol bound to the rule:

Protocol      : TCP
LocalPort     : 8080
RemotePort    : Any
IcmpType      : Any
DynamicTarget : Any

Test Connectivity with Test-NetConnection

From a remote machine, test whether a port is reachable. This cmdlet checks both the network path and the TCP handshake:

Test-NetConnection -ComputerName 10.0.1.100 -Port 8080

A successful connection shows TcpTestSucceeded : True:

ComputerName     : 10.0.1.100
RemoteAddress    : 10.0.1.100
RemotePort       : 8080
InterfaceAlias   : Ethernet
SourceAddress    : 10.0.1.50
TcpTestSucceeded : True

If TcpTestSucceeded is False, either the firewall rule is not active, the service is not listening on that port, or a network device between the two hosts is blocking the traffic.

Check Listening Ports with netstat

Verify that a service is actually listening on the port you opened. Run this on the server itself:

netstat -an | findstr :8080

If the service is listening, you see a line with LISTENING state:

  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING

No output means nothing is listening on that port – the firewall rule is correct, but the application still needs to be started or configured to bind to that port.
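The checks above confirm that a single rule does what you intended. A complementary check is to go through every enabled inbound allow rule and flag the ones that open a management or database port to any source address on a profile that reaches untrusted networks. The script below is an added example, not part of the original post; the list of ports it treats as sensitive is a constructed selection taken from the reference table later in this guide, and it handles the range and comma-list forms of LocalPort shown in Step 4.

```powershell
# Added example (not from the original post): audit enabled inbound allow rules that
# expose commonly targeted management ports to any source on the Public profile.
# The port list is a constructed selection; extend it for your environment.
$managementPorts = @('3389', '5985', '5986', '445', '1433', '3306', '5432')

function Test-PortInFilter {
    # True if any management port falls inside the rule's LocalPort filter, which may be
    # a single port, several ports, a range such as 5000-5010, or the literal 'Any'.
    param([string[]] $LocalPort)
    foreach ($entry in @($LocalPort)) {
        if ($entry -eq 'Any') { return $true }
        if ($entry -match '^(\d+)-(\d+)$') {
            $lo = [int]$Matches[1]; $hi = [int]$Matches[2]
            foreach ($p in $managementPorts) {
                if ([int]$p -ge $lo -and [int]$p -le $hi) { return $true }
            }
        }
        elseif ($managementPorts -contains $entry) { return $true }
    }
    return $false
}

function Get-BroadManagementRule {
    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
        $port = $rule | Get-NetFirewallPortFilter
        if ($port.Protocol -notin 'TCP', 'UDP') { continue }     # ICMP and other protocols have no port
        if (-not (Test-PortInFilter -LocalPort $port.LocalPort)) { continue }

        $addr = $rule | Get-NetFirewallAddressFilter
        $anySource = @($addr.RemoteAddress) -contains 'Any'
        # Profile renders as 'Any' or a list such as 'Domain, Public'.
        $reachesPublic = "$($rule.Profile)" -match 'Any|Public'

        if ($anySource -and $reachesPublic) {
            [pscustomobject]@{
                DisplayName   = $rule.DisplayName
                Profile       = "$($rule.Profile)"
                Protocol      = $port.Protocol
                LocalPort     = (@($port.LocalPort) -join ',')
                RemoteAddress = (@($addr.RemoteAddress) -join ',')
            }
        }
    }
}

# Usage: print the findings; an empty table means no rule matched the audit criteria.
Get-BroadManagementRule | Sort-Object DisplayName | Format-Table -AutoSize
```

Each finding is a candidate for the -RemoteAddress restriction from Step 5 or for removal under Step 8; the script only reports and changes nothing.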

Step 8: Remove Firewall Rules

Clean up rules when a service is decommissioned. Leaving unused allow rules in the firewall creates unnecessary exposure. If you are setting up IIS Web Server on Windows Server, for instance, you should remove rules for any previous web service that was replaced.

Remove a rule by its display name in PowerShell:

Remove-NetFirewallRule -DisplayName "Allow TCP 8080"

With netsh:

netsh advfirewall firewall delete rule name="Allow TCP 8080"

The netsh command confirms the deletion:

Deleted 1 rule(s).
Ok.

To disable a rule temporarily without deleting it (useful for troubleshooting):

Set-NetFirewallRule -DisplayName "Allow TCP 8080" -Enabled False

Re-enable it later with:

Set-NetFirewallRule -DisplayName "Allow TCP 8080" -Enabled True

Step 9: Export and Import Firewall Rules

Backing up firewall rules before making changes is a good practice. You can also export rules from one server and import them on another to keep configurations consistent across your environment.

Export All Firewall Rules

The netsh export creates a complete snapshot of the firewall policy including all rules, connection security rules, and global settings:

netsh advfirewall export C:\firewall-backup.wfw

A successful export returns:

Ok.

Import Firewall Rules

Import replaces the entire firewall configuration with the contents of the backup file. This is a destructive operation – it overwrites all current rules:

netsh advfirewall import C:\firewall-backup.wfw

Export Specific Rules with PowerShell

If you only need to export custom rules (not the full policy), PowerShell can save them to CSV for review or migration. This is helpful when you need to replicate firewall rules across multiple servers running services like NFS on Windows Server:

Get-NetFirewallRule -Direction Inbound -Action Allow | Select-Object DisplayName, Enabled, Profile, Direction | Export-Csv -Path C:\firewall-rules.csv -NoTypeInformation

Review the exported CSV to confirm it contains the rules you expect before importing elsewhere.
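The CSV produced above records names and profiles but not the ports, source addresses or programs behind each rule, which is usually what a reviewer wants to compare between servers. The script below is an added example, not code from the original post: it joins each rule to its port, address and application filters before exporting, and adds a second function that compares two such exports so drift between a reference server and another one shows up as rows marked with Compare-Object's side indicators. File paths are placeholders.

```powershell
# Added example (not from the original post): export inbound allow rules with their
# port, address and program filters, and compare two exports for drift.

function Export-FirewallRuleDetail {
    param([Parameter(Mandatory)] [string] $Path)

    Get-NetFirewallRule -Direction Inbound -Action Allow | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name          = $_.Name
            DisplayName   = $_.DisplayName
            Enabled       = "$($_.Enabled)"
            Profile       = "$($_.Profile)"
            Protocol      = $port.Protocol
            LocalPort     = (@($port.LocalPort) -join ';')        # ';' keeps multi-port rules in one CSV cell
            RemoteAddress = (@($addr.RemoteAddress) -join ';')
            Program       = $app.Program
        }
    } | Sort-Object DisplayName | Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
}

function Compare-FirewallRuleCsv {
    # '<=' rows exist only in the reference export, '=>' rows only in the other one.
    # A rule whose port or source list changed appears as one row of each kind.
    param(
        [Parameter(Mandatory)] [string] $ReferencePath,
        [Parameter(Mandatory)] [string] $DifferencePath
    )
    $ref = Import-Csv -Path $ReferencePath
    $dif = Import-Csv -Path $DifferencePath
    Compare-Object -ReferenceObject $ref -DifferenceObject $dif `
        -Property DisplayName, Protocol, LocalPort, RemoteAddress, Program, Enabled |
        Select-Object SideIndicator, DisplayName, Protocol, LocalPort, RemoteAddress, Program, Enabled
}

# Usage (placeholder paths): export on each server, copy the files together, then compare.
Export-FirewallRuleDetail -Path 'C:\firewall-rules-detail.csv'
# Compare-FirewallRuleCsv -ReferencePath 'C:\srv01-rules.csv' -DifferencePath 'C:\srv02-rules.csv' | Format-Table -AutoSize
```

The comparison deliberately ignores the rule's GUID-style Name, since rules created with the same New-NetFirewallRule command on two servers get different generated names but should match on every other column.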

Common Windows Service Ports Reference

This table lists ports you will commonly need to open on Windows Server. Use it as a quick reference when setting up firewall rules for standard services. For time synchronization, see our guide on configuring NTP Server on Windows Server.

Service                      Port / Protocol        Notes
-------                      ---------------        -----
RDP (Remote Desktop)         3389/TCP               Restrict to trusted IPs
HTTP                         80/TCP                 Web server traffic
HTTPS                        443/TCP                Encrypted web traffic
DNS                          53/TCP, 53/UDP         Name resolution
DHCP Server                  67/UDP, 68/UDP         IP address assignment
SMB (File Sharing)           445/TCP                Windows file and printer sharing
WinRM (Remote Management)    5985/TCP, 5986/TCP     HTTP and HTTPS respectively
SQL Server                   1433/TCP               Default instance
MySQL / MariaDB              3306/TCP               Database connections
PostgreSQL                   5432/TCP               Database connections
NTP                          123/UDP                Time synchronization
SNMP                         161/UDP, 162/UDP       Monitoring – polling and traps
Syslog                       514/UDP                Log forwarding
LDAP                         389/TCP, 389/UDP       Directory services
LDAPS                        636/TCP                Encrypted LDAP
Kerberos                     88/TCP, 88/UDP         Active Directory authentication
NFS                          2049/TCP               Network File System
iSCSI                        3260/TCP               Storage area network
ICMP                         ICMP (no port)         Ping – see ICMP echo rule

Conclusion

You now have the commands and procedures to open, restrict, verify, and manage firewall ports on Windows Server using the GUI, PowerShell, and netsh. For production environments, always restrict ports to specific source IPs where possible, remove rules for decommissioned services, and export your configuration before making bulk changes. Pair firewall rules with network-level security groups or hardware firewalls for defense in depth.
