Remote Assistance and Windows Firewall
The Windows Firewall is configured with a group exception for Remote Assistance. This group exception has multiple properties that are grouped together as part of the Remote Assistance exception. The Remote Assistance exception properties will change depending on the network location of the computer (private, public, or domain). For example, the default Remote Assistance exception when the computer is in a public location is stricter than when the computer is in a private location. In a public location (such as an airport), the Remote Assistance exception is disabled by default and does not open ports for UPnP and Simple Service Discovery Protocol (SSDP) traffic. In a private network (a home or work network, for example) the Remote Assistance exception is enabled by default and UPnP and SSDP traffic is permitted. In a domain-based enterprise environment, the Remote Assistance exception is typically managed using Group Policy and is enabled by default in Windows 7; it was disabled by default in Windows Vista.
The default configuration of the Remote Assistance exception in Windows Firewall varies depending on the firewall profile. Specifically, note the following:
- Private profile: The Remote Assistance exception in the Windows Firewall is enabled by default when the computer location is set to Private. It is configured for NAT traversal using Teredo by default so that users in a private networking environment (for example, the home environment) can solicit help from other users who may also be behind NATs. The private profile includes the exceptions needed to allow communication with UPnP NAT devices. If a UPnP NAT is in this environment, Remote Assistance will attempt to use UPnP for NAT traversal. This profile also includes the exceptions needed for PNRP. Offer RA via DCOM is not configured in this profile.
- Public profile: The Remote Assistance exception is disabled by default and no inbound Remote Assistance traffic is permitted. Windows Firewall is configured this way by default to better protect users in a public networking environment (such as a coffee shop or airport terminal). When the Remote Assistance exception is enabled, NAT traversal using Teredo is enabled. However, traffic to UPnP devices is not enabled, and Offer RA via DCOM is not enabled.
- Domain profile: The Remote Assistance exception when the computer is in a domain environment is geared toward the Offer RA scenario. This exception is enabled by default in Windows 7 and is typically managed via Group Policy.
The table below summarizes the state of the Remote Assistance firewall inbound exception for each type of network location. The Remote Assistance exception has outbound properties as well; however, outbound exceptions are not enabled in Windows Firewall by default.
Default State of Remote Assistance Firewall Inbound Exception for Each Type of Network Location
Network Location | State of Remote Assistance Exception | Default Properties of the Remote Assistance Exception |
Private (Home or Work) | Enabled by default | |
Public | Disabled by default; must be enabled by user with Admin credentials | |
Domain | Enabled by default in Windows 7; disabled by default in Windows Vista | |
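To check a machine against the defaults described above, the following added example (not part of the original tutorial) queries the firewall policy COM object for the state of the Remote Assistance group in each profile. It assumes an English-language system where the group display name is "Remote Assistance" and the rule names begin with that string; the variable names are illustrative.

```powershell
# Added example: audit the Remote Assistance firewall group per profile.
# Assumption: the rule group display name is 'Remote Assistance' (English systems).
$GroupName = 'Remote Assistance'

# Profile bitmask values used by INetFwPolicy2 (Domain=1, Private=2, Public=4),
# paired with the Windows 7 defaults stated in the text above.
$Profiles = @(
    @{ Name = 'Domain';  Mask = 1; ExpectedEnabled = $true  }
    @{ Name = 'Private'; Mask = 2; ExpectedEnabled = $true  }
    @{ Name = 'Public';  Mask = 4; ExpectedEnabled = $false }
)

$fw = New-Object -ComObject HNetCfg.FwPolicy2

# One row per profile: is the group enabled, and does that match the default?
$report = foreach ($p in $Profiles) {
    $enabled = $fw.IsRuleGroupEnabled($p.Mask, $GroupName)
    New-Object PSObject -Property @{
        Profile   = $p.Name
        Active    = [bool]($fw.CurrentProfileTypes -band $p.Mask)
        Enabled   = $enabled
        Expected  = $p.ExpectedEnabled
        Deviation = ($enabled -ne $p.ExpectedEnabled)
    }
}
$report | Select-Object Profile, Active, Enabled, Expected, Deviation |
    Format-Table -AutoSize

# Enabled inbound rules (Direction 1 = in) that apply to the Public profile.
# Assumption: rule names start with the group name, e.g. 'Remote Assistance (...)'.
$fw.Rules |
    Where-Object {
        $_.Name -like "$GroupName*" -and $_.Enabled -and
        $_.Direction -eq 1 -and ($_.Profiles -band 4)
    } |
    Select-Object Name, Protocol, LocalPorts, ApplicationName |
    Format-Table -AutoSize
```

A `Deviation` of `True` on the Public row means the exception has been enabled where the default leaves it off; the second table then shows which inbound rules are open in that profile.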