Remote Assistance and Windows Firewall
The Windows Firewall is configured with a group exception for Remote Assistance. This group exception has multiple properties that are grouped together as part of the Remote Assistance exception. The Remote Assistance exception properties will change depending on the network location of the computer (private, public, or domain). For example, the default Remote Assistance exception when the computer is in a public location is stricter than when the computer is in a private location. In a public location (such as an airport), the Remote Assistance exception is disabled by default and does not open ports for UPnP and Simple Service Discovery Protocol (SSDP) traffic. In a private network (a home or work network, for example) the Remote Assistance exception is enabled by default and UPnP and SSDP traffic is permitted. In a domain-based enterprise environment, the Remote Assistance exception is typically managed using Group Policy and is enabled by default in Windows 7; it was disabled by default in Windows Vista.
The default configuration of the Remote Assistance exception in Windows Firewall varies depending on the firewall profile. Specifically, note the following:
- Private profile The Remote Assistance exception in the Windows Firewall is enabled by default when the computer location is set to Private. It is configured for NAT traversal using Teredo by default so that users in a private networking environment (for example, the home environment) can solicit help from other users who may also be behind NATs. The private profile includes the appropriate exceptions needed to allow communication with UPnP NAT devices. If a UPnP NAT is in this environment, Remote Assistance will attempt to use the UPnP for NAT traversal. This profile also includes exceptions needed for PNRP. Offer RA via DCOM is not configured in this profile.
- Public profile The Remote Assistance exception is disabled by default and no inbound Remote Assistance traffic is permitted. Windows Firewall is configured this way by default to better protect users in a public networking environment (such as a coffee shop or airport terminal). When the Remote Assistance exception is enabled, NAT traversal using Teredo is enabled. However, traffic to UPnP devices is not enabled, and Offer RA via DCOM is not enabled.
- Domain profile The Remote Assistance exception when the computer is in a domain environment is geared toward the Offer RA scenario. This exception is enabled by default in Windows 7 and is typically managed via Group Policy.
Table below summarizes the state of the Remote Assistance firewall inbound exception for each type of network location. The Remote Assistance exception has outbound properties as well; however, outbound exceptions are not enabled in Windows Firewall by default.
Default State of Remote Assistance Firewall Inbound Exception for Each Type of Network Location
|Network Location||State of Remote Assistance Exception||Defau lt Properties of the Remote Assistance Exception|
|Private (Home or Work)||Enabled by default|
|Public||Disabled by default; must be enabled by user with Admin credentials|
|Domain||Enabled by default in Windows 7; disabled by default in Windows Vista|
In this tutorial:
- Supporting Users with Remote Assistance
- Understanding Remote Assistance
- Remote Assistance vs. Remote Desktop
- Improvements to Remote Assistance in Windows 7
- How Remote Assistance Works in Windows
- Remote Assistance Operational States
- User vs. Helper Functionality
- Remote Assistance and NAT Traversal
- Remote Assistance and IP Ports Used
- Remote Assistance and Windows Firewall
- Remote Assistance and the Secure Desktop
- Remote Assistance Logging
- Purpose of Remote Assistance Session Logging
- Session Log Path and Naming Convention
- Using Remote Assistance in the Enterprise
- Using Remote Assistance in the Corporate Help Desk Environment
- Other Possible Remote Assistance Usage Scenarios
- Interoperability with Remote Assistance in Windows Vista
- Interoperability with Remote Assistance in Windows XP
- Implementing and Managing Remote Assistance
- Initiating Remote Assistance Sessions
- Initiating Remote Assistance from the GUI
- Initiating Remote Assistance from the Command Line
- Managing Remote Assistance Using Group Policy
- Configuring Remote Assistance in Unmanaged Environments
- Additional Registry Settings for Configuring Remote Assistance