FileMaker Server 9 represents a pretty significant redesign of the FileMaker Server product line. One consequence of all the changes is that things may not work properly without reconfiguring your *firewall(s)*. Improper firewall configuration can lead to all kinds of problems, some obvious (I can’t connect to my server) and some not-so-obvious (the Server Admin Console opens, and then hangs). This article attempts to explain in full detail exactly how each participant in the FileMaker ecosystem communicates, so you can jump right past these problems and get to developing awesome databases.
>Note: Before we dive in, if you’re wondering what all this Firewall stuff does, exactly (what *is* a port number, after all?), there’s a quick introduction to firewalls at the end of this article. [Click here](#introduction) to scroll down to it. Then, when you’re done, scroll back up here and carry on with the article.
A picture’s worth a thousand words, so before we get into the details, here’s a birds-eye view of the FileMaker Server landscape:
You can also download a high-quality PDF version of the diagram:
* [In English](http://sixfriedrice.com/wp/wp-content/uploads/2007/07/filemaker_ports_rev_c.pdf)
* [In French](http://sixfriedrice.com/wp/wp-content/uploads/2007/08/ports_filemaker_fr.pdf) (courtesy of Informatique Direct Impact inc.)
* [In Japanese](http://sixfriedrice.com/wp/wp-content/uploads/2008/01/filemaker_ports_jp.pdf) (courtesy of [Splash Inc.](http://www.splash.jp/))
>Note: Thanks to Eric Jacobson at FileMaker, Inc. for reviewing and correcting this diagram.
This picture shows all the parts your FileMaker setup might include, along with the important lines of communication and critical port numbers. On the bright side, you probably don’t have *all* these pieces, and you almost certainly don’t have a firewall between each of the parts you *do* have.
## Figuring out What to Configure
In order for things to work smoothly, you need to open the right ports in your firewall. The task is relatively deterministic:
1. Identify which of the components listed below are present on your network.
2. Figure out which of your components are separated by a firewall.
3. Look to see if any component on your list listens to a component on the other side of a firewall. (You can see who listens to whom below). Note which port numbers the *listening* component uses.
4. Open the port numbers on your list in the firewall.
Chances are good your firewall setup falls into one of two categories:
– **You have a firewall running on each computer.** If this is the case, pay attention to which components are running on different computers. Any time a component on one computer listens to a component on another computer, you need to open up the right port on the first computer.
– **You have one network firewall running between the server computer(s) and the client computer(s).** In this case, you’re only concerned with components on the client side of things that talk to components on the server side. Configure your firewall so that server side components can listen to their clients on the ports listed below.
> Note: When I worked at a real company, I never really had to worry about all this. I had a Drew who took care of all the network configuration. If you have a Drew (or Drucilla) too, just print out this article and give it to him. He’ll skip right to the details below and get things working in no time flat.
## The Gory Details
Without further ado, here are all the relevant parts, complete with firewally port information.
### The FileMaker Database Server
This is the heart of your FileMaker setup. It’s the thing that actually serves your databases. On windows, it’s the FileMaker Server and FileMaker Server Helper services. On Mac OS X, this is the fmserverd and fmshelper daemons.
#### Listens to…
– **5003**: FileMaker Pro clients and the Web Publishing Engine retrieve data
– **5353**: FileMaker Pro clients discover “local hosts”
– **2399**: ODBC and JDBC clients (like Microsoft Excel) fetch data
– **16000**: Your web browser and the Web Publishing Engine fetch server configuration information
– **16001**: The Server Admin Console configures the database server
>Note: The Server Admin Console is loaded form a web page, but *it runs on your computer*, not the server.
This component can be installed on the same machine as the database server, or the same machine as the web server, or on its own machine. It provides FileMaker’s web publishing capabilities, including Instant Web Publishing, and Custom Web Publishing with XML and XSLT. Also note that PHP code talks to the Web Publishing Engine through its XML interface.
#### Listens to…
– **16000 and 16004 through 16018**: The web server (Apache or IIS) sends web requests and receives responses
When you install FileMaker Server, it integrates with your web server (IIS on Windows, and Apache on Mac OS X). The web server continues to handle basic pages, images, etc… But when it receives requests for FileMaker content (like Instant Web Publishing pages) it forwards those requests on to the Web Publishing Engine.
#### Listens to…
– **80**: Normal web requests from a browser, and PHP API connections
– **443**: Secure (HTTPS) web requests from a browser
>Note: Unlike most of the components in a FileMaker setup, your web server can easily be configured to listen on any port or ports. Your particular server may deviate from the ports listed above.
### MySQL, Microsoft SQL Server, and Oracle
If you’re using the new [External SQL Sources](http://sixfriedrice.com/wp/getting-started-with-external-sql-sources/) feature in FileMaker 9, your FileMaker Server needs to talk to the SQL database. You only need to concern yourself with the ports for the SQL database(s) you’re using.
#### Listens to…
– **3306**: MySQL ODBC connections form the FileMaker database server.
– **1433**: Microsoft SQL Server ODBC connections form the FileMaker database server.
>Note: If you use Oracle, you’ll need to consult your DBA or documentation. Oracle’s network ports can vary.
If you use FileMaker Pro’s peer-to-peer database sharing system, then the *host* computer listens to each *guest* computer. A FileMaker Pro host may also serve up Instant Web Publishing and ODBC connections.
#### Listens to…
– **5003**: Guests retrieve data.
– **80**: Instant Web Publishing clients fetch web data.
– **591**: You may be using Instant Web Publishing on this alternate port.
– **2399**: ODBC clients (like Microsoft Excel) connect to FileMaker.
## A Brief Introduction to Firewalls
Before we get ahead of ourselves, it might help to explain what a firewall does, exactly. If your idea of a little light reading comes in a Cisco box, feel free to skip ahead to the next section.
You can have lots of programs on your server that provide network services. For example, in addition to FileMaker, your FileMaker server computer may have any (or all) of these:
– A file server, so you can copy files to and from its hard drive from your desktop.
– A remote control server so you can administer the computer from another machine.
– A web server, so you can publish web pages on the company intranet.
– An SSH server so you can log in to the computer’s command line.
– And dozens more…
Whenever you connect to the server, it needs to know which of these services you’re trying to use. To facilitate this need, the network system has a concept called *ports*. Each service *listens* on a particular port. When you connect to the server, the program you’re connecting with knows which port to use, so it winds up talking to the right service on the other end. Ports are numbered, from zero to 65,535. So a server might listen on port 80, for instance, or port 24601.
How about an example? When you open your web browser and point it at, say, `www.yahoo.com`, it automatically connects to the Yahoo server on port 80. That’s because 80 is the *standard* web port. That same Yahoo server might run all kinds of other services, but only the web service hears people who talk on port 80.
> Note: Just because 80 is the standard port for normal web traffic doesn’t mean it’s the only one you can use. If you’ve ever seen a web address with a colon (:) in it, you’ve seen a web server using a non-standard port number. For example, the url `http://ec2.sixfriedrice.com:3000/` tells your browser to connect to port number 3000 instead of the more typical port 80.
Any program on a computer can listen on any port it wants (with a few irrelevant restrictions). But you don’t want something listening when it shouldn’t be (like a spyware program). In business, the concern is even greater. A simple software install on one computer could allow bad guys to access a computer in the office, and from there, the entire company network could be at risk. For these reasons, computers and networks use a *firewall* to restrict access to most network ports. The firewall sits at the front door to your computer like one of those bouncers at the uber-cool night clubs I’ve heard exist somewhere. When network traffic tries to find its way in to your computer, it is promptly turned away unless it’s on *the list*. Now, no matter how hard you try (or a piece of unruly software tries), you can’t get your computer to listen on a port that isn’t specifically allowed by the firewall.
Trouble arises when you *need* server software (like FileMaker Server) to work. Not only do you have to wade through the 11 clicks it takes to get FileMaker installed. Now you have to tell your firewall system about it to. In particular, you have to allow a handful of important ports so the different parts can talk to one another *through* the firewall.
This is harder than it sounds because a FileMaker setup may have a lot of parts, and you have to know which parts talk to which other parts from where and on what ports to make sense of it all.
If you have your own port configuration tips, please leave us a comment below. And good luck configuring.
[Back to the top](#big-picture)
Hmmm. WPE to DB Server over 5003…
Anyway, the above makes sense, except I have one question: What exactly is the host discovery service that runs over 5353, I always thought that would just run over 5003.
Another great article though.
Cheers Guys!
@Alex – We found the 5353 strange ourselves. Per Eric Jacobson, FileMaker 9 uses Bonjour (ie. multicast DNS) to discover servers on the local network. So 5353 is the registered MDNS port.
Very Nice Work Geoff!
@marcus: thanks 🙂 Good to hear from you… it’s been a long time. I’ll see you at DevCon (funny that we’re a few miles apart and we’ll meet up 2000 miles from home).
port 5353 is used for Bonjour broadcast service…FileMaker implements Bonjour protocol to “advertise” hosts on both OS X and Windows just make sure your port is open for eavesdropping 😉
I just updated the diagram to clearly label the ports that are new to FileMaker Server 9. Thanks to Steve Hearn of CoreSolutions Development Inc. for the suggestion.
Another nice one guys! Excellent explanation and diagram.
-John
Excellent article and amazing graph. I have to provide similar information to one of my client here in Montreal. Do you mind if I translate it in French ? I will make sure to mention all the credits and, if you’d like, I’ll give you back the french copy 😉
Thanks for a fantastic and informative summary of the firewall settings. I am a newbie, and have a sheepish question to ask. I am unable to open the firewall ports required, either by setting a new firewall setting opening ports, or by port mapping my airport. Can you recommend a resource where I can learn how to open the firewall ports? Pardon the basic question, and thanks again!
@bob: Are you on Mac OS X or Windows? Bear in mind that firewall ports have to be opened on the computer you’re talking to so you’ll do the work on your FileMaker Server not on the client machines. Then, it is all a matter of what operating system you’re using, and with windows, what version and possibly what third party firewall software you have. Post back some more details and someone may be able to help.
Thanks, Geoff. I’m using os X, 10.4.10. The actual error may not be the ports, although that’s what the FM tech support folks suspected when I kept getting the error during deployment of FMS: ‘Deployment/Configuration error -150 Starting the WPE(wpe1) component failed: error code = 2504.’ The FM support team thought that this was due to the failure to open the firewall ports 16000-16018, and indeed when I do a port scan on the server machine, it shows that only a handful of those ports are open, not including several of the ones the diagram above shows as necessary. A real puzzle to me, and any help is deeply appreciated!
Seems like an excellent article. Im having untold problems after upgrading 8.5 to 9 advanced server.
I get following from log mails in the system.
FileMaker Server 9.0.1.132 on LON-FEP-ADMIN1 reported the following event:
Wed Sep 12 09:01:39 BST 2007 FMS ERROR wpe1
Some problems were detected in the WPE COMPONENT: COMPONENT IS NOT RESPONDING.
And in windows event log:
Error on server re-boot
Event Type: Information
Event Source: Application Error
Event Category: (100)
Event ID: 1004
Date: 9/12/2007
Time: 9:05:51 AM
User: N/A
Computer: LON-FEP-ADMIN1
Description:
Reporting queued error: faulting application fmswpc.exe, version 9.0.1.74, faulting module ntdll.dll, version 5.2.3790.3959, fault address 0x0004afb2.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 66 6d 73 ure fms
0018: 77 70 63 2e 65 78 65 20 wpc.exe
0020: 39 2e 30 2e 31 2e 37 34 9.0.1.74
0028: 20 69 6e 20 6e 74 64 6c in ntdl
0030: 6c 2e 64 6c 6c 20 35 2e l.dll 5.
0038: 32 2e 33 37 39 30 2e 33 2.3790.3
0040: 39 35 39 20 61 74 20 6f 959 at o
0048: 66 66 73 65 74 20 30 30 ffset 00
0050: 30 34 61 66 62 32 04afb2
Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1001
Date: 9/12/2007
Time: 9:06:10 AM
User: N/A
Computer: LON-FEP-ADMIN1
Description:
Fault bucket 473547393.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 42 75 63 6b 65 74 3a 20 Bucket:
0008: 34 37 33 35 34 37 33 39 47354739
0010: 33 0d 0a 3..
Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 9/11/2007
Time: 3:41:11 AM
User: N/A
Computer: LON-FEP-ADMIN1
Description:
Faulting application fmserver.exe, version 9.0.1.84, faulting module ntdll.dll, version 5.2.3790.3959, fault address 0x0004afb2.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 66 6d 73 ure fms
0018: 65 72 76 65 72 2e 65 78 erver.ex
0020: 65 20 39 2e 30 2e 31 2e e 9.0.1.
0028: 38 34 20 69 6e 20 6e 74 84 in nt
0030: 64 6c 6c 2e 64 6c 6c 20 dll.dll
0038: 35 2e 32 2e 33 37 39 30 5.2.3790
0040: 2e 33 39 35 39 20 61 74 .3959 at
0048: 20 6f 66 66 73 65 74 20 offset
0050: 30 30 30 34 61 66 62 32 0004afb2
Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 9/10/2007
Time: 6:03:45 AM
User: N/A
Computer: LON-FEP-ADMIN1
Description:
Faulting application fmserver.exe, version 9.0.1.84, faulting module ntdll.dll, version 5.2.3790.3959, fault address 0x0004afb2.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 66 6d 73 ure fms
0018: 65 72 76 65 72 2e 65 78 erver.ex
0020: 65 20 39 2e 30 2e 31 2e e 9.0.1.
0028: 38 34 20 69 6e 20 6e 74 84 in nt
0030: 64 6c 6c 2e 64 6c 6c 20 dll.dll
0038: 35 2e 32 2e 33 37 39 30 5.2.3790
0040: 2e 33 39 35 39 20 61 74 .3959 at
0048: 20 6f 66 66 73 65 74 20 offset
0050: 30 30 30 34 61 66 62 32 0004afb2
Event Type: Information
Event Source: MSSQLSERVER
Event Category: (2)
Event ID: 17177
Date: 9/11/2007
Time: 12:01:01 AM
User: N/A
Computer: LON-FEP-ADMIN1
Description:
This instance of SQL Server has been using a process id of 1504 since 9/10/2007 3:45:29 PM (local) 9/10/2007 2:45:29 PM (UTC).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 19 43 00 00 0a 00 00 00 .C……
0008: 0f 00 00 00 4c 00 4f 00 ….L.O.
0010: 4e 00 2d 00 46 00 45 00 N.-.F.E.
0018: 50 00 2d 00 41 00 44 00 P.-.A.D.
0020: 4d 00 49 00 4e 00 31 00 M.I.N.1.
0028: 00 00 00 00 00 00 ……
Have tried turning windows firewall off on machine and will now try disabling web services but I need them long term – any ideas?
Hi all,
I cant get advanced server version 9 to work after upgrading from version 8.5.
Ive turned off firewall now and stilll no joy.
I get the following error via e-mail
FileMaker Server 9.0.1.132 on LON-FEP-ADMIN1 reported the following event:
Wed Sep 12 09:01:39 BST 2007 FMS ERROR wpe1
Some problems were detected in the WPE COMPONENT: COMPONENT IS NOT RESPONDING.
I get this error in startup system log
Event Type: Information
Event Source: Application Error
Event Category: (100)
Event ID: 1004
Date: 9/12/2007
Time: 9:05:51 AM
User: N/A
Computer: LON-FEP-ADMIN1
Description:
Reporting queued error: faulting application fmswpc.exe, version 9.0.1.74, faulting module ntdll.dll, version 5.2.3790.3959, fault address 0x0004afb2.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
And these errors in event log
Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 9/11/2007
Time: 3:41:11 AM
User: N/A
Computer: LON-FEP-ADMIN1
Description:
Faulting application fmserver.exe, version 9.0.1.84, faulting module ntdll.dll, version 5.2.3790.3959, fault address 0x0004afb2.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 66 6d 73 ure fms
0018: 65 72 76 65 72 2e 65 78 erver.ex
0020: 65 20 39 2e 30 2e 31 2e e 9.0.1.
0028: 38 34 20 69 6e 20 6e 74 84 in nt
0030: 64 6c 6c 2e 64 6c 6c 20 dll.dll
0038: 35 2e 32 2e 33 37 39 30 5.2.3790
0040: 2e 33 39 35 39 20 61 74 .3959 at
0048: 20 6f 66 66 73 65 74 20 offset
0050: 30 30 30 34 61 66 62 32 0004afb2
Strange thing is my server runs OK for a period of time then overnight it gives up the ghost!
Any ideas would be welcome!
Excellent article and particulary the diagram which does say 1000+ words 🙂
As a minor side question as you mentioned the database server itself and the FMS components:
Does anyone ‘know’ exactly what the FMS Helper service does as this seems to be hogging quite a lot of processor cycles on our servers
Cheers
Harry
I just posted a Japanese version of the diagram, graciously provided by Shin Ninagawa of Splash Inc. Thanks Shin!
Great diagram, but I’m wondering why it’s leaving out ports 50003 and 50006 which are used FileMaker Server 9 Admin. As I understand it, FMS listens on 50003 for Remote Admin requests and that the actual Remote Admin service is handled over 50006 (which may or may not be correct).
I have a client who is running FMS9 on a Windows Server with IIS. They have run into a problem where their SmarterStats web statistics application is also using 50003 for communication with itself. Since there appears to be no way to change this port in either FMS or SmarterStat, we have to go to either disable the web stats or move to the expense of a dedicated box for FMS, which would be overkill given what FMS is being used for.
Will:
We didn’t mention these ports because they don’t have any firewall implications. They are used by components of FileMaker server to communicate with one another, but not between components that typically run on separate computers.
I believe the “remote admin” requests in question are between the admin server (which is on port 16000) and the core server components.
I can see, in your case, how this info might be useful though. 🙂
Geoff
ehm – i think there is a small typo:
On the Server Side, between “Web publishing Engine” and “Web Server” shouldn’t it be:
Web Data 16000, 16004-16007 (not 1607), and 16008 (not 1608) -16018…
btw: Nice Work – makes a lot clearer to me now!
No where do you specify whether the protocol is TCP or UDP. I’m trying now to configure our firewall for this, so this is important. I’m assuming everything is TCP, except port 5353 (mutlicast DNS, or host discovery). According to the multicast DNS draft (http://files.multicastdns.org/draft-cheshire-dnsext-multicastdns.txt), it seems that it’s UDP. I’m adding both protocols, but this should be mentioned.
good thing i found this post. helped me out a lot with the explanations. i have a current problem pertaining to firewalls. we have an xserve running 10.5 server and fms 9. our server firewall has all the appropriate ports enabled. my problem came about because the school campus where we are located recently implemented a new security policy (border firewall). i think they closed many of the ports that filemaker uses and outside connection ceased. from the outside through VPN, i can get to the the iwp. through VPN, using a filemaker pro client, i cannot see the server.
we also have tons of people logging into the server through iwp that are not tech savvy enough to download and install the vpn client. we are asking the campus security folks to open 5003 to see if this clears it up. i thought that having 80 open would resolve this? i don’t know too much about firewalls but boy am i learning fast. any advice on what i should ask/request of the campus security folks?
Great diagram! This is probably pretty obvious to most, but I wanted to point out some typos with regard to some of the ports (let me know if I’m mistaken): under the “Web Publishing Engine” entity you’ve listed ports “16004-1607” and “1608-16018”. I believe those should be “16004-16007” and “16008-16018”. Thanks!
Hi Geoff
I’ve heard there were some minors changes brought to the network ports with the release of FileMaker Server 11. Let me know if you update the diagram so I can update the French version as well.
Thanks
Philippe
Hi,
Is there a solution for discovering the FM Server on an other subnet/vlan?
Something like the “ip helper address” for forwarding dhcp requests to an dhcp server on an other subnet/vlan.
Due to changes in the network i have my FM Server on an other subnet/vlan and now the clients can’t start there FM programs because they can’t find the server. When pointing to the server it works because i opened tcp/5003 but it’s so much code that i rather come up with a network or server side solution than changing it everywhere.
Thanks,
Andreas.
I am still having problems with filemaker client seeing server on local host but can see server if server IP address is added under favourite hosts. I have added ports 5003 and 5353 on client firewall.
On server (FMS 11 running ) the firewall is set to allow bonjour and ports 5353 are also open. Connection between client and server machine does not go through a router. The thing is it was working fine. The server was switched off and moved to a different location in the office and when switched back on the local host discovery on the client no longer showed available files.
Is there anything else I can check to cure this strange error?
Shouldn’t the ports under web data read 16004 – 16007 instead of 16004 – 1607 Notice the missing 0.
On our windows server 2003 with FMS 11, we had two crashes of Bonjour service (2.0.0). When it occurs, everybody loses their connections with the server. Very strange. Event log reports “428: ERROR: read_msg errno 10054 (An existing connection was forcibly closed by the remote host.)” Still looking for an explanation.
Helpful information. Lucky me I discovered your site by chance, and I’m stunned why this twist of fate did not took place in advance! I bookmarked it.
I have a database hosted with FileMaker Server 10 using iwp. The vast majority of outside users can connect to the database via the web fine but a small number cannot load the login page. I’m using port 80 and the url shows port 16080. Could this be a security issue on their router/firewall and if so what should I ask them to change? Any help would be much appreciated.