Cadzow Knowledgebase

Normal view

Choosing a TCP Port for a Network Service

All network services, such as file and printer sharing, databases, email, web servers and so on use predefined “ports” — basically a slot through which traffic flows. Services which accept connections from other systems are said to be “listening” on that port, and the port is usually fixed. For example, web servers typically listen on port 80.

Sometimes it is necessary to change the port a service listens on to avoid a conflict with another service or to implement a layer of obscurity (for example, when exposing Terminal Services/Remote Desktop to the internet). Port numbers can be chosen more or less arbitrarily but it's best to use a port not allocated for a specific purpose. Standard port numbers are documented at http://www.iana.org/assignments/port-numbers. It's also good to choose a port that isn't being used by a worm or trojan, as opening such a port will only invite probes.

Furthermore, the port the service is to listen on should not conflict with the ports that client processes use to initiate outbound connections on the same system. When a client (say, a web browser) initiates a connection to a server (such as a website), the client opens an “ephemeral” (temporary) port using a more-or-less randomly chosen port number, and connects to the fixed port of the server. So the web browser client might use port 4678 to connect to a web server that is listening on port 80. If the user opened another web browser session, it might use port 4897 to connect. And so on. (Microsoft Sysinternals has a tool called TCPView which shows all the listening and established client and server ports on a system.)

The range of ports a process may be assigned for an outbound connection is defined by several variables and vary according to operating system. The main variable is MaxUserPort (located under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters), which has different meanings and default values:

    Operating SystemMaxUserPort
    Means
    Range if MaxUserPort
    is not defined
    Range if MaxUserPort
    is defined
    Minimum
    Value
    Maximum
    Value
    Windows NT/2000/XP/2003Ending Port1025 to 50001025 to [MaxUserPort]500065535
    Windows 2000/XP/2003 with KB951748/KB951746Ending Port49152 to 655351025 to [MaxUserPort]500065535
    Windows Vista/2008Number of Ports49152 to 6553549152 to [49152 + MaxUserPort − 1]25516384

† This is assuming the starting value of 49152 has not been altered. This may be done with the command, netsh int ipv[4|6] set dynamicport [tcp|udp] start=x num=y. Starting Port + MaxUserPort − 1 must be ≤ 65535.

Thus, Windows 2000 and later with all service packs plus the KB951748/KB951746 update (where appropriate — for example, this patch will not install on Windows 2003 systems without the DNS Server role), and no changes to the default settings, will yield a default port range of 49152 to 65535, meaning that any choice of a listening port between 1025 and 49151 will not create conflicts (ports 1024 and lower should be avoided).

However, certain applications explicitly set MaxUserPort in the registry (eg. Small Business Server 2000/2003 — 60000, ISA Server — 65535, Exchange Server 2003 — 60000, SBS with Exchange — 65535) and thus the range that will be in effect on Windows 2000/XP/2003 is 1025 to 60000/65535. If set to 65535 there will be no range of listening ports which will not potentially conflict. One remedy for this is to configure MaxUserPort to 60000 to make some space for listening services between 60001 and 65535, or to remove the MaxUserPort setting completely and trigger the default available range of 1025 to 49151 (assuming KB951746 is installed).

There is an advantage to using the default range of 49152 to 65535 as there are many Microsoft and non-Microsoft services and applications which listen on ports below about 30000, and keeping the ephemeral ports at the high end of the available range will prevent service startup issues without the need to examine the system in detail for port usage. On the other hand, this range only provides 16,384 possible ephemeral ports, whereas the larger ranges provide more than 64,000, and there may be situations where a system will fail if the pool of ephemeral ports is exhausted due to a large number of outbound connections occurring in a short period of time.

In any case, regardless of the ephemeral port ranges, ultimately it can be much easier and safer to simply select a port and reserve it so that it won't be used as a outbound port, even if it falls in the ephemeral port range.

So having examined the settings on your system and determined the ephemeral port range, you can select a listening port which doesn't conflict. In summary:

  • Don't use a port number below 1025;

  • Don't use a port number that is known to be used by another application or worm;

  • Try to use a port number that is outside the system's ephemeral port range; and

  • In any case, reserve the port.




Copyright © 1996-2023 Cadzow TECH Pty. Ltd. All rights reserved.
Information and prices contained in this website may change without notice. Terms of use.

Question/comment about this page? Please email webguru@cadzow.com.au