BizTalk Message Queuing Adapter Security Recommendations

The BizTalk Message Queuing adapter is the native Microsoft Message Queuing (also known as MSMQ) adapter in Microsoft BizTalk Server. For more information about the BizTalk Message Queuing adapter, see BizTalk Message Queuing Adapter.

Deployment Recommendations for the BizTalk Message Queuing Adapter

  • It is not recommended to run both standard Windows Message Queuing and BizTalk Message Queuing on the same computer.
  • Even when the BizTalk Message Queuing send and receive locations are running on different servers (different host instances), they must be associated with the same host.
  • BizTalk Server does not configure the BizTalk Message Queuing adapter by default. For more information about configuring BizTalk Message Queuing, see BizTalk Message Queuing Adapter (MSMQT) Configuration.
  • BizTalk Message Queuing level authentication failures do not appear in the event log.

BizTalk Message Queuing Adapter Security Recommendations

  • As with other BizTalk Server components, it is recommended that you do not put the BizTalk Message Queuing adapter in the perimeter network or Intranet. Unlike standard Windows Message Queuing, which supports both an HTTP-based protocol and the native protocol, BizTalk Message Queuing supports only the native protocol. It is therefore possible to use standard Windows Message Queuing to receive messages in the perimeter network or Intranet by using the HTTP-based protocol and then route them to a BizTalk Message Queuing receive location in the processing domain through the native protocol.
  • BizTalk does not support the use of the BizTalk Message Queuing adapter across Network Address Translation (NAT) firewalls. When you use BizTalk Message Queuing, the firewall acts as a router for the BizTalk Message Queuing traffic. For more information about configuring BizTalk Message Queuing across a firewall, see the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=24778.
  • You can configure BizTalk Message Queuing to require certificate-based authentication. This occurs at the adapter level, and is different from the party resolution component of a BizTalk pipeline. If configured, the public certificate comes with the inbound message. This is the only client authentication mode available for BizTalk Message Queuing. To use this client authentication mode, you must install BizTalk Message Queuing with Active Directory® Integration Mode. When you use this feature, remember to select the Require Authentication check box on the property page for the BizTalk Message Queuing receive location.

    Important  You cannot use BizTalk Message Queuing with Active Directory Integration Mode across Active Directory forests.

  • When you use the BizTalk Message Queuing adapter, the server running the send and receive locations for this adapter must be behind a firewall that blocks TCP port 1801 and UDP port 3527.
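
One way to check the port-blocking recommendation above from firewall logs (an added example, not part of the original documentation). It assumes the logs are in the Windows Firewall pfirewall.log text layout; the trusted range, the sample log lines and the function name find_exposures are constructed for illustration.

```python
import ipaddress

# Ports named in the recommendation above.
MSMQT_PORTS = {("TCP", 1801), ("UDP", 3527)}

# Assumption: address range of the processing domain (constructed value).
TRUSTED_NET = ipaddress.ip_network("10.20.0.0/16")

# Constructed sample in the Windows Firewall pfirewall.log layout.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-06-01 10:00:01 ALLOW TCP 10.20.1.15 10.20.5.8 49152 1801 0 - 0 0 0 - - - RECEIVE
2024-06-01 10:00:07 DROP TCP 203.0.113.9 10.20.5.8 51123 1801 48 S 123 0 8192 - - - RECEIVE
2024-06-01 10:01:12 ALLOW TCP 198.51.100.23 10.20.5.8 40211 1801 0 - 0 0 0 - - - RECEIVE
2024-06-01 10:01:30 ALLOW UDP 198.51.100.23 10.20.5.8 3527 3527 0 - - - - - - - RECEIVE
2024-06-01 10:02:00 ALLOW TCP 198.51.100.23 10.20.5.8 40300 443 0 - 0 0 0 - - - RECEIVE
"""

def find_exposures(log_text, trusted_net=TRUSTED_NET):
    """Return (timestamp, protocol, src_ip, dst_port) for every ALLOWed
    connection to an MSMQT port whose source is outside trusted_net."""
    fields, hits = None, []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            # Column names come from the log header, not a hard-coded order.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        row = dict(zip(fields, line.split()))
        try:
            key = (row["protocol"].upper(), int(row["dst-port"]))
            src = ipaddress.ip_address(row["src-ip"])
        except (KeyError, ValueError):
            continue  # malformed record, or one without ports (e.g. ICMP)
        if row.get("action") == "ALLOW" and key in MSMQT_PORTS and src not in trusted_net:
            hits.append((f'{row["date"]} {row["time"]}', key[0], str(src), key[1]))
    return hits

if __name__ == "__main__":
    for hit in find_exposures(SAMPLE_LOG):
        print("MSMQT port reachable from outside trusted range:", hit)
```

Any row it returns means the firewall in front of the BizTalk Message Queuing server passed traffic to TCP 1801 or UDP 3527 from outside the trusted range.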

See Also

Ports for the Receive and Send Servers

Minimum Security User Rights

Security Recommendations for BizTalk Server Components

To download updated BizTalk Server 2004 Help from www.microsoft.com, go to http://go.microsoft.com/fwlink/?linkid=20616.

Copyright © 2004 Microsoft Corporation.
All rights reserved.