Hi Michael, this is probably a mistake.
Is port 50003 open?
50003 = FMS Admin Port
This port must be available on the Master machine in the configuration
Unless 50004 was opened by mistake, you should find out how/why it was opened. And for now, as the first measure, I would close it at once. It is not in use by FileMaker.
Just curious: Was it a mistake, somebody opening 50004 when wanting to open 50003?
Or did you find another explanation?
And ... I guess that my answer was the correct answer to your question.
Thanks for the replies - I think I can safely assume 50004 can be closed with impunity - will do it over a weekend just in case.
I succeeded in closing 50003 by turning off the remote admin exe, and helper, in the local firewall. We don't need that open as all admin console is done on the host machine.
It was the IT guys who found 50004 was open and associated with fmserver.exe, but I have never seen it mentioned in any documentation.
We are also considering closing:
Though I'm not sure whether we need these or not - the IT guys didn't even know, but I think they were too busy to ask their dedicated Win server experts.
So it'll be trial and error with them.
OK, here's what happened:
The server (Win 2008 R2) firewall is set up to enable/disable executables, rather than ports (although ports can be opened, but not individually closed).
When I was attempting to close 50003, I unchecked fmsadmin.exe and fmshelper.exe in the firewall, as we don't need Remote Admin. That closed 50003. What I didn't realise was that fmserver.exe apparently was not happy about the closure of 50003, so it opened 50004.
When the IT guys wanted to close 50004 (not knowing much about fmserver.exe) they unchecked fmserver.exe. Naturally we heard about this immediately from the users.
I went in and rechecked/reopened fmserver.exe.
The effect from closing and opening fmserver.exe was that 50004 closed and 50003 was opened. fmsadmin and fmshelper are still closed in the firewall.
I can only assume that fmserver wants 50003 open, and when it was closed due to closing fmsadmin, it simply opened the next available port.
So at this point, we are unable to close 50003 without 50004 replacing it. I think we'll leave it open.
There are two firewall types to look at. It sounds like the one you are dealing with is on the server and the admin tool needs the port available on the server. The other is an external device that would connect at the router and sit between the internet router and the LAN. If you have this type of firewall then you can close port 50003 here and prevent anyone outside of the company from getting to the admin console.
My guess is that running fmsadmin.exe on the server uses the port, even if it's going through the local loopback address.
Most WiFi routers have the second type of firewall built in. My old Linksys did as well as my current Apple TimeCapsule. Your IT LAN/WAN admin should disable these ports at the router/firewall. This will prevent access from outside the company.
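
The thread turns on which process holds 50003/50004 and whether the port is reachable from the network or only over the loopback address. As an added example (not written by any poster in this thread), this Python script parses `netstat -ano` output from the server and reports, for those two ports, the owning PID and whether each listener is bound to loopback only. The sample output, its PIDs and its bindings are constructed for illustration and do not describe real FileMaker Server behaviour.

```python
import ipaddress
import re

# Ports discussed in the thread: 50003 (FMS Admin Port) and 50004.
WATCHED_PORTS = {50003, 50004}

# Constructed sample of `netstat -ano` output. Addresses, PIDs and which
# port is bound where are made up so that both cases are exercised.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
  TCP    0.0.0.0:50003          0.0.0.0:0              LISTENING       2144
  TCP    127.0.0.1:50004        0.0.0.0:0              LISTENING       2144
  TCP    192.168.1.20:50003     192.168.1.55:49211     ESTABLISHED     2144
  TCP    [::]:50003             [::]:0                 LISTENING       2144
  TCP    [::1]:50004            [::]:0                 LISTENING       2144
"""

# Matches only TCP rows in LISTENING state: local address, port, PID.
LISTEN_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def watched_listeners(netstat_text, ports=WATCHED_PORTS):
    """Return sorted (port, address, pid, exposure) for listeners on watched ports."""
    found = set()
    for line in netstat_text.splitlines():
        m = LISTEN_ROW.match(line)
        if not m:
            continue
        port, pid = int(m.group(2)), int(m.group(3))
        if port not in ports:
            continue
        # IPv6 addresses are printed in brackets and may carry a %zone suffix.
        host = m.group(1).strip("[]").split("%")[0]
        addr = ipaddress.ip_address(host)
        exposure = "loopback-only" if addr.is_loopback else "network-reachable"
        found.add((port, str(addr), pid, exposure))
    return sorted(found)


def exposed_ports(netstat_text, ports=WATCHED_PORTS):
    """Watched ports with at least one listener that is not loopback-only."""
    rows = watched_listeners(netstat_text, ports)
    return sorted({p for p, _, _, e in rows if e == "network-reachable"})


if __name__ == "__main__":
    for row in watched_listeners(SAMPLE_NETSTAT):
        print(row)
    print("reachable from the network:", exposed_ports(SAMPLE_NETSTAT))
```

On the server, feed it the real output of `netstat -ano` and resolve a reported PID to its executable with `tasklist /FI "PID eq <pid>"`.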