I'm just trying out FMS17 on a virgin Windows Server Essentials 2016 install, which I do not plan to use for any other task except hosting FMS17.

I'm looking to switch off or block all ports and services which aren't needed for Filemaker Server.  The ones I'm planning to open for FMS are 80, 443, 5003, 16000.  The other ones which seem to be open separately from FMS are :

PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
3389/tcp open  ms-wbt-server
 

I'll be placing IP restrictions on 3389 (for my RDP), regarding switching off the rest, it occurred to me that parts of the OS may need to use some of these services to do what they need to do (e.g. allow administrator to login to windows?)  

Will be using a firewall external to windows itself, rather than the Microsoft firewall.

 

For inbound traffic, you might not need that entire list open, only the ones for FMS. If you have a worker machine for webdirect, you will also need 16002 as well.