Many clients do not want their accounting workstations to access the internet.  Furthermore, the Spire installer should set up any Windows Firewall rules required for proper operation.  However, if there is a firewall blocking general Internet access for the Spire server, that firewall needs to be configured so the Spire server can download updates and licensing information properly.  Note that Spire desktop/client workstations do not require access to the Internet (they just need to access the Spire server).

Step-by-step guide

Configuring Windows Firewall for Spire server on Internet-limited networks

Note that these steps may vary depending on the server's Windows version.

  1. Start the Windows "Control Panel" app.

  2. If the "View by" is set to "Category", click the "System and Security" link.

  3. Click the "Windows Defender Firewall" link.

  4. Click on "Advanced Settings" on the left.

  5. Select "Outbound Rules" and then click the menu item "Action → New Rule".

  6. Select the "Custom" option and click "Next":

  7. Select "This program path" and click "Browse" to browse to folder "C:\Program Files\Spire\Server", then select and open "spired.exe" (note for Spire 3.3 and lower, the folder is by default "C:\Program Files (x86)\Spire\Server\spiretray.exe"):                                                                                                                                                   
  8. Click the "Services → Customize" button, select "Apply to this service", find "Spire API Server" and select it, then click OK:

    Click "Next" to advance the setup.

  9. Set the "Protocol type" to "TCP" and the "Remote port" to "Specific Ports" and 443, then click "Next":

  10. Windows Firewall allows you to specify specific IP addresses so just click "Next" when you get to the IP-address setup.  The settings can simply be defaulted to "Any IP address" for both local and remote sections.

  11. Select "Allow the connection" and click "Next".

  12. It's recommended to select the "Domain" and "Private" network types, so only allow "Public" if you absolutely have to (given the network requires it):

  13. Click "Next" and give your rule a name, then click "Finish":