OK, I did some further poking about and found this post:
That contains port information (UDP 9003, TCP 9100-9200).
Initially, I tried modifying the firewall rules associated with the roonserver.exe to add those specific ports. This didn’t help.
What turned out to be the solution was to create two new rules (one for the UPD port and one for the TCP port range) that were not tied to the roonserver executable. I.e. they were purely port rules (but I made them apply only for the local network).
Now my Roon remotes can see the Roonserver running on my WHS 2011 system, and I’m a happy camper once more.