Monday, July 27, 2009

Part 109: Firewall Setting for SCCM client

In order to deploy the SCCM client, you need to open ports in the Windows Firewall. Rather than configure the ports on each workstation, I will use Group Policy to configure the Windows Firewall.

Below are the recommended ports to open, as suggested by Microsoft:-

a) Client Push Installation:-
- File and Printer Sharing
- Windows Management Instrumentation (WMI): TCP & UDP 1024-5000

b) Client request:-
- Port 80 for HTTP communication
- Port 443 for HTTPS communication

c) NAP:-
- UDP 67 and UDP 68 for DHCP
- TCP 80/443 for IPsec

d) Remote Control:-
- TCP 2701
- TCP 2702
- TCP 135

e) Remote Assistance and Remote Desktop:-
- Program exception for helpsvc.exe and TCP 135
- Remote Assistance and Remote Desktop (TCP 3389)

f) Windows Event Viewer, Windows Performance Monitor and Windows Diagnostics:-
- File and Printer Sharing exception

Based on the above ports, here is the configuration I've performed in the Group Policy.

a) Go to the Group Policy Management snap-in.
b) Expand Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile

c) Configure Windows Firewall: Allow inbound file and printer sharing exception

- Set Enabled
- IP: 192.168.10.47 (SCCM server IP address)

d) Configure Windows Firewall: Define inbound port exceptions

- Set Enabled
- Click Show
- Add the configuration below

Format for Define inbound port exceptions:-
Port:Transport(TCP/UDP):Scope:Status(enabled/disabled):Name

135:TCP:192.168.10.47:enabled:TCP135
80:TCP:192.168.10.47:enabled:Port80
443:TCP:192.168.10.47:enabled:Port443
67:UDP:192.168.10.47:enabled:NAPDHCP
68:UDP:192.168.10.47:enabled:NAPDHCP
2701:TCP:192.168.10.47:enabled:RemoteControl
2702:TCP:192.168.10.47:enabled:RemoteControl

Invalid configuration:-
1024-5000:TCP:192.168.10.47:enabled:WMI
1024-5000:UDP:192.168.10.47:enabled:WMI
*.TCP:192.168.10.47:enabled:All

WMI uses a random port in the range 1024-5000.

Note:
You cannot define a range of ports in the Windows Firewall policy. Each port needs to be defined individually.

If you still insist on opening a range of ports, you can write a script to run the following command:-
for /L %i in (1024,1,5000) do netsh firewall add portopening TCP %i "Port-range %i"
(If you save the command in a batch file, write %%i instead of %i.) Note that a rule created this way is not scoped to the SCCM server address like the Group Policy entries above: unless a scope is added, the port is opened to all addresses.

The script runs and creates one rule for each port from 1024 to 5000.
For the WMI ports, let's ignore them for now.
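As an added example (not from the original post), here is a PowerShell script that builds the Port:Transport:Scope:Status:Name entries above from a table, rejects the entries the policy cannot express (a range or a wildcard), and prints the equivalent legacy netsh command with the scope limited to the SCCM server. The server address and rule names are taken from this post; the table itself is constructed here.

```powershell
# Added example, not code from the original post. The IP address and rule
# names are assumptions taken from the post; adjust them to your environment.
$SccmServer = '192.168.10.47'

# Constructed table of the ports listed above: port, transport, rule name.
# The last two rows are the "invalid configuration" entries from the post.
$Rules = @(
    @{ Port = '135';       Transport = 'TCP'; Name = 'TCP135' },
    @{ Port = '80';        Transport = 'TCP'; Name = 'Port80' },
    @{ Port = '443';       Transport = 'TCP'; Name = 'Port443' },
    @{ Port = '67';        Transport = 'UDP'; Name = 'NAPDHCP' },
    @{ Port = '68';        Transport = 'UDP'; Name = 'NAPDHCP' },
    @{ Port = '2701';      Transport = 'TCP'; Name = 'RemoteControl' },
    @{ Port = '2702';      Transport = 'TCP'; Name = 'RemoteControl' },
    @{ Port = '1024-5000'; Transport = 'TCP'; Name = 'WMI' },   # invalid: range
    @{ Port = '*';         Transport = 'TCP'; Name = 'All' }    # invalid: wildcard
)

function Test-PortException {
    param([string]$Port, [string]$Transport)
    # The policy accepts exactly one numeric port (1-65535) per entry, TCP or UDP.
    if ($Port -notmatch '^\d+$') { return $false }
    $n = [int]$Port
    if ($n -lt 1 -or $n -gt 65535) { return $false }
    return ($Transport -eq 'TCP' -or $Transport -eq 'UDP')
}

$Valid = @()
foreach ($r in $Rules) {
    if (Test-PortException $r.Port $r.Transport) {
        # Entry format used by the policy: Port:Transport:Scope:Status:Name
        $Valid += '{0}:{1}:{2}:enabled:{3}' -f $r.Port, $r.Transport, $SccmServer, $r.Name
    } else {
        Write-Warning ("Skipping '{0}/{1}' ({2}): not a single port" -f $r.Port, $r.Transport, $r.Name)
    }
}

# These lines are what you paste into Show... of "Define inbound port exceptions".
$Valid

# Equivalent legacy netsh commands for a single machine, scoped to the SCCM
# server only, rather than to all addresses as the one-line loop above does.
foreach ($line in $Valid) {
    $p = $line -split ':'
    'netsh firewall add portopening protocol={0} port={1} name="{2}" mode=ENABLE scope=CUSTOM addresses={3}' -f $p[1], $p[0], $p[4], $p[2]
}
```

The two invalid rows produce warnings instead of entries, which is the same check the policy editor performs when it rejects a range.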

e) Configure Windows Firewall: Allow inbound remote administration exception

- Set Enabled
- IP: 192.168.10.47

f) Configure Windows Firewall: Allow inbound Remote Desktop exceptions

- Set Enabled
- IP: 192.168.10.47

g) Configure Windows Firewall: Define inbound program exceptions

- Set Enabled
- Click Show and add the settings below

Format for Define inbound program exceptions:-
Path:Scope:Status(enabled/disabled):Name
%systemroot%\system32\sessmgr.exe:*:enabled:sessmgr.exe
%systemroot%\PCHEALTH\HELPCTR\Binaries\helpsvc.exe:*:enabled:helpsvc.exe

The above configuration has been tested on workstations running Windows Vista and Windows XP.

As I've mentioned previously, you need to install BITS version 2.5 on Windows XP and Windows Server 2003.

Stay tuned for Part 110: Verifying SCCM client installation.