Using Windows Firewall with Orchestrator

Updated: May 13, 2016

Applies To: System Center 2012 SP1 - Orchestrator, System Center 2012 - Orchestrator, System Center 2012 R2 Orchestrator

Windows Firewall with Advanced Security is enabled by default on all Windows Server 2008 R2 computers. It blocks all incoming traffic unless the traffic is a response to a request from the host or a firewall rule specifically allows it. You can explicitly allow traffic by port number, application name, service name, or other criteria in the Windows Firewall with Advanced Security settings.

When you configure a Runbook Designer or a runbook server outside of a firewall, certain rules must be enabled on the management server computer to allow the Runbook Designer and the runbook server to communicate with the management server. Additionally, for some activities, such as the Monitoring Activities, if the target computer is outside the firewall you must enable certain firewall rules to allow WMI communication.

Configuration of Orchestrator computers

When a Runbook Designer or a runbook server is installed behind a firewall, specific firewall rules are required between the management server and the remote computers.

Enable the following rules as they apply to your configuration.

To enable access to your SQL server

  1. On the remote computer where a Runbook Designer or a runbook server is installed, open a port to connect to your SQL server. The default SQL port is TCP:1433.

To enable access between the Runbook Designer and the management server

  1. On the computer running the Management Server Service, add a firewall rule to allow the Runbook Designer or the runbook server to access ManagementService.exe.

    Location of Orchestrator Management Service

    Operating system    File location
    64-bit              %ProgramFiles(x86)%\Microsoft System Center 2012\Orchestrator\Management Server\ManagementService.exe

To grant privilege to the Runbook Server Service account

  1. On the remote runbook server computer, confirm that the Runbook Server Service account has the Log on as a service privilege.

To allow remote deployments with the Deployment Manager

  1. On the remote computer where you deployed the runbook server or the Runbook Designer, add a rule to allow the Deployment Manager to access the Orchestrator Remoting Service.

    Location of Orchestrator Remoting Service

    Operating system    File location
    64-bit              %SystemRoot%\SysWOW64\OrchestratorRemotingService.exe
    32-bit              %SystemRoot%\System32\OrchestratorRemotingService.exe
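The four procedures above, carried out from an elevated PowerShell prompt, as an added example; this is not code from the original article or from the Orchestrator product. It uses netsh advfirewall, which exists on Windows Server 2008 R2 as well as later versions, so it does not depend on the newer NetSecurity cmdlets. The file paths and the default SQL port are the ones the article lists; the rule names, the domain-profile scoping, and the service account name DOMAIN\svc_orchestrator are assumptions chosen for this example.

```powershell
# Added example, not code from the original article or from the Orchestrator product.
# Run each step on the computer the article names for it. Paths come from the article;
# rule names, profile=domain and the service account are assumptions for this example.

$SqlPort      = 1433   # default SQL Server port given in the article
$mgmtService  = "${env:ProgramFiles(x86)}\Microsoft System Center 2012\Orchestrator\Management Server\ManagementService.exe"
$remotingExes = @(
    "$env:SystemRoot\SysWOW64\OrchestratorRemotingService.exe",   # 64-bit Windows
    "$env:SystemRoot\System32\OrchestratorRemotingService.exe"    # 32-bit Windows
)

function Add-ProgramRule {
    param([string]$Name, [string]$Program)
    if (-not (Test-Path -LiteralPath $Program)) {
        Write-Warning "Skipping '$Name': $Program is not present on this computer"
        return
    }
    # A program rule limits the allow to one executable instead of opening a port to
    # every process on the host; profile=domain keeps the rule off public networks.
    netsh advfirewall firewall add rule name="$Name" dir=in action=allow `
        program="$Program" enable=yes profile=domain | Out-Null
}

# "To enable access to your SQL server": on the Runbook Designer / runbook server computer.
# Windows Firewall allows outbound traffic by default, so this rule only matters where the
# outbound default was changed to block; the SQL Server host needs its own inbound rule.
netsh advfirewall firewall add rule name="Orchestrator - SQL Server (TCP-Out)" `
    dir=out action=allow protocol=TCP remoteport=$SqlPort profile=domain | Out-Null

# "To enable access between the Runbook Designer and the management server":
# on the management server.
Add-ProgramRule -Name "Orchestrator Management Service (In)" -Program $mgmtService

# "To allow remote deployments with the Deployment Manager": on each remote runbook
# server or Runbook Designer computer. Only the path that exists on the host is used.
foreach ($exe in $remotingExes) {
    Add-ProgramRule -Name "Orchestrator Remoting Service (In)" -Program $exe
}

# "To grant privilege to the Runbook Server Service account": on the remote runbook
# server, check SeServiceLogonRight in an export of the local security policy.
function Test-LogOnAsServiceRight {
    param([string]$Account)
    $cfg = Join-Path $env:TEMP "secpol-user-rights.inf"
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight' | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return $false }
    # secedit lists holders as account names or as *SID; resolve the account to its SID
    # so either form matches.
    $ntAccount = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $holders = ($line.Line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    return ($holders -contains $sid) -or ($holders -contains $Account)
}

$runbookServiceAccount = "DOMAIN\svc_orchestrator"   # placeholder: substitute your account
if (Test-LogOnAsServiceRight -Account $runbookServiceAccount) {
    "$runbookServiceAccount holds 'Log on as a service'"
} else {
    Write-Warning "$runbookServiceAccount lacks 'Log on as a service'; grant it in Local Security Policy"
}

# Review what was created
netsh advfirewall firewall show rule name=all | Select-String -Pattern 'Rule Name:.*Orchestrator'
```

Program-based rules are preferred over port-based ones for the management and remoting services because they allow only the named executable to receive the traffic; an attacker who gains a foothold on the host cannot reuse a bare port rule for a different listener. The privilege check parses secedit's exported INF, so it works without the newer security cmdlets.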

For more information about adding firewall rules, see Add or Edit a Firewall Rule.

Firewall rules for activities

Any activities that use WMI communication, such as any of the Monitoring Activities, require certain Windows Firewall rules to function correctly.

For Windows Server 2008 R2, enable the following rules to allow any activity that uses WMI to function correctly:

  • Windows Management Instrumentation (Async-In)

  • Windows Management Instrumentation (DCOM-In)

  • Windows Management Instrumentation (WMI-In)
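Enabling the three predefined WMI rules on a target computer and verifying that they took effect, as an added example; this is not code from the original article. The rule names are the ones listed above, which Windows ships in its predefined "Windows Management Instrumentation (WMI)" group. The optional remote-address scoping and the placeholder addresses 10.0.0.10 and 10.0.0.11 are assumptions for this example, and the verification assumes English-language netsh output.

```powershell
# Added example, not code from the original article. Run in an elevated prompt on the
# computer targeted by the WMI-based activity. Rule names are the predefined rules the
# article lists; the remoteip scoping and its addresses are assumptions for this example.

$wmiRules = @(
    "Windows Management Instrumentation (Async-In)",
    "Windows Management Instrumentation (DCOM-In)",
    "Windows Management Instrumentation (WMI-In)"
)

# Enable the three inbound rules individually rather than the whole WMI group, so the
# group's outbound rule and anything else in it stay as they are.
foreach ($rule in $wmiRules) {
    netsh advfirewall firewall set rule name="$rule" new enable=yes | Out-Null
}

# Optional scoping (assumed, not in the article): limit the inbound WMI rules to the
# addresses of the Orchestrator runbook servers instead of any remote host.
$runbookServers = "10.0.0.10,10.0.0.11"   # placeholder addresses
foreach ($rule in $wmiRules) {
    netsh advfirewall firewall set rule name="$rule" new remoteip=$runbookServers | Out-Null
}

function Get-WmiRuleState {
    # Returns rule name -> $true when every profile instance of the rule is enabled.
    # Predefined rules usually exist once per profile, so one name yields several entries.
    $state = @{}
    foreach ($rule in $wmiRules) {
        $out     = netsh advfirewall firewall show rule name="$rule"
        $total   = @($out | Select-String -Pattern '^Enabled:').Count          # English output assumed
        $enabled = @($out | Select-String -Pattern '^Enabled:\s+Yes').Count
        $state[$rule] = ($total -gt 0 -and $total -eq $enabled)
    }
    return $state
}

Get-WmiRuleState | Format-Table -AutoSize
```

The Async-In and DCOM-In rules open RPC and DCOM listeners that many other services share, so restricting them to the runbook servers' addresses keeps the exposure to the hosts that actually need to run the activity. The verification counts enabled entries against all entries for each name, because a rule enabled only for one profile would otherwise look complete.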