Firewall Exceptions for System Center Essentials 2010

Applies To: System Center Essentials 2010

If a firewall is enabled in the deployment environment of System Center Essentials 2010, exceptions must be created so that the Essentials management server can successfully install agents on managed computers and so that managed computers can communicate with Essentials.

Note

If you have configured Essentials 2010 to use domain-based Group Policy and have firewall exceptions configured through domain-based Group Policy, you do not have to create any firewall exceptions. In addition, firewall exceptions for computers running Windows Firewall are configured automatically by Essentials 2010.

If your computers use firewall software from another manufacturer, see the documentation of that manufacturer for information about how to create exceptions. However, the port names described in the following procedures remain the same.

If the static IP address of the Essentials management server has changed, or if it is dynamically assigned, you must update firewall policies on managed computers whenever the IP address changes. However, if you are using domain-based Group Policy, Essentials 2010 prompts you to run the Product Configuration Wizard, located in the Configuration summary of the Administration Overview pane. You access it by clicking the link beside Policy Mode. When you update Group Policy with the new IP address of the Essentials management server, Essentials 2010 generates an updated firewall exception that contains the new IP address and applies it to managed computers.

For detailed information about the firewall exceptions required for Virtualization Management, see VMM Ports and Protocols in the System Center Virtual Machine Manager 2008 Technical Library (https://go.microsoft.com/fwlink/?LinkId=163937). For information about the firewall exceptions required for connecting to the Essentials management server from a remote Essentials Reporting server, see Supported Firewall Scenarios in the System Center Operations Manager 2007 Technical Library (https://go.microsoft.com/fwlink/?LinkId=163936).

Changing Windows Firewall Exceptions

The Windows Firewall exceptions in the first procedure in this topic are created on the Essentials management server when Essentials 2010 is installed. Use these procedures if you use other software to manage firewall exceptions.

To create Windows Firewall exceptions on the Essentials management server

  1. In Control Panel, click Windows Firewall.

  2. Click the Exceptions tab.

  3. Click Add Port, and then create the following TCP port exceptions:

    • Name=Port80; Port Number=80

    • Name=Port445; Port Number=445

    • Name=Port5723; Port Number=5723

    • Name=Port5724; Port Number=5724

    • Name=Port8530; Port Number=8530

    • Name=Port8531; Port Number=8531

    • Name=Port51906; Port Number=51906
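The same seven exceptions can be created from a script rather than through the Windows Firewall dialog. The following PowerShell script is an added example, not part of the Essentials 2010 documentation or product; it assumes the management server runs Windows Server 2008 or later (where the netsh advfirewall context exists), that the script is run from an elevated prompt, and that the rule names should match the ones used in this topic. Rules that already exist (for example, the ones Essentials created during setup) are left untouched.

```powershell
# Added example: create the inbound TCP exceptions listed above on the
# Essentials management server, skipping any rule that already exists.
# Assumes Windows Server 2008 or later and an elevated PowerShell prompt.

$ManagementServerPorts = 80, 445, 5723, 5724, 8530, 8531, 51906

function Test-FirewallRuleExists {
    param([string]$Name)
    # netsh prints "No rules match the specified criteria." when the rule is absent
    # and a "Rule Name:" header for each match, so the header is a reliable test.
    $output = netsh advfirewall firewall show rule name="$Name" 2>&1
    return (($output -join "`n") -match 'Rule Name:')
}

function Add-EssentialsServerException {
    param([int]$Port)
    $name = "Port$Port"
    if (Test-FirewallRuleExists -Name $name) {
        Write-Host "Rule $name already exists; leaving it as is."
        return
    }
    # Inbound allow rule for the single TCP port, applied to all profiles.
    $result = netsh advfirewall firewall add rule name="$name" dir=in action=allow protocol=TCP localport=$Port
    if ($LASTEXITCODE -ne 0) { throw "Failed to create rule ${name}: $result" }
    Write-Host "Created inbound TCP exception $name."
}

foreach ($port in $ManagementServerPorts) {
    Add-EssentialsServerException -Port $port
}

# Check: show name, state and port of each rule so a missing or disabled
# exception is visible immediately.
foreach ($port in $ManagementServerPorts) {
    netsh advfirewall firewall show rule name="Port$port" | Select-String 'Rule Name|Enabled|LocalPort'
}
```

The `add rule` command has no scope restriction here because this procedure does not specify one; the managed-computer procedure later in this topic shows how a scope is limited to a single address, and the same `remoteip=` parameter can be appended to these commands if the management server should accept these connections only from known networks.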

Important

If you use Internet Security and Acceleration (ISA) Server or firewall software from another manufacturer, ensure that port 8531 is open.
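After the exceptions are in place, whether in Windows Firewall, ISA Server or another product, the practical check is a TCP connection attempt from a managed computer to each server port. The following PowerShell function is an added example, not part of the Essentials 2010 documentation; it assumes PowerShell is available on the managed computer and takes the management server name and the port list from this topic as inputs. It distinguishes a timeout (typically a port blocked by a firewall) from a refused connection (the port is reachable but no service is listening), which is the distinction needed when deciding whether to look at the firewall or at the Essentials services.

```powershell
# Added example: probe the Essentials management server ports from a
# managed computer and report Open, Refused or Timeout for each one.
# Assumes PowerShell 2.0 or later; uses only .NET TcpClient, no extra modules.

function Test-EssentialsServerPorts {
    param(
        [Parameter(Mandatory = $true)][string]$ManagementServer,
        [int[]]$Ports = @(80, 445, 5723, 5724, 8530, 8531, 51906),
        [int]$TimeoutMs = 3000
    )
    $results = @()
    foreach ($port in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        $state = 'Timeout'
        try {
            $async = $client.BeginConnect($ManagementServer, $port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                # EndConnect throws if the server answered with a reset (refused);
                # it returns normally if the three-way handshake completed.
                $client.EndConnect($async)
                $state = 'Open'
            }
        } catch {
            $state = 'Refused'
        } finally {
            $client.Close()
        }
        $results += New-Object PSObject -Property @{ Port = $port; State = $state }
    }
    return $results
}

# Usage: the server name is a placeholder; replace it with your management server.
Test-EssentialsServerPorts -ManagementServer 'essentials-server.example.local' | Format-Table Port, State -AutoSize
```

A Timeout on 8531 from a computer behind ISA Server points at the Important note above: the SSL port has not been opened or published. A Refused result means the firewall is not the problem and the corresponding service or WSUS web listener on the management server should be checked instead.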

To create Windows Firewall exceptions on managed computers when using local Group Policy settings

  1. On each computer that you want Essentials 2010 to manage, in Control Panel, click Windows Firewall.

  2. Click the Exceptions tab.

  3. Ensure that the File and Printer Sharing check box is selected.

  4. Click Add Port, and create the following TCP port exceptions:

    • Name=Port135; Port Number=135

    • Name=Port139; Port Number=139

    • Name=Port445; Port Number=445

    • Name=Port6270; Port Number=6270

  5. Create the following UDP port exceptions:

    • Name=Port137; Port Number=137

    • Name=Port138; Port Number=138

  6. For each of these exceptions, do the following:

    • Click Change scope.

    • Select Custom list.

    • Limit the scope to the Essentials management server’s IP address.

To enable remote WMI calls to function on a managed computer running Windows XP

  1. On the taskbar, click Start, and then click Run.

  2. In the Run dialog box, type gpedit.msc, and then click OK.

  3. In the Local Group Policy Editor, under Console Root, expand Computer Configuration, expand Administrative Templates, and then expand Network. Expand Network Connections, expand Windows Firewall, and then click Domain Profile.

  4. In the Domain Profile pane, right-click Windows Firewall: Allow remote administration exception, and then click Properties.

  5. Click Enabled, and then click OK.

To enable remote WMI calls to function on a managed computer running Windows Vista

  1. In Control Panel, click Windows Firewall.

  2. Click the Exceptions tab.

  3. Select the Windows Management Instrumentation (WMI) check box.
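Both of the preceding procedures enable the same thing on different Windows generations: the firewall exception that lets the management server make remote WMI calls. The following PowerShell function is an added example, not part of the Essentials 2010 documentation; it assumes PowerShell is installed on the managed computer and picks the legacy netsh firewall context on Windows XP and Server 2003 (the "Allow remote administration exception" policy corresponds to the RemoteAdmin service there) and the netsh advfirewall rule group on Windows Vista and later. The optional address restricts the exception to the management server, matching the scope limitation used elsewhere in this topic.

```powershell
# Added example: enable the remote WMI / remote administration exception on a
# managed computer, optionally limited to the management server's address.
# Assumes PowerShell 2.0 or later and an elevated prompt.

function Enable-RemoteWmiException {
    param([string]$ManagementServerIP)   # optional; empty means no scope restriction

    $legacy = [Environment]::OSVersion.Version.Major -lt 6   # XP / Server 2003

    if ($legacy) {
        # Legacy context: RemoteAdmin covers the "Allow remote administration
        # exception" policy, applied to the domain profile as in the XP procedure.
        if ($ManagementServerIP) {
            netsh firewall set service type=remoteadmin mode=enable scope=custom addresses=$ManagementServerIP profile=domain
        } else {
            netsh firewall set service type=remoteadmin mode=enable profile=domain
        }
    } else {
        # Vista and later: enable the predefined WMI rule group (inbound rules only),
        # which is what the WMI check box on the Exceptions tab does.
        if ($ManagementServerIP) {
            netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" dir=in new enable=yes remoteip=$ManagementServerIP
        } else {
            netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" dir=in new enable=yes
        }
    }
    if ($LASTEXITCODE -ne 0) { throw "netsh could not enable the remote WMI exception" }
}

# Usage with a placeholder address (replace with the real management server IP):
Enable-RemoteWmiException -ManagementServerIP '192.0.2.10'
```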

To update firewall exceptions for a new Essentials management server IP address

  1. If the IP address of the Essentials management server is dynamically assigned, and you are using local Group Policy settings to configure managed computers, manually update the firewall exception on each client by using the new IP address.

  2. If you are using domain-based Group Policy settings to configure your managed computers, run the Product Configuration Wizard, located in the Configuration summary of the Administration Overview pane. You access it by clicking the link beside Policy Mode. When you update Group Policy with the new IP address of the Essentials management server, Essentials 2010 generates an updated firewall exception that contains the new IP address and applies it to managed computers.
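The managed-computer procedure earlier in this topic (File and Printer Sharing, TCP 135/139/445/6270, UDP 137/138, each scoped to the management server's address) and the manual update in step 1 above are the same operation performed twice with a different address. The following PowerShell function is an added example, not part of the Essentials 2010 documentation or product; it assumes PowerShell is installed on the managed computer, an elevated prompt, and uses the legacy netsh firewall context on Windows XP and Server 2003 and netsh advfirewall on Windows Vista and later. On first run it creates the exceptions with the scope limited to the given address; on a later run with the new address it re-scopes the existing rules, which is the manual update required when the management server's IP address changes and local Group Policy is in use.

```powershell
# Added example: create or re-scope the managed-computer exceptions from this
# topic so that they accept traffic only from the Essentials management server.
# Assumes PowerShell 2.0 or later and an elevated prompt on the managed computer.

$ClientTcpPorts = 135, 139, 445, 6270
$ClientUdpPorts = 137, 138

function Set-EssentialsClientExceptions {
    param([Parameter(Mandatory = $true)][string]$ManagementServerIP)

    # Validate the address before it is handed to netsh: only an IPv4 literal is accepted.
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($ManagementServerIP, [ref]$parsed) -or
        $parsed.AddressFamily -ne 'InterNetwork') {
        throw "'$ManagementServerIP' is not a valid IPv4 address"
    }

    $legacy = [Environment]::OSVersion.Version.Major -lt 6   # XP / Server 2003

    # Step 3 of the procedure: File and Printer Sharing, limited to the management server.
    if ($legacy) {
        netsh firewall set service type=fileandprint mode=enable scope=custom addresses=$ManagementServerIP profile=all
    } else {
        netsh advfirewall firewall set rule group="File and Printer Sharing" dir=in new enable=yes remoteip=$ManagementServerIP
    }
    if ($LASTEXITCODE -ne 0) { throw "netsh failed while enabling File and Printer Sharing" }

    # Steps 4 to 6: one named port exception per entry, scoped to the management server.
    $entries = @(
        @{ Proto = 'TCP'; Ports = $ClientTcpPorts },
        @{ Proto = 'UDP'; Ports = $ClientUdpPorts }
    )
    foreach ($entry in $entries) {
        $proto = $entry.Proto
        foreach ($port in $entry.Ports) {
            $name = "Port$port"
            if ($legacy) {
                # The legacy context has no "set" for port openings, so remove any
                # existing entry (ignoring "not found") and add it with the new scope.
                netsh firewall delete portopening protocol=$proto port=$port | Out-Null
                netsh firewall add portopening protocol=$proto port=$port name=$name mode=enable scope=custom addresses=$ManagementServerIP profile=all
            } else {
                $exists = ((netsh advfirewall firewall show rule name="$name" 2>&1) -join "`n") -match 'Rule Name:'
                if ($exists) {
                    # Rule already present: only the remote address (the "Custom list" scope) changes.
                    netsh advfirewall firewall set rule name="$name" dir=in new remoteip=$ManagementServerIP
                } else {
                    netsh advfirewall firewall add rule name="$name" dir=in action=allow protocol=$proto localport=$port remoteip=$ManagementServerIP
                }
            }
            if ($LASTEXITCODE -ne 0) { throw "netsh failed for exception $name" }
            Write-Host "$name ($proto) now scoped to $ManagementServerIP"
        }
    }
}

# Usage with a placeholder address; run again with the new address after a change.
Set-EssentialsClientExceptions -ManagementServerIP '192.0.2.10'
```

Because the scope is the only thing that differs between the first run and an update, keeping the management server's address as the single input makes it easy to push the same script to every locally managed computer after an address change, and a rule whose scope was left at "Any" would show up immediately in the `show rule` output.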

Configuring ISA Server Firewall Exceptions

Use the following procedures to configure the firewall settings for Internet Security and Acceleration (ISA) Server if there are managed computers on the other side of the firewall.

To create a new access rule for the System Center Management service

  1. On the taskbar, click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.

  2. Expand the Firewall Policy node under the desired computer in the navigation pane, and then, in the Tasks pane, click Create Array Access Rule.

    1. Enter the access rule name Essentials Management Service, and then click Next.

    2. On the Rule Action page, select Allow and then click Next.

    3. In the This rule applies to box, select Selected protocols, and then click Add.

    4. In the Add Protocols dialog box, click New, and then click Protocol.

    5. In the New Protocol Definition Wizard, enter TCP 5723.

    6. On the Primary Connection Information page, click New.

    7. On the New/Edit Protocol Information page, enter 5723 in both the From and To boxes, and then click OK.

    8. On the Primary Connection Information page, click Next.

    9. On the Secondary Connections page, click Next.

    10. On the Completing the New Protocol Definition Wizard page, click Finish.

  3. In the Add Protocols dialog box, expand the User-Defined folder, select TCP 5723, and then click Add.

    1. To close the Add Protocols dialog box, click Close.

    2. On the Protocols page of the New Access Rule wizard, click Next.

    3. In the Access Rule Sources dialog box, click Add.

    4. In the Add Protocols dialog box, expand the Networks folder, select Internal, and then click Add.

    5. Select Local Host, click Add, and then click Close.

    6. On the Access Rule Sources page of the New Access Rule wizard, click Next.

    7. In the Add Network Entities dialog box, expand the Networks folder, select Internal, and then click Add.

    8. Select Local Host, click Add, and then click Close.

    9. On the Access Rule Destinations page of the New Access Rule wizard, click Next.

    10. In the User Sets dialog box, click Next.

    11. On the Completing the New Access Rule Wizard page, click Finish.

To create a new access rule for the System Center Data Access service

  1. On the taskbar, click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.

  2. Under the selected computer, in the navigation pane, expand Firewall Policy and then, in the Tasks pane, click Create Array Access Rule.

    1. Enter the access rule name Essentials Data Access Service, and then click Next.

    2. On the Rule Action page, click Allow, and then click Next.

    3. On the Protocols page, under This rule applies to, select Selected protocols, and then click Add.

    4. In the Add Protocols dialog box, click New, and then click Protocol.

    5. In the New Protocol Definition Wizard, enter TCP 5724.

    6. On the Primary Connection Information page, click New.

    7. On the New/Edit Protocol Information page, enter 5724 in both the From and To boxes, and then click OK.

    8. On the Primary Connection Information page, click Next.

    9. On the Secondary Connections page, click Next.

    10. On the Completing the New Protocol Definition Wizard page, click Finish.

  3. In the Add Protocols dialog box, expand the User-Defined folder, select TCP 5724, and then click Add.

    1. To close the Add Protocols dialog box, click Close.

    2. On the Protocols page of the New Access Rule wizard, click Next.

    3. In the Access Rule Sources dialog box, click Add.

    4. In the Add Protocols dialog box, expand the Networks folder, select Internal, and then click Add.

    5. Select Local Host, click Add, and then click Close.

    6. On the Access Rule Sources page of the New Access Rule wizard, click Next.

    7. On the Access Rule Destinations page of the New Access Rule wizard, click Add.

    8. In the Add Network Entities dialog box, expand the Networks folder, select Internal, and then click Add.

    9. Under the Networks folder, click Internal, and then click Add.

    10. Select Local Host, click Add, and then click Close.

    11. On the Access Rule Destinations page of the New Access Rule wizard, click Next.

    12. In the User Sets dialog box, click Next.

  4. On the Completing the New Access Rule Wizard page, click Finish.

To publish the WSUS Web server

  1. On the taskbar, click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.

  2. In the navigation pane, expand the Firewall Policy node, and then, in the Tasks pane, click Publish a Web Server.

    1. Enter the access rule name Essentials WSUS Web Server, and then click Next.

    2. On the Select Rule Action page, select Allow, and then click Next.

  3. In the Define Web site to Publish dialog box, enter the Essentials management server name in the Computer name or IP address box.

  4. Enter /* in the Path box, and then click Next.

  5. In the Public Name Details dialog box, enter the Essentials management server name in the Public name box, and then click Next.

  6. In the Select Web Listener dialog box, click New.

    1. On the Welcome to the New Web Listener Wizard page, enter Essentials Web Listener, and then click Next.

    2. On the IP Addresses page, select the Internal and Local Host check boxes, and then click Next.

  7. On the Port Specification page of the New Web Listener Wizard, do the following:

    1. Select the Enable HTTP check box.

    2. Enter 8530 in HTTP port.

    3. Select the Enable SSL check box.

    4. Enter 8531 in SSL port.

    5. Click Select, select the certificate that matches the host name of the Essentials management server, and then click OK.

    6. Click Next.

  8. On the Completing the New Web Listener Wizard page, click Finish.

  9. In the Select Web Listener dialog box:

    1. Under Web Listener, select Essentials Web Listener, and then click Next.

    2. On the User Sets page, click Next.

  10. On the Completing the New Web Publishing Rule Wizard page, click Finish.

  11. In the ISA Server console, right-click the Essentials WSUS Web Server rule, and then click Properties.

    1. Click the To tab.

    2. Select Requests appear to come from the original client.

    3. Click the Bridging tab.

    4. Enter 8530 in Redirect requests to the HTTP port.

    5. Select the Redirect requests to SSL port check box, and enter 8531.

    6. Click OK.

  12. In the ISA Server console, click Apply to save changes and update the configuration.

See Also

Concepts

Local Policy vs. Group Policy in System Center Essentials 2010
Planning to Deploy System Center Essentials 2010