How to Change Windows Firewall Exceptions

If a firewall is enabled in the deployment environment of Essentials 2007, exceptions must be created so that the Essentials 2007 management server can successfully install agents on managed computers and so that managed computers can communicate with Essentials 2007.

Note

On a managed computer, you do not need to manually create any firewall exceptions if you are using Group Policy rather than local policy.

If your computers use firewall software from another manufacturer, refer to its documentation for how to create exceptions. However, the port names described in the following procedures remain the same.

If the static IP address of the Essentials 2007 management server has changed or if it is dynamically assigned, you must update firewall policies on managed computers whenever the IP address changes.

To change Windows Firewall exceptions on the Management Server

  1. Open Control Panel, and then open Windows Firewall.

  2. Click the Exceptions tab.

  3. Click Add Port, and then create the following TCP port exceptions:

    • Name=Port80; Port Number=80

    • Name=Port8530; Port Number=8530

    • Name=Port8531; Port Number=8531

    • Name=Port5723; Port Number=5723

    • Name=Port5724; Port Number=5724

    • Name=Port445; Port Number=445

    • Name=Port51906; Port Number=51906

To change Windows Firewall exceptions on a managed computer

  1. Open Control Panel, and then open Windows Firewall.

  2. Click the Exceptions tab.

  3. Make sure that the File and Printer Sharing check box is selected.

  4. Click Add Port, and create the following TCP port exceptions:

    • Name=Port6270; Port Number=6270

    • Name=Port135; Port Number=135

    • Name=Port139; Port Number=139

    • Name=Port445; Port Number=445

  5. Create the following UDP port exceptions:

    • Name=Port137; Port Number=137

    • Name=Port138; Port Number=138

  6. For each of these exceptions, do the following:

    • Click Change scope.

    • Select Custom list.

    • Limit the scope to the Essentials 2007 management server’s IP address.
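
The managed-computer procedure above can also be applied from a script, with every exception limited to the management server's address. This is an added example, not part of the original procedure; it assumes the legacy `netsh firewall` command context of Windows XP SP2 and Windows Vista, and the parameter names `ManagementServerIP` and `Apply` are hypothetical.

```powershell
# Added example: scripted form of the managed-computer procedure.
# Assumes the legacy "netsh firewall" context (Windows XP SP2, Windows Vista).
param(
    [Parameter(Mandatory = $true)]
    [string]$ManagementServerIP,  # hypothetical parameter: Custom list scope
    [switch]$Apply                # hypothetical switch: without it, only print
)

# Accept only a canonical dotted-quad IPv4 address, so that a typo cannot
# produce an invalid or unintended scope.
$parsed = $null
$ok = [System.Net.IPAddress]::TryParse($ManagementServerIP, [ref]$parsed)
if (-not $ok -or $parsed.ToString() -ne $ManagementServerIP -or
    $parsed.AddressFamily -ne 'InterNetwork') {
    throw "Not a valid IPv4 address: $ManagementServerIP"
}

# Every exception gets the same custom scope (step 6 of the procedure).
$scope = "mode=ENABLE scope=CUSTOM addresses=$ManagementServerIP"

# Step 3: File and Printer Sharing, scoped to the management server here
# (an assumption that matches the Group Policy setting on this page).
$commands = @("netsh firewall set service type=FILEANDPRINT $scope")

# Step 4: TCP port exceptions, named as in the procedure.
foreach ($port in 6270, 135, 139, 445) {
    $commands += "netsh firewall add portopening protocol=TCP port=$port name=Port$port $scope"
}

# Step 5: UDP port exceptions.
foreach ($port in 137, 138) {
    $commands += "netsh firewall add portopening protocol=UDP port=$port name=Port$port $scope"
}

# Print the commands for review, or run them and stop at the first failure.
foreach ($command in $commands) {
    if (-not $Apply) { Write-Output $command; continue }
    cmd /c $command
    if ($LASTEXITCODE -ne 0) { throw "Failed: $command" }
}
```

Run the script without `-Apply` first to review the generated commands, then again with `-Apply` from an elevated prompt.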

To update firewall exceptions for a new management server IP address

  1. If the IP address of the Essentials 2007 management server is dynamically assigned and you are using local policy to configure managed computers, manually update the firewall exception on each client with the new IP address.

  2. If you are using domain policy to configure your managed computers, run the Group Policy Object Editor (gpedit.msc) for the domain and go to Computer Configuration/Administrative Templates/Network/Network Connections/Windows Firewall/Domain Profile.

  3. In Group Policy Object Editor, enable the following policy settings, and configure them as described:

    1. For "Windows Firewall: Allow remote administration exception", set "Allow unsolicited incoming messages from" to the new IP address of the management server.

    2. For "Windows Firewall: Allow file and printer sharing exception", set "Allow unsolicited incoming messages from" to the new IP address of the management server.

To allow remote WMI calls to function on a managed computer running Windows XP

  1. On the Windows desktop, click Start, and then click Run.

  2. In the Run dialog box, type gpedit.msc and then click OK.

  3. In Local Group Policy Editor, under Console Root, expand Computer Configuration, expand Administrative Templates, expand Network, expand Network Connections, expand Windows Firewall, and then click Domain Profile.

  4. In the Domain Profile pane, right-click Windows Firewall: Allow remote administration exception, and then click Properties.

  5. Click Enabled, and then click OK.

To allow remote WMI calls to function on a managed computer running Windows Vista

  1. Open Control Panel, and then open Windows Firewall.

  2. Click the Exceptions tab.

  3. Select the Windows Management Instrumentation (WMI) check box.
