Managing Windows Firewall Protection

Applies To: Forefront Endpoint Protection

This task applies to the following features:

  • Forefront Endpoint Protection

  • The FEP Security Management Pack

Note

Windows XP and Windows Server 2003 only support two network locations: Domain networks and Private networks. Any settings you configure for the Public networks location are ignored on computers running Windows XP or Windows Server 2003.

Additionally, for both the Domain networks and the Private networks locations, setting the Incoming connections list to Allow is ignored on computers running Windows XP.

To turn on or off Windows Firewall protection by using FEP

  1. In the Configuration Manager Console, in the tree, expand Computer Management, expand Forefront Endpoint Protection, and then click Policies.

  2. Right-click the policy you want to modify, and then click Properties.

  3. In the Properties dialog box, click the Windows Firewall tab.

  4. On the Windows Firewall tab, select the Manage Windows Firewall check box.

  5. For each of the network locations, in the Firewall State list, select the desired setting of either On (recommended) or Off, and then click OK.

After you configure the FEP policy, if the FEP policy is already assigned to a collection, it is refreshed within the Configuration Manager policy polling interval. You can configure the Configuration Manager policy polling interval in the Computer Client Agent configuration in the Configuration Manager console. For more information about the Computer Client Agent, see How to Configure the Configuration Manager Computer Client Agent (https://go.microsoft.com/fwlink/?LinkId=204087).

Additionally, only one advertisement can run at a time on the client computer. Therefore, if an advertisement is running on the client computer, the FEP policy advertisement is processed after that advertisement completes.

Important

When you apply a FEP policy to a collection that has more than one policy assigned, policy precedence determines which policy takes effect on the clients in the collection. For more information about policy precedence, see Setting Policy Precedence.

To turn on or off Windows Firewall protection by using the FEP Security Management Pack

  1. In the Operations Manager console, navigate to the Monitoring view, and then expand the Monitoring tree.

  2. In the Monitoring tree, under Forefront Endpoint Protection, click Endpoints with FEP.

  3. In the Endpoints with FEP pane, click the name of the endpoint on which you want to turn Windows Firewall on or off.

    Note

    To search for an endpoint by name, enter the name (FQDN) of the endpoint in the Look for text box, and then click Find Now.

  4. In the Actions pane, expand Protected Endpoint Tasks, and then click either Turn Windows Firewall On or Turn Windows Firewall Off.

  5. In the Run Task dialog box, verify that the target is the endpoint on which you want to run the task and that the check box next to the target name is selected, and then click Run.

    Note

    If Group Policy is used to manage the Windows Firewall settings, the FEP Security Management Pack task fails to commit the changes to the Windows Firewall configuration. However, the task still reports as successful, because there is no method to determine whether Group Policy is used to manage the Windows Firewall settings.
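
Because the task reports success even when Group Policy blocks the change, the result has to be checked on the endpoint itself. The following PowerShell check is an added example, not part of FEP or the FEP Security Management Pack; it assumes the standard registry locations for Group Policy and local Windows Firewall profile settings, and the function names are hypothetical.

```powershell
# Added example: function and variable names are hypothetical, not part of FEP.
# Assumed registry roots for firewall profile settings.
$GpoRoot   = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$LocalRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

# Network location -> registry subkeys. Group Policy may use PrivateProfile or the
# older StandardProfile; the local store keeps the Private location in StandardProfile.
$Locations = @(
    @{ Name = 'Domain';  Gpo = @('DomainProfile');                     Local = 'DomainProfile'   },
    @{ Name = 'Private'; Gpo = @('PrivateProfile', 'StandardProfile'); Local = 'StandardProfile' },
    @{ Name = 'Public';  Gpo = @('PublicProfile');                     Local = 'PublicProfile'   }
)

function Read-EnableFirewall([string]$Path) {
    # Returns 1 (on), 0 (off), or $null when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name EnableFirewall -ErrorAction SilentlyContinue
    if ($item) { return [int]$item.EnableFirewall }
    return $null
}

function Format-State($Value) {
    if ($null -eq $Value) { 'not set' } elseif ($Value -eq 1) { 'On' } else { 'Off' }
}

function Get-FirewallProfileState {
    foreach ($l in $Locations) {
        # First Group Policy subkey that defines EnableFirewall is used.
        $gpo = $null
        foreach ($sub in $l.Gpo) {
            $v = Read-EnableFirewall (Join-Path $GpoRoot $sub)
            if ($null -ne $v) { $gpo = $v; break }
        }
        $loc = Read-EnableFirewall (Join-Path $LocalRoot $l.Local)
        # A Group Policy value, when present, overrides the local setting.
        $effective = if ($null -ne $gpo) { $gpo } else { $loc }
        New-Object PSObject -Property @{
            Location             = $l.Name
            ManagedByGroupPolicy = ($null -ne $gpo)
            GroupPolicyState     = Format-State $gpo
            LocalState           = Format-State $loc
            EffectiveState       = Format-State $effective
        }
    }
}

Get-FirewallProfileState |
    Format-Table Location, ManagedByGroupPolicy, GroupPolicyState, LocalState, EffectiveState -AutoSize
```

Run it on the endpoint before and after the task: a location that shows ManagedByGroupPolicy as True keeps its Group Policy state regardless of what the task reported.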