Using Windows Firewall with Orchestrator
Updated: November 20, 2014
Applies To: System Center 2012 - Orchestrator, System Center 2012 R2 Orchestrator, System Center 2012 SP1 - Orchestrator
Windows Firewall with Advanced Security is enabled by default on all Windows 2008 R2 computers, and blocks all incoming traffic unless it is a response to a request by the host or it is specifically allowed by a firewall rule to allow the traffic. You can explicitly allow traffic by specifying a port number, application name, service name, or other criteria by configuring Windows Firewall with Advanced Security settings.
When you configure a Runbook Designer or a runbook server outside of a firewall, certain rules must be enabled on the management server computer to allow the Runbook Designer and the runbook server to communicate with the management. Additionally, for some activities such as the Monitoring Activities, if the target computer is outside the firewall, you must enable certain firewall rules to allow WMI communication.
Configuration of Orchestrator computers
When a Runbook Designer or a runbook server is installed behind a firewall, specific firewall rules are required between the management server and the remote computers.
Enable the following rules as they apply to your configuration.
To enable access to your SQL server
On the remote computer where a Runbook Designer or a runbook server is installed, open a port to connect to your SQL server. The default SQL port is TCP:1433.
To enable access between the Runbook Designer and the management server
On the computer running the Management Server Service, add a firewall rule to allow Runbook Designer or runbook server to access ManagementService.exe.
Location of Orchestrator Management Service
Operating system Firewall rule
%ProgramFiles(x86)%\Microsoft System Center 2012\Orchestrator\Management Server\ManagementService.exe
To grant privilege to the Runbook Server Service account
On the remote runbook server computer, confirm that the Runbook Server Service account has the Logon as service privilege.
To allow remote deployments with the Deployment Manager
On the remote computer where you deployed the runbook server or the Runbook Designer, add a rule to allow the Deployment Manager to access the Orchestrator Remoting Service.
Location of Orchestrator Remoting Service
Operating system File location
For more information about adding firewall rules see Add or Edit a Firewall Rule.
Firewall rules for activities
Any activities that use WMI communication, such as any of the Monitoring Activities, require certain Windows Firewall rules to function correctly.
For Windows Server 2008 R2, enable the following rules to allow any activity that uses WMI to function correctly:
Windows Management Instrumentation (Async-In)
Windows Management Instrumentation (DCOM-In)
Windows Management Instrumentation (WMI-In)
For additional resources, see Information and Support for System Center 2012.
Tip: Use this query to find online documentation in the TechNet Library for System Center 2012. For instructions and examples, see Search the System Center 2012 Documentation Library.