Firewall Exceptions for System Center Essentials 2010
Applies To: System Center Essentials 2010
If a firewall is enabled in the deployment environment of System Center Essentials 2010, exceptions must be created so that the Essentials management server can successfully install agents on managed computers and so that managed computers can communicate with Essentials.
Note
If you have configured Essentials 2010 to use domain-based Group Policy and have firewall exceptions configured through domain-based Group Policy, you do not have to create any firewall exceptions. In addition, firewall exceptions for computers running Windows Firewall are configured automatically by Essentials 2010.
If your computers use firewall software from another manufacturer, see the documentation of that manufacturer for information about how to create exceptions. However, the port names described in the following procedures remain the same.
If the static IP address of the Essentials management server has changed, or if it is dynamically assigned, you must update the firewall policies on managed computers whenever the IP address changes. However, if you are using domain-based Group Policy, Essentials 2010 prompts you to run the Product Configuration Wizard, located in the Configuration summary of the Administration Overview pane; you access it by clicking the link beside Policy Mode. When you update Group Policy with the new IP address of the Essentials management server, Group Policy delivers an updated firewall exception containing the new IP address to the managed computers.
For detailed information about the firewall exceptions required for Virtualization Management, see VMM Ports and Protocols in the System Center Virtual Machine Manager 2008 Technical Library (https://go.microsoft.com/fwlink/?LinkId=163937). For information about the firewall exceptions required for connecting to the Essentials management server from a remote Essentials Reporting server, see Supported Firewall Scenarios in the System Center Operations Manager 2007 Technical Library (https://go.microsoft.com/fwlink/?LinkId=163936).
Changing Windows Firewall Exceptions
The Windows Firewall exceptions in the first procedure in this topic are created on the Essentials management server when Essentials 2010 is installed. Use these procedures if you use other software to manage firewall exceptions.
To create Windows Firewall exceptions on the Essentials management server
In Control Panel, click Windows Firewall.
Click the Exceptions tab.
Click Add Port, and then create the following TCP port exceptions:
Name=Port80; Port Number=80
Name=Port445; Port Number=445
Name=Port5723; Port Number=5723
Name=Port5724; Port Number=5724
Name=Port8530; Port Number=8530
Name=Port8531; Port Number=8531
Name=Port51906; Port Number=51906
Important
If you use Internet Security and Acceleration (ISA) Server or firewall software from another manufacturer, ensure that port 8531 is open.
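The following script is an added example, not part of the Essentials 2010 documentation. It creates the seven management-server TCP exceptions listed in the procedure above with netsh advfirewall (available on Windows Server 2008 and 2008 R2), using the same rule names as the Name= values, skips rules that already exist, and then prints each rule so that port 8531 and the others can be confirmed as open. Run it from an elevated prompt on the management server.

```powershell
# Added example (not from the Essentials 2010 documentation): create the
# management-server inbound TCP exceptions from the procedure above with
# netsh advfirewall (Windows Server 2008 / 2008 R2). Rule names match the
# Name= values in the procedure. Run elevated.

$ports = @{
    'Port80'    = 80
    'Port445'   = 445
    'Port5723'  = 5723
    'Port5724'  = 5724
    'Port8530'  = 8530
    'Port8531'  = 8531
    'Port51906' = 51906
}

function Test-FirewallRuleExists {
    param([string]$Name)
    # netsh prints "No rules match the specified criteria." (English output
    # assumed) and returns a non-zero exit code when the rule does not exist.
    $out = netsh advfirewall firewall show rule name="$Name"
    return ($LASTEXITCODE -eq 0 -and -not ($out -match 'No rules match'))
}

function Add-EssentialsServerException {
    param([string]$Name, [int]$Port)
    if (Test-FirewallRuleExists -Name $Name) {
        Write-Host "Rule '$Name' already exists; leaving it unchanged."
        return
    }
    netsh advfirewall firewall add rule name="$Name" dir=in action=allow protocol=TCP localport=$Port | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh failed to add rule '$Name' (TCP $Port)." }
    Write-Host "Added inbound TCP $Port exception '$Name'."
}

# Hashtable order is not guaranteed, so sort by port number for readable output.
foreach ($entry in ($ports.GetEnumerator() | Sort-Object Value)) {
    Add-EssentialsServerException -Name $entry.Key -Port $entry.Value
}

# Review the result: every rule should show Enabled: Yes and Direction: In.
foreach ($name in $ports.Keys) {
    netsh advfirewall firewall show rule name="$name" |
        Select-String -Pattern '^(Rule Name|Enabled|Direction|LocalPort):'
}
```

These server-side rules are deliberately not scoped to a remote address, because agents on any managed computer must reach the server; the managed-computer exceptions in the next procedure are the ones that should be restricted to the server's IP address.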
To create Windows Firewall exceptions on managed computers when using local Group Policy settings
On each computer that you want Essentials 2010 to manage, in Control Panel, click Windows Firewall.
Click the Exceptions tab.
Ensure that the File and Printer Sharing check box is selected.
Click Add Port, and create the following TCP port exceptions:
Name=Port135; Port Number=135
Name=Port139; Port Number=139
Name=Port445; Port Number=445
Name=Port6270; Port Number=6270
Create the following UDP port exceptions:
Name=Port137; Port Number=137
Name=Port138; Port Number=138
For each of these exceptions, do the following:
Click Change scope.
Select Custom list.
Limit the scope to the Essentials management server’s IP address.
To enable remote WMI calls to function on a managed computer running Windows XP
On the taskbar, click Start, and then click Run.
In the Run dialog box, type gpedit.msc, and then click OK.
In the Local Group Policy Editor, under Console Root, expand Computer Configuration, expand Administrative Templates, and then expand Network. Expand Network Connections, expand Windows Firewall, and then click Domain Profile.
In the Domain Profile pane, right-click Windows Firewall: Allow remote administration exception, and then click Properties.
Click Enabled, and then click OK.
To enable remote WMI calls to function on a managed computer running Windows Vista
In Control Panel, click Windows Firewall.
Click the Exceptions tab.
Select the Windows Management Instrumentation (WMI) check box.
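The script below is an added example, not part of the Essentials 2010 documentation, and covers the three preceding procedures for managed computers in one pass: the TCP and UDP port exceptions with their scope limited to the management server's IP address (the Change scope / Custom list steps), the File and Printer Sharing exception, and the WMI / remote administration exception. On Windows XP it uses the legacy netsh firewall context (the equivalent of the Allow remote administration exception policy), and on Windows Vista it uses netsh advfirewall. The $ManagementServerIP parameter is an assumption you must supply.

```powershell
# Added example (not from the Essentials 2010 documentation): apply the
# managed-computer firewall exceptions from the three procedures above.
# Every port exception is scoped to the management server's IP address so
# that no other host on the network can reach those ports.
param(
    [Parameter(Mandatory = $true)]
    [string]$ManagementServerIP   # e.g. 192.0.2.10 (placeholder address)
)

$tcpPorts = @{ 'Port135' = 135; 'Port139' = 139; 'Port445' = 445; 'Port6270' = 6270 }
$udpPorts = @{ 'Port137' = 137; 'Port138' = 138 }

# Windows XP / Server 2003 (major version 5) only have the legacy
# "netsh firewall" context; Windows Vista and later use "netsh advfirewall".
$legacy = ([Environment]::OSVersion.Version.Major -lt 6)

function Add-ScopedPortException {
    param([string]$Name, [string]$Protocol, [int]$Port)
    if ($legacy) {
        netsh firewall add portopening protocol=$Protocol port=$Port name=$Name mode=ENABLE scope=CUSTOM addresses=$ManagementServerIP | Out-Null
    } else {
        netsh advfirewall firewall add rule name="$Name" dir=in action=allow protocol=$Protocol localport=$Port remoteip=$ManagementServerIP | Out-Null
    }
    if ($LASTEXITCODE -ne 0) { throw "Failed to add $Protocol $Port exception '$Name'." }
    Write-Host "Added inbound $Protocol $Port exception '$Name' scoped to $ManagementServerIP."
}

foreach ($e in $tcpPorts.GetEnumerator()) { Add-ScopedPortException $e.Key 'TCP' $e.Value }
foreach ($e in $udpPorts.GetEnumerator()) { Add-ScopedPortException $e.Key 'UDP' $e.Value }

# File and Printer Sharing (the check box every managed computer needs) and
# the remote WMI exception: on XP this is the "Allow remote administration
# exception" policy, on Vista the "Windows Management Instrumentation (WMI)"
# check box. These are enabled as the procedures describe, without a scope.
if ($legacy) {
    netsh firewall set service type=FILEANDPRINT mode=ENABLE | Out-Null
    netsh firewall set service type=REMOTEADMIN mode=ENABLE | Out-Null
} else {
    netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes | Out-Null
    netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=Yes | Out-Null
}
if ($LASTEXITCODE -ne 0) { throw "Failed to enable the File and Printer Sharing or WMI exception." }
Write-Host "Managed-computer exceptions applied for management server $ManagementServerIP."
```

Run it once per managed computer, for example as a startup script, when local Group Policy rather than domain-based Group Policy controls the firewall. If the management server's address is dynamically assigned, the remoteip value in these rules must be refreshed each time it changes, as the next procedure describes.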
To update firewall exceptions for a new Essentials management server IP address
If the IP address of the Essentials management server is dynamically assigned, and you are using local Group Policy settings to configure managed computers, manually update the firewall exception on each client by using the new IP address.
If you are using domain-based Group Policy settings to configure your managed computers, run the Product Configuration Wizard, located in the Configuration summary of the Administration Overview pane; you access it by clicking the link beside Policy Mode. When you update Group Policy with the new IP address of the Essentials management server, Group Policy delivers an updated firewall exception containing the new IP address to the managed computers.
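For the local Group Policy case above, where each client must be updated by hand, the following added example (not part of the Essentials 2010 documentation) resolves the management server's current IPv4 address through DNS, compares it with the remote address currently set on each scoped exception, and re-points only the rules that differ. It assumes the rule names used in the managed-computer procedure and the netsh advfirewall context (Windows Vista and later); the server name is a placeholder.

```powershell
# Added example (not from the Essentials 2010 documentation): on a managed
# computer using local Group Policy settings, re-scope the port exceptions to
# the management server's current IP address instead of editing each rule by
# hand. Assumes the rule names from the procedure above and English netsh output.
param(
    [string]$ManagementServerName = 'essentials-server.example.com',   # placeholder
    [string[]]$RuleNames = @('Port135', 'Port139', 'Port445', 'Port6270', 'Port137', 'Port138'),
    [switch]$WhatIf   # report what would change without touching the rules
)

# Resolve the server's current IPv4 address.
$addresses = [System.Net.Dns]::GetHostAddresses($ManagementServerName) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' }
if (-not $addresses) { throw "No IPv4 address found for $ManagementServerName." }
$newIP = $addresses[0].IPAddressToString

function Get-RuleRemoteIP {
    param([string]$Name)
    # netsh prints one "RemoteIP:" line per rule. Keep only the address part:
    # netsh may append a mask (for example /32 or /255.255.255.255) and may
    # list several comma-separated addresses.
    $line = netsh advfirewall firewall show rule name="$Name" |
        Select-String -Pattern '^RemoteIP:\s+(.+)$' | Select-Object -First 1
    if (-not $line) { return $null }
    return ($line.Matches[0].Groups[1].Value.Trim() -split '[/,]')[0]
}

foreach ($name in $RuleNames) {
    $current = Get-RuleRemoteIP -Name $name
    if ($null -eq $current) {
        Write-Warning "Rule '$name' not found on this computer; create it first."
        continue
    }
    if ($current -eq $newIP) {
        Write-Host "Rule '$name' is already scoped to $newIP."
        continue
    }
    Write-Host "Rule '$name': $current -> $newIP"
    if (-not $WhatIf) {
        netsh advfirewall firewall set rule name="$name" new remoteip=$newIP | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Failed to update rule '$name'." }
    }
}
```

Run it with -WhatIf first to see which rules would change. Because the scope is the only thing that keeps these ports from being reachable by every host, a rule left pointing at a stale address fails closed (the agent loses contact) rather than open, which is the safer failure but still worth detecting promptly.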
Configuring ISA Server Firewall Exceptions
Use the following procedures to configure the firewall settings for Internet Security and Acceleration (ISA) Server if there are managed computers on the other side of the firewall.
To create a new access rule for the System Center Management service
On the taskbar, click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.
Expand the Firewall Policy node under the desired computer in the navigation pane, and then, in the Tasks pane, click Create Array Access Rule.
Enter Essentials Management Service as the access rule name, and then click Next.
On the Rule Action page, select Allow and then click Next.
On the Protocols page, under This rule applies to, select Selected protocols, and then click Add.
In the Add Protocols dialog box, click New, and then click Protocol.
In the New Protocol Definition Wizard, enter TCP 5723 as the protocol definition name.
On the Primary Connection Information page, click New.
On the New/Edit Protocol Information page, enter 5723 in both the From and To boxes, and then click OK.
On the Primary Connection Information page, click Next.
On the Secondary Connections page, click Next.
On the Completing the New Protocol Definition Wizard page, click Finish.
In the Add Protocols dialog box, expand the User-Defined folder, select TCP 5723, and then click Add.
To close the Add Protocols dialog box, click Close.
On the Protocols page of the New Access Rule wizard, click Next.
On the Access Rule Sources page of the New Access Rule wizard, click Add.
In the Add Network Entities dialog box, expand the Networks folder, select Internal, and then click Add.
Select Local Host, click Add, and then click Close.
On the Access Rule Sources page of the New Access Rule wizard, click Next.
On the Access Rule Destinations page of the New Access Rule wizard, click Add.
In the Add Network Entities dialog box, expand the Networks folder, select Internal, and then click Add.
Select Local Host, click Add, and then click Close.
On the Access Rule Destinations page of the New Access Rule wizard, click Next.
On the User Sets page, click Next.
On the Completing the New Access Rule Wizard page, click Finish.
To create a new access rule for the System Center Data Access service
On the taskbar, click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.
Under the selected computer, in the navigation pane, expand Firewall Policy and then, in the Tasks pane, click Create Array Access Rule.
Enter Essentials Data Access Service as the access rule name, and then click Next.
On the Rule Action page, click Allow, and then click Next.
On the Protocols page, under This rule applies to, select Selected protocols, and then click Add.
In the Add Protocols dialog box, click New, and then click Protocol.
In the New Protocol Definition Wizard, enter TCP 5724 as the protocol definition name.
On the Primary Connection Information page, click New.
On the New/Edit Protocol Information page, enter 5724 in both the From and To boxes, and then click OK.
On the Primary Connection Information page, click Next.
On the Secondary Connections page, click Next.
On the Completing the New Protocol Definition Wizard page, click Finish.
In the Add Protocols dialog box, expand the User-Defined folder, select TCP 5724, and then click Add.
To close the Add Protocols dialog box, click Close.
On the Protocols page of the New Access Rule wizard, click Next.
On the Access Rule Sources page of the New Access Rule wizard, click Add.
In the Add Network Entities dialog box, expand the Networks folder, select Internal, and then click Add.
Select Local Host, click Add, and then click Close.
On the Access Rule Sources page of the New Access Rule wizard, click Next.
On the Access Rule Destinations page of the New Access Rule wizard, click Add.
In the Add Network Entities dialog box, expand the Networks folder, select Internal, and then click Add.
Select Local Host, click Add, and then click Close.
On the Access Rule Destinations page of the New Access Rule wizard, click Next.
On the User Sets page, click Next.
On the Completing the New Access Rule Wizard page, click Finish.
To publish the WSUS Web server
On the taskbar, click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.
In the navigation pane, expand the Firewall Policy node, and then, in the Tasks pane, click Publish a Web Server.
Enter Essentials WSUS Web Server as the rule name, and then click Next.
On the Select Rule Action page, select Allow, and then click Next.
In the Define Web site to Publish dialog box, enter the Essentials management server name in the Computer name or IP address box.
Enter /* in the Path box, and then click Next.
In the Public Name Details dialog box, enter the Essentials management server name in the Public name box, and then click Next.
In the Select Web Listener dialog box, click New.
On the Welcome to the New Web Listener Wizard page, enter Essentials Web Listener as the listener name, and then click Next.
On the IP Addresses page, select the Internal and Local Host check boxes, and then click Next.
On the Port Specification page of the New Web Listener Wizard, do the following:
Select the Enable HTTP check box.
Enter 8530 in HTTP port.
Select the Enable SSL check box.
Enter 8531 in SSL port.
Click Select, select the certificate that matches the host name of the Essentials management server, and then click OK.
Click Next.
On the Completing the New Web Listener Wizard page, click Finish.
In the Select Web Listener dialog box, under Web Listener, select Essentials Web Listener, and then click Next.
On the User Sets page, click Next.
On the Completing the New Web Publishing Rule Wizard page, click Finish.
In the ISA Server console, right-click the Essentials WSUS Web Server rule, and then click Properties.
Click the To tab.
Select Requests appear to come from the original client.
Click the Bridging tab.
Enter 8530 in the Redirect requests to HTTP port box.
Select the Redirect requests to SSL port check box, and then enter 8531.
Click OK.
In the ISA Server console, click Apply to save changes and update the configuration.
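Once the Windows Firewall exceptions and, where applicable, the ISA Server rules are in place, the added example below (not part of the Essentials 2010 documentation) checks from a managed computer that the management server actually accepts TCP connections on the ports the procedures above open. It attempts only a TCP connect with a timeout and sends no data. The defaults cover the managed computer to management server direction; pass -ComputerName and -Ports to check the reverse direction (TCP 135, 139, 445 and 6270 on a managed computer) from the server. Host names are placeholders.

```powershell
# Added example (not from the Essentials 2010 documentation): TCP reachability
# check for the ports the firewall exceptions above are meant to open.
# Default port list: what a managed computer must reach on the management
# server; the labels are the rule names / services from the procedures above.
param(
    [string]$ComputerName = 'essentials-server.example.com',   # placeholder
    [hashtable]$Ports = @{
        80    = 'Port80'
        445   = 'Port445'
        5723  = 'Port5723 (System Center Management service)'
        5724  = 'Port5724 (System Center Data Access service)'
        8530  = 'Port8530 (WSUS HTTP)'
        8531  = 'Port8531 (WSUS SSL)'
        51906 = 'Port51906'
    },
    [int]$TimeoutMilliseconds = 3000
)

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$Timeout)
    # Asynchronous connect so that a silently dropped packet (the usual
    # symptom of a missing exception) times out instead of hanging.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($Timeout, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($port in ($Ports.Keys | Sort-Object)) {
    $open = Test-TcpPort -Target $ComputerName -Port $port -Timeout $TimeoutMilliseconds
    New-Object PSObject -Property @{
        Target    = $ComputerName
        Port      = $port
        Rule      = $Ports[$port]
        Reachable = $open
    }
}

$results | Format-Table Target, Port, Rule, Reachable -AutoSize

$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0) {
    Write-Warning ("Blocked ports on {0}: {1}. Check the Windows Firewall exceptions on that computer and any ISA Server rule in the path." -f $ComputerName, ($blocked | ForEach-Object { $_.Port }) -join ', ')
}
```

A port reported as Reachable only shows that a TCP handshake completed; a port reported as blocked may be closed by the firewall, by a scoped exception that names a different management server address, or by the service not running, so confirm the rule scope before changing it.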
See Also
Concepts
Local Policy vs. Group Policy in System Center Essentials 2010
Planning to Deploy System Center Essentials 2010