How to Use Windows Firewall with a Server Cluster

Applies To: Windows Server 2003 R2

If you enable Windows Firewall for a server cluster running Windows Server™ 2003 Service Pack 1, you must configure the firewall so that the cluster nodes can communicate as needed. To do this, run the Security Configuration Wizard, which is an optional component in Windows Server 2003 Service Pack 1 that can be installed through Control Panel.

Note

To perform the following procedures, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure.

Using the Security Configuration Wizard to Configure Windows Firewall

To use the Security Configuration Wizard to configure Windows Firewall on a server cluster node, you must do the following:

  • Install the Security Configuration Wizard (an optional component).

  • Use the Security Configuration Wizard to create a new security policy for a server cluster node.

  • Turn on Windows Firewall (if you have not already turned it on) and apply the security policy you created to the appropriate server cluster nodes.

After turning on Windows Firewall and applying the security policy, confirm that the recovery action is set correctly for the Cluster service.

Important

In Windows Server 2003, Windows Firewall resets its TCP session mapping table whenever a significant IP addressing change occurs. This means that when failover occurs in a cluster and the virtual IP address is moved to another node, any existing TCP session mappings are lost. As a result, the firewall on the new node sees the inbound traffic for those sessions as unsolicited and drops it. TCP eventually times out and renegotiates the sessions through the firewall on the new node, but the timeout can cause the affected programs to experience delays of up to two minutes.

To install the Security Configuration Wizard

  1. In Control Panel, open Add or Remove Programs.

  2. Click Add/Remove Windows Components.

  3. Select the Security Configuration Wizard check box, click Next, and then click Finish.

To use the Security Configuration Wizard to create a new security policy for a server cluster node

  1. Make sure you have installed the server cluster nodes and have configured the clustered resources and resource groups.

  2. Make sure you have installed the Security Configuration Wizard as described in the previous procedure.

  3. In Administrative Tools, open Security Configuration Wizard and read the information on the first page of the wizard.

  4. Click Next and then select Create a new security policy.

  5. Click Next and then select a cluster node to use as a baseline for this security policy. Later, you can apply this policy to the selected server or to any other server with a similar configuration.

    You must be logged on as an administrator of the selected server.

  6. Click Next several times until you see the Select Server Roles page.

  7. On the Select Server Roles page, for View, select All roles.

  8. Select Cluster server and any server roles that correspond to the clustered resources on the server cluster nodes. For example, for a cluster with a File Share resource, select Cluster server and File server. Clear any roles that do not correspond to the clustered resources on server cluster nodes.

  9. Click Next, select the client features that are necessary for the node to function, and clear any client features that are not necessary.

    Examples of client features are Domain member, Microsoft networking client, DHCP client, DNS client, and WINS client.

  10. Click Next and, on the Select Administration and Other Options page, select Join a cluster.

  11. Select or clear check boxes for other options as appropriate.

    Examples of options on this page include Remote Windows administration and Time synchronization.

  12. Click Next and select additional services required for the node.

    The services that are available are listed. For example, if antivirus software is installed, the services it provides might be listed.

  13. Click Next and choose an option for the handling of unspecified services.

    To learn more about unspecified services, click the link on this wizard page.

  14. Click Next and review the service changes resulting from the selections you have made. If necessary, go back to previous pages and change your selections.

  15. Click Next.

  16. If needed, specify additional configuration details in the next three sections of the wizard, which cover Network Security, Registry Settings, and Audit Policy. You can probably skip those three sections if the following is true for your configuration:

    • You have already specified all the roles the servers will have, and there are no additional ports (beyond those needed for those server roles) that need to be opened.

    • The clients and servers that connect to your cluster nodes are running Windows Server 2003, Microsoft Windows® 2000, or Windows XP, and are not running operating systems earlier than these.

    • The cluster nodes do not require specialized auditing.

  17. Use the remaining pages of the wizard to save and view the security policy and to specify whether to apply the policy now or later.

To turn on Windows Firewall and apply the security policy to server cluster nodes

As with any configuration change to a cluster, it is best to observe the cluster carefully as you make the following change. Apply the security policy to one node, then observe that node and make adjustments if necessary before applying the security policy to the next node.

  1. If you have not already turned on Windows Firewall, click Start, click Control Panel, and click Windows Firewall. If you are prompted to start the Windows Firewall/Internet Connection Sharing (ICS) service, click Yes. Click On, and then click OK.

  2. In Administrative Tools, open Security Configuration Wizard, and then click Next.

  3. Select Apply an existing security policy.

  4. Specify the security policy that you created for cluster nodes, or click Browse and then select the security policy.

  5. Click Next and select the server to which you want to apply the security policy.

  6. Click Next twice.

    The wizard applies the security policy.

  7. Click Next, and then click Finish.

  8. As appropriate, test the cluster node to ensure that it functions correctly with Windows Firewall enabled and the security policy in effect.

    If the security policy does not work correctly, you can run the wizard again to roll it back, and then turn off Windows Firewall. At that point, you can run the wizard to edit the security policy as needed, and then repeat this procedure to apply the modified security policy.

  9. Repeat steps 1 through 8 for each of the cluster nodes.

Confirming the Recovery Action Setting for the Cluster Service

After turning on Windows Firewall and applying a security policy to server cluster nodes, confirm that the recovery action is set correctly for the Cluster service.

To confirm that the recovery action is set correctly for the Cluster service

  1. On a cluster node, in Control Panel, open Administrative Tools.

  2. Open Services.

  3. Double-click Cluster service.

  4. On the Recovery tab, for First failure, make sure Restart the Service is chosen.

  5. For Second failure and Subsequent failures, make sure Restart the Service is chosen.

Note that the preceding procedure will set the recovery action for the Cluster service, but will not immediately restart the Cluster service. If necessary, after completing the procedure, start the Cluster service, either in the Services snap-in or by opening a command prompt and typing net start clussvc.
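As an added example that is not part of the original article, the following batch script carries out the per-node part of the two preceding procedures (turn on Windows Firewall, apply the policy to one node, confirm the Cluster service recovery actions, start the service if needed) from a command prompt on a Windows Server 2003 SP1 node, using scwcmd.exe, the command-line form of the Security Configuration Wizard, in place of the GUI steps. The policy path C:\Policies\ClusterNode.xml and the 60000 ms restart delay (the Services snap-in default of one minute) are assumptions.

```batch
@echo off
rem Added example, not from the original article. Run locally, as an administrator,
rem on ONE cluster node at a time after the SCW policy has been created.
rem Assumed (hypothetical) policy path and restart delay below.
setlocal
set POLICY=C:\Policies\ClusterNode.xml

echo === 1. Make sure Windows Firewall is on for every profile ===
netsh firewall show opmode | findstr /i /c:"Operational mode" | findstr /i "Disable" >nul
if not errorlevel 1 (
    echo Firewall is off in at least one profile - enabling it
    netsh firewall set opmode mode=enable profile=all
)

echo === 2. Apply the SCW security policy to this node only ===
if not exist "%POLICY%" (
    echo Policy file %POLICY% not found
    exit /b 1
)
scwcmd configure /p:"%POLICY%"
if errorlevel 1 (
    echo scwcmd configure failed - undo with "scwcmd rollback" and recheck the policy
    exit /b 1
)

echo === 3. Confirm the Cluster service recovery actions are Restart, Restart, Restart ===
set RESTARTS=0
for /f %%c in ('sc qfailure clussvc ^| find /c "RESTART"') do set RESTARTS=%%c
if not "%RESTARTS%"=="3" (
    echo Found %RESTARTS% Restart actions instead of 3 - setting first, second and subsequent
    sc failure clussvc reset= 0 actions= restart/60000/restart/60000/restart/60000
)

echo === 4. Setting the recovery action does not start the service; start it if stopped ===
sc query clussvc | findstr /i "RUNNING" >nul
if errorlevel 1 net start clussvc

echo Done. Test this node with the firewall on before repeating on the next node.
endlocal
```

Run the script on each node in turn and observe the node (including a failover to it, keeping in mind the session-mapping delay described above) before moving to the next.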