windream with Firewall
windream GmbH, Bochum
Copyright 2004-2006 by windream GmbH / winrechte GmbH, Wasserstr. 219, 44799 Bochum. Issue: 07/06, 1.0.0.2. All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form (print, photocopy, or any other form) or by any means without the express written permission of windream GmbH / winrechte GmbH.

Important Note: All information and technical specifications in this book have been collected by the authors with great care. They cannot, however, guarantee, take legal responsibility for, or give any other warranty resulting from the use of this information. We would also like to point out that all software and hardware logos and names are the exclusive property of the respective trademark, brand name or patent right holders and are protected by the appropriate laws and trade agreements.
Table of Contents

Configuration: Operating windream with a Firewall ...... 1
  Configuration adjustment ...... 1
  Releasing the TCP-ports on the firewall ...... 2
  Adding the windream services to the exceptions list of the firewall ...... 4
  Adjusting the DCOM-configuration for restricting the port range ...... 6
  Adding "ANONYMOUS-LOGON" in DCOM Limits for "Remote Access" ...... 11
  Important notes on firewall settings with cluster installations ...... 14
Configuration: Operating windream with a Firewall

Configuration adjustment

This document is a guideline for configuring a windream server and a windream desktop computer that are separated by a firewall. To operate windream across a firewall between client and server, one of two approaches must be taken:

- Add the specific windream services and programs to the exception list of the firewall (settings in the firewall configuration), or
- Restrict the DCOM connection settings (port ranges) on the client and on the server and release those port ranges on the firewall.

In either case, the default DCOM port, TCP port 135 (the RPC endpoint mapper through which every DCOM connection is set up), must be added to the exception list on the windream client and on the windream server. Additionally, the windream TCP port must always be released on the firewall of the server. Where the firewall allows it, limit these exceptions to the addresses or subnet of the windream client and server rather than opening them for any source.

The detailed procedure depends on the firewall used. This documentation explains the required steps using the Windows Firewall as an example; for other firewall products, refer to the documentation supplied with the respective software package. Further information on firewalls and DCOM settings can be found in the documentation provided by Microsoft or on the Microsoft homepage at http://www.microsoft.com.

Releasing windream services and TCP-port 135 on the firewall

To release the windream services and programs on the firewall, add the components to the exception list of the firewall (see chapter "Adding the windream services to the exceptions list of the firewall"). Additionally, TCP port 135 must be added to the list (see chapter "Releasing the TCP-ports on the firewall").

Extend the exception list of the firewall on the windream client by:
- TCP-port 135
- windream Control Center (wmcc.exe)
- windream indexing service (WmIdxSv.exe)
This is the standard configuration, which the windream client setup program applies automatically.

Extend the exception list of the firewall on the windream server by:
- TCP-port 135
- windream DMS-Service (wmopdsv.exe)
- windream TCP-port (534 by default; see "Releasing the windream TCP-port")

These settings must always be made manually on the windream server.

Alternatively determine the DCOM-connection settings

Instead of releasing the programs, you can define the DCOM connection settings (port ranges). To do so, determine the respective connection ranges on the windream client and on the server, then add the port ranges to the exception list of the firewall (see chapters "Adjusting the DCOM-configuration for restricting the port range" and "Releasing the port range on the firewall"). Additionally, TCP port 135 must be added to the exception list (see chapter "Releasing the TCP-ports on the firewall").

Releasing the TCP-ports on the firewall

The standard port 135 for RPC communication (DCOM) must be released on the firewall in both directions (client to server and server to client), because the DMS-service also opens DCOM connections back to the client, for example to deliver events to the indexing service (see chapter "Adding 'ANONYMOUS-LOGON' in DCOM Limits for 'Remote Access'"). The procedure is described below for the settings on a windream client; it is the same on a windream server. By default, the windream client setup program makes these settings automatically; on a windream server they must be made manually. Additionally, the windream TCP port must also be released on the windream server.

Adding the TCP-port to the exception list of the firewall

1. Open the properties of the LAN connection from the properties of the network connections.
2. Switch to the Advanced tab page and open the settings of the Windows Firewall.
3. Switch to the Exceptions tab page.
Figure 1: Adding a firewall port

4. Click Add Port....

Figure 2: Adding a port

5. Enter a name in the Name field (e.g. Microsoft DCOM 135), enter 135 in the Port number field, and leave TCP selected as the protocol.
6. Save the settings with OK. The port is now released.

Releasing the windream TCP-port

On the windream server, also add the windream TCP port (the default setting of the windream setup is 534 or 1122) to the exception list, following the same steps as for port 135 (see "Adding the TCP-port to the exception list of the firewall"). The port currently in use is shown in the windream configuration on the Connections tab page; you can view the current settings via the Control Center on the client as well as on the server. Check this value before adding the exception: if the released port does not match the configured windream port, the firewall will continue to block the windream connection.

Adding the windream services to the exceptions list of the firewall

To do so, configure the firewall on the windream client and on the windream server.

Configuring the firewall on the client

1. Open the properties of the LAN connection from the properties of the network connections.
2. Switch to the Advanced tab page and open the settings of the Windows Firewall.
3. Switch to the Exceptions tab page. The programs wmcc.exe (windream Control Center) and WmIdxSv.exe (windream indexing service) have to be added to the list.
4. Click Add Program.... In the dialog box for adding a program, add the two programs one by one by clicking the Browse button.
Figure 3: Adjusting the Windows Firewall on the windream client

Adjusting the settings of the programs

Now adjust the settings of the programs WmIdxSv.exe and wmcc.exe according to your needs.

5. Select the first program to be edited in the list (e.g. WmIdxSv.exe) and click the Edit button.

Figure 4: Editing programs

6. Click the button for changing the scope.
7. In the dialog box for changing the scope, make the desired settings: enable the option that restricts the exception to your own network (subnet) only, so that the program accepts incoming connections from the local subnet rather than from any address.

Figure 5: Changing the scope

Close the Windows Firewall dialog box and save the settings by clicking OK.

Configuring the firewall on the server

On the windream server, add the following windream component to the exception list:
- windream DMS-Service (wmopdsv.exe)

This procedure depends on the firewall software used on the windream server. If you use the Windows Firewall, add the programs and services to the exception list as described under "Configuring the firewall on the client", and restrict the scope in the same way.

Adjusting the DCOM-configuration for restricting the port range

As an alternative to releasing the respective windream programs, you can define the DCOM connection settings (port ranges). The adjustments described below are to be executed on the windream server and on every windream client connected to it. To restrict the port range used for the subsequent DCOM communication, some changes must be made in the DCOM settings under Windows. Note that these settings apply machine-wide: every DCOM server on the computer, not only windream, will be assigned its ports from this range.
1. Open the Component Services console (under Windows XP) or the DCOM configuration (under Windows NT 4.0 / 2000) by selecting Run from the Start menu and entering the command dcomcnfg.

Steps 2 and 3 are only required under Windows XP. Under Windows NT 4.0 or Windows 2000, the dialog box DCOM Configuration Properties opens directly and you can proceed with step 4. Under Windows XP, the Component Services console opens first.

2. Click Component Services and expand the folders until My Computer is displayed (example: Console Root > Component Services > Computers > My Computer).

Figure 6: Windows component services

3. Select the entry My Computer and open its properties with a right mouse click. The dialog box My Computer Properties opens.
Figure 7: DCOM configuration, default protocols

4. In the dialog box DCOM Configuration Properties or My Computer Properties, switch to the Default Protocols tab page.
5. Select the entry Connection-oriented TCP/IP and open its properties.
Figure 8: Setting the port range

Here you add the port range you want to use for the communication.

6. Click Add.
7. In the field for the range, enter the port range you want to add (on the client e.g. 4000-4010, on a server e.g. 5000-5100).

Note: Make sure that sufficient ports are released. The communication with windream itself requires one port on the client and one port on the server. However, all DCOM servers on the machine draw their ports from the range set in the DCOM port range settings, and windream cannot be assigned a fixed port within it. There is no direct recommendation for the number of ports required on the server; sufficient ports must be available for all applications (e.g. 100). If a port range of 5000-5100 has been set on the server, the first 9 ports, for example (the number varies from server to server), may already be used by other applications, and port 5010 is then assigned to the windream DMS-service. The number of ports used by other applications depends on the locally installed software and on the current configuration and cannot be estimated; this is why the entire range, not a single port, must be released on the firewall. Notes on the release of further ports for other products can be found in the respective manuals of those applications and in the documentation provided by Microsoft.
Figure 9: Port range added

8. Confirm the entry with OK and close all windows.
9. Restart the computer to apply the modified DCOM configuration.

Releasing the port range on the firewall

Finally, the defined port ranges (in this example 4000-4010 on the client and 5000-5100 on the server) must be released on the respective firewall:

- Client firewall, incoming: all ports of the client DCOM connection range must be opened for INCOMING connections, in addition to port 135.
- Client firewall, outgoing: if the client firewall also blocks OUTGOING connections, all ports of the server DCOM connection range must be opened for OUTGOING calls as well.
- Server firewall, incoming: if a firewall exists on the server, all ports of the server DCOM connection range must be opened for INCOMING connections, in addition to port 135.
- Server firewall, outgoing: if the server firewall also blocks OUTGOING connections, all ports of the client DCOM connection range must be opened for OUTGOING calls.

Where the firewall supports it, restrict these exceptions to the addresses or subnet of the windream client and server, since the released range is used by every DCOM server on the machine.
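The following script is an added example and is not part of the windream documentation or of the windream product. It performs, from the command line, the same steps as the dialogs described in "Releasing the TCP-ports on the firewall", "Adding the windream services to the exceptions list of the firewall", "Adjusting the DCOM-configuration for restricting the port range" and "Releasing the port range on the firewall": it releases TCP port 135, either adds the windream programs as exceptions or writes the DCOM port range and opens it, and on the server also releases the windream TCP port. It targets the Windows XP SP2 / Server 2003 firewall (netsh "firewall" context; Vista and later use "netsh advfirewall" or New-NetFirewallRule), and the registry values it writes are the ones dcomcnfg writes for "Connection-oriented TCP/IP" (Microsoft KB 154596, cited at the end of this document). The installation directory C:\Program Files\windream, port 534 and the ranges 4000-4010 / 5000-5100 are assumptions taken from the text; adjust them to your system and run the script as an administrator.

```powershell
<#
Added example, not part of the windream documentation: scripted equivalent of
the Windows Firewall and DCOM steps in the sections above. Assumptions: XP SP2
/ Server 2003 "netsh firewall" syntax, the windream install directory, the
windream TCP port (see Control Center > Connections) and the example ranges.
#>
param(
    [ValidateSet('client', 'server')] [string]$Role = 'client',
    [ValidateSet('programs', 'dcomrange')] [string]$Mode = 'programs',
    [int]$WindreamPort = 534,                           # assumed; check Connections tab
    [string]$WindreamDir = 'C:\Program Files\windream', # assumed install path
    [string]$PeerAddress = ''                           # address of the other side, if not in the same subnet
)

function Get-ScopeArgs {
    # SUBNET matches "Changing the scope" above. When client and server are in
    # different subnets (the usual reason for a firewall in between), SUBNET
    # would block the peer, so restrict the exception to its address instead.
    if ($PeerAddress) { return @('scope=CUSTOM', "addresses=$PeerAddress") }
    return @('scope=SUBNET')
}

function Add-PortException {
    param([int]$Port, [string]$Name)
    # "Add Port..." on the Exceptions tab. The XP firewall filters INCOMING
    # traffic only, so nothing has to be done here for OUTGOING calls.
    $scope = Get-ScopeArgs
    netsh firewall add portopening protocol=TCP port=$Port name="$Name" mode=ENABLE $scope | Out-Null
}

function Add-ProgramException {
    param([string]$Path, [string]$Name)
    # "Add Program..." on the Exceptions tab.
    if (-not (Test-Path $Path)) { throw "Program not found: $Path (check -WindreamDir)" }
    $scope = Get-ScopeArgs
    netsh firewall add allowedprogram program="$Path" name="$Name" mode=ENABLE $scope | Out-Null
}

function Set-DcomPortRange {
    param([string]$Range)   # e.g. '5000-5100'
    # Same values dcomcnfg writes for Connection-oriented TCP/IP (KB 154596).
    # They apply to every DCOM server on this machine and need a restart.
    $key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name Ports -PropertyType MultiString -Value @($Range) -Force | Out-Null
    New-ItemProperty -Path $key -Name PortsInternetAvailable -PropertyType String -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $key -Name UseInternetPorts -PropertyType String -Value 'Y' -Force | Out-Null
}

function Open-PortRange {
    param([string]$Range, [string]$Name)
    # netsh firewall opens one port per call, so the whole range is expanded;
    # a single port is not enough, since windream may get any port of the range.
    $lo, $hi = $Range -split '-' | ForEach-Object { [int]$_ }
    foreach ($p in $lo..$hi) { Add-PortException -Port $p -Name "$Name $p" }
}

# TCP 135 (RPC endpoint mapper) is required on both sides in every variant.
Add-PortException -Port 135 -Name 'Microsoft DCOM 135'

switch ($Mode) {
    'programs' {
        if ($Role -eq 'client') {
            Add-ProgramException -Path (Join-Path $WindreamDir 'wmcc.exe')    -Name 'windream Control Center'
            Add-ProgramException -Path (Join-Path $WindreamDir 'WmIdxSv.exe') -Name 'windream indexing service'
        } else {
            Add-ProgramException -Path (Join-Path $WindreamDir 'wmopdsv.exe') -Name 'windream DMS-Service'
        }
    }
    'dcomrange' {
        $range = if ($Role -eq 'client') { '4000-4010' } else { '5000-5100' }
        Set-DcomPortRange -Range $range
        Open-PortRange -Range $range -Name 'DCOM range'
        Write-Warning 'Restart the computer to apply the DCOM port range.'
    }
}

if ($Role -eq 'server') {
    # The windream TCP port must always be released on the server.
    Add-PortException -Port $WindreamPort -Name "windream TCP $WindreamPort"
}
```

Run it once per machine, e.g. `.\windream-firewall.ps1 -Role server -Mode dcomrange -PeerAddress 10.0.1.20` on the server and `-Role client` on each client; the `-Mode programs` variant reproduces what the client setup does automatically. Because the XP firewall does not filter outgoing traffic, the OUTGOING rules from "Releasing the port range on the firewall" only matter on a firewall product that does, and must be configured there.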
Adding "ANONYMOUS-LOGON" in DCOM Limits for "Remote Access"

This client setting is required to support all possible client/server combinations and all account types under which the windream DMS-service may run (local user, domain user, local system). It concerns primarily the DCOM events that the DMS-server sends to the client (generally to the indexing service). For these events to be sent to the client and received there, the indexing service must raise its own (and only its own) DCOM security level to "Remote Access for Anonymous allowed". This in turn requires an entry for ANONYMOUS LOGON in the DCOM remote access limits, because these limits define the maximum up to which client processes may set their own DCOM security; a process cannot grant more than the machine-wide limit allows. Since the limit applies to every COM server on the client and not only to windream, weigh it against the "Polling" alternative described below on clients where a wider machine-wide limit is not acceptable.

Furthermore, this DCOM limits setting is required if an adjustment of user accounts is to be started on a windream client. For this process, the windream Control Center needs the above-mentioned events from the DMS-service and therefore also extends its access permissions for ANONYMOUS. If the adjustment is always and only executed on the windream server, the limits do not need to be changed on the windream client.

If the DCOM settings are not to be changed, the indexing service can be switched to "Polling". For the indexing service, a polling interval is set in the windream configuration on the Filter tab page of the windream client.

Note: All clients set to "Polling" contact the windream DMS-server every n seconds (depending on the setting) via DCOM over the network to request new indexing jobs. This increases network and DMS utilization. Additionally, the server must be configured so that it supports the polling settings of the clients. Depending on the system, further configuration changes may become necessary.
The user and group adjustment with the windream Management Console cannot be executed on a client with the polling setting; it requires the extension of the DCOM limits. If problems occur, please contact the windream GmbH hotline.

Extending the access permissions for ANONYMOUS

1. Open the Component Services console by selecting Run from the Start menu and entering the command dcomcnfg.
2. In the Component Services console, click Component Services and expand the folder structure until My Computer is displayed (example: Console Root > Component Services > Computers > My Computer).

Figure 10: Windows component services, My Computer

3. Highlight the entry My Computer and open its properties with a right mouse click.
4. Switch to the COM Security tab page in the dialog box My Computer Properties.
Figure 11: DCOM configuration, COM security

5. Under Access Permissions, click the Edit Limits button.
Figure 12: COM security, extending the ANONYMOUS LOGON permissions

6. Highlight the entry ANONYMOUS LOGON in the list of user and group names and enable the Remote Access right (Allow).
7. Confirm the entry with OK and close all windows.

Important notes on firewall settings with cluster installations

Clusters are synchronized and administered via DCOM. If the firewall settings only release the windream ports, the cluster will break, because its nodes can no longer synchronize. The DCOM communication between the cluster nodes (port 135 and the DCOM port range) must therefore remain permitted in addition to the windream ports. Further information on this topic can be found in the documentation provided by Microsoft and at:

http://technet2.microsoft.com/windowsserver/en/library/252262df-acd5-484d-b7b3-80ffe0d9d1b21033.mspx
http://support.microsoft.com/kb/826154
http://support.microsoft.com/kb/154596/en-us
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndcom/html/msdn_dcomfirewall.asp
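The following script is an added example and is not part of the windream documentation. It is a read-only check for the setting made in "Extending the access permissions for ANONYMOUS": it decodes the machine-wide DCOM access limits (what "Edit Limits" on the COM Security tab edits) and reports whether ANONYMOUS LOGON has Remote Access, so the widened limit can be verified on the clients that need the DMS-service events and found on those that do not. It assumes the limits are stored as a binary security descriptor in the registry value HKLM\SOFTWARE\Microsoft\Ole\MachineAccessRestriction and that the Remote Access right corresponds to the COM_RIGHTS_EXECUTE_REMOTE bit (0x4) of the Windows SDK; the SID S-1-5-7 is the well-known SID of ANONYMOUS LOGON. If the value is absent, the Windows defaults apply and the dialog in dcomcnfg is the place to check.

```powershell
<#
Added example, not part of the windream documentation: read-only check of the
DCOM access limits for the ANONYMOUS LOGON Remote Access right. Assumed:
MachineAccessRestriction holds a self-relative security descriptor and 0x4 is
COM_RIGHTS_EXECUTE_REMOTE (Windows SDK). Run as a user who can read HKLM.
#>
$AnonymousLogonSid      = 'S-1-5-7'
$ComRightsExecuteRemote = 0x4

function Get-DcomAccessLimitDacl {
    # Returns the DACL of the machine access limits, or $null if the value has
    # never been set (then the Windows defaults apply; see dcomcnfg).
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction Stop
    $raw = $ole.MachineAccessRestriction
    if (-not $raw) { return $null }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList ([byte[]]$raw), 0
    return $sd.DiscretionaryAcl
}

function Test-AnonymousRemoteAccess {
    # $true  : an Allow entry for S-1-5-7 carries the Remote Access bit
    # $false : the limit is set but does not grant it
    # $null  : the limit is not set at all (defaults apply)
    $dacl = Get-DcomAccessLimitDacl
    if ($null -eq $dacl) { return $null }
    foreach ($ace in $dacl) {
        if ($ace -is [System.Security.AccessControl.CommonAce] -and
            $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
            $ace.SecurityIdentifier.Value -eq $AnonymousLogonSid -and
            ($ace.AccessMask -band $ComRightsExecuteRemote) -ne 0) {
            return $true
        }
    }
    return $false
}

function Get-AccountName {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    # Resolve to a readable name where possible, otherwise keep the SID.
    try { return $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { return $Sid.Value }
}

# Report every entry, not only ANONYMOUS LOGON: these limits are the maximum
# any COM server on this machine may grant, so the whole list is worth review.
$dacl = Get-DcomAccessLimitDacl
if ($null -eq $dacl) {
    'MachineAccessRestriction is not set: Windows defaults apply.'
} else {
    foreach ($ace in $dacl) {
        $who = Get-AccountName -Sid $ace.SecurityIdentifier
        '{0,-32} {1,-14} mask=0x{2:X}' -f $who, $ace.AceType, $ace.AccessMask
    }
}
'ANONYMOUS LOGON remote access allowed: {0}' -f (Test-AnonymousRemoteAccess)
```

Run it on a client after step 7 above to confirm the change took effect, and on clients that have been switched to "Polling" to confirm that the machine-wide limit was not widened unnecessarily; the mask printed for each entry shows the raw COM rights, so Local Access (0x2) and Remote Access (0x4) can be told apart.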