Windows Server Firewall Configuration



Contents

Windows Server Firewall
Cisco Firewall Configuration Utility Prerequisites
Run Cisco Firewall Configuration Utility
Verify New Windows Firewall Settings
Windows Server Firewall Communication with Active Directory
CiscoICMfwConfig_exc.xml File
Windows Firewall Troubleshooting

Windows Server Firewall

Windows Server 2008 R2 includes Windows Firewall. Windows Firewall is a stateful host firewall that drops all unsolicited incoming traffic. This behavior provides some protection from malicious users and programs that rely on unsolicited incoming connections to attack computers. More information can be found in the Microsoft Windows Firewall Operations Guide at http://technet.microsoft.com/en-us/library/cc739696(ws.10).aspx. If you are using IPsec, consult the Microsoft TechNet article Managing IPSec and Multicast Settings at http://technet.microsoft.com/en-us/library/cc779589(ws.10).aspx.

Windows Firewall is disabled by default on systems that have been upgraded to SP1. Systems with a new installation of Windows Server 2008 R2 have Windows Firewall enabled by default.

When you enable Windows Firewall on your servers, open all ports that the Unified ICM/Unified CCE components require. Cisco provides a utility that automatically allows all traffic from Unified ICM/Unified CCE applications on Windows Server 2008 R2. The utility can also open ports for common third-party applications used in the Unified ICM/Unified CCE environment. The script reads the list of ports in the file %SYSTEMDRIVE%\CiscoUtils\FirewallConfig\CiscoICMfwConfig_exc.xml and uses the directives in that file to modify the firewall settings.

The utility allows all traffic from Unified ICM/Unified CCE applications by adding the relevant applications to the list of excepted programs and services. When an excepted application runs, Windows Firewall monitors the ports on which the program listens and automatically allows inbound traffic to those ports. A program exception is therefore broader than a port exception: it admits traffic to any port the program opens, so keep program exceptions limited to the Unified ICM/Unified CCE executables and use port exceptions for everything else.

The script can also allow traffic for third-party applications by adding the application port number to the list of excepted traffic. Edit the CiscoICMfwConfig_exc.xml file to enable these ports.

Ports/services enabled by default:
- 80/TCP and 443/TCP - HTTP/HTTPS (when IIS or Tomcat [for Web Setup] is installed)
- Microsoft Remote Desktop
- File and Print Sharing exception (refer to the Microsoft TechNet article Enable or disable the File and Printer Sharing exception at http://technet.microsoft.com/en-us/library/cc728347(ws.10).aspx)

Optional ports you can open:
- 5900/TCP - VNC
- 5800/TCP - Java Viewer
- 21800/TCP - Tridia VNC Pro (encrypted remote control)
- 5631/TCP and 5632/UDP - pcAnywhere

You can edit the XML file to add port-based exceptions outside this list.

Cisco Firewall Configuration Utility Prerequisites

You must install the following software before using the firewall configuration utility:
1 Windows Server 2008 R2 SP1 or higher
2 Unified ICM/CCE components

If you install any more components after configuring Windows Firewall, reconfigure Windows Firewall. This process involves removing the previous configuration (see Undo Firewall Settings) and rerunning the Windows Firewall configuration utility.

Run Cisco Firewall Configuration Utility

You can run the Cisco Firewall Configuration Utility either from the command line or from the Unified Contact Center Security Wizard.

If you attempt to run this utility from a remote session, such as VNC, you can be locked out after the firewall starts. If possible, perform any firewall-related work at the computer console, because network connectivity can be severed for some remote applications.

Use the Cisco Firewall Configuration Utility on each server running a Unified ICM component. To use the utility, follow these steps:

Step 1 Stop all application services.
Step 2 From a command prompt, on Windows Server 2008, run cscript %SYSTEMDRIVE%\CiscoUtils\FirewallConfig\CiscoICMfwConfig.vbe, or, on Windows Server 2008 R2, run %SYSTEMDRIVE%\CiscoUtils\FirewallConfig\ConfigFirewall.bat.
Step 3 When you first run the script, it runs register.bat (Windows Server 2008) or configfirewall.bat (Windows Server 2008 R2) and then asks you to rerun the application using the same command. Rerun the script if instructed to do so.
Note: On a Windows Server 2008 system, the script might not recognize that you already ran it. If this happens, manually run register.bat from the command line.
Step 4 After you run the script, a confirmation dialog box appears. Click OK. The script verifies that the Windows Firewall service is installed and starts the service if it is not running. The script then updates the firewall with the ports and services specified in the file %SYSTEMDRIVE%\CiscoUtils\FirewallConfig\CiscoICMfwConfig_exc.xml.
Step 5 Reboot the server.

Related Topics: Example of Windows Firewall Configuration Panels

Verify New Windows Firewall Settings

You can verify that the Unified ICM components and ports have been added to the Windows Firewall exception list by following these steps:

Step 1 Choose Start > Settings > Control Panel > Windows Firewall, or, on Windows Server 2008 R2, choose Administrative Tools > Windows Firewall with Advanced Security. The Windows Firewall dialog box appears.
Step 2 Click the Exceptions tab, or, on Windows Server 2008 R2, the Inbound Rules and Outbound Rules nodes.
Step 3 Scroll through the list of excepted applications. Several Unified ICM executables now appear on the list, as well as any ports or services defined in the configuration file.
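The verification above is a manual scroll through the rule list. The following script is an added example, not part of the Cisco document or its utility: it reads the port entries from CiscoICMfwConfig_exc.xml and reports, for each one, whether an enabled inbound Allow rule in Windows Firewall covers it. Windows Server 2008 R2 ships PowerShell 2.0 without the NetSecurity module (Get-NetFirewallRule arrived with Server 2012), so the rule list is obtained by parsing the output of netsh advfirewall, which assumes an English-language system. The XML layout <Ports><Port Number=".." Protocol=".." Name=".."/></Ports> is an assumption generalised from the single <Port> element shown in the CiscoICMfwConfig_exc.xml section of this chapter, and Number is assumed to hold a single port.

```powershell
# Added example (not Cisco's code): check that every <Port> in CiscoICMfwConfig_exc.xml
# is covered by an enabled inbound Allow rule, using netsh output (PowerShell 2.0 safe).
# ASSUMPTION: XML layout <Ports><Port Number=".." Protocol=".." Name=".."/></Ports>.

$DefaultXmlPath = "$env:SYSTEMDRIVE\CiscoUtils\FirewallConfig\CiscoICMfwConfig_exc.xml"

function Get-ExpectedPorts {
    param([string]$Path = $DefaultXmlPath)
    [xml]$doc = Get-Content -Path $Path
    foreach ($p in $doc.SelectNodes('//Ports/Port')) {
        New-Object PSObject -Property @{
            Number   = [string]$p.GetAttribute('Number')
            Protocol = ([string]$p.GetAttribute('Protocol')).ToUpper()
            Name     = [string]$p.GetAttribute('Name')
        }
    }
}

function Get-InboundAllowRules {
    # netsh prints one "Key: value" block per rule; every block starts with "Rule Name:".
    $rules = @(); $cur = $null
    foreach ($line in (netsh advfirewall firewall show rule name=all dir=in)) {
        if ($line -match '^Rule Name:\s*(.*)$') {
            if ($cur) { $rules += $cur }
            $cur = @{ Name = $Matches[1].Trim() }
        } elseif ($cur -and $line -match '^([A-Za-z ]+):\s*(.*)$') {
            $cur[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    if ($cur) { $rules += $cur }
    $rules | Where-Object { $_['Enabled'] -eq 'Yes' -and $_['Action'] -eq 'Allow' }
}

function Test-PortCovered {
    # True when the parsed rule admits $Port/$Protocol. LocalPort may be "Any",
    # a single port, a range "a-b", or a comma list of those.
    param([hashtable]$Rule, [string]$Protocol, [int]$Port)
    if ($Rule['Protocol'] -ne $Protocol -and $Rule['Protocol'] -ne 'Any') { return $false }
    $lp = $Rule['LocalPort']
    if ($lp -eq 'Any') { return $true }
    foreach ($item in ($lp -split ',')) {
        $item = $item.Trim()
        if ($item -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($item -match '^\d+$' -and [int]$item -eq $Port) { return $true }
    }
    return $false
}

function Test-FirewallCoverage {
    param([string]$Path = $DefaultXmlPath)
    $rules = @(Get-InboundAllowRules)
    foreach ($exp in (Get-ExpectedPorts -Path $Path)) {
        $covering = @($rules | Where-Object { Test-PortCovered -Rule $_ -Protocol $exp.Protocol -Port ([int]$exp.Number) })
        New-Object PSObject -Property @{
            Port    = "$($exp.Number)/$($exp.Protocol)"
            Name    = $exp.Name
            Covered = ($covering.Count -gt 0)
            Rules   = (($covering | ForEach-Object { $_['Name'] }) -join '; ')
        }
    }
}

Test-FirewallCoverage | Format-Table Port, Name, Covered, Rules -AutoSize
```

Rows with Covered = False after a run of the utility mean the XML entry did not produce a rule (or the rule was created disabled), which is the case to investigate before assuming the firewall is the cause of an application problem. Program-based exceptions show up with LocalPort "Any" and Protocol "Any", so a port can be reported as covered by a program rule rather than by a dedicated port rule; the Rules column tells you which.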

Windows Server Firewall Communication with Active Directory

Open the ports that the domain controllers (DCs) use for LDAP and the other protocols listed in Table 1 to ensure that Active Directory can communicate through your firewall. Consult the Microsoft Knowledge Base article KB179442 for important information about configuring a firewall for domains and trusts.

To establish secure communications between DCs and Unified ICM services, define the following ports as outbound and inbound exceptions on the firewall:
- Ports that are already defined (the well-known ports in Table 1)
- Variable ports (high ports) for use with Remote Procedure Calls (RPC)

Because RPC high ports are allocated dynamically, the procedures below pin FRS, Active Directory replication and the general RPC range to fixed ports, so that the firewall exceptions can stay narrow instead of opening the whole ephemeral range.

Domain Controller Port Configuration

Define the following port settings on all DCs within the demilitarized zone (DMZ) that can replicate to external DCs, and on all DCs in the domain.

Restrict FRS Traffic to a Specific Static Port

Consult Microsoft Knowledge Base article KB319553 for more information about restricting File Replication Service (FRS) traffic to a specific static port.

Step 1 Start Registry Editor (regedit.exe).
Step 2 Locate and then click the following key in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters
Step 3 Add the following registry value:
  Type: REG_DWORD
  Name: RPC TCP/IP Port Assignment
  Value: 10000 (decimal)

Restrict Active Directory Replication Traffic to a Specific Port

Consult Microsoft Knowledge Base article KB224196 for more information about restricting Active Directory replication traffic to a specific port.

Step 1 Start Registry Editor (regedit.exe).
Step 2 Locate and then click the following key in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Step 3 Add the following registry value:
  Type: REG_DWORD
  Name: TCP/IP Port
  Value: 10001 (decimal)

Configure Remote Procedure Call (RPC) Port Allocation

Consult Microsoft Knowledge Base article KB154596 for more information about configuring RPC port allocation.

Step 1 Start Registry Editor (regedit.exe).
Step 2 Locate and then click the following key in the registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
Step 3 Add the Internet key.
Step 4 Add the following registry values under the Internet key:
  Ports: REG_MULTI_SZ: 10002-10200
  PortsInternetAvailable: REG_SZ: Y
  UseInternetPorts: REG_SZ: Y

The NTFRS, NTDS and RPC settings are read when the services start, so reboot each DC after making these changes.

Windows Firewall Ports

Consult Microsoft Knowledge Base article KB179442 for a detailed description of the ports that are used to configure a firewall for domains and trusts.

Table 1: Windows Server 2008 R2 Firewall Ports

Server Port      Transport   Protocol       Service
135              TCP         RPC            RPC Connector Helper (machines connect to determine which high port to use)
137              UDP         NetBIOS        Name
138              UDP         NetBIOS        NetLogon and Browsing
139              TCP         NetBIOS        Session
123              UDP         NTP
389              TCP/UDP     LDAP
636              TCP         LDAP           SSL
3268             TCP         LDAP           GC
3269             TCP         LDAP           GC SSL
42               TCP         WINS           Replication
53               TCP/UDP     DNS
88               TCP/UDP     Kerberos
445              TCP         SMB over IP    Microsoft-DS
10000            TCP         RPC            NTFRS (static port set above)
10001            TCP         RPC            NTDS (static port set above)
10002 to 10200   TCP         RPC            Dynamic high open ports (range set above)
-                ICMP        ICMP

Test Connectivity

To test connectivity and show the FRS configuration in Active Directory, use the Ntfrsutl tool. From the command line, run the Windows File Replication utility: ntfrsutl version <server_name>. When communications between the domain controllers are configured properly, the Ntfrsutl output shows the FRS configuration in Active Directory.
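The following script is an added example and is not part of the Cisco document. It serves the three registry procedures above and the connectivity checks: Set-StaticRpcPorts writes the NTFRS, NTDS and RPC\Internet values with the port numbers this chapter uses (10000, 10001, 10002-10200) and reads them back so the result can be compared across DCs, and Test-DcTcpPorts probes the TCP rows of Table 1 on a peer DC with a timed connect. The probe distinguishes FILTERED (no answer, which is what a firewall drop looks like) from CLOSED (an RST came back, so the path is open but nothing is listening). The UDP rows (137, 138, 123 and the UDP side of 53, 88 and 389) cannot be confirmed by a TCP connect; use Portqry for those, as the next section describes. The script assumes an elevated PowerShell 2.0 or later session on Windows Server 2008 R2, and the target host name is supplied by the operator.

```powershell
# Added example (not Cisco's code). Part 1 applies the static-port registry
# settings from this chapter; part 2 probes the TCP ports of Table 1 on a DC.
# Run elevated; reboot after part 1 because NTFRS/NTDS read the values at start.

$FrsPort  = 10000          # NTFRS static RPC port (KB319553)
$NtdsPort = 10001          # NTDS replication static port (KB224196)
$RpcRange = '10002-10200'  # RPC dynamic range (KB154596)

function Set-RegValue {
    param([string]$Key, [string]$Name, $Value, [string]$Type)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # New-ItemProperty -Force overwrites and sets the type explicitly.
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Set-StaticRpcPorts {
    $frs  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters'
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $rpc  = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    Set-RegValue $frs  'RPC TCP/IP Port Assignment' $FrsPort     'DWord'
    Set-RegValue $ntds 'TCP/IP Port'                $NtdsPort    'DWord'
    Set-RegValue $rpc  'Ports'                      @($RpcRange) 'MultiString'
    Set-RegValue $rpc  'PortsInternetAvailable'     'Y'          'String'
    Set-RegValue $rpc  'UseInternetPorts'           'Y'          'String'
    # Read back so the change is verified rather than assumed.
    New-Object PSObject -Property @{
        NTFRS = (Get-ItemProperty $frs).'RPC TCP/IP Port Assignment'
        NTDS  = (Get-ItemProperty $ntds).'TCP/IP Port'
        Rpc   = (((Get-ItemProperty $rpc).Ports -join ',') + ' UseInternetPorts=' + (Get-ItemProperty $rpc).UseInternetPorts)
    }
}

# TCP rows of Table 1. The 10002-10200 range is omitted: a high port only
# listens once a service has been assigned it, so CLOSED there is normal.
$DcTcpPorts = @{ 135='RPC endpoint mapper'; 139='NetBIOS session'; 389='LDAP'; 636='LDAP SSL';
                 3268='LDAP GC'; 3269='LDAP GC SSL'; 42='WINS replication'; 53='DNS';
                 88='Kerberos'; 445='SMB (Microsoft-DS)'; 10000='NTFRS static'; 10001='NTDS static' }

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'FILTERED' }  # no reply: dropped
        $client.EndConnect($ar)          # throws SocketException when the peer answers with RST
        return 'OPEN'
    } catch [System.Net.Sockets.SocketException] {
        return 'CLOSED'
    } catch {
        return 'ERROR'                   # e.g. name resolution failure
    } finally {
        $client.Close()
    }
}

function Test-DcTcpPorts {
    param([Parameter(Mandatory=$true)][string]$Target)
    $icmp = Test-Connection -ComputerName $Target -Count 1 -Quiet
    New-Object PSObject -Property @{ Port='ICMP'; Service='echo'; Result=$(if ($icmp) { 'OPEN' } else { 'FILTERED' }) }
    foreach ($port in ($DcTcpPorts.Keys | Sort-Object)) {
        New-Object PSObject -Property @{ Port=$port; Service=$DcTcpPorts[$port]; Result=(Test-TcpPort -Target $Target -Port $port) }
    }
}

# Usage (host name is a placeholder):
#   Set-StaticRpcPorts | Format-List
#   Test-DcTcpPorts -Target dc2.example.internal | Format-Table Port, Service, Result -AutoSize
```

Run the probe from a Unified ICM server towards each DC it must reach, and from DC to DC for replication. A FILTERED result on 10000 or 10001 after the registry change and reboot means the firewall exception for the static port is missing on the far side; a CLOSED result means the port is reachable but the service has not bound it, which points at the registry value or the service rather than the firewall.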

Validate Connectivity

To validate connectivity between the domain controllers, use the Portqry tool. To obtain the Portqry tool, see the following Microsoft website: http://www.microsoft.com/en-us/download/details.aspx?id=17148.

Step 1 Download PortQryV2.exe and run the tool.
Step 2 Select the destination DC or PDC.
Step 3 Select Domains and Trusts.
Step 4 Use the response from PortQry to verify that the ports are open.

Consult Microsoft Knowledge Base article KB832919 for more information about PortQry features and functionality.

CiscoICMfwConfig_exc.xml File

The CiscoICMfwConfig_exc.xml file is a standard XML file that contains the list of applications, services, and ports that the Cisco Firewall Script uses to modify Windows Firewall so that the firewall works properly in the Unified ICM/Unified CCE environment. The file consists of three main parts:

Services: The services that are allowed access through the firewall.
Ports: The ports for the firewall to open. For 80/TCP and 443/TCP this setting is conditional on IIS being installed.
Applications: The applications that are not allowed access through the firewall. The script automatically excludes all the applications listed in the CiscoICMfwConfig_exc.xml file. The behavior of the Applications section is therefore the opposite of the other two sections: the Ports and Services sections allow access, whereas the Applications section denies access.

You can manually add more services or ports to the CiscoICMfwConfig_exc.xml file and rerun the script to reconfigure Windows Firewall. For example, to allow connections to your Jaguar server on port 9000 (CORBA), add a line in the <Ports> section to open port 9000 on Windows Firewall:

<Port Number="9000" Protocol="TCP" Name="CORBA" />

This change is only needed if remote Jaguar administration is required. In most cases, this change is not needed. On Windows Server 2008 R2, you can also use Windows Firewall with Advanced Security to add or deny the ports or applications directly.

The file lists some commonly used ports as XML comments. You can quickly enable one of these ports by moving its <Port> element out of the comment to a place before the </Ports> tag.

Windows Firewall Troubleshooting

The following notes and tasks can aid you if you have trouble with Windows Firewall.

Windows Firewall General Troubleshooting Notes

1 When you run the CiscoICMfwConfig application for the first time, run the application twice to successfully register FirewallLib.dll. In some cases, especially on a slower system, a delay is needed for the registration to complete.
2 If the registration fails, the .NET Framework might not be installed correctly. Verify that the following paths and files exist:
  %windir%\Microsoft.NET\Framework\v2.0.50727\regasm.exe
  %windir%\Microsoft.NET\Framework\v1.1.4322\gacutil.exe
3 Change %SYSTEMDRIVE%\CiscoUtils\FirewallConfig\Register.bat as necessary to match the environment.

Windows Firewall Interferes with Router Private Interface Communication

Problem: The MDS fails to connect from the Side-A router to the Side-B router on the private interface IP addresses (isolated) only when Windows Firewall is enabled.
Possible cause: Windows Firewall is preventing the application (mdsproc.exe) from sending traffic to the remote host on the private network.
Solution: Configure static routes on both the Side-A and Side-B routers for the private addresses (high and non-high).

Windows Firewall Shows Dropped Packets Without Unified CCE Failures

Problem: The Windows Firewall log shows dropped packets, but the Unified ICM and Unified CCE applications do not exhibit any application failures.
Possible cause: Windows Firewall logs traffic for the host when the traffic is not allowed or when no allowed application listens on that port.
Solution: Review the pfirewall.log file closely to determine the source and destination IP addresses and ports. Use netstat or TcpView to determine which processes listen and connect on which ports. A drop to a port with no local listener is usually scan or broadcast noise; a drop to a port that a Unified ICM process is listening on indicates a missing exception.

Undo Firewall Settings

You can use the firewall configuration utility to undo the last application of the firewall settings. You need the CiscoICMfwConfig_undo.xml file. The undo file is written only if the configuration completed successfully. If this file does not exist, manual cleanup is necessary using the Windows Firewall Control Panel applet.

To undo the firewall settings:

Step 1 Stop all application services.
Step 2 Open a command window by choosing Start > Run and entering CMD in the dialog box.
Step 3 Click OK.
Step 4 Enter the following command: cd %SYSTEMDRIVE%\CiscoUtils\FirewallConfig
Step 5 On Windows Server 2008 R2, enter UndoConfigFirewall.bat.
Step 6 Reboot the server.
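The "dropped packets without application failures" item above asks you to correlate pfirewall.log with netstat by hand. The following script is an added example, not part of the Cisco document: it parses the log's W3C header and DROP records, groups inbound drops by source, destination and port, and checks each destination port against the local listener table built from netstat -ano. A drop whose destination port has a live listener points at a missing exception for that process; a drop to a port nothing listens on is usually scan or broadcast noise. The sample log lines and listener snapshot at the bottom are constructed so the script runs offline; the real-server invocation is shown in the last comment. The log path is the Windows Firewall default and is an assumption if your policy sets another.

```powershell
# Added example (not Cisco's code): triage pfirewall.log DROP records against the
# local listener table, so drops are split into "listener present" and "noise".

$LogPath = "$env:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"   # default location

function Read-FirewallLog {
    # Parses the W3C-style log: the "#Fields:" header names the columns.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.*)$') { $fields = $Matches[1] -split '\s+'; continue }
        if ($line -match '^#' -or $line.Trim() -eq '' -or -not $fields) { continue }
        $vals = $line -split '\s+'
        $rec = @{}
        for ($i = 0; $i -lt $fields.Length -and $i -lt $vals.Length; $i++) { $rec[$fields[$i]] = $vals[$i] }
        New-Object PSObject -Property @{
            Time = "$($rec['date']) $($rec['time'])"; Action = $rec['action']; Protocol = $rec['protocol']
            SrcIp = $rec['src-ip']; DstIp = $rec['dst-ip']; DstPort = $rec['dst-port']; Path = $rec['path']
        }
    }
}

function Get-LocalListeners {
    # Returns a hashtable keyed "TCP:135" / "UDP:123" -> owning PID, from netstat -ano.
    $keys = @{}
    foreach ($line in (netstat -ano)) {
        if ($line -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)') { $keys["TCP:$($Matches[1])"] = $Matches[2] }
        elseif ($line -match '^\s*UDP\s+\S+:(\d+)\s+\*:\*\s+(\d+)')          { $keys["UDP:$($Matches[1])"] = $Matches[2] }
    }
    $keys
}

function Get-DropTriage {
    param([string[]]$LogLines, [hashtable]$Listeners)
    Read-FirewallLog -Lines $LogLines |
        Where-Object { $_.Action -eq 'DROP' -and $_.Path -eq 'RECEIVE' } |   # inbound drops only
        Group-Object Protocol, DstIp, DstPort, SrcIp |
        ForEach-Object {
            $first = $_.Group[0]
            $key = "$($first.Protocol):$($first.DstPort)"
            New-Object PSObject -Property @{
                Source      = $first.SrcIp
                Dest        = "$($first.DstIp):$($first.DstPort)/$($first.Protocol)"
                Count       = $_.Count
                ListenerPid = $Listeners[$key]
                Verdict     = $(if ($Listeners.ContainsKey($key)) { 'LISTENER PRESENT: add/verify exception' } else { 'no listener: likely noise' })
            }
        }
}

# Constructed sample: header plus three inbound drops (two to a port with a
# listener, one NetBIOS broadcast with no listener). Addresses are made up.
$SampleLog = @(
    '#Version: 1.5',
    '#Software: Microsoft Windows Firewall',
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path',
    '2015-03-02 09:15:01 DROP TCP 10.20.1.15 10.20.1.40 49832 40016 52 S 3143208 0 8192 - - - RECEIVE',
    '2015-03-02 09:15:03 DROP TCP 10.20.1.15 10.20.1.40 49833 40016 52 S 3143209 0 8192 - - - RECEIVE',
    '2015-03-02 09:15:07 DROP UDP 10.20.1.99 10.20.1.40 137 137 78 - - - - - - - RECEIVE'
)
$SampleListeners = @{ 'TCP:40016' = '2212'; 'TCP:3389' = '860' }   # constructed netstat snapshot

Get-DropTriage -LogLines $SampleLog -Listeners $SampleListeners |
    Format-Table Source, Dest, Count, ListenerPid, Verdict -AutoSize

# On a real server:
#   Get-DropTriage -LogLines (Get-Content $LogPath) -Listeners (Get-LocalListeners)
```

With the sample data the two TCP drops to port 40016 are reported with ListenerPid 2212 and the "listener present" verdict, while the single UDP 137 drop is reported as noise. On a live server, map the reported PID to its image with tasklist /fi "PID eq <pid>" before deciding whether the listener belongs to a Unified ICM component that needs an exception or to something that should stay blocked; the firewall log only tells you what was dropped, not whether the drop was correct.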
