DC: Configure the Windows Firewall policy

This procedure describes the steps for configuring the Windows Firewall policy in the domain so that Configuration Manager 2007 can install the client on managed systems using the Client Push installation method. Client Push connects from the site server to each target computer over file and printer sharing (the admin$ share) and RPC/WMI, so the firewall exceptions below only need to be opened towards the site server.

The policy settings differ between Windows XP SP2 (or later) clients and Windows XP SP1 or earlier clients. The Windows Firewall introduced in Windows XP SP2 has more configuration options than the Internet Connection Firewall of Windows XP SP1 and earlier, which can only be turned on or off; the scoped exceptions configured below therefore apply only to Windows XP SP2 or later.

Prerequisites

  • Active Directory and DNS server are installed and configured for the domain TECHREADY.RO.
  • Configuration Manager 2007 was installed in a Primary Site (Site Code = TRD).
  • Site Boundaries were correctly configured to include only the systems you want to manage.
  • The Discovery Methods were configured and have correctly discovered the systems in the current site.
  • The Site Systems were configured: Distribution Point, Management Point, Reporting Point, Software Update Point and Fallback Status Point.

Installation and Configuration

  1. Log on to the Domain Controller using the domain Administrator account.
  2. Launch the Group Policy Management console. Right-click the Default Domain Policy and select Edit.
  3. The Group Policy Object Editor will start. Expand Computer Configuration, Policies, Administrative Templates, Network, Network Connections, Windows Firewall, Domain Profile and select the policy Windows Firewall: Protect all network connections. (The Domain Profile is the one applied to domain-joined clients.)
  4. In the policy settings window select the Enabled option and click OK.
  5. In the Group Policy Object Editor select the policy Windows Firewall: Allow file and printer sharing exception.
  6. On the Setting tab select Enabled and enter the range of IP addresses from which remote administration will be allowed. This setting allows remote access to the Server service (the admin$ share used by Client Push). Limit the range to the site server's address rather than using *, which opens the exception to any address.
  7. In the Group Policy Object Editor select the policy Windows Firewall: Allow remote administration exception.
  8. On the Setting tab select Enabled and enter the range of IP addresses from which remote connections will be allowed. This setting allows remote access using RPC and WMI, which Client Push needs to create and start the ccmsetup service. Use the same restricted range as in the previous step.

The next policies apply to the Remote Desktop feature. They are not required for Client Push; they are configured here so that the managed systems can be administered remotely.

  1. In the Group Policy Object Editor select the policy Windows Firewall: Allow inbound Remote Desktop exceptions.
  2. On the Setting tab select Enabled and enter the range of IP addresses from which remote connections will be allowed. This setting allows remote access with Remote Desktop; scope it to the administrative workstations.

Note: The firewall exception alone is not enough; the systems must also be configured to accept Terminal Services (Remote Desktop) connections.

  1. In the Group Policy Object Editor expand Computer Configuration, Policies, Administrative Templates, Windows Components, Remote Desktop Services, Remote Desktop Session Host, Connections and select the policy Allow users to connect remotely…
  2. On the Setting tab select Enabled and click Apply. This setting allows remote access with Remote Desktop or Terminal Services.
  3. Close the Group Policy Object Editor.

To verify that the policy is applied correctly, restart a Windows XP SP2 or later workstation from the domain (or run gpupdate /force on it, then check the result).

  1. Log on to the workstation using an administrative account.
  2. From Control Panel, Security Center, open Windows Firewall. Observe that it is turned on and that the setting cannot be changed locally, because it is enforced by the domain policy.
  3. On the Exceptions tab observe the configured exceptions. Select File and Printer Sharing and click Edit.
  4. In the Edit a Service window observe the open ports and the fact that they cannot be edited. Click Cancel and then Cancel again.
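The same policy settings as the steps above, plus the client-side check, written as a script. This is an added example and not code from the original post: it writes the registry-based policy values that the Windows Firewall and Terminal Services administrative templates map to, using the GroupPolicy module (Windows Server 2008 R2 / RSAT or later, an assumption). The GPO name (the post's Default Domain Policy), the site server address 192.168.1.10 and the function names are assumptions; substitute your own.

```powershell
# Added example, not part of the original post. Run Set-ClientPushFirewallPolicy on the
# domain controller and Test-ClientPushFirewallPolicy on a client after gpupdate /force.
Import-Module GroupPolicy

# Registry-based policy keys behind the "Windows Firewall: ..." templates.
# The Domain Profile is the profile applied to domain-joined clients.
$FwBase = 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
$TsKey  = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Set-ClientPushFirewallPolicy {
    param(
        # The post edits the Default Domain Policy; a dedicated GPO linked only to the
        # OU of managed systems is the tighter choice, so the name is a parameter.
        [string]$GpoName = 'Default Domain Policy',
        # Assumed address of the TRD site server; '*' would open the exception to everyone.
        [string[]]$SiteServerAddresses = @('192.168.1.10'),
        # Addresses allowed to use Remote Desktop; empty leaves Remote Desktop closed.
        [string[]]$RemoteDesktopAddresses = @()
    )
    $scope = $SiteServerAddresses -join ','

    # "Protect all network connections" = Enabled
    Set-GPRegistryValue -Name $GpoName -Key $FwBase -ValueName 'EnableFirewall' -Type DWord -Value 1 | Out-Null

    # "Allow file and printer sharing exception": Server service / admin$ share for Client Push
    Set-GPRegistryValue -Name $GpoName -Key "$FwBase\Services\FileAndPrint" -ValueName 'Enabled' -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key "$FwBase\Services\FileAndPrint" -ValueName 'RemoteAddresses' -Type String -Value $scope | Out-Null

    # "Allow remote administration exception": RPC and WMI used to create and start ccmsetup
    Set-GPRegistryValue -Name $GpoName -Key "$FwBase\RemoteAdminSettings" -ValueName 'Enabled' -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key "$FwBase\RemoteAdminSettings" -ValueName 'RemoteAddresses' -Type String -Value $scope | Out-Null

    if ($RemoteDesktopAddresses.Count -gt 0) {
        $rdScope = $RemoteDesktopAddresses -join ','
        # "Allow inbound Remote Desktop exceptions", scoped to the administrative hosts
        Set-GPRegistryValue -Name $GpoName -Key "$FwBase\Services\RemoteDesktop" -ValueName 'Enabled' -Type DWord -Value 1 | Out-Null
        Set-GPRegistryValue -Name $GpoName -Key "$FwBase\Services\RemoteDesktop" -ValueName 'RemoteAddresses' -Type String -Value $rdScope | Out-Null
        # "Allow users to connect remotely..." = Enabled (fDenyTSConnections = 0)
        Set-GPRegistryValue -Name $GpoName -Key $TsKey -ValueName 'fDenyTSConnections' -Type DWord -Value 0 | Out-Null
    }

    # Read back what was written so the caller can confirm the scope before clients refresh
    Get-GPRegistryValue -Name $GpoName -Key "$FwBase\RemoteAdminSettings" -ValueName 'RemoteAddresses'
}

function Test-ClientPushFirewallPolicy {
    # Run on a client: reads the policy keys that Group Policy has delivered and warns
    # about exceptions that are open to any address ('*').
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
    $read = { param($sub, $name)
        (Get-ItemProperty -Path "$base$sub" -ErrorAction SilentlyContinue).$name }

    $result = [ordered]@{
        FirewallEnforced   = (& $read '' 'EnableFirewall') -eq 1
        FileAndPrintScope  = & $read '\Services\FileAndPrint' 'RemoteAddresses'
        RemoteAdminScope   = & $read '\RemoteAdminSettings' 'RemoteAddresses'
        RemoteDesktopScope = & $read '\Services\RemoteDesktop' 'RemoteAddresses'
    }
    if (-not $result.FirewallEnforced) { Write-Warning 'Firewall is not enforced by policy; policy may not have applied yet' }
    foreach ($k in 'FileAndPrintScope', 'RemoteAdminScope', 'RemoteDesktopScope') {
        if ($result[$k] -eq '*') { Write-Warning "$k allows any address; scope it to the site server" }
    }
    [pscustomobject]$result
}

# Example calls (assumed addresses):
# Set-ClientPushFirewallPolicy -SiteServerAddresses '192.168.1.10' -RemoteDesktopAddresses '192.168.1.0/24'
# Test-ClientPushFirewallPolicy   # on a client, after gpupdate /force
```

On the client, `netsh firewall show config` shows the same effective state as the Windows Firewall applet in the verification steps above, including the remote address scope of each exception.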