Firewall Rules for CVP

Similar Messages

• Firewall rule for Novell Client

  My company recently purchased McAfee Desktop Firewall and I'm trying to
  configure the rules prior to deployment but I'm having trouble getting
  the Novell Client to cooperate. I've tried having the firewall "learn"
  the client, addresses, ports, protocols, etc. but have had no luck.
  My company is running a mix of Win2k/XP computers as well as Win95/98
  computers so any assistance in creating a firewall rule to allow the
  clients to log in is greatly apprecaited.
  Thanks!
  Ash

  Excellent, thanks!!
  > For NetWare connectivity over IP, you need ports TCP,UDP 524 and 427
  > which are NCP over IP and SLP.
  >
  >
  > --
  > Edison Ortiz
  > Novell Product Support Forum SysOp
  > (No Email Support, Thanks !)

• Firewall rules for a IPSec Tunnel mode connection

  I'm using Windows 7 Embedded with a Tunnel mode IPSec Connection. Are firewall rules applied before the traffic is decrypted or after? In other words, will I be able to apply firewall rules to allow only certain application traffic within the tunnel? Any
  KB article would be appreciated.
  Thanks,

    When VPN traffic comes through the firewall it is still encrypted and encapsulated. The firewall will only see the data in the container, not the encrypted payload. So the short answer is no.
  Bill

• Firewall Rules for Printing and Scanning through Windows Firewall

  Hello,
  I am having trouble determining the Ports, Programs, and Services required for printing and scanning with my AIO.
  I am using Windows Firewall in Windows 7, and am only allowing certain rules in and out.
  I know the firewall is the problem, for when I disable it, everything works fine.
  Which rules are required for printing and scanning through the firewall?

  4th Bump,
  Is there anyone who can help me with this?
  As I said before, other printer manufacturers such as Lexmark and Brother provide this exact information.
  Why doesn't hp have a document for this? Does everyone just disable their firewall or open every port?

• Firewall rules for JCo ?

  Hi,
  Can you tell me the necessary filewall rules JCo needs for communication with R/3 ?
  Thanks
  Michael

  Hello Michael,
  if you connect directly to an application Server the only Port you have to open is 32 + System Number. If you connect via load Balancing you also have to open the Message Server Port. I think it is 33 + System Number. You can find this ports when you use Ethereal on your development Computer and run the JCo Program.
  Regards
  Gregor

• ISE 1.1.1 firewall rules distributed deployment

  My question is in reference to the following link:
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_app_e-ports.html
  Basically I am struggling in some areas to work out my firewall rules for a distributed deployment. The referenced documentation is not entirely clear in my opinion. In some instances it is easy to work out what ports need to be opened eg Admin node TCP 22,80,443 for management from administrator hosts/ranges. In other instances it difficult to work out eg TCP 1521 Database listener and AQ is this for ISE nodes only or for access devices aswell
  My question is whether there is a better document that details these requirements. What rules are meant to be ISE node - ISE node communications and which rules are for access device - ISE, or ISE - access device. One of the rules I am pretty confused about is the PSN CoA ports. SHould the rule be WLC - PSN on 1700 and 3799 or is it the otherway round or unidirectional?
  I am pretty sure that the ports are meant to be ISE-ISE in most instances barring the PSN for Radius and CoA.

  Try this for size.
  In answer to the specific CoA question, I see no need for the WLC to send CoA to PSN, so just PSN to WLC as far as I can see.
  You might be able to cut this list down, and you might have to add to it for any specific requirements.
  From PSN to AD (potentially all AD nodes):
  TCP 389, 3268, 445, 88, 464
  UDP 389, 3268
  From PSN to Monitoring nodes:
  TCP 443
  UDP 20514
  PSN to Admin Nodes (2Way):
  TCP 443, 1521
  ICMP echo and reply (heartbeat)
  WLC to PSN:
  TCP 443, 8443, 80, 8080
  UDP 1645, 1646, 1812, 1813, 1700, 3799, 161, 162, 9993, 67
  PSN to other PSN’s (2 way)
  UDP 30514, 45588, 45990
  Endpoint (Laptop) to PSN (Guest laptops just need to get to external PSN’s, internal users just to internal PSN’s)
  TCP 8443, 8905
  UDP 8905
  Admin/Sponsor to all ISE nodes:
  TCP 22, 80, 443, 8080, 8443
  UDP 161
  PSN access to DNS servers:
  TCP/UDP 53
  PSN access to NTP servers:
  UDP 123

• LAN side firewall settings for Direct Access (Windows Server 2012 R2) in DMZ?

  I am currently planning to set up our first Direct Access server (Windows Server 2012 R2). I will be in our firewall DMZ and we will be using the IP-HTTPS listener.
  For the Internet facing rule only TCP 443 inbound/outbound is sufficient but for the LAN facing rules (not talking about the Windows server firewall) what would be the recommended firewall rules for a Direct Access server? Is there a best practice guideline
  to follow for this? Appreciate any advice or comments. Thank you.

  Hi Barkley
  Please see this Technet Link which will backup your requirements - https://technet.microsoft.com/en-gb/library/jj574101.aspx
  Section Reads - 
  When using additional firewalls, apply the following internal network firewall exceptions for Remote Access traffic:
  ISATAP—Protocol 41 inbound and outbound
  TCP/UDP for all IPv4/IPv6 traffic
  Also another link from http://www.ironnetworks.com/blog/directaccess-network-deployment-scenarios#.VO3tfvmsVrU
  "I have had a number of conversations with security administrators and network architects who have expressed a desire to place the DirectAccess server between two firewalls (firewall sandwich) in order to explicitly control access from the DirectAccess
  server to the internal corporate network. While at first this may sound like a sensible solution, it is often quite problematic and, in my opinion, does little to improve the overall security of the solution. Restricting network access from the DirectAccess
  server to the internal LAN requires so many ports to be opened on the inside firewall that the benefit of having the firewall is greatly diminished. Placing the DirectAccess server’s internal network interface on the LAN unrestricted is the best configuration
  in terms of supportability and provides the best user experience."
  Kindest Regards
  John Davies
  Thank for your reply and information John. I find it somewhat disappointing that Microsoft does not provide much more in the way of documentation and information regarding this topic. I required more information to show to our security team so they will allow
  us to have the internal facing NIC not have more restrictive rules in place as it is a security concern.

• Add firewall rule with custom environment variable in program path

  Hi,
  We want to create a firewall rule for a program which is placed in folder which changes sometimes. I know you can add a firewall with the ProgramFiles environment variable like this:
  netsh advfirewall firewall add rule name="Test Firewall rule" dir=in program="%%ProgramFiles%%\Test\Test.exe" action=allow security=notrequired
  The environment variable ProgramFiles isn't expanded and if the Program Files folder is different on a system the rule still works.
  We try to use this with a custom environment variable which we set a system environment variable with this command:
  SETX SomeFolder "D:\Some Folder\Apr 2015" /M
  If we use the command below to add the firewall rule in a batch file the environment variable SomeFolder is expanded correctly and the program path is added as a static path.
  netsh advfirewall firewall add rule name="Some Firewall Rule" dir=in program="%SomeFolder%\AFile.exe" action=allow security=notrequired
  Because the folder changes sometimes we want to change the environment variable SomeFolder and not remove the old firewall rule and create a new one. We want to add the environment variable SomeFolder to the program path as a (dynamic) environment variable
  and not as the expanded path at the moment when the rule is added. If we use this command:
  netsh advfirewall firewall add rule name="Some Firewall Rule" dir=in program="%%SomeFolder%%\AFile.exe" action=allow security=notrequired
  We get the error:
            Windows Firewall with Advanced Security
            An error occurred while adding the rule.
            Error: The parameter is incorrect
            Status: The application name could not be resolved
            OK   
  Why can't we use %%SOMEFOLDER%% like we can use %%PROGRAMFILES%%? The same error is shown when we try to add the firewall rule through the management console 'Windows Firewall with Advanced Security'
  W. Spu

  Hi,
  Based on my plenty of test with this problem, it seems like there is no better method to achieve your requirement. To add new policy to firewall, it would be better using general cmdlet. The path parameter like %%SomeFolder%% do have problem in add firewall
  policy cmdlet. 
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• What Specific Firewall Rules are Needed for the DPM Server?

  Hello,
  We want to confirm which firewall ports need to be opened on the DPM server (not protected servers) for all DPM processes, so that we can set these rules in group policy. Below are what we
  think are the needed rules. Note that we have rules for both new DPM 2012 installs and upgrades from DPM 2010 to 2012, since these use different program paths.
  Rule Name
  Program Path
  Protocol
  Local Port
  DPM 2012 DCOM Port
  Any
  TCP
  135
  DPM 2012 AM Port
  Any
  TCP
  6075
  DPM 2012 RTM Agent Coordinator
  C:\Windows\Microsoft Data Protection Manager\DPM\ProtectionAgents\AC\4.0.1908.0\dpmac.exe
  Any
  Any
  DPM 2012 SP1 Agent Coordinator
  C:\Windows\Microsoft Data Protection Manager\DPM\ProtectionAgents\AC\4.1.3313.0\dpmac.exe
  Any
  Any
  DPM 2012 R2 Agent Coordinator
  C:\Windows\Microsoft Data Protection Manager\DPM\ProtectionAgents\AC\4.2.1205.0\dpmac.exe
  Any
  Any
  DPM 2012 AM Service Host (New Install
  %ProgramFiles%\Microsoft System Center 2012\DPM\DPM\bin\AMSvcHost.exe
  Any
  Any
  DPM 2012 AM Service Host (Upgrade Install)
  %ProgramFiles%\Microsoft DPM\DPM\bin\AMSvcHost.exe
  Any
  Any
  DPM 2012 DPM AM Service (New Install)
  %ProgramFiles%\Microsoft System Center 2012\DPM\DPM\bin\DPMAMService.exe
  Any
  Any
  DPM 2012 DPM AM Service (Upgrade Install)
  %ProgramFiles%\Microsoft DPM\DPM\bin\DPMAMService.exe
  Any
  Any
  DPM 2012 MSDPM (New Install)
  %ProgramFiles%\Microsoft System Center 2012\DPM\DPM\bin\msdpm.exe
  Any
  Any
  DPM 2012 MSDPM (Upgrade Install)
  %ProgramFiles%\Microsoft DPM\DPM\bin\msdpm.exe
  Any
  Any
  DPM 2012 DPMRA (New Install)
  %ProgramFiles%\Microsoft System Center 2012\DPM\DPM\bin\DPMRA.exe
  Any
  Any
  DPM 2012 DPMRA (Upgrade Install)
  %ProgramFiles%\Microsoft DPM\DPM\bin\DPMRA.exe
  Any
  Any
  Questions:
  Are any of these rules not needed?
  We know the Agent Coordinator rules are needed on protected servers. Are they also needed on the DPM server (including if we use secondary DPM servers)?
  The DPM Configuring Firewalls TechNet page says DCOM uses TCP 135 and the RPC Dynamic ports. Does that mean we also need a rule that opens all TCP RPC Dynamic ports for
  any program? Or is this not necessary since we have rules for msdpm.exe and dpmra.exe? Reference:
  http://technet.microsoft.com/en-us/library/hh757794
  What other rules may be missing, if any?
  Note that we do not include rules for ports 53 (DNS), 88 (Kerberos), 389 (LDAP), 137-139 & 445 (NetBIOS) because we already open these ports in other group policy objects.
  Also, the below forums post says two exceptions for SQL Server are needed on the DPM server to allow the Remote Administrator console to work. Is there any documentation in the DPM TechNet site on these rules?
  http://social.technet.microsoft.com/Forums/en-US/aa88fd00-6836-46d3-8a93-edb487109118/dpm-2012-remote-administration?forum=dataprotectionmanager
  Thanks,
  -Taylorbox

  Does anyone have any comments on this post? We would especially appreciate some input from Microsoft reps to help us ensure we're setting up the correct firewall rules.
  Thanks,
  -Taylorbox

• Ports for Firewall rules

  Hi,
  can anybody point out which ports are to be opened on firewalls ?
  Im am using a SunMC 4.0 server/console/agent on a v240 and need to monitor systems located behind firewalls.
  Also NATing is involved.
  I would like to know which ports I have to open from agents to server (and vice versa) and from server to java-console on a PC (and vice versa)

  Hi,
  You need to open firewall ports from 161-168. Also take a look at /var/opt/SUNWsymon/cfg/domain-config.x and make sure to open any ports within the "snmpPort" line of that file.
  Take a look at this post on how to configure firewall ports for console to server communication: [http://forums.halcyoninc.com/showthread.php?t=7]
  If you still have problems with adding the agents, you can take a look at the following post on troubleshooting agent icon creation: [http://forums.halcyoninc.com/showthread.php?t=92]
  If you are using agents in NAT mode, it may not work very well as alarms would not show in the alarms tab. Please take a look at the following posts regarding this issue:
  [http://forums.halcyoninc.com/showthread.php?t=186]
  [http://forums.sun.com/thread.jspa?forumID=854&threadID=5363460]
  Pegah Garousi, Halcyon Monitoring Solutions
  [email protected]
  http://www.HalcyonInc.com

• How to reload firewall rules from command line on firewall ?

  Hi all,
  I am trying to create script that controls firewall on server. OS version is OS X Server 10.5.6.
  Part of firewall rules is created using firewall admin tools, part of Server Admin Tools. My first question is where are those rules stored permanently ? As far as I understood it should be set of ipfw rules but they are not stored in /etc/ipfilter/ipfw.conf.
  Idea of script is this:
  I have set of rules that should be controlled by Server Admin Tools.
  Also, I have some dynamic rules.
  Whenever some change occurs, I created script that does following:
  /sbin/ipfw -f flush - to flush all existing rules
  /sbin/serveradmin stop ipfilter - to stop existing firewall
  /sbin/serveradmin start ipfilter - to restart firewall and reload permanent rules
  Add my set of rules...
  After flushing all rules and issuing stop and start ipfilter none of rules set through Server Admin Tools are not reloaded. So how should I reload them ? How to save them permanently in the first place ?
  Please note that I do not have access to server (for security reasons). I am developing script on my Mac, sending to client and he tests it. So I cannot do a lot of testing.
  Thank you in advance.
  Best regards,
  Dusan

  Unix and Terminal queries are best posted to the Unix forum under OS X Technologies where those mavens frolic.

• 0x8007000e (E_OUTOFMEMORY) while adding a firewall rule using the windows firewall COM API

  Hello,
  Configuration: Windows Embedded 8 64-bit.
  I'm using the Windows Firewall with Advanced Security COM API. The program uses the INetFwRules interface. Basically, I'm using the following code (Form the code sample available here : http://msdn.microsoft.com/en-us/library/windows/desktop/dd339604%28v=vs.85%29.aspx.)
   I get the error when performing "hr = pFwRules->Add(pFwRule);".
  We can also encounter the problem when removing a rule (using pFwRules->Remove(ruleName);)
  HRESULT hrComInit = S_OK;
  HRESULT hr = S_OK;
  INetFwPolicy2 *pNetFwPolicy2 = NULL;
  INetFwRules *pFwRules = NULL;
  INetFwRule *pFwRule = NULL;
  long CurrentProfilesBitMask = 0;
  BSTR bstrRuleName = SysAllocString(L"SERVICE_RULE");
  BSTR bstrRuleDescription = SysAllocString(L"Allow incoming network traffic to myservice");
  BSTR bstrRuleGroup = SysAllocString(L"Sample Rule Group");
  BSTR bstrRuleApplication = SysAllocString(L"%systemroot%\\system32\\myservice.exe");
  BSTR bstrRuleService = SysAllocString(L"myservicename");
  BSTR bstrRuleLPorts = SysAllocString(L"135");
  // Initialize COM.
  hrComInit = CoInitializeEx(
  0,
  COINIT_APARTMENTTHREADED
  // Ignore RPC_E_CHANGED_MODE; this just means that COM has already been
  // initialized with a different mode. Since we don't care what the mode is,
  // we'll just use the existing mode.
  if (hrComInit != RPC_E_CHANGED_MODE)
  if (FAILED(hrComInit))
  printf("CoInitializeEx failed: 0x%08lx\n", hrComInit);
  goto Cleanup;
  // Retrieve INetFwPolicy2
  hr = WFCOMInitialize(&pNetFwPolicy2);
  if (FAILED(hr))
  goto Cleanup;
  // Retrieve INetFwRules
  hr = pNetFwPolicy2->get_Rules(&pFwRules);
  if (FAILED(hr))
  printf("get_Rules failed: 0x%08lx\n", hr);
  goto Cleanup;
  // Create a new Firewall Rule object.
  hr = CoCreateInstance(
  __uuidof(NetFwRule),
  NULL,
  CLSCTX_INPROC_SERVER,
  __uuidof(INetFwRule),
  (void**)&pFwRule);
  if (FAILED(hr))
  printf("CoCreateInstance for Firewall Rule failed: 0x%08lx\n", hr);
  goto Cleanup;
  // Populate the Firewall Rule object
  pFwRule->put_Name(bstrRuleName);
  pFwRule->put_Description(bstrRuleDescription);
  pFwRule->put_ApplicationName(bstrRuleApplication);
  pFwRule->put_ServiceName(bstrRuleService);
  pFwRule->put_Protocol(NET_FW_IP_PROTOCOL_TCP);
  pFwRule->put_LocalPorts(bstrRuleLPorts);
  pFwRule->put_Grouping(bstrRuleGroup);
  pFwRule->put_Profiles(CurrentProfilesBitMask);
  pFwRule->put_Action(NET_FW_ACTION_ALLOW);
  pFwRule->put_Enabled(VARIANT_TRUE);
  // Add the Firewall Rule
  hr = pFwRules->Add(pFwRule);
  if (FAILED(hr))
  printf("Firewall Rule Add failed: 0x%08lx\n", hr);
  goto Cleanup;
  This works pretty well but, sometimes, at system startup, adding a rule ends up with the error 0x8007000e (E_OUTOFMEMORY) ! At startup, the system is always loaded cause several applications starts at the same time. But nothing abnormal. This is quite a random
  issue.
  According MSDN documentation, this error indicates that the system "failed to allocate the necessary memory".
  I'm not convinced that we ran out of memory.
  Has someone experienced such an issue? How to avoid this?
  Thank you in advance.
  Regards, -Ruben-

  Does Windows 8 desktop have the same issue? Are you building a custom WE8S image, or are you using a full WE8S image? The reason I ask is to make sure you have the modules in the image to support the operation.
  Is Windows Embedded 8.1 industry an option?
  www.annabooks.com / www.seanliming.com / Book Author - Pro Guide to WE8S, Pro Guide to WES 7, Pro Guide to POS for .NET

• SA 540 INBOUND FIREWALL RULES NOT WORKING

  Hi all,
  I am having trouble configuring the firewall for the SA 540.
  client 1 (160.222.46.154) ----- switch ------ sa 540 ------ cisco 887 W ------ client 2 (50.0.0.10).
  client 1 can ping client 2, however client 2 cannot ping client 1. The default outbound policy (allow all) is set on the sa 540, and I have tried configuring a blanket ipv4 rule on the sa 540 to allow 'all' to 'any' (for all services) related to traffic from the WAN to LAN, and visa versa. The output from the logs are as follows:
  Fri Jan 7 13:43:04 2000(GMT +1000) WARN FIREWALL 50.0.0.10 160.222.46.154 [firewall] LOG_PACKET[DROP] IN=WAN OUT=WAN SRC=50.0.0.10 DST=160.222.46.154 PROTO=ICMP TYPE=8 CODE=0
  Component: KERNEL
  Fri Jan 7 13:43:09 2000(GMT +1000) WARN FIREWALL 50.0.0.10 160.222.46.154 [firewall] LOG_PACKET[DROP] IN=WAN OUT=WAN SRC=50.0.0.10 DST=160.222.46.154 PROTO=ICMP TYPE=8 CODE=0
  Component: KERNEL
  Fri Jan 7 13:43:14 2000(GMT +1000) WARN FIREWALL 50.0.0.10 160.222.46.154 [firewall] LOG_PACKET[DROP] IN=WAN OUT=WAN SRC=50.0.0.10 DST=160.222.46.154 PROTO=UDP SPT=60737 DPT=53
  Component: KERNEL
  Basically any connection identified as coming in from the WAN (i.e. IN=WAN) is dropped. I set up a new vlan on the cisco 887 W, in the 160.222.46.x address space, and connected a spare port directly to the sa 540 and had no problem testing connectivity to any device via ping. Obviously the zone communication is LAN to LAN and firewall treats the traffice differently.
  I assumed that creating an all encompassing rule to allow all trafiic, for all services, between the LAN and WAN (in both directions) would be equivalent to placing the appliance in PASS THROUGH mode? There is no securtiy set on the 887 W or the switch.
  Also is anybody could explain what 'SELF' means in the conttext IN=SELF or OUT=SELF it would be much appreciated. Firmware is latest.
  Thank you.
  Regards
  Marc

  On closer analysis and with some help from Experts Exchange it did seem non sensical to have both the IN and OUT as the WAN interface, but I had literally exhausted every avenue possible bar 1- changing the routing mode to CLASSIC and configuring a static route (which was at a higher administrative level than my RIP advertised routes) and took preferece when forwarding the packets.
  Now the SA540 firewall rules work as I would expect and I can route between all zones. To summise it appears as if the Double NAT from the router (887W) and then the SA540 was the issue, and the innability to configure any workaround in the interface of the SA54O firewall rules.
  It really makes you appreciate the power of the command line and the full scope of CIsco's command line options. Does anybody know if (and how) it would be possible to configure Double NAT on the SA540?
  Regards
  Marc

• [Solved] Windows Firewall rule that allows Windows Update

  Can anyone kindly give me a Windows Firewall rule that allows Windows Update? Assume I'm running MMC's "Windows Firewall with Advanced Security" snap-in as Administrator. Note that a "solution" that takes down the outbound firewall is
  not acceptable.
  Thank You.
  ===== Solution =====
  Suppose that, as the default, you've set the outbound firewall to block (see
  To close the outbound firewall, below). In order for Windows Update to check whether an update is available and then to download the update files, you first need an outbound firewall
  allow-rule that allows the Windows Update service to pass through the outbound firewall.
  Prerequisite: Knowledge of the Microsoft Management Console (MMC) and its "Windows Firewall with Advanced Security" plug-in.
  What you will do: You will use the "Windows Firewall with Advanced Security" MMC plug-in to create an outbound firewall rule that
  allows '%SystemRoot%\System32\svchost.exe' (the generic service driver) to pass through the outbound firewall on behalf of 'wuauserv' (the name of the specific service that performs the update).
  Warning: If you don't know what I'm writing about, get help.
  Name: Allow Windows Update (...or any name you prefer - it doesn't matter)
  Group:
  Profile: Public
  Enabled: Yes
  Action: Allow
  Program: %SystemRoot%\System32\svchost.exe
  Local Address: Any
  Remote Address: Any
  Protocol: Any
  Local Port: Any
  Remote Port: Any
  Allowed Computers: Any
  Status: OK
  Service: wuauserv
  Rule Source: Local Setting
  Interface Type: All interface types
  Excepted Computers: None
  Description:
  To open the outbound firewall:
  More accurate wording would be
  Outbound connections are allowed unless explicitly blocked by a rule.
  If you look at the standard rules you will find no block-rules. That means that nothing is blocked, everything is allowed, and the outbound firewall is wide open.
  To close the outbound firewall:
  More accurate wording would be
  Outbound connections are blocked unless explicitly allowed by a rule.
  If you look at the standard rules you will find only allow-rules that have been crafted to allow the vital Windows connections to pass through the outbound firewall. To an informed observer it's obvious that the firewall engineers crafted these
  allow-rules so that users who closed the outbound firewall wouldn't have to write them. But the firewall engineers left out Windows Update.

  Hi mark,
  Thanks for sharing, it will help other users who have similar issue.
  Regards

• Firewall rules don't seem to be working correctly

  i have my firewall turned on and have rules for itunes and jungle disk to all incoming, but itunes still alerts me to change firewall settings to allow sharing, which is an annoyance, but jungledisk will not work with me adding a rule, it seems as if i have to the firewall off completely for these to work. Also my screensharing will not work now either, but i have no problem with any other apps like skype where the rules work fine. Any suggestions?

  Great news, thanks!