Purpose
The following article explains how to configure Windows Firewall to allow Shavlik Protect in every supported environment via the GUI, command prompt, and GPO. (Scroll to the bottom to see Protect's Port Requirements)
Description
Configuring Firewall
How to configure the Firewall in Windows XP and Windows Server 2003
- Click Start > Control Panel > Security Center
- In Windows Security Center, under Manage Security Settings click Windows Firewall
- Under Programs and Services, select the check box for File and Printer Sharing and click OK
- Navigate to the Exceptions tab and click the Add Port... button
- In the Name box, enter any name you wish (e.g. Protect1, Protect2)
- In the Port number box, enter the desired port, select TCP or UDP and click OK
- Click the Add Port... button again under the firewall exceptions and create a second rule
- Repeat steps 5-6 for each remaining port.
How to configure the Firewall in Windows Vista
- Click Start > Control Panel > Security > Windows Firewall
- Click Allow a program through Windows Firewall. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
- Click Add port
- In the Name box, enter any name you wish (e.g. Protect1, Protect2)
- In the Port number box, enter the desired port, select TCP or UDP and click OK
- Repeat steps 3-5 until all of the ports listed below have been entered.
How to configure the Firewall in Windows 7, Windows 8, Server 2008 and Windows Server 2012
- Click Start > Control Panel > Security > Windows Firewall
- Click Advanced Settings
- Select Inbound rules
- Click New Rule... in the Actions pane on the right
- Select Port and click Next
- Select TCP and Specific local ports:
- Enter the desired ports in the port field and click Next
- Select Allow the connection and click Next
- Check all three boxes (Domain, Private and Public), then click Next
- Give the rule any name and description you wish, and click Finish
- Click Advanced Settings again
- This time select Outbound rules
- Repeat steps 4-10 for the outbound rule
Opening Ports Using GPO
To create rules using Server 2003 GPO:
- Log on to a machine on the network with domain administrator privileges. The machine needs to be running Microsoft Windows XP SP1 or Microsoft Windows Server 2003.
- Download and install the .NET framework (Required for the next step)
- Download and install the Microsoft Group Policy Management Console (GPMC). The GPMC can be downloaded from: http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en
- To launch GPMC, click Start > Run and type in gpmc.msc
- Expand the tree under the forest you will be updating
- Expand the tree under Domains and expand the domain which you will be updating
- Right click Default Domain Policy or the GPO you will be applying the changes to, and select Edit…
Do the following in the Group Policy Object editor MMC:
- Go to Computer Configuration > Administrative Templates > Network > Network Connection > Windows Firewall > Domain Profile
- Double click the entry Windows Firewall: Define port exceptions
- Select Enabled
- Click the Show… button to bring up the port exception list dialog
- Select the Add… button
- Specify the required port using the following syntax/convention: <port>:<transport>:<scope>:<status>:<name>
For example, to allow connections on port 139 from the IP addresses in the local subnet, configure the rule as follows: 139:TCP:localsubnet:enabled:SMB
Repeat steps 5 and 6 for each port in the port requirements tables at the end of this article.
How to create rules using Windows Server 2008 (including R2) GPO and Server 2012
To enable Firewall permissions on all domain clients:
- Click Start > Administrative Tools > Group Policy Management
- Expand Group Policy Management > Forest > Domains > <Domain name> > Group Policy Objects
- Right click Default Domain Policy and select Edit
- Expand Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security, then right click Inbound Rules and select New Rule…
- In the New Inbound Rule Wizard, select Port and click Next
- Select Specific Local Ports and type your desired Port numbers and click Next
- Select Allow the Connection and click Finish
- From Group Policy Management Editor, expand Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security, then right click Outbound Rules and select New Rule…
- Repeat Steps 5 to 7 and allow your desired ports.
- Close the Group Policy Management Editor
- From Group Policy Management, expand Group Policy Management > Forest > Domains > <Domain name> > Default Domain Controllers Policy
- Repeat steps 4 to 9
- Close Group Policy Management
Additional Information
Port requirements for Protect (taken from the document "Port requirements for Shavlik Protect")
This table lists the required inbound ports:

| Inbound | Port |
| --- | --- |
| Client System – Asset Scans | TCP 135 |
| Client System – Patch Scans and Deployments | TCP 137-139 or TCP 445 |
| Client System – Listening Agents | TCP 4155 |
| Client System – Scheduler | TCP 5120 |
| Client System – WOL | UDP 9 |
| Protect Console – Traffic to Shavlik Console service | TCP 3121 |
| Distribution Server – HTTP configuration | TCP 80 |
| Distribution Server – HTTPS configuration | TCP 443 |
| Distribution Server – UNC configuration | TCP 137-139 or TCP 445 |
This table lists the required outbound ports:

| Outbound | Port |
| --- | --- |
| Client System – Agents | TCP 80 |
| Client System – Agentless scans | TCP 139 or TCP 445 |
| Client System – Agents & Deployment Tracker | TCP 3121 |
| Protect Console – Patch and data downloads | TCP 80 |
| Protect Console – Patch Scans and Deployments | TCP 139 and TCP 445 |
| Protect Console – Scheduler | TCP 5120 |
| Protect Console – WOL and error reporting | UDP 9 |
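The following PowerShell is an added example, not code from the Shavlik article: it encodes the client-system and console rows of the inbound table above once, then either emits the `<port>:<transport>:<scope>:<status>:<name>` strings that the Server 2003 GPO "Define port exceptions" setting expects, or creates the matching Windows Firewall with Advanced Security rules with New-NetFirewallRule (Windows 8 / Server 2012 and later). The rule names and the localsubnet scope are assumptions, not values from the article.

```powershell
# Added example (not from the Shavlik KB article). The port data below is the inbound
# table from the article; rule names and the localsubnet scope are assumptions.
$ProtectInbound = @(
    @{ Name = 'Protect Asset Scans';      Protocol = 'TCP'; Ports = @('135') }
    @{ Name = 'Protect Patch Scans';      Protocol = 'TCP'; Ports = @('137-139', '445') }
    @{ Name = 'Protect Listening Agents'; Protocol = 'TCP'; Ports = @('4155') }
    @{ Name = 'Protect Scheduler';        Protocol = 'TCP'; Ports = @('5120') }
    @{ Name = 'Protect WOL';              Protocol = 'UDP'; Ports = @('9') }
    @{ Name = 'Protect Console Service';  Protocol = 'TCP'; Ports = @('3121') }
)

# The legacy (XP / Server 2003) exception list takes one port per entry, so a
# "137-139" style range is unrolled into single ports before it is written out.
function Expand-PortRange([string[]] $Ports) {
    foreach ($p in $Ports) {
        if ($p -match '^(\d+)-(\d+)$') { $lo = [int]$Matches[1]; $hi = [int]$Matches[2]; $lo..$hi }
        else { [int]$p }
    }
}

# (a) One legacy GPO exception string per port, in the same <port>:<transport>:<scope>:
# <status>:<name> form as the article's 139:TCP:localsubnet:enabled:SMB example. Keeping
# the scope at localsubnet limits the exception to the local subnet rather than all hosts.
function ConvertTo-LegacyPortException([hashtable[]] $Table, [string] $Scope = 'localsubnet') {
    foreach ($row in $Table) {
        foreach ($port in Expand-PortRange $row.Ports) {
            $name = $row.Name -replace ':', ' '   # the colon is the field separator
            '{0}:{1}:{2}:enabled:{3}' -f $port, $row.Protocol, $Scope, $name
        }
    }
}

# (b) WFAS rules for Windows 8 / Server 2012 and later. -LocalPort accepts "137-139"
# ranges directly; Domain, Private and Public are the three profile boxes from the GUI
# steps. Pass -Direction Outbound with a table built from the outbound list instead.
function New-ProtectFirewallRule([hashtable[]] $Table,
        [ValidateSet('Inbound', 'Outbound')] [string] $Direction = 'Inbound', [switch] $WhatIf) {
    foreach ($row in $Table) {
        New-NetFirewallRule -DisplayName "$($row.Name) ($Direction)" -Direction $Direction `
            -Protocol $row.Protocol -LocalPort $row.Ports -Action Allow `
            -Profile Domain, Private, Public -WhatIf:$WhatIf
    }
}

ConvertTo-LegacyPortException $ProtectInbound    # strings to paste into the GPO dialog
New-ProtectFirewallRule $ProtectInbound -WhatIf  # drop -WhatIf to actually create the rules
```

Run it in an elevated PowerShell session; -WhatIf previews the rules that would be created without changing the firewall.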
*** Some information may have been referenced from http://kb.gfi.com/articles/SkyNet_Article/How-to-prepare-your-firewall-to-allow-proper-communication-between-agents-and-…
Affected Product(s)
Shavlik Protect 9.x