SCCM 2016 – Firewall configuration
I know some organisations are very strict about what goes into their environment. Typically the ports are open while servers are not yet in production, so you can have the Windows firewall disabled during setup.
But the reality is that once a server is in production, you will have to fine-tune the firewall down to the minimum settings allowed.
If required, run the following commands from an elevated command prompt (cmd) to configure the Windows firewall on the required server. If you run them from PowerShell instead, wrap the ICMP protocol value in quotes: PowerShell splits an unquoted argument at the comma, so netsh receives "icmpv4:8" and "any" as two separate arguments and rejects the protocol.
rem SQL Server database engine: default instance, dedicated admin connection (DAC), Service Broker, RPC endpoint mapper
netsh advfirewall firewall add rule name="SQL Server" dir=in action=allow protocol=TCP localport=1433
netsh advfirewall firewall add rule name="SQL Admin Connection" dir=in action=allow protocol=TCP localport=1434
netsh advfirewall firewall add rule name="SQL Service Broker" dir=in action=allow protocol=TCP localport=4022
netsh advfirewall firewall add rule name="SQL Debugger/RPC" dir=in action=allow protocol=TCP localport=135
rem Analysis Services and its browser/redirector for named instances (TCP 2382)
netsh advfirewall firewall add rule name="Analysis Services" dir=in action=allow protocol=TCP localport=2383
netsh advfirewall firewall add rule name="Analysis Services Browser" dir=in action=allow protocol=TCP localport=2382
rem Web traffic for the site roles (management point, distribution point, etc.)
netsh advfirewall firewall add rule name="HTTP" dir=in action=allow protocol=TCP localport=80
netsh advfirewall firewall add rule name="SSL" dir=in action=allow protocol=TCP localport=443
rem SQL Browser listens on UDP 1434 (TCP 1434 is the DAC rule above); rule names must be unique
netsh advfirewall firewall add rule name="SQL Browser" dir=in action=allow protocol=UDP localport=1434
rem ICMPv4 echo request (type 8, any code) so the server answers ping
netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow
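The netsh rules above apply to every firewall profile and accept traffic from any remote address. The following PowerShell script is an added example, not code from the original post: it creates the same inbound rules with the NetSecurity cmdlets, scopes them to the Domain profile and to an assumed management subnet (10.0.0.0/24), puts them in an assumed rule group ("SCCM 2016") so they can be listed or removed as a set, skips rules that already exist, and finally prints the resolved port and address filters so you can check what was actually applied. The rule names, group name and subnet are assumptions; adjust them to your environment.

```powershell
# Added example (not from the original post): the inbound rules from the netsh
# list above, created with New-NetFirewallRule, scoped to the Domain profile and
# to an assumed management subnet, created idempotently and then verified.
#Requires -RunAsAdministrator
$Group      = 'SCCM 2016'        # assumed rule group, used to list/clean up the set
$RemoteNets = @('10.0.0.0/24')   # assumed: only these networks may reach the server

# Port list taken from the netsh commands above (SQL Browser is UDP 1434).
$Rules = @(
    @{ Name = 'SQL Server';                 Protocol = 'TCP'; Port = 1433 },
    @{ Name = 'SQL Admin Connection (DAC)'; Protocol = 'TCP'; Port = 1434 },
    @{ Name = 'SQL Service Broker';         Protocol = 'TCP'; Port = 4022 },
    @{ Name = 'SQL Debugger/RPC';           Protocol = 'TCP'; Port = 135  },
    @{ Name = 'Analysis Services';          Protocol = 'TCP'; Port = 2383 },
    @{ Name = 'Analysis Services Browser';  Protocol = 'TCP'; Port = 2382 },
    @{ Name = 'SQL Browser';                Protocol = 'UDP'; Port = 1434 },
    @{ Name = 'HTTP';                       Protocol = 'TCP'; Port = 80   },
    @{ Name = 'SSL';                        Protocol = 'TCP'; Port = 443  }
)

foreach ($r in $Rules) {
    $name = "SCCM - $($r.Name)"
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Write-Host "exists:  $name"      # idempotent: re-running does not duplicate rules
        continue
    }
    New-NetFirewallRule -DisplayName $name -Group $Group `
        -Direction Inbound -Action Allow -Enabled True `
        -Protocol $r.Protocol -LocalPort $r.Port `
        -Profile Domain -RemoteAddress $RemoteNets | Out-Null
    Write-Host "created: $name"
}

# ICMPv4 echo request (type 8), with the same scoping. If you keep netsh for this
# from PowerShell, quote the value: protocol='icmpv4:8,any' (unquoted, PowerShell
# splits it at the comma and netsh reports an invalid protocol).
$icmp = 'SCCM - ICMPv4 Echo Request'
if (-not (Get-NetFirewallRule -DisplayName $icmp -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $icmp -Group $Group `
        -Direction Inbound -Action Allow -Enabled True `
        -Protocol ICMPv4 -IcmpType 8 `
        -Profile Domain -RemoteAddress $RemoteNets | Out-Null
    Write-Host "created: $icmp"
}

# Verify: show each rule in the group with its effective port and address filters.
Get-NetFirewallRule -Group $Group | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    $af = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule     = $_.DisplayName
        Enabled  = $_.Enabled
        Profile  = $_.Profile
        Protocol = $pf.Protocol
        Port     = $pf.LocalPort
        Remote   = ($af.RemoteAddress -join ',')
    }
} | Format-Table -AutoSize
```

To roll the whole set back, `Get-NetFirewallRule -Group 'SCCM 2016' | Remove-NetFirewallRule` removes exactly the rules this script created, which is the main reason for tagging them with a group rather than relying on display names alone.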
Comments: 11
PS C:\Users\Administrator> netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow
A specified protocol value is not valid.
Usage: add rule name=<string>
dir=in|out
action=allow|block|bypass
[program=<program path>]
[service=<service short name>|any]
[description=<string>]
[enable=yes|no (default=yes)]
[profile=public|private|domain|any[,...]]
[localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
[remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
[localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)]
[remoteport=0-65535|<port range>[,...]|any (default=any)]
[protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|
tcp|udp|any (default=any)]
[interfacetype=wireless|lan|ras|any]
[rmtcomputergrp=<SDDL string>]
[rmtusrgrp=<SDDL string>]
[edge=yes|deferapp|deferuser|no (default=no)]
[security=authenticate|authenc|authdynenc|authnoencap|notrequired
(default=notrequired)]
Remarks:
- Add a new inbound or outbound rule to the firewall policy.
- Rule name should be unique and cannot be "all".
- If a remote computer or user group is specified, security must be
authenticate, authenc, authdynenc, or authnoencap.
- Setting security to authdynenc allows systems to dynamically
negotiate the use of encryption for traffic that matches
a given Windows Firewall rule. Encryption is negotiated based on
existing connection security rule properties. This option
enables the ability of a machine to accept the first TCP
or UDP packet of an inbound IPsec connection as long as
it is secured, but not encrypted, using IPsec.
Once the first packet is processed, the server will
re-negotiate the connection and upgrade it so that
all subsequent communications are fully encrypted.
- If action=bypass, the remote computer group must be specified when dir=in.
- If service=any, the rule applies only to services.
- ICMP type or code can be "any".
- Edge can only be specified for inbound rules.
- AuthEnc and authnoencap cannot be used together.
- Authdynenc is valid only when dir=in.
- When authnoencap is set, the security=authenticate option becomes an
optional parameter.
Examples:
Add an inbound rule with no encapsulation security for browser.exe:
netsh advfirewall firewall add rule name="allow browser"
dir=in program="c:\programfiles\browser\browser.exe"
security=authnoencap action=allow
Add an outbound rule for port 80:
netsh advfirewall firewall add rule name="allow80"
protocol=TCP dir=out localport=80 action=block
Add an inbound rule requiring security and encryption
for TCP port 80 traffic:
netsh advfirewall firewall add rule
name="Require Encryption for Inbound TCP/80"
protocol=TCP dir=in localport=80 security=authdynenc
action=allow
Add an inbound rule for browser.exe and require security
netsh advfirewall firewall add rule name="allow browser"
dir=in program="c:\program files\browser\browser.exe"
security=authenticate action=allow
Add an authenticated firewall bypass rule for group
acmedomain\scanners identified by a SDDL string:
netsh advfirewall firewall add rule name="allow scanners"
dir=in rmtcomputergrp=<SDDL string> action=bypass
security=authenticate
Add an outbound allow rule for local ports 5000-5010 for udp-
Add rule name="Allow port range" dir=out protocol=udp localport=5000-5010 action=allow
Rajan, please try using cmd and run it as administrator.
Thank you!
Does the firewall configuration script need to run on the DC server or on the SCCM server?
And should I configure the firewall settings through group policy on the AD server?
Please clarify!
They need to run on the SCCM server. Yes, you can use group policy to do it. It is up to your organization's requirements.
Thanks Harmikbatt, we are planning to deploy a new standalone primary SCCM 2016 server in our infra, interlinked with the existing AD server. Could you please suggest which firewall configuration method is best: the DC group policy method or the SCCM server configuration method?
Rajan, as you are only going to need these settings on an on-demand basis, you can set them up manually on those servers.
Alternatively, you can set up a group policy but restrict it to a group of computers only.
Either way, you can apply them.
Thanks for the prompt response. Could it be possible to share the SCCM 2016 post-configuration steps? It will be useful.
Here you go
https://harmikbatth.com/2017/02/02/sccm-2016-post-installation-tools/
Follow whole sccm setup here
https://harmikbatth.com/tag/sccm-2016/
Thank you!!