SCCM 2016 – Firewall configuration

Many organisations are strict about what is allowed into their environment. Typically the required ports are open while servers are not yet in production, so the Windows Firewall can be left disabled during setup.

Once the server is in production, however, you will have to tune the firewall down to the minimum set of rules allowed.

If required, run the following commands from an elevated command prompt or PowerShell session to configure the Windows Firewall on the relevant server. Use plain ASCII quotation marks and keep each command on a single line; netsh rejects a rule whose protocol value has been split by a line break. Note that TCP 1434 is the SQL dedicated admin connection, while the SQL Browser service itself listens on UDP 1434 (TCP 2382 is the SQL Browser redirector for Analysis Services).

```
netsh advfirewall firewall add rule name="SQL Server" dir=in action=allow protocol=TCP localport=1433
netsh advfirewall firewall add rule name="SQL Admin Connection" dir=in action=allow protocol=TCP localport=1434
netsh advfirewall firewall add rule name="SQL Service Broker" dir=in action=allow protocol=TCP localport=4022
netsh advfirewall firewall add rule name="SQL Debugger/RPC" dir=in action=allow protocol=TCP localport=135
netsh advfirewall firewall add rule name="Analysis Services" dir=in action=allow protocol=TCP localport=2383
netsh advfirewall firewall add rule name="SQL Browser (SSAS)" dir=in action=allow protocol=TCP localport=2382
netsh advfirewall firewall add rule name="HTTP" dir=in action=allow protocol=TCP localport=80
netsh advfirewall firewall add rule name="SSL" dir=in action=allow protocol=TCP localport=443
netsh advfirewall firewall add rule name="SQL Browser (UDP)" dir=in action=allow protocol=UDP localport=1434
netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow
```
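The same rule set, as an added example that is not part of the original post, written with the NetSecurity cmdlets instead of netsh. It restricts the rules to the Domain profile and to an assumed management subnet (`$MgmtSubnet` is a placeholder, not a value from the post), skips rules that already exist so the script can be re-run without creating duplicates, and ends with an audit listing of what was actually opened.

```powershell
#Requires -RunAsAdministrator
# Added example: SCCM/SQL inbound rules via New-NetFirewallRule, scoped rather than open to any network.
$MgmtSubnet = '10.0.0.0/24'   # ASSUMED placeholder: the subnet your SCCM and SQL servers live on
$Group      = 'SCCM 2016'     # display group so the whole rule set can be audited or removed together

$Rules = @(
    @{ Name = 'SQL Server';           Protocol = 'TCP'; Port = 1433 }
    @{ Name = 'SQL Admin Connection'; Protocol = 'TCP'; Port = 1434 }
    @{ Name = 'SQL Service Broker';   Protocol = 'TCP'; Port = 4022 }
    @{ Name = 'SQL Debugger/RPC';     Protocol = 'TCP'; Port = 135  }
    @{ Name = 'Analysis Services';    Protocol = 'TCP'; Port = 2383 }
    @{ Name = 'SQL Browser (SSAS)';   Protocol = 'TCP'; Port = 2382 }
    @{ Name = 'SQL Browser (UDP)';    Protocol = 'UDP'; Port = 1434 }   # SQL Browser listens on UDP 1434
    @{ Name = 'HTTP';                 Protocol = 'TCP'; Port = 80   }
    @{ Name = 'SSL';                  Protocol = 'TCP'; Port = 443  }
)

foreach ($r in $Rules) {
    # Idempotent: netsh happily adds a second rule with the same name, so check first
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
        Write-Host "Already present: $($r.Name)"
        continue
    }
    New-NetFirewallRule -DisplayName $r.Name -Group $Group -Direction Inbound -Action Allow `
        -Profile Domain -Protocol $r.Protocol -LocalPort $r.Port -RemoteAddress $MgmtSubnet | Out-Null
}

# ICMPv4 echo request (type 8); the cmdlet takes the type as -IcmpType instead of icmpv4:8,any
$IcmpName = 'ICMP Allow incoming V4 echo request'
if (-not (Get-NetFirewallRule -DisplayName $IcmpName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $IcmpName -Group $Group -Direction Inbound -Action Allow `
        -Profile Domain -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $MgmtSubnet | Out-Null
}

# Audit: show every rule in the group with its protocol, port and remote scope
Get-NetFirewallRule -Group $Group | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    $af = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule = $_.DisplayName; Proto = $pf.Protocol; Port = $pf.LocalPort
        Remote = $af.RemoteAddress; Profile = $_.Profile; Enabled = $_.Enabled
    }
} | Format-Table -AutoSize
```

If you later push the same rules through Group Policy, as discussed in the comments, keep the group name so locally created and GPO-delivered rules can be told apart in the audit output.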
Use the following links to go to the required post in this series:

  1. SCCM Install guide
  2. SCCM 2016 – Installation Pre-Requisites
    1. SCCM 2016 – Extend the Active Directory Schema
    2. SCCM 2016 – Create Service and User Accounts
    3. SCCM 2016 – Firewall configuration
    4. SCCM 2016 – Windows Server Roles and Features
    5. SCCM 2016 – Report Viewer
    6. SCCM 2016 – ADK for Windows
    7. SCCM 2016 – Install WSUS
  3. SCCM 2016 – Install System Center Configuration Manager 2016
  4. SCCM 2016 – Post Installation Tools

11 Replies to “SCCM 2016 – Firewall configuration”

  1. PS C:\Users\Administrator> netsh advfirewall firewall add rule name=“ICMP Allow incoming V4 echo request” protocol=icmpv
    4:8,any dir=in action=allow
    A specified protocol value is not valid.
    Usage: add rule name=
    dir=in|out
    action=allow|block|bypass
    [program=]
    [service=|any]
    [description=]
    [enable=yes|no (default=yes)]
    [profile=public|private|domain|any[,…]]
    [localip=any|||||]
    [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
    ||||]
    [localport=0-65535|[,…]|RPC|RPC-EPMap|IPHTTPS|any (default=any)]
    [remoteport=0-65535|[,…]|any (default=any)]
    [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|
    tcp|udp|any (default=any)]
    [interfacetype=wireless|lan|ras|any]
    [rmtcomputergrp=]
    [rmtusrgrp=]
    [edge=yes|deferapp|deferuser|no (default=no)]
    [security=authenticate|authenc|authdynenc|authnoencap|notrequired
    (default=notrequired)]
    Remarks:
    – Add a new inbound or outbound rule to the firewall policy.
    – Rule name should be unique and cannot be “all”.
    – If a remote computer or user group is specified, security must be
    authenticate, authenc, authdynenc, or authnoencap.
    – Setting security to authdynenc allows systems to dynamically
    negotiate the use of encryption for traffic that matches
    a given Windows Firewall rule. Encryption is negotiated based on
    existing connection security rule properties. This option
    enables the ability of a machine to accept the first TCP
    or UDP packet of an inbound IPsec connection as long as
    it is secured, but not encrypted, using IPsec.
    Once the first packet is processed, the server will
    re-negotiate the connection and upgrade it so that
    all subsequent communications are fully encrypted.
    – If action=bypass, the remote computer group must be specified when dir=in.
    – If service=any, the rule applies only to services.
    – ICMP type or code can be “any”.
    – Edge can only be specified for inbound rules.
    – AuthEnc and authnoencap cannot be used together.
    – Authdynenc is valid only when dir=in.
    – When authnoencap is set, the security=authenticate option becomes an
    optional parameter.
    Examples:
    Add an inbound rule with no encapsulation security for browser.exe:
    netsh advfirewall firewall add rule name=”allow browser”
    dir=in program=”c:\programfiles\browser\browser.exe”
    security=authnoencap action=allow
    Add an outbound rule for port 80:
    netsh advfirewall firewall add rule name=”allow80″
    protocol=TCP dir=out localport=80 action=block
    Add an inbound rule requiring security and encryption
    for TCP port 80 traffic:
    netsh advfirewall firewall add rule
    name=”Require Encryption for Inbound TCP/80″
    protocol=TCP dir=in localport=80 security=authdynenc
    action=allow
    Add an inbound rule for browser.exe and require security
    netsh advfirewall firewall add rule name=”allow browser”
    dir=in program=”c:\program files\browser\browser.exe”
    security=authenticate action=allow
    Add an authenticated firewall bypass rule for group
    acmedomain\scanners identified by a SDDL string:
    netsh advfirewall firewall add rule name=”allow scanners”
    dir=in rmtcomputergrp= action=bypass
    security=authenticate
    Add an outbound allow rule for local ports 5000-5010 for udp-
    Add rule name=”Allow port range” dir=out protocol=udp localport=5000-5010 action=allow

  2. Does the firewall configuration script need to run on the DC server or the SCCM server?
    And should I configure the firewall settings through group policy on the AD server?
    Please clarify!

      1. Thanks Harmikbatt, we are planning to deploy a new standalone primary SCCM 2016 server in our infra, interlinked with the existing AD server. Could you please suggest which firewall configuration is best, the DC group policy method or the SCCM server configuration method?

  3. Rajan, as you are only going to need these settings on an on-demand basis, you can set them up manually on those servers.

    Alternatively you can set up a group policy, but restrict it to a group of computers only.

    Either way you can apply them.
