How To: Install an Agent on a Machine with the Windows Firewall Enabled.

Version 2

    Verified Product Versions

    Endpoint Manager 2016.x

    HOW TO: Install a Landesk Agent onto a machine with the Windows Firewall already enabled.


    Installing Landesk Agent to machines with the Windows Firewall turned on.


    By default, the Windows XP SP2 Firewall blocks communication with client machines at a level that prevents Landesk from deploying an agent to them.


    There are a couple of methods to bypass the firewall restrictions. By default, when the Landesk agent installs to a machine, it will make the necessary exclusions to the firewall using fwregister.exe.


    Option One: Deploy an Agent from behind the firewall.
    This is probably going to be the most common method used for an installation that bypasses the firewall. The methods of choice here are:


    •   Advance Agent Deploy: This is a two-stage process. The advance agent consists of a small MSI and a self-contained EXE. The MSI is deployed to the client and then the MSI downloads and installs the EXE. This allows for bandwidth-friendly downloads.
    •   Self-Contained .exe Deployment: Creates an EXE that can be installed. The EXE contains all client files and settings. This can be used manually, posted on a web site or deployed using LANDesk® Software Distribution.
    •   Calling WSCFG32.EXE or IPSETUP.BAT from the core server: Map a drive to the Ldlogon folder and run Wscfg32.exe. This is used for single client installs and testing. Switches for use with Wscfg32.exe are here:
    •   Login Script: Agents can be installed using login scripts; the batch file IPsetup.bat can be added to the login script. This method requires that the users have administrative rights.
    All of these methods will start the agent install on the client from behind the firewall. This allows the agent to make the necessary exclusions to the firewall on installation. Further documentation on these processes is in the Best Known Method for Agent Deployment document.


    Option Two: Configure the Windows Systems and Scheduler Service to allow firewall bypass.
    This method allows you to push agents from the core to target machines, but will require configuration on the client and core sides.
    1) On the client, disable Simple File Sharing.
    2) On the client, turn ON File and Print Sharing in the firewall exceptions in Control Panel.
    3) On the client, turn ON the option to 'Allow incoming echo requests'.
    4) On the core server, configure the Scheduler service to run under a domain account, or add alternate credentials to a local admin account on the boxes, or a service account with permissions to the box.


    Once you have done this, you should be able to discover machines via UDD and push agents to them. This configuration allows us to open the RPC admin share on C$ by enabling File and Print Sharing and using an admin account.
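
    The client-side steps 1 to 3 of Option Two as a batch script, for the XP SP2-era "netsh firewall" context this article describes. This is an added example, not Landesk's own tooling. CORE_IP is a placeholder, and limiting the File and Print Sharing exception to the core server's address is an assumption beyond the steps above, which open the exception without a scope.

```batch
@echo off
rem Added example: applies client-side steps 1-3 of Option Two.
rem Run as a local administrator on the client machine.
setlocal

rem Placeholder (documentation address): set this to your core server's IP.
set CORE_IP=192.0.2.10

rem Step 1: disable Simple File Sharing. ForceGuest=0 selects the classic
rem sharing model, so network logons authenticate as the supplied account
rem instead of being mapped to Guest.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v ForceGuest /t REG_DWORD /d 0 /f
if errorlevel 1 goto fail

rem Step 2: turn on the File and Print Sharing exception.
rem Assumption: scope=custom restricts the exception to the core server only;
rem the article's step enables it without restricting the source address.
netsh firewall set service type=fileandprint mode=enable scope=custom addresses=%CORE_IP% profile=all
if errorlevel 1 goto fail

rem Step 3: allow incoming echo requests (ICMP type 8).
netsh firewall set icmpsetting type=8 mode=enable profile=all
if errorlevel 1 goto fail

rem Show the resulting state so the change can be reviewed and recorded.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v ForceGuest
netsh firewall show service
netsh firewall show icmpsetting

echo Client prepared for agent push from %CORE_IP%.
endlocal
exit /b 0

:fail
echo A configuration step failed; review the output above. 1>&2
endlocal
exit /b 1
```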