9 Replies Latest reply on Jan 6, 2012 12:05 PM by Catalysttgj

    Help Administering Windows Firewall

    Rookie

      Hi Guys,

       

      I'm new to administering Windows Firewall via LANDesk and I've not successfully changed a host.

      What I've done.

       

      1. Already had an agent pushed out with no firewall settings.

      2. Created a new agent and associated a new firewall object with more than 7 inbound exceptions. Two firewall objects were created with XP, Server 2003 or Win7, Server 2008 in mind.

      3. I created an advanced agent for the new agent configuration and I did a "schedule update to agent settings". The scheduled task has a status of "Done" and a result of "Not Specified". I thought that would implement the firewall changes but nope.

      4. I then tried to do a "Change Settings" for the firewall object under scheduled task. It completed with status "Done" and result "No Error". But this also did not do anything to the host in question. No changes whatsoever.

       

      I did try rebooting the host. The OS is Server 2008 x64.

       

      Using LANDesk 9.0.2.3

       

      Any help is greatly appreciated.

       

      Jason

        • 1. Re: Help Administering Windows Firewall
          Rookie

          This morning I didn't do an update to the agent configuration. I just deployed it as if an agent didn't previously exist. No change.

          I guess I'll try uninstalling and reinstalling the agent next. But I really shouldn't have to do that on all the hosts that already have an agent. I'd just be happy to see something happen for the first time.

          • 2. Re: Help Administering Windows Firewall
            Catalysttgj Expert

            We've been pretty happy with just poking registry values in for firewall exceptions and whatnot. That might not be a very elegant thing to do with your environment, but it's an option. After poking in values you just have to restart the firewall service to get the new values recognized. We do all this with a custom definition patch.

            • 3. Re: Help Administering Windows Firewall
              Rookie

              Thanks for the suggestion. If LANDesk isn't able to do it natively then I'll strongly consider it. In fact I can see how that option becomes much more flexible.

              I wish I had the extra time to invest in the initial scripting. If all else fails I'll push back to GPOs for now.

              • 4. Re: Help Administering Windows Firewall
                Rookie

                Hi Catalysttgj,

                 

                Could you elaborate a bit on how you guys do it?

                 

                What script methods do you use to mod the registry?

                 

                Do you have any examples you can share?

                 

                Hmmm, a custom definition. I'll start looking at that. As you may be able to tell I still haven't resolved the 2008 firewall issue via LANDesk firewall.

                • 5. Re: Help Administering Windows Firewall
                  Catalysttgj Expert

                  I think it'll be much easier if I just give you an example. I'm enclosing a copy of a custom definition. In order to protect the guilty, I've changed some specific things so as not to reveal anything private.

                   

                  This example basically is just creating an exception for Internet Explorer, the executable: "C:\Program Files\Internet Explorer\iexplore.exe". This would likely have to be expanded to support more than Windows XP, so keep this in mind, but this def should give you a good foundation/idea of how to do what you need to do.

                   

                  If you do import this def, keep in mind that it is looking for values and would put values on a system (if used) that would do very little. I replaced the IP addresses for the exceptions as 127.0.0.1 and 127.0.0.2. Obviously, you'd change these. I made it this way just in this example.

                   

                  Study it for a bit and let me know if you have any questions on it.

                  1 of 1 people found this helpful
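
The registry approach from replies 2 and 5, sketched in PowerShell for the XP/Server 2003 firewall. This is an added example, not the custom definition attached to the post and not LANDesk's own code. Assumptions: the registry key and the `SharedAccess` service name are the stock XP/2003 ones rather than values from the thread, the function names are hypothetical, and IPv6 scopes are not handled.

```powershell
# Added example. Registry path and service name are the stock XP/2003 ones,
# not values taken from the custom definition discussed in the thread.
$SubKey = 'SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\' +
          'FirewallPolicy\StandardProfile\AuthorizedApplications\List'

function ConvertFrom-FwAppEntry {
    param([Parameter(Mandatory = $true)][string]$Data)
    # Layout: <exe path>:<scope>:<Enabled|Disabled>:<display name>
    # The path contains "C:", so match it lazily and forbid "\" in the scope.
    $rx = '^(?<path>.+?):(?<scope>[^:\\]+):(?<state>Enabled|Disabled):(?<name>.*)$'
    if (-not ($Data -match $rx)) { throw "Unrecognised entry: $Data" }
    New-Object PSObject -Property @{
        Path      = $Matches['path']
        Scope     = $Matches['scope']
        State     = $Matches['state']
        Name      = $Matches['name']
        AnySource = ($Matches['scope'] -eq '*')   # "*" = reachable from any address
    }
}

function Set-FwAppException {
    param([string]$ExePath, [string[]]$RemoteAddresses, [string]$DisplayName)
    if (-not $RemoteAddresses) { throw 'Refusing to write an exception without a scope.' }
    $data = '{0}:{1}:Enabled:{2}' -f $ExePath, ($RemoteAddresses -join ','), $DisplayName
    $null = ConvertFrom-FwAppEntry -Data $data      # validate before touching the registry
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($SubKey)
    try {
        # Value name is the executable path; value data is the colon-delimited entry.
        $key.SetValue($ExePath, $data, [Microsoft.Win32.RegistryValueKind]::String)
    } finally { $key.Close() }
    Restart-Service -Name SharedAccess              # the service rereads the list on restart
    $data
}

function Get-FwAppException {
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey)
    if (-not $key) { return }
    try {
        foreach ($n in $key.GetValueNames()) { ConvertFrom-FwAppEntry -Data $key.GetValue($n) }
    } finally { $key.Close() }
}

# Usage with the values named in the post above (run elevated):
# Set-FwAppException 'C:\Program Files\Internet Explorer\iexplore.exe' '127.0.0.1','127.0.0.2' 'Internet Explorer'
# Get-FwAppException | Where-Object { $_.AnySource }   # exceptions open to any source
```

`Get-FwAppException` doubles as an audit step after deployment: it shows what actually landed on the host and which exceptions are not restricted to specific addresses.
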
                  • 6. Re: Help Administering Windows Firewall
                    Rookie

                    That is super cool... thank you so much. I found some existing 2008 firewall reg keys and used that info to build some custom defs. Now I need to learn how to use patch manager. (-: Thank you so much for your help.

                    • 7. Re: Help Administering Windows Firewall
                      Catalysttgj Expert

                      Glad to hear that will be useful for ya, but I didn't really solve the mystery as to why reinstalling the agent didn't get those firewall settings in. That should have worked at least. I suspect that it's the funky extra protections that the newer Windows OSes have that's maybe blocking those firewall mods. We just turned them off on our server, but I think there's some AD stuff that could be setting a policy to harden them. This might be the real problem that you're dealing with. You might try turning down the UAC settings on the server in question, and then try reinstalling that agent again and see if that doesn't help, if you haven't already tried that.

                      • 8. Re: Help Administering Windows Firewall
                        Rookie

                        Turning UAC off didn't help. LANDesk support was able to reproduce the issue in their lab. It may be just a matter of time for them to figure out what's going on.

                         

                        Thanks again for all your help.

                        • 9. Re: Help Administering Windows Firewall
                          Catalysttgj Expert

                          That's good to hear. I guess we've not had this problem yet as our customer doesn't have any 64-bit OSes out there yet.

                           

                          Thanks for the follow-up. I know at some point we will have 64-bit OSes to deal with, so this is good stuff to share.