Solved

group policy, firewall, exceptions.

Posted on 2008-11-03
1,517 Views
Is there a way to use Group Policy to distribute an exception to Windows Firewall?
I.e. add Real VNC as an exception to Windows Firewall...

I have this as an exception on my machine, but considering we have 8 offices around the country I just want to find a way to do this via GP.
I found a possible way in the policy editor but it is worded in quite a difficult way...

Any help, guys?

-HEX
0
Question by:Leon Teale

LVL 1

Expert Comment

It will be best to set this by creating a new Group Policy, then assigning the policy to specific OUs.
Once the policy is created, go to Computer Configuration, Administrative Templates, Network, Network Connections, and then Windows Firewall. Locate the Domain Profile and the last setting is Allow local port exceptions. Enable this setting. Next is the setting above, enable this setting and add the VNC port that you use (5900 I think) and then the subnet that your VNC server is on. Allowing all networks is very risky as this will allow any remote user with access to your network, legitimate or hacked, to take control over the PC. I highly suggest using an alternate port for VNC as well.

5900:TCP:192.168.1.0/24:enabled:VNC
5900 is the port
TCP is the protocol
192.168.1.0/24 is the subnet your VNC server is on
enabled: is well.. it is on
VNC: is a description for this port number.

Make sure DNS and firewall port forwarding is set up between all your routers as well for proper port forwarding.

0

LVL 16

Expert Comment

How about giving a batch file that configures the single computer which it is run on?

netsh firewall add allowedprogram program = C:\path\to\vnc.exe name = VNC mode = ENABLE scope = CUSTOM addresses = [specify the incoming IPs, in the form of subnets, like 166.1.1.0/24],LocalSubnet

This allows a single computer firewall to pass the vnc connection.

To disable, type in the batch script

netsh firewall delete allowedprogram program = C:\path\to\vnc.exe

Otherwise, if you think that PCs should do the PCs and the office firewalls should do the filtering, apply just this rule on the office firewalls and disable the individual firewalls on the single PCs. What good are they going to do if there is a much better and bigger working firewall behind the wall office?
0

LVL 6

Author Comment

I'm afraid it doesn't seem to be working, here is my code

netsh firewall add allowedprogram program = C:\Program Files\RealVNC\VNC4\winvnc4.exe name = vnc mode = ENABLE

and tried..

netsh add firewall allowedprogram program = C:\Program Files\RealVNC\VNC4\winvnc4.exe name = vnc mode = ENABLE scope = ALL addresses = localsubnet
0

LVL 16

Expert Comment

this should work
netsh firewall add allowedprogram program = C:\Program Files\RealVNC\VNC4\winvnc4.exe name = VNC mode = ENABLE scope = all

This enables all VNC connections on this machine.
0

LVL 6

Author Comment

'the syntax for this is not a valid command'
0

LVL 16

Expert Comment

what os are we on?
0

LVL 6

Author Comment

xp
0

LVL 16

Expert Comment

sgrunt, the commands differ from xp to vista. try these, will open the good ports
netsh firewall set portopening TCP 5800 vnc-http

netsh firewall set portopening TCP 5900 vnc

netsh firewall set portopening TCP 5901 vnc

0

LVL 6

Author Comment

That's perfect, it works :)

Thanks,

I would however ask if you could help put this into a format which I can simply place into a batch file. Or would it simply work just by putting 'netsh firewall set portopening TCP 5900 vnc' in a batch file?

Would privileges affect this? Would a standard user be able to add an exception to Windows Firewall using cmd? Or do admin privileges have to be instated?
0

LVL 16

Accepted Solution

It's a command and you can put it in a batch file without problems (test it, if you don't believe :))
Unfortunately, netsh demands administrator privileges, so a normal user can't run this script.
0
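A batch file along the lines discussed in this thread, as an added example that is not part of any participant's post: it opens the three ports named above on Windows XP, limits them to one subnet as the first comment recommends, and refuses to run without administrator rights. The subnet 192.168.1.0/24 and the rule names are placeholders assumed for illustration.

```batch
@echo off
rem Added example, not from the thread. Uses the XP-era "netsh firewall" context.
rem ASSUMPTION: 192.168.1.0/24 stands in for the subnet your VNC viewers connect from.
setlocal
set "MGMT_SUBNET=192.168.1.0/24"

rem netsh firewall changes need administrator rights. "net session" fails for a
rem standard user, so it serves as an elevation check before anything is changed.
rem (It also fails if the Server service is stopped.)
net session >nul 2>&1
if errorlevel 1 (
    echo This script must be run as an administrator. 1>&2
    exit /b 1
)

rem Ports named in the thread: 5800 (vnc-http), 5900 and 5901 (vnc).
rem scope=CUSTOM with addresses= restricts each opening to the chosen subnet
rem instead of accepting connections from any address.
for %%P in (5800 5900 5901) do (
    netsh firewall set portopening protocol=TCP port=%%P name=VNC-%%P mode=ENABLE scope=CUSTOM addresses=%MGMT_SUBNET%
    if errorlevel 1 (
        echo Failed to open TCP %%P 1>&2
        exit /b 1
    )
)

rem List the resulting port openings so the run can be verified afterwards.
netsh firewall show portopening
endlocal
```

Assigned as a computer startup script in a Group Policy object, the file runs as Local System, so standard users never need to run it themselves.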

LVL 6

Author Closing Comment

many thanks :)
0
