Stiebel Eltron asked:

How to resolve Port problem in Firewall exception?

Dear EE,

I would like to ask how to resolve this problem of mine: I've added a port to the Windows Firewall Exceptions, and while the server is up, it works, but when we restart the server, some ports are gone from the list of exceptions. For example, I add port 2007, but when I restart the server it is gone and I need to add it again in order to access the site that uses that port.

Thank you!
bgoering

If you are on a domain and there is a domain level firewall policy, then any local changes will be lost when the domain level policy is applied - such as after a reboot.

Hypercat (Deb)

If your domain level policy is resetting the firewall exceptions, then what you need to do to fix this would be to create a separate group policy and apply it just to this server. Then create the firewall port exceptions you need in that policy and it will be applied to that server only.

Stiebel Eltron (ASKER)

@hypercat: How can I create a separate group policy for that server only? Do I need to create it through our main firewall or just in the firewall policy setting of Windows Server?

Please advise... :-)

You would need to create another OU in AD, and create a GPO containing the firewall settings for that server and apply it to the new OU. Then move that server to be under that new OU.

@bgoering: Sorry, but what does "OU" mean? :-(
Will it not affect the settings of the other server that needs the Port Exceptions in the Firewall?

Sorry - OU is Organizational Unit. Group policy settings need to be applied to some container for objects, and an OU is such a container. If your firewalls are managed by group policy, and you need different settings for this one server - then you need to move that server to the new container, and create the new group policy and apply it to the new container.

Now if your GPO structure is not restricting overrides, it will likely be easiest to create the new OU inside of your existing GPO - that way you just need to customize the overrides, otherwise you would need to re-create the entire group policy and include the new settings.

Take a look at http://searchwindowsserver.techtarget.com/tutorial/Active-Directory-Tutorial for a short overview of Active Directory objects, containers, and group policy.

@bgoering: Would you please advise on how to do it, step by step? Is it in AD or do I need to open GPEDIT.MSC?
I'm sorry but I'm not that expert in this area...

Thanks!

ASKER CERTIFIED SOLUTION
bgoering

This solution is only available to members.

I stopped in this part:
>>Open Group policy management
Right click your new OU and select create a new policy in the domain and link it here
    Give it a name
Right click your new GPO and select Edit, the GP Editor will open
    Drill down to computer policies, Windows settings, Security Settings, Windows Firewall
    with advanced settings

From there create the firewall configuration for the computer<<

Because I can't see the Create a new policy after I right-clicked the new OU.
Or do I need to select Properties of the new OU, then Group Policy --> New? Please advise...

Either way should do it.

I couldn't find the Windows Firewall with Advanced Settings, anyway, I'm attaching the screenshot of the GPO Editor from our server...
GPO.jpg

From your screen capture above, it looks like you're opening the Group Policy console from a Windows 2003 or XP machine. You need to open the group policy from your Windows 2008 Server. The policy you're looking for, as explained by bgoering, is only applicable to Windows 2008/Vista/Windows7 machines, so you won't see it listed unless you're running that version of the GPMC.

Yes, I got that screenshot from our main AD, which is running on Windows 2003. The SharePoint Server that is running on Windows 2008 is not a DC; it has AD Users and Computers inside Administrative Tools, but I couldn't find how to create a new GPO on the new OU that I have created. Now, I have attached the screenshot of the GPO from that server, I just typed it manually (gpedit.msc) from RUN, kindly check & advise on what to do next.

Thanks!
GPO-Win2008.jpg
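
The procedure discussed in this thread (a new OU, a GPO linked to it, the port 2007 exception defined in that GPO instead of locally, and the server moved into the OU), scripted in PowerShell as an added example that is not part of the original thread. It assumes a management host with the ActiveDirectory, GroupPolicy and NetSecurity modules (Windows Server 2012 / RSAT or later) in a domain that can serve the AD cmdlets; the domain, OU, GPO and server names are placeholders.

```powershell
# Added example: every name below is a placeholder (assumption), not a value from the thread.
Import-Module ActiveDirectory, GroupPolicy, NetSecurity

$DomainDns = 'example.local'                  # placeholder domain
$DomainDn  = 'DC=example,DC=local'
$OuName    = 'SharePoint Servers'             # placeholder OU for the one server
$OuDn      = "OU=$OuName,$DomainDn"
$GpoName   = 'SharePoint Firewall Exceptions' # placeholder GPO name
$Server    = 'SPSERVER01'                     # placeholder computer account
$Port      = 2007                             # the port from the question
$RuleName  = "Allow TCP $Port inbound"

# 1. Create the OU only if it does not exist yet.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" `
        -SearchBase $DomainDn -SearchScope OneLevel
if (-not $ou) { New-ADOrganizationalUnit -Name $OuName -Path $DomainDn }

# 2. Create the GPO and link it to the new OU, so it applies to that OU only.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Firewall exceptions for one server'
    New-GPLink -Guid $gpo.Id -Target $OuDn -LinkEnabled Yes | Out-Null
}

# 3. Define the exception inside the GPO. A rule stored in the GPO is
#    re-applied at every policy refresh, so it is still there after a reboot.
$session = Open-NetGPO -PolicyStore "$DomainDns\$GpoName"
$rule = Get-NetFirewallRule -GPOSession $session -DisplayName $RuleName `
          -ErrorAction SilentlyContinue
if (-not $rule) {
    New-NetFirewallRule -GPOSession $session -DisplayName $RuleName `
        -Direction Inbound -Protocol TCP -LocalPort $Port `
        -Action Allow -Profile Domain | Out-Null
}
Save-NetGPO -GPOSession $session

# 4. Move the server's computer account into the OU so the GPO reaches it.
Get-ADComputer -Identity $Server | Move-ADObject -TargetPath $OuDn

# 5. After "gpupdate /force" on the server (if it has the NetSecurity module),
#    confirm the rule is active and that it comes from Group Policy.
Get-NetFirewallRule -PolicyStore ActiveStore -DisplayName $RuleName |
    Select-Object DisplayName, Enabled, PolicyStoreSourceType
```

A `PolicyStoreSourceType` of `GroupPolicy` in the last step shows the exception is delivered by the GPO and not by a local rule.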