Solved

Adding exceptions to Windows Firewall via Group Policy

Posted on 2014-04-18
1,010 Views
Last Modified: 2014-05-03
I'm trying to get PST Station software working across the domain and have run into problems:

Overview:
PST Station is software that runs across the network, collecting and backing up PST files to a shared folder on a server.

Issue:
The problem that I ran into was that when the Client software on all users' computers started for the first time, it triggered Windows Firewall to prompt users to either ALLOW or BLOCK it. Of course they chose to BLOCK even after I specifically told them to ALLOW! Ugghh...
Since we have over 1200 computers across the US I need to find a way to fix this via GPO, and since the software runs on ports 3833 and 3835, I've created an entry under
Default Domain Policy|Computer Configuration|Policies|Administrative Templates|Network|Network Connections|Windows Firewall|Domain Profile
Windows Firewall: Define inbound Port Exceptions
to ALLOW these two ports with the string under Define port exceptions:
 
3835:TCP:localsubnet,10.0.0.0/8:enabled:PSTClient - Port 3835
3833:TCP:localsubnet,10.0.0.0/8:enabled:PSTClient - Port 3833


That works fine for the most part because the port is by all means OPEN (tested with Telnet).
The trouble that remains is the stupid software gets hung because those computers that initially selected "BLOCK" still have the entries listed in their Windows Firewall; as a matter of fact it has both ALLOW Port 3833 and 3835 and BLOCK Port 3833 and 3835.

My question is HOW do I remove the blocked ones from the Windows Firewall?
Question by:Floyd_Droid
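Before pushing a "Define inbound port exceptions" string to 1200 machines it is worth checking its syntax offline. The following is an added example, not code from the thread: it parses entries in the policy's port:transport:scope:status:name layout, validates the scope list ('*', 'localsubnet', addresses or CIDR subnets), and reports the reason for any entry it rejects. The sample entries are constructed: the first two are the question's PSTClient lines, the remaining three are deliberately malformed.

```python
"""Syntax check for 'Windows Firewall: Define inbound port exceptions' entries.

Added example, not code from the original thread. Entry layout assumed:
    port:transport:scope:status:name
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class PortException:
    port: int
    transport: str
    scope: List[str]
    status: str
    name: str


def parse_scope(scope: str) -> List[str]:
    """Validate each comma-separated scope token and return them normalised."""
    tokens = []
    for raw in scope.split(","):
        tok = raw.strip()
        if tok.lower() in ("*", "localsubnet"):
            tokens.append(tok.lower())
            continue
        try:
            # strict=False tolerates host bits set inside the prefix (10.1.2.3/8)
            ipaddress.ip_network(tok, strict=False)
        except ValueError as exc:
            raise ValueError(f"bad scope token {tok!r}: {exc}") from exc
        tokens.append(tok)
    if not tokens:
        raise ValueError("scope is empty")
    return tokens


def parse_port_exception(entry: str) -> PortException:
    """Parse one policy entry; raise ValueError with the reason on any defect."""
    # The rule name comes last and may contain spaces or dashes,
    # so split on the first four colons only.
    parts = entry.split(":", 4)
    if len(parts) != 5:
        raise ValueError(f"expected 5 colon-separated fields, got {len(parts)}")
    port_s, transport, scope, status, name = (p.strip() for p in parts)
    if not port_s.isdigit() or not 1 <= int(port_s) <= 65535:
        raise ValueError(f"port must be 1-65535: {port_s!r}")
    if transport.upper() not in ("TCP", "UDP"):
        raise ValueError(f"transport must be TCP or UDP: {transport!r}")
    if status.lower() not in ("enabled", "disabled"):
        raise ValueError(f"status must be enabled or disabled: {status!r}")
    if not name:
        raise ValueError("rule name is empty")
    return PortException(int(port_s), transport.upper(), parse_scope(scope),
                         status.lower(), name)


def check_entries(entries: List[str]) -> Tuple[List[PortException], List[str]]:
    """Return the parsed entries and a list of 'entry: reason' error strings."""
    good, errors = [], []
    for entry in entries:
        try:
            good.append(parse_port_exception(entry))
        except ValueError as exc:
            errors.append(f"{entry!r}: {exc}")
    return good, errors


# Constructed sample: the two lines from the question plus three bad ones.
SAMPLE_ENTRIES = [
    "3835:TCP:localsubnet,10.0.0.0/8:enabled:PSTClient - Port 3835",
    "3833:TCP:localsubnet,10.0.0.0/8:enabled:PSTClient - Port 3833",
    "3833:TCP:localsubnet,10.0.0.0/33:enabled:PSTClient - bad mask",
    "3833:ICMP:*:enabled:PSTClient - wrong transport",
    "3833:TCP:*:enabled",
]

if __name__ == "__main__":
    ok, bad = check_entries(SAMPLE_ENTRIES)
    for e in ok:
        print(f"OK   {e.port}/{e.transport} scope={','.join(e.scope)} {e.name}")
    for err in bad:
        print(f"FAIL {err}")
```

Run it as-is to see the two good lines accepted and the three bad ones rejected with a reason; replacing SAMPLE_ENTRIES with the strings copied out of the GPO editor gives a quick pre-deployment check.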
3 Comments
 
LVL 28

Expert Comment

by:serialband
ID: 40009828
Microsoft has a technet link that describes all the steps.  http://technet.microsoft.com/en-us/library/bb490626.aspx

Load a clean registry hive and save it to a file, then run the reg command on the remote system to load the registry settings you want.

http://blog.jkvine.com/2009/10/06/windows-firewall-registry-keys/
The group policy rules might be here.

Here's an example line taken from the above link.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

netsh advfirewall firewall add rule name="WePrint" dir=in action=allow profile=any description="WePrint Firewall Exception" program="C:\Program Files\WePrint\WePrint Server.exe"


And after FW GPO deployed, those rules are created under
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

Accepted Solution

by:
Floyd_Droid earned 0 total points
ID: 40027227
Sorry, I appreciate the effort but your directions did not help, not to mention they are very confusing for an average user (they spoke of Windows XP while I'm working in Windows 2008 Server), and given the magnitude of the network, with mostly Windows 7 and a few hundred Windows XP workstations... modifying the registry was not something I was willing to chance.

Instead I was able to create and run a script file that removed the entries from both Windows 7 and Windows XP:

@echo off
REM
REM SCRIPT TO REMOVE THE "BLOCKED" LOCAL FIREWALL POLICY THAT GOT ADDED TO SOME CLIENT WORKSTATIONS
REM THIS SCRIPT CAN BE CALLED THROUGH A COMPUTER STARTUP SCRIPT IN GROUP POLICY
REM RHK - 2014-04-23
REM
REM Win 7 64 bit
REM
c:\windows\system32\netsh.exe advfirewall delete rule name="PSTStation.Client" program="C:\program files (x86)\pststation client\pststationclient.exe"
REM
REM Win 7 32 bit
REM
c:\windows\system32\netsh.exe advfirewall delete rule name="PSTStation.Client" program="C:\program files\pststation client\pststationclient.exe"
REM
REM Win XP 64 bit
REM
c:\windows\system32\netsh.exe firewall delete allowedprogram "C:\program files (x86)\pststation client\pststationclient.exe"
REM
REM Win XP 32 bit
REM
c:\windows\system32\netsh.exe firewall delete allowedprogram "C:\program files\pststation client\pststationclient.exe"
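The script above deletes by name and program path on every machine it runs on. Before (or instead of) a blind startup-script delete, an administrator usually wants to know which workstations actually carry the user-created BLOCK rule. The following is an added example, not code from the thread or from the PST Station vendor: it parses the text that `netsh advfirewall firewall show rule name=all verbose` prints on Vista/7 and later, reports programs that have both an Allow and a Block rule, and emits the matching `netsh advfirewall firewall delete rule` commands. The listing embedded below is constructed in a trimmed version of that layout, not captured from a real machine; the parser only relies on the `Rule Name:` line starting each record and on `key: value` lines after it.

```python
"""Audit a workstation's local firewall rules for the Allow/Block pair and
emit netsh cleanup commands. Added example, not code from the original thread.
Usage on a client: netsh advfirewall firewall show rule name=all verbose > rules.txt
                   python fwaudit.py rules.txt
"""
import sys
from collections import defaultdict
from typing import Dict, List

# Constructed sample listing: the same rule name carries both an Allow and a
# Block entry for the PST Station client (the situation in the question) plus
# one unrelated rule that must be left alone.
SAMPLE_LISTING = r"""
Rule Name:                            PSTStation.Client
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Protocol:                             TCP
LocalPort:                            Any
Program:                              C:\Program Files (x86)\PSTStation Client\PSTStationClient.exe
Action:                               Allow

Rule Name:                            PSTStation.Client
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Protocol:                             TCP
LocalPort:                            Any
Program:                              C:\Program Files (x86)\PSTStation Client\PSTStationClient.exe
Action:                               Block

Rule Name:                            Remote Desktop (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain
Protocol:                             TCP
LocalPort:                            3389
Program:                              C:\Windows\system32\svchost.exe
Action:                               Allow
"""


def parse_rule_listing(text: str) -> List[Dict[str, str]]:
    """Turn the key/value listing into one dict per rule."""
    rules, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or set(stripped) == {"-"}:
            continue                       # blank line or separator
        key, sep, value = line.partition(":")   # first colon only: paths keep "C:\"
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Rule Name":             # every record starts with this line
            current = {"Rule Name": value}
            rules.append(current)
        elif current is not None:
            current[key] = value
    return rules


def rules_by_program(rules: List[Dict[str, str]]) -> Dict[str, Dict[str, list]]:
    """Group rules by program path (case-insensitive) and by action."""
    grouped = defaultdict(lambda: {"Allow": [], "Block": []})
    for rule in rules:
        program = rule.get("Program", "")
        if not program or program.lower() == "any":
            continue                       # port/service rules without a program
        if rule.get("Action") in ("Allow", "Block"):
            grouped[program.lower()][rule["Action"]].append(rule)
    return dict(grouped)


def conflicting_programs(rules: List[Dict[str, str]]) -> List[str]:
    """Program paths that carry both an Allow and a Block rule."""
    return sorted(p for p, by_act in rules_by_program(rules).items()
                  if by_act["Allow"] and by_act["Block"])


def cleanup_commands(rules: List[Dict[str, str]], program_suffix: str) -> List[str]:
    """netsh delete commands for each Block rule whose program ends in program_suffix."""
    cmds, seen = [], set()
    for rule in rules:
        program = rule.get("Program", "")
        if rule.get("Action") != "Block" or not program.lower().endswith(program_suffix.lower()):
            continue
        key = (rule["Rule Name"], program.lower(), rule.get("Direction", "In").lower())
        if key in seen:
            continue
        seen.add(key)
        cmds.append(f'netsh advfirewall firewall delete rule name="{rule["Rule Name"]}" '
                    f'dir={key[2]} program="{program}"')
    return cmds


if __name__ == "__main__":
    listing = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LISTING
    parsed = parse_rule_listing(listing)
    print(f"{len(parsed)} rules parsed; programs with Allow+Block: {conflicting_programs(parsed)}")
    for cmd in cleanup_commands(parsed, "pststationclient.exe"):
        print(cmd)
```

One caveat the thread's own script also depends on: `netsh advfirewall firewall delete rule` takes no action= filter, so the emitted command removes every rule with that name and program, the Allow entry included. That is acceptable here only because the GPO-defined port exception supplies the allow afterwards; on a machine where the program rule is the only allow, the delete would cut the client off.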

Author Closing Comment

by:Floyd_Droid
ID: 40039034
Since there was just one reply and the suggested solution would not have worked, and I ended up resolving this issue in a totally different way that works, I therefore claim my own documented solution.