Windows – Open a Firewall Port with Group Policy

Define Inbound Port Exceptions

KB ID 0000979 

Problem

If you don't simply disable the Windows firewall (and you shouldn't), you need a way to manage which ports are open on your machines. The simplest way to do this is with Group Policy. This week I had to open TCP port 9053 on the local firewall of my McAfee MOVE Offload Servers. Below I open that port on all my machines, but in production I would only link the GPO to the OU that contains the MOVE Offload servers, so the exception is not pushed to every computer in the domain.

Solution

1. On a domain controller, or a client with the Remote Server Administration Tools installed > Windows Key+R > gpmc.msc {Enter} > The Group Policy Management Console will open.

GPMC shortcut

2. Select the OU that contains the computers you want to enforce this policy on, (or, as here, the entire domain) > Right Click > 'Create a GPO in this domain, and Link it here...'.

Firewall GPO link

3. Give the policy a sensible name so you can see what it is doing later.

Firewall Group Policy Create

4. Right click your new policy > Edit.

Firewall GPO Edit

5. Navigate to;

Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile > Windows Firewall: Define inbound port exceptions

Note that this setting only affects the Domain profile, (i.e. when the machine can reach a domain controller). The same setting for the Private/Public profiles is under Standard Profile in the same location.

Firewall GPO Domain Firewall

6. Open the policy and enable it > Show.

Firewall Policy open a port

7. As this is a new policy the list will be empty, (you can return and add multiple entries to this policy later if you require further ports opening). In the example below I've opened port 9053, over TCP, the asterisk as the scope means 'from anywhere', I've set the status to enabled, and called it McAfee Move. In production prefer a narrower scope, (the subnet or addresses that actually need to reach the port), because '*' accepts connections from any source address.

Port Exception Syntax

<Port>:<Transport>:<Scope>:<Status>:<Name>

  • <Port>: Number in decimal from 0 to 65,535
  • <Transport>: TCP or UDP
  • <Scope>: Where the traffic is coming from, i.e 192.168.1.1, or 192.168.1.0/24, or simply 'localsubnet' or '*' for everywhere. You can enter multiple values separated with a comma.
  • <Status>: enabled or disabled (a disabled entry is still delivered to the machine but the rule is not active)
  • <Name>: A simple text entry to define what the exception is, (it must not contain a colon, as that is the field separator).

So the entry for the example above is 9053:TCP:*:enabled:McAfee Move

Firewall GPO TCP Port

8. OK > Apply > OK > Close the Group Policy Management Editor. If your GPMC is on Windows Server 2012 or later you can force a policy refresh on a particular OU from the console, (Right Click the OU > Group Policy Update...) like so.

2012 force GPO update

9. Or simply run gpupdate /force on the target machine, (or you could wait for the normal refresh, which for computers is every 90 minutes plus a random offset of up to 30 minutes, or reboot the target machines.)

gpupdate force

10. To make sure it has worked on the target machine > Windows Key+R > wf.msc {Enter} > Inbound Rules > Your rule should be visible.

Firewall GPO

11. If you open the rule you can see it's been applied by Group Policy, and check the correct port and protocol have been defined.

Firewall port exception
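The same procedure, (steps 2 to 11 above, including building a correctly formed port exception string), scripted in PowerShell from a domain-joined admin workstation. This is an added example, not code from the original article: the GPO name, OU path, subnet and server name are placeholders, and the registry location is the one the 'Define inbound port exceptions' setting writes to, (the GloballyOpenPorts\List key, where each entry is a REG_SZ whose name and data are both the Port:Transport:Scope:Status:Name string). It requires the GroupPolicy module from RSAT, and Windows Server 2012 or later for Invoke-GPUpdate.

```powershell
# Added example (not the article's own code): create a GPO that opens an inbound port
# via the "Define inbound port exceptions" setting, then verify it on a target server.
Import-Module GroupPolicy

# Registry key behind Computer Configuration > Policies > Administrative Templates >
# Network > Network Connections > Windows Firewall > Domain Profile > Define inbound port exceptions.
$ListKey = 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List'

function New-FirewallPortException {
    # Builds and validates a "Port:Transport:Scope:Status:Name" entry so a typo is caught
    # here instead of being silently ignored by the firewall on the client.
    param(
        [Parameter(Mandatory)][ValidateRange(0, 65535)][int]$Port,
        [Parameter(Mandatory)][ValidateSet('TCP', 'UDP')][string]$Transport,
        [string[]]$Scope = '*',
        [ValidateSet('enabled', 'disabled')][string]$Status = 'enabled',
        [Parameter(Mandatory)][string]$Name
    )
    # Scope entries: '*', 'localsubnet', or IPv4 address / CIDR / address+mask (simplified check,
    # IPv6 is not handled by this example).
    $ipv4 = '^\d{1,3}(\.\d{1,3}){3}(/(\d{1,2}|\d{1,3}(\.\d{1,3}){3}))?$'
    foreach ($s in $Scope) {
        if ($s -ne '*' -and $s -ne 'localsubnet' -and $s -notmatch $ipv4) {
            throw "Invalid scope entry '$s'"
        }
    }
    if ($Name -match ':') { throw 'Name must not contain a colon (it is the field separator)' }
    return '{0}:{1}:{2}:{3}:{4}' -f $Port, $Transport, ($Scope -join ','), $Status, $Name
}

# Constructed values for this example: the article's port, but scoped to the servers'
# subnet instead of '*' so only hosts on that subnet can reach it.
$Entry    = New-FirewallPortException -Port 9053 -Transport TCP -Scope '192.168.1.0/24' -Name 'McAfee Move'
$GpoName  = 'Firewall - McAfee MOVE Offload TCP 9053'          # placeholder
$TargetOU = 'OU=MOVE Offload Servers,DC=example,DC=com'          # placeholder
$Server   = 'MOVE-OFFLOAD-01'                                    # placeholder

# Steps 2-4: create the GPO and link it to the OU rather than the whole domain.
New-GPO -Name $GpoName | Out-Null
New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null

# Steps 5-7: add the port exception. Value name and value data are the same string.
Set-GPRegistryValue -Name $GpoName -Key $ListKey -ValueName $Entry -Type String -Value $Entry | Out-Null

# Read the setting back from the GPO before waiting for a refresh.
Get-GPRegistryValue -Name $GpoName -Key $ListKey | Select-Object ValueName, Value

# Steps 8-9: push the computer policy refresh to the server (or run gpupdate /force there).
Invoke-GPUpdate -Computer $Server -Target Computer -Force -RandomDelayInMinutes 0

# Steps 10-11: confirm the effective rule. Rules delivered by Group Policy appear in the
# ActiveStore with PolicyStoreSourceType GroupPolicy; check port, protocol and Enabled.
Invoke-Command -ComputerName $Server -ScriptBlock {
    Get-NetFirewallPortFilter -PolicyStore ActiveStore |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '9053' } |
        Get-NetFirewallRule |
        Select-Object DisplayName, Enabled, Direction, Profile, PolicyStoreSourceType
}
```

The validation function rejects anything that would not match the policy's own syntax, (out-of-range port, unknown transport or status, a colon in the name), which matters because a malformed entry produces no error in GPMC, the port just never opens. The verification at the end asserts on what the server actually enforces rather than on what the GPO says, so a machine whose network is not in the Domain profile, (where this setting does not apply), shows up as having no rule.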


Related Articles, References, Credits, or External Links

Windows Group Policy – Disable The Local Windows Firewall

Author: Migrated