Windows – Open a Firewall Port with Group Policy

Define Inbound Port Exceptions

KB ID 0000979 

Problem

If you don't simply disable the Windows firewall, you need a way to manage which ports are open on your machines. The simplest way to do this is via group policy. This week I had to open TCP port 9503 on the local firewall of my McAfee Move Offload Servers. Below I will open that port on all my machines, but in production I will only apply the GPO to the OU that contains my Move Offload servers.

Solution

1. On a domain controller or a client running the remote administration tools > Windows Key+R > gpmc.msc {Enter} > The Group Policy Management Console will open.

2. Select the OU that contains the ‘Computers’ you want to enforce this policy on, (or here I’m choosing the entire domain) > Right Click > ‘Create a GPO in this domain, and Link it here…’.

3. Give the policy a sensible name so you can see what it is doing later.

4. Right click your new policy > Edit.

5. Navigate to;

[box]

Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile > Windows Firewall: Define inbound port exceptions

[/box]

6. Open the policy and enable it > Show.

7. As this is a new policy the list will be empty, (you can return and add multiple entries to this policy later if you require further ports opening). In the example below I’ve opened port 9053, over TCP, the asterisk means ‘from anywhere’, I’ve Enabled the rule, and called it McAfee Move.

Port Exception Syntax

<Port>:<Transport>:<Scope>:<Status>:<Name>

  • <Port>: Number in decimal from 0 to 65,535
  • <Transport>: TCP or UDP
  • <Scope>: Where the traffic is coming from, e.g. 192.168.1.1, or 192.168.1.0/24, or simply ‘localsubnet’ or ‘*’ for everywhere. You can enter multiple values separated with a comma.
  • <Status>: ‘enabled’ or ‘disabled’, (this is the Enabled setting mentioned in step 7).
  • <Name>: A simple text entry to define what the exception is.
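Because a malformed entry is silently ignored rather than reported, it is worth checking the strings before they go into the policy. The following validator is an added example (not from the original article) and checks each field of the Port:Transport:Scope:Status:Name string against the rules above; the sample entries are constructed, based on the McAfee Move rule.

```python
import re
from typing import Optional

# Added example, not from the original article: validate entries for the "Windows Firewall:
# Define inbound port exceptions" policy before pasting them into the GPO. Windows stores
# each entry as Port:Transport:Scope:Status:Name, Status being enabled or disabled.
_PORT = re.compile(r"[0-9]{1,5}")
_IPV4 = re.compile(r"([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})(?:/([0-9]{1,2}))?")

def validate_port_exception(entry: str) -> Optional[str]:
    """Return None if the entry is well-formed, otherwise a description of the defect."""
    fields = entry.split(":", 4)            # the name is last and may itself contain colons
    if len(fields) != 5:
        return f"expected 5 colon-separated fields, got {len(fields)}: {entry!r}"
    port, transport, scope, status, name = fields
    if not _PORT.fullmatch(port) or int(port) > 65535:
        return f"port must be 0-65535, got {port!r}"
    if transport.upper() not in ("TCP", "UDP"):
        return f"transport must be TCP or UDP, got {transport!r}"
    for item in (s.strip() for s in scope.split(",")):
        if item.lower() in ("*", "localsubnet"):
            continue
        m = _IPV4.fullmatch(item)
        if not m:
            return f"scope item {item!r} is not *, localsubnet, an IPv4 address or a CIDR subnet"
        octets, prefix = [int(o) for o in m.groups()[:4]], m.group(5)
        if max(octets) > 255 or (prefix is not None and int(prefix) > 32):
            return f"scope item {item!r} has an out-of-range octet or prefix length"
    if status.lower() not in ("enabled", "disabled"):
        return f"status must be enabled or disabled, got {status!r}"
    if not name.strip():
        return "name must not be empty"
    return None

def check_all(entries):
    """Map each entry to its validation result (None means it is acceptable)."""
    return {e: validate_port_exception(e) for e in entries}

if __name__ == "__main__":
    # Constructed samples: the article's McAfee Move rule plus deliberately broken variants.
    samples = [
        "9053:TCP:*:enabled:McAfee Move",
        "9053:TCP:*:McAfee Move",                      # status field missing
        "70000:TCP:*:enabled:Port too high",
        "445:TCP:192.168.1.0/24,localsubnet:disabled:SMB from LAN only",
    ]
    for entry, problem in check_all(samples).items():
        print("OK     " if problem is None else "INVALID", entry, problem or "")
```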

8. OK > Apply > OK > Close the Group Policy Management Editor. If you have a Windows 2012 domain you can force the policy refresh on a particular OU like so.

9. Or simply run gpupdate /force on the target machine, (or you could also wait a couple of hours, or reboot the target machines.)

10. To make sure it has worked on the target machine > Windows Key+R > WF.msc {Enter} > Inbound Rules > Your rule should be visible.

11. If you open the rule you can see it’s been applied by group policy, and check that the correct port has been defined.


Related Articles, References, Credits, or External Links

Windows Group Policy – Disable The Local Windows Firewall

Configuring Multiple Cisco Switch Ports at the Same Time

KB ID 0001009 

Problem

If you have the same configuration that needs to be placed on multiple ports, then doing each one individually can be time consuming. To save time use the ‘interface range’ command. Be aware this command is only available on devices running IOS versions newer than 12.0(7)XE, Release 12.1 E, and Release 12.1(5)T.

Solution

1. From configure terminal mode, I want to apply the same configuration to Gigabit Ethernet ports 3 and 4. Note: There is a space each side of the hyphen.

[box]

Petes-Switch(config)#interface range GigabitEthernet 0/3 - 4
Petes-Switch(config-if-range)#switchport mode access
Petes-Switch(config-if-range)#switchport access vlan 123
Petes-Switch(config-if-range)#exit
Petes-Switch(config)#

[/box]

2. Let’s see if that worked;

[box]

Petes-Switch#show run
Building configuration...

Current configuration : 1888 bytes
!
<------------config removed for the sake of brevity------------>
!
interface GigabitEthernet0/3
switchport access vlan 123
switchport mode access
!
interface GigabitEthernet0/4
switchport access vlan 123
switchport mode access
!
<------------config removed for the sake of brevity------------>
!

end

[/box]

How To Configure Multiple Cisco ‘Non Contiguous’ Switch Ports

1. The process is the same as above, but you separate ranges, (or individual ports) with a comma. Note: There is a space each side of the comma.

[box]

Petes-Switch(config)#interface range GigabitEthernet 0/3 - 4 , GigabitEthernet 0/9 - 10
Petes-Switch(config-if-range)#switchport mode access
Petes-Switch(config-if-range)#switchport access vlan 123
Petes-Switch(config-if-range)#exit
Petes-Switch(config)#

[/box]

2. Let’s see if that worked;

[box]

Petes-Switch#show run
Building configuration...

Current configuration : 1888 bytes
!
<------------config removed for the sake of brevity------------>
!
interface GigabitEthernet0/3
switchport access vlan 123
switchport mode access
!
interface GigabitEthernet0/4
switchport access vlan 123
switchport mode access
!
interface GigabitEthernet0/5
!
<------------config removed for the sake of brevity------------>
!
interface GigabitEthernet0/9
switchport access vlan 123
switchport mode access
!
interface GigabitEthernet0/10
switchport access vlan 123
switchport mode access
!
<------------config removed for the sake of brevity------------>
!
end

[/box]

You can use the interface range command with the following interfaces;

  • FastEthernet
  • GigabitEthernet
  • TenGigabitEthernet
  • Port-Channel
  • VLAN

Related Articles, References, Credits, or External Links

NA