I’ve got nothing against the Windows firewall, it’s certainly a lot easier to manage now than it was back in the XP SP2 days. But I find a lot of clients still just ‘want it gone’ and, providing they have a decent corporate firewall in front of them that’s fair enough.
Solution
1. On a domain controller or a client running the remote administration tools > Windows Key+R > gpmc.msc {Enter} > The Group Policy Management Console will open.
2. Select the OU that contains the ‘Computers’ you want to enforce this policy on, (or here I’m choosing the entire domain) > Right Click > ‘Create GPO in this domain, and link it here..’.
3. Give the policy a sensible name so you can see what it is doing later.
4. Right click your new policy > Edit.
5. Navigate to;
[box]
Computer Configuration > Policies > Administrative Templates > Network > Network connections > Windows Firewall > Domain Profile > Windows Firewall: Protect all network connections
[/box]
6. Set the policy to disabled.
7. Close the Group Policy Management Editor. If you have a Windows 2012 domain you can force the policy refresh on a particular OU like so.
9. Or simply run gpupdate /force on the target machine, (or you could also wait a couple of hours, or reboot the target machines).
SBS Note
An (SBS) Small Business Server domain enables the client firewall by default! The policy us called Windows Firewall Policy, which is usually linked to the computer OU under ‘My Business’.
Related Articles, References, Credits, or External Links
For everyone who simply does not disable the Windows firewall, then you need to be able to manage what ports are open on your machines. The simplest way to do this is via group policy. This week I had to open TCP port 9503 on the local firewall of my McAfee Move Offload Servers. Below I will open that port on all my machines, but in production I will only apply the GPO to the OU with my Move Offload servers in it.
Solution
1. On a domain controller or a client running the remote administration tools > Windows Key+R > gpmc.msc {Enter} > The Group Policy Management Console will open.
2. Select the OU that contains the ‘Computers’ you want to enforce this policy on, (or here I’m choosing the entire domain) > Right Click > ‘Create GPO in this domain, and link it here..’.
3. Give the policy a sensible name so you can see what it is doing later.
7. As this is a new policy the list will be empty, (you can return and add multiple entries to this policy later if you require further ports opening). In the example below I’ve opened port 9053, over TCP, the asterisk means ‘from anywhere’, I’ve Enabled the rule, and called it McAfee Move.
<Scope>: Where the traffic is coming from, i.e 192.168.1.1, or 192.168.1.0/24, or simply ‘localsubnet’ or ‘*’ for everywhere. You can enter multiple values separated with a comma.
<Name>: A simple text entry to define what the exception is.
8. OK > Apply > OK > Close the Group Policy Management Editor. If you have a Windows 2012 domain you can force the policy refresh on a particular OU like so.
9. Or simply run gpupdate /force on the target machine, (or you could also wait a couple of hours, or reboot the target machines.)
10. To make sure it has worked on the target machine > Windows Key+R > WF.msc {Enter} > Inbound Rules > Your rule should be visible.
11. If you open the rule you can see its been applied by group policy, and check the correct port has been defined.
Related Articles, References, Credits, or External Links
By default all modern distributions of Windows come with their client firewall enabled. Which is a good thing, most corporate networks simply disable it using the rationale that they have a corporate firewall and security software etc. Again thats fine, but what if you want to leave it on, and still be able to ping that host to see if its alive.
Solution
The firewall exception is already written for you, you just have to enable it.
Open the Window Firewall with Advanced Security console > Inbound Rules > ‘File and Printer Sharing (Echo Request – ICMPv4-In) > Enable Rule > Obviously do the same for IPv6 (if required).
Related Articles, References, Credits, or External Links
FTP might be an ages old solution for moving files around, but a lot of people swear by it. With Windows Server it’s still supported, even if it is hidden as a ‘role service’.
Solution
Create a Security Group For Domain FTP Access
Note: For a Standalone/Workgroup server see below for setting up users and groups.
1. Launch Server Manager > Tools > Active Directory Administrative Center.
2. New > Group.
3. Give the group a sensible name.
4. Here I’m going to create a user to test with, in production you would just use the domain users who you want to give access to.
5. I will simply create a user called ‘ftpuser’.
6. Add the domain user(s) to your new security group.
7. Create a folder that will be the ‘root’ of your FTP site.
8. Grant your security group rights to this folder (Note: By default they will only get Read rights, you will need to add ‘Write’ if you want your users to be able to ‘put’ files).
Create a Security Group For Workgroup / Standalone FTP Access
1. From Server Manager > Tools >Computer Management.
2. System Tools > Local Users and Groups > Groups.
3. Give the group a sensible name.
4. I’m going to create a test user called ftpuser, this is done in Local users and groups > Users.
5. Place the user(s) you want to grant access to, into your local security group.
6. Crete a folder that will be the ‘root’ of your FTP site and open its properties.
7. On the security Tab > Advanced > Grant your security group rights to this folder (Note: By default they will only get Read rights, you will need to add ‘Write’ if you want your users to be able to ‘put’ files).
Windows Server 2012 Install FTP
1. From Server Manager > Tools > Add Roles and Features.
2. Next.
3. Next
4. Next
5. Select Web Server (IIS) > Select Add (when prompted) > Next.
6. Next
7. Next
8. Locate and Select FTP Server AND FTP Extensibility > Next.
9. Install
10. Close.
11. Reboot the server. This is because some of the firewall settings have a habit of not enabling until the server has restarted, this does not happen all the time, so you may be lucky and not need to reboot. But I’m a firm believer in ‘If something can go wrong, it will go wrong’.
Windows Server 2012 Configure FTP
1. Windows Key > Internet Information Services (IIS) Manager.
3. Expand the servername > Right click ‘Sites’ > Add FTP Site.
4. Give the site a name > Browse to the folder you are going to use as the FTP ‘root’ folder > Next.
5. Select No SSL (I’m not going to secure the site with web certificates) > Next.
6. Authentication = Basic > Allow Access to = Selected roles or user groups > Permissions = Select read and write as appropriate > Finish.
7. Windows Key+R > firewall.cpl > Allow an app or feature through Windows Firewall.
8. Ensure FTP Server is allowed for the ‘profile’ that your network card has been allocated.
9. Advanced Settings.
10. Incoming Rules.
11. There should be three FTP Settings, by default they should be enabled (for FTP Port 21, Passive Ports, and Secure FTP / TCP 990).
Windows 2012 FTP Server – Testing Access
1. You can test the firewall is open by opening a telnet session to the server on port 21;
[box]
telnet {ip address or name of server} 21
[/box]
2. This is what you should see (or in some cases a blinking cursor, if you are going through a firewall or device that suppresses response headers).
3. Or you can use a web browser and navigate to ftp://{ip address or name of the FTP server}.
4. Or from command line you can use the direct ftp command like so;
[box]
ftp {ip address or name of server}[/box]
Windows 2012 FTP Server – Testing External Access
To access the server externally (from the internet), requires your remote users to know either the public IP address or the public name of the server. In addition FTP (TCP Port 21) needs to be open to that IP address. This can be done by giving the server its own public IP address, or by Port Forwarding FTP from your public IP address to the private IP address of the FTP server. How that is done will differ depending on your firewall or router.
Note: If you have a Cisco Firewall, I’ll put the links you require on the bottom of the page.
1. Here I’m on an external machine, and I’m using FileZilla (a free FTP client) to connect to my FTP server.
2. Just to test I’ll drag a file to the FTP server, to make sure I can write/put files.
3. Here is the file uploaded.
4. Back on the server, in the ‘root’ folder you can see the file successfully uploaded.
Related Articles, References, Credits, or External Links
There are a number of reasons for you seeing this error, you will see this even if the Offload server(s) are shut down. In my case it was a new deployment, and the Windows firewall on the MOVE Offload server was blocking communication.
McAfee Updater OK
MOVE AV Multi-Platform Issue – MOVE AV Protection Disabled
Solution
Below I will configure the Windows firewall on my MOVE Offload Server, if you would prefer to do this via Group Policy see the following article.