Windows Firewall Group Policy

1DMF

Programmer
Jan 18, 2005
Hello,

I'm trying to set up a group policy to open some ports on the Windows Firewall for the Domain Users. I can find the policy via the Server Management Console (Windows Firewall: Allow local port exceptions).

But when I right click and choose edit all it does is open the Group Policy Snap In and I cannot find the policy I need to edit and add the ports I want to have exceptions on.

Can someone help?

Many Thanks,
1DMF.

"In complete darkness we are all the same, only our knowledge and wisdom separates us, don't let your eyes deceive you."
 
Have you installed the Group Policy Management Console? It helps a lot!

 
Well, I don't believe I've personally done this. How can I tell if the server providers did this as well when they pre-installed everything? What does it look like and how do I get to it?

Thanks, 1DMF.

 
I've been googling and found what I needed on this link....


However upon checking the setting it seems to be 'Enabled' and have found this note
Windows Firewall: Define port exceptions. If this policy setting is not configured, administrators can define a local port exceptions list. If it is enabled or disabled, administrators cannot define a local port exceptions list.

Which says that if it is enabled or disabled you cannot define port exceptions, yet if you click the policy, select Properties and click the 'Explain' tab, it says
If you enable this policy setting, you can view and change the port exceptions list defined by Group Policy. To view this port exceptions list, enable the policy setting and then click the Show button. To add a port, enable the policy setting, note the syntax, click the Show button, click the Add button, and then type a definition string that uses the syntax format.

I'm going to just go ahead and add some port exceptions and see how I get on, but does anyone know why the contradiction, or am I reading something wrongly?

A little confused [ponder] 1DMF


 
Regardless of what was said and where, here is what you need to do:
Edit the group policy with gpmc.msc. Under Computer Configuration->Administrative Templates->Network->Network Connections->Domain Profile, be sure to ENABLE "Define Port Exceptions". Then click the SHOW button within this item. ADD exceptions in a format like this, without the quotes, e.g. "293:TCP:*:Enabled:Symantec - Port", where 293 is the port number and TCP is the type.



Be sure you have the appropriate templates loaded on whatever machine you are using to edit the policy. If you don't have the necessary ADM file, things won't show up correctly.
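To catch typos before pasting entries into the Show/Add dialog, here is an added example (not from this thread or from Microsoft) that validates definition strings in the shape shown above. It assumes the field order port:protocol:scope:status:name, with scope being "*", "localsubnet" or a comma-separated IP/subnet list, and it also lists entries that are open to any source address so they can be reviewed.

```python
import ipaddress

# Entry shape in "Define port exceptions" (assumed from the thread's example):
#   <port>:<protocol>:<scope>:<status>:<name>, scope = "*", "localsubnet" or IP/subnet list

def _scope_ok(scope):
    if scope in ("*", "localsubnet"):
        return True
    try:
        [ipaddress.ip_network(i.strip(), strict=False) for i in scope.split(",")]
        return True
    except ValueError:
        return False

def parse_port_exception(entry):
    """Return a dict for a valid entry or raise ValueError naming the first defect."""
    parts = entry.split(":", 4)  # the name field may itself contain ':'
    if len(parts) != 5:
        raise ValueError(f"expected 5 ':'-separated fields: {entry!r}")
    port, proto, scope, status, name = parts
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"port must be 1-65535: {port!r}")
    if proto.upper() not in ("TCP", "UDP"):
        raise ValueError(f"protocol must be TCP or UDP: {proto!r}")
    if not _scope_ok(scope):
        raise ValueError(f"scope must be *, localsubnet or IP/subnet list: {scope!r}")
    if status.lower() not in ("enabled", "disabled"):
        raise ValueError(f"status must be Enabled or Disabled: {status!r}")
    return {"port": int(port), "protocol": proto.upper(), "scope": scope,
            "enabled": status.lower() == "enabled", "name": name}

def check_entries(entries):
    # Returns (parsed, errors, wide_open_ports) for a pasted list of entries.
    parsed, errors, wide_open = [], [], []
    for e in entries:
        try:
            p = parse_port_exception(e)
        except ValueError as exc:
            errors.append(str(exc))
            continue
        parsed.append(p)
        if p["enabled"] and p["scope"] == "*":   # open to any source address: worth a second look
            wide_open.append(p["port"])
    return parsed, errors, wide_open

# Constructed sample: the entry quoted in the thread plus deliberately broken ones.
SAMPLE = [
    "293:TCP:*:Enabled:Symantec - Port",
    "8192:UDP:192.168.0.0/24,10.0.0.5:Enabled:AV agent (constructed)",
    "70000:TCP:*:Enabled:bad port",
    "443:ICMP:localsubnet:Enabled:bad protocol",
]
```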

 
With Small Business Server the Windows Firewall on XP is configured automatically. There should be no need to enable anything further.

And, you most certainly do NOT need to modify the default Group Policy Objects in most instances.

Generally, if the XP Firewall has not been configured it's because you did not join your workstations to the domain correctly by first adding them with the Add-Client-Computers wizard (or as part of the Add User Wizard) and then going to the workstation and running to join the computer to the domain.

If you manually joined the workstations to the domain through System Properties, then they are not going to get the proper settings from SBS. To resolve this, you need to do the following on each workstation:


At the client machine:
1. Log in with THAT machine's LOCAL administrator account.
2. Unjoin the domain into a WORKGROUP
3. Change the name of the computer (this is not an option, you must use a name that is unique and hasn't been used before on your SBS)
4. Delete or rename the following directory C:\Program Files\Microsoft Windows Small Business Server\Clients if it exists
5. Make sure that the network settings are configured to get an IP address automatically (DHCP enabled)
6. Reboot

Then on the server, from the Server Management Console:
1. Remove the client computers if it still shows in the Client Computer screen on the Server Management Console
2. Add the client with its NEW name using the Add Computer wizard

Then, go back to the client machine, log back in with the local Administrator account and join the domain by opening Internet Explorer and navigating to
If after all that you still want to make modifications to the XP Firewall via Group Policy then you need to first back up the default GPO's and then you can edit the GPO called "Small Business Server Windows Firewall". There's also one called "Small Business Server Internet Connection Firewall" but that was for Pre-SP2 XP Machines so it's no longer used.

A visual how-to for this is here:

Jeffrey B. Kane
TechSoEasy
 
I added the port exceptions and everything is running fine, thanks anyhow.

And, you most certainly do NOT need to modify the default Group Policy Objects in most instances.
Well, that's not what Sophos tells me. They say I need 3 ports open for their software to work properly, so I have added them to the group policy and now every user has these port exceptions.


1DMF
 
Actually you do need to modify the group policy if you are looking to make port exceptions that are not part of the default setup. That is the purpose of the firewall group policy. With it you are able to make changes for all machines on your SBS network without allowing all the users to make changes on their own. There are often many ports you will need to open in a secure environment such as ports used by Symantec AV products.
 
Which is why I ended my comments with an "if you do want to ..." statement.

However, I've found in the past that it's better to leave the default GPOs alone and to create separate ones for any additional changes for third party applications. That way if the third party apps change, you can just remove or modify the additional GPO.



Jeffrey B. Kane
TechSoEasy
 