System Center Essentials 2007 Wiki

Firewall Policy

Configuring Group Policy to be able to discover and deploy Essentials 2007 Agents to computers behind a firewall


 

Step 1: Log on as a Domain Administrator on the Domain Controller server (Windows Server 2003 with Service Pack 1)

 

Step 2: Go to Start > Administrative Tools > Active Directory Users and Computers

 

Step 3: To set the Group Policy for the whole domain, right-click the domain name and choose “Properties”. To apply the Group Policy only to certain Organizational Units, select the OU and follow the same steps.

Step 4: Choose the Group Policy Tab and then select the Default Domain Policy and click “Edit”

 

Step 5: The Group Policy Object Editor will open. Navigate to Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile

 

Step 6: In the Domain Profile settings, double-click “Windows Firewall: Allow remote administration exception”.
Step 7: Under “Settings” choose the “Enabled” option, and in the “Allow unsolicited incoming messages from:” text box enter the IP address or addresses of the Principal Management Server or Management Servers that will manage the agents in that domain or OU. Separate multiple Management Server IP addresses with commas. Once completed, click “OK”.

 

Step 8: In the Domain Profile settings, double-click “Windows Firewall: Allow file and printer sharing exception”.
Step 9: Under “Settings” choose the “Enabled” option, and in the “Allow unsolicited incoming messages from:” text box enter the IP address or addresses of the Principal Management Server or Management Servers that will manage the agents in that domain or OU. Separate multiple Management Server IP addresses with commas. Once completed, click “OK”.

Step 10: In the Domain Profile settings, double-click “Windows Firewall: Define port exceptions”.
Step 11: Under “Setting” choose the “Enabled” option and click the “Show” button. Click “Add” in the “Show Contents” dialog and enter “6270:TCP:<IP address of principal management server>:enabled:SCOMAgent”

 

Note: By default, Group Policy takes 90 minutes to push the configuration down to the server and client machines. To make a computer pull down the new Group Policy configuration, open a command window on the server machine by going to Start > Run and typing cmd.

Once the command window is open, type gpupdate /force.
To see whether the Group Policy configuration reached a server, go to Start > Run, type rsop.msc, and scroll to Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\. Check that the IP address exceptions set for the remote administration exception and the file and printer sharing exception were applied to the local machine.
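
Added example (not part of the original wiki page): once the applied values have been read from rsop.msc, this Python script checks that each exception's scope is limited to the management servers and parses the “Define port exceptions” entry format shown above. The 192.0.2.x addresses are constructed placeholders and the function names are hypothetical; the checks for `*`, `localsubnet` and subnet notation go beyond the page's comma-separated IP list to cover other scope values that Windows Firewall policy accepts.

```python
import ipaddress

# Constructed sample addresses (documentation range), standing in for the management servers.
MANAGEMENT_SERVERS = {"192.0.2.10", "192.0.2.11"}

def audit_scope(setting, scope, allowed=MANAGEMENT_SERVERS):
    """Findings for one "Allow unsolicited incoming messages from:" value."""
    findings = []
    for item in (part.strip() for part in scope.split(",")):
        if item == "*":
            findings.append(f"{setting}: '*' accepts connections from any address")
        elif item.lower() == "localsubnet":
            findings.append(f"{setting}: 'localsubnet' admits every host on the local subnet")
        elif "/" in item:
            findings.append(f"{setting}: subnet notation '{item}' used; list individual servers")
        else:
            try:
                addr = str(ipaddress.ip_address(item))
            except ValueError:
                findings.append(f"{setting}: '{item}' is not a valid IP address")
                continue
            if addr not in allowed:
                findings.append(f"{setting}: {addr} is not a listed management server")
    return findings

def parse_port_exception(entry):
    """Split a "Define port exceptions" entry: port:protocol:scope:status:name."""
    fields = [f.strip() for f in entry.split(":")]
    if len(fields) != 5:  # IPv4 scopes only; an IPv6 scope would add colons
        raise ValueError(f"expected 5 colon-separated fields: {entry!r}")
    port, protocol, scope, status, name = fields
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        raise ValueError(f"bad port in {entry!r}")
    if protocol.upper() not in ("TCP", "UDP") or status.lower() not in ("enabled", "disabled"):
        raise ValueError(f"bad protocol or status in {entry!r}")
    return {"port": int(port), "protocol": protocol.upper(), "scope": scope,
            "status": status.lower(), "name": name}

def audit_port_exception(entry, allowed=MANAGEMENT_SERVERS):
    """Audit the scope of an enabled port exception; disabled entries open nothing."""
    rule = parse_port_exception(entry)
    if rule["status"] != "enabled":
        return []
    return audit_scope(f"port {rule['port']}/{rule['protocol']} ({rule['name']})",
                       rule["scope"], allowed)

if __name__ == "__main__":
    print(audit_scope("File and printer sharing", "192.0.2.10,localsubnet")
          + audit_port_exception("6270:TCP:*:enabled:SCOMAgent"))
```

An empty result list means the setting admits only the listed management servers.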

 

Once these steps are completed, you can push the agent to computers that have the firewall enabled.

 

For more information on group policy please visit: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ics/ics/windows_firewall_start_page.asp

 

To apply Group Policy to specific computers please visit:
http://support.microsoft.com/kb/555253/en-us

 


Last Modified 1/31/07 12:20 PM