Tuesday, February 13, 2007

Configuring the Vista Firewall by Group Policy


Adding a firewall rule to a Vista client through Group Policy is a little more involved than it is for Windows XP. Not because the rule itself is harder to write, but because there is no ADMX configuration file for the Vista firewall.

But there is hope...

It is recommended that you only use this procedure to open a path for an application through the Windows Vista firewall when you have installed that application to the same program path on every computer on the network, because the policy applies to the entire domain. If you don't use the policy, the user can instead accept the prompt on each computer when the application first attempts to get through the firewall.

  1. From a Vista client connected to the domain (this is the main difference: you can't edit the policy from the server), log on as the domain administrator

  2. Open gpmc.msc

  3. Navigate through your domain to the Small Business Group Policies

  4. Right-click Small Business Server – Windows Vista policy (which will be available with the Vista Update coming soon), and then click Edit. The Group Policy Object Editor appears

  5. Computer Configuration -> Windows Settings -> Windows Firewall with Advanced Security -> Windows Firewall with Advanced Security (no, this isn't a repeat of the UI)

  6. Right-click Outbound Rules, and then click New Rule

  7. On the Rule Type page, accept the default of Program, and then click Next.

  8. On the Program page, type the exact path used for installing the application on your client computers, for example, c:\path\program.exe

  9. On the Action page, select the option to Allow the Connection

  10. On the Profile page, select the types of network location that the rule will apply to (Domain, Private, or Public)

  11. On the Name page, type a name and description for this program rule and then click Finish.

  12. Close the Group Policy Object Editor and then close Group Policy Management


Note – to apply the policy immediately, run "gpupdate /force" from an elevated command prompt on the client

Why didn't the SBS team do this?
SBS didn't automatically configure the Vista Windows Firewall, because the new Vista firewall requires you to specify fully qualified paths to your installed applications. Since we have no way to know if you installed all the applications to the default locations, we chose not to open the firewall for applications that (1) may not exist, and (2) may be in a different location. Take extra care when creating such policies to not create exceptions in your client firewalls for applications that do not exist, or are installed in different locations.
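The rule created above is only safe when c:\path\program.exe really exists at that path on every client. The following script is an added example, not part of the original post or of SBS, that checks each client over its administrative share before you deploy the rule; it assumes PowerShell 2.0 or later, rights to the clients' C$ shares, and placeholder values for the computer names and program path.

```powershell
# Added example (not from the original post): confirm that the program path you are
# about to put in the domain-wide outbound rule exists on every client, so the policy
# does not open the firewall for an application that is missing or installed elsewhere.
# Assumptions: PowerShell 2.0+, admin-share (C$) access to each client,
# and placeholder values for $programPath and $clients.

$programPath = 'C:\path\program.exe'           # exact path typed on the Program page (placeholder)
$clients     = @('VISTA-PC01', 'VISTA-PC02')   # constructed sample computer names

# Turn a local path such as C:\path\program.exe into \\COMPUTER\C$\path\program.exe
function ConvertTo-AdminSharePath {
    param([string]$Computer, [string]$LocalPath)
    $drive = $LocalPath.Substring(0, 1)   # drive letter
    $rest  = $LocalPath.Substring(3)      # everything after "C:\"
    return "\\$Computer\$drive`$\$rest"
}

$results = foreach ($c in $clients) {
    $unc       = ConvertTo-AdminSharePath -Computer $c -LocalPath $programPath
    $reachable = Test-Connection -ComputerName $c -Count 1 -Quiet
    $found     = $false
    if ($reachable) { $found = Test-Path -LiteralPath $unc }
    New-Object PSObject -Property @{
        Computer  = $c
        Reachable = $reachable
        PathFound = $found
        Checked   = $unc
    }
}

$results | Format-Table Computer, Reachable, PathFound, Checked -AutoSize

# Any client without the file (or unreachable, so unverified) blocks deployment.
$missing = @($results | Where-Object { -not $_.PathFound })
if ($missing.Count -gt 0) {
    Write-Warning ("Do not deploy the rule yet: {0} client(s) lack or could not verify {1}" -f $missing.Count, $programPath)
} else {
    Write-Host "All clients have $programPath; create the rule in GPMC as described above."
    # Equivalent single-client rule, for reference (netsh advfirewall syntax):
    Write-Host ("netsh advfirewall firewall add rule name=`"Allow program.exe out`" dir=out action=allow program=`"{0}`" profile=domain" -f $programPath)
}
```

An unreachable client is reported as not verified rather than assumed fine, since the rule would still apply to it once it comes back on the domain.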

4 comments:

Anonymous said...

Surely they could have made it easier...

Anonymous said...

That's just annoying, so now I have to get in my car and drive the 75 mile round trip to get this work done. I really hope 7 isn't the same.

Not everyone is dumb enough to not set up things to default locations that don't exist....

massage nashville said...

This is a great place for me to visit as I need to understand more of this

healthcare tv said...

This is truly a great read for me. I have bookmarked it and I am looking forward to reading new articles. Keep up the good work!