Cool Solutions

Firewall Settings for ZCM on Windows 2003

August 14, 2008 11:19 am

Having trouble imaging workstations in a WAN environment using ZCM? One likely cause is the Windows Firewall. Below is a sample MS-DOS batch file that opens the required ports in the firewall and restricts that traffic to specific source subnets. I even threw in the entry for Remote Desktop, also subnet-restricted.

The two example WAN subnets are 123.45.x.x and 67.89.x.x. You can have more or less by editing the script to tailor it to your environment.

Also, running “netsh firewall /?” will give you additional options for the script.

Just copy and paste this into Notepad and customize it. Save it as a *.bat file, double-click it, and you're good to go. The server will now allow imaging traffic, but only from the specified subnets.


::This bat file opens ports in the Windows Firewall
::Written by Peter Filardo August 2008 as an example for Novell Cool Solutions

::The following opens ports for ZCM Imaging services from specific WAN subnets
netsh firewall add portopening TCP 67 "ZENworks DHCP-PXE" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening UDP 67 "ZENworks DHCP-PXE" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening TCP 69 "ZENworks TFTP" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening UDP 69 "ZENworks TFTP" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening TCP 80 "ZENworks Tomcat" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening UDP 80 "ZENworks Tomcat" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening TCP 443 "ZENworks Tomcat" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening UDP 443 "ZENworks Tomcat" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening TCP 998 "ZENworks ProxyDHCP" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening UDP 998 "ZENworks ProxyDHCP" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening TCP 1433 "ZENworks MS-SQL" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening UDP 1433 "ZENworks MS-SQL" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening TCP 1521 "ZENworks Oracle" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening UDP 1521 "ZENworks Oracle" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening TCP 2638 "ZENworks Sybase" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening UDP 2638 "ZENworks Sybase" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening TCP 2645 "ZENworks CASA" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening UDP 2645 "ZENworks CASA" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening TCP 4011 "ZENworks ProxyDHCP" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening UDP 4011 "ZENworks ProxyDHCP" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening TCP 5550 "ZENworks RM Listener" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening UDP 5550 "ZENworks RM Listener" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening TCP 5950 "ZENworks Agent Listener" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening UDP 5950 "ZENworks Agent Listener" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening TCP 7628 "ZENworks Adaptive Agent" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening UDP 7628 "ZENworks Adaptive Agent" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening TCP 8005 "ZENworks Tomcat" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening UDP 8005 "ZENworks Tomcat" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening TCP 8009 "ZENworks Tomcat" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening UDP 8009 "ZENworks Tomcat" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening TCP 13331 "ZENworks Preboot Policy" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening UDP 13331 "ZENworks Preboot Policy" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL

::The following creates an allowance for the ZENworks Remote Management
netsh firewall add allowedprogram "C:\Program Files\Novell\ZENworks\bin\nzrWinVNC.exe" "Novell ZENworks Remote Management" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL

::The following opens the Remote Desktop (RDC) port from the same WAN subnets
netsh firewall add portopening TCP 3389 "Remote Desktop" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL

pause

I know what you're thinking, and yes, it is indeed a great many holes punched. But running a Windows Server OS with no firewall in a public IP setup, like a university, is a major no-no. At least by restricting the exceptions to the institution's subnets, you lower the exposure and hopefully mitigate the threat to an acceptable degree.
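The scoping argument in that last paragraph is easy to check mechanically before the batch file is run. The Python script below is an added example, not part of the original post or of ZENworks: it parses the positional "netsh firewall add portopening" and "netsh firewall add allowedprogram" form the batch file uses and reports any exception that is reachable from outside the approved subnets, plus any port opened on a transport the service does not use. The sample script embedded in it is constructed, and the single-transport table (DHCP and TFTP on UDP; HTTP, HTTPS and RDP on TCP) is an assumption based on standard port assignments, not something the post states.

```python
"""Audit a Windows 2003 'netsh firewall add ...' batch script for over-wide exceptions.
Added example, not part of the original post: it parses the positional
'netsh firewall add portopening' / 'add allowedprogram' form the post uses and
reports exceptions not limited to an approved set of source subnets."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

MODES = {"ENABLE", "DISABLE"}
SCOPES = {"ALL", "SUBNET", "CUSTOM"}
PROFILES = {"CURRENT", "DOMAIN", "STANDARD", "ALL"}
# Assumption: standard single-transport services (DHCP, TFTP, HTTP, HTTPS and RDP
# on a 2003-era server). Opening the other transport for them only adds exposure.
SINGLE_PROTOCOL_PORTS = {67: "UDP", 69: "UDP", 80: "TCP", 443: "TCP", 3389: "TCP"}
APPROVED_SUBNETS = {"123.45.0.0/255.255.0.0", "67.89.0.0/255.255.0.0"}  # the post's example WAN subnets

# Constructed sample in the form of the post's script; lines 3, 5 and 6 are
# deliberately wider than needed so the audit has something to report.
SAMPLE_BAT = r"""::Constructed sample script
netsh firewall add portopening TCP 80 "ZENworks Tomcat" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening UDP 80 "ZENworks Tomcat" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening UDP 69 "ZENworks TFTP" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening TCP 3389 "Remote Desktop" ENABLE ALL
netsh firewall add portopening TCP 1433 "ZENworks MS-SQL" ENABLE CUSTOM 123.0.0.0/255.0.0.0 ALL
netsh firewall add allowedprogram "C:\Program Files\Novell\ZENworks\bin\nzrWinVNC.exe" "Novell ZENworks Remote Management" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
pause
"""


@dataclass
class Rule:
    line: int
    kind: str        # "portopening" or "allowedprogram"
    target: str      # "TCP 80" or the program path
    name: str
    mode: Optional[str]
    scope: Optional[str]
    addresses: Optional[str]
    profile: Optional[str]


@dataclass
class Finding:
    line: int
    rule: str
    detail: str


_TOKEN = re.compile(r'"[^"]*"|\S+')


def _tokens(line: str) -> List[str]:
    """Split on whitespace but keep quoted names and paths as single tokens."""
    return [t.strip('"') for t in _TOKEN.findall(line)]


def _parse_tail(t: List[str]):
    """Optional positional tail of both commands: [mode] [scope] [addresses] [profile]."""
    mode = scope = addresses = profile = None
    i = 0
    if i < len(t) and t[i].upper() in MODES:
        mode, i = t[i].upper(), i + 1
    if i < len(t) and t[i].upper() in SCOPES:
        scope, i = t[i].upper(), i + 1
    if scope == "CUSTOM" and i < len(t):  # an address list only follows CUSTOM
        addresses, i = t[i], i + 1
    if i < len(t) and t[i].upper() in PROFILES:
        profile = t[i].upper()
    return mode, scope, addresses, profile


def parse_script(text: str) -> List[Rule]:
    """One Rule per 'netsh firewall add ...' line; comments, 'pause' and blanks are skipped."""
    rules = []
    for n, raw in enumerate(text.splitlines(), start=1):
        t = _tokens(raw)
        if len(t) < 4 or [x.lower() for x in t[:3]] != ["netsh", "firewall", "add"]:
            continue
        kind = t[3].lower()
        if kind == "portopening" and len(t) >= 7:
            target, name, tail = f"{t[4].upper()} {t[5]}", t[6], t[7:]
        elif kind == "allowedprogram" and len(t) >= 6:
            target, name, tail = t[4], t[5], t[6:]
        else:
            continue
        rules.append(Rule(n, kind, target, name, *_parse_tail(tail)))
    return rules


def audit(rules: List[Rule], approved: Set[str]) -> List[Finding]:
    """Flag exceptions open beyond the approved subnets or on a needless transport."""
    out = []
    for r in rules:
        label = f"{r.kind} {r.target} ({r.name})"
        addrs = r.addresses.split(",") if r.addresses else []
        # netsh treats an omitted scope as ALL, so both cases are open to every address.
        # SUBNET (local subnet only) is narrower than CUSTOM and is left alone.
        if r.scope in (None, "ALL") or (r.scope == "CUSTOM" and not addrs):
            out.append(Finding(r.line, "unrestricted", f"{label} is reachable from any address"))
        elif r.scope == "CUSTOM":
            for a in addrs:
                if a not in approved:
                    out.append(Finding(r.line, "unapproved-address", f"{label} allows {a}, not an approved subnet"))
        if r.kind == "portopening":
            proto, port = r.target.split()
            needed = SINGLE_PROTOCOL_PORTS.get(int(port))
            if needed and proto != needed:
                out.append(Finding(r.line, "needless-protocol", f"{label}: port {port} is {needed}-only"))
    return out


def audit_script(text: str, approved: Optional[Set[str]] = None) -> List[Finding]:
    return audit(parse_script(text), approved or APPROVED_SUBNETS)


if __name__ == "__main__":
    for f in audit_script(SAMPLE_BAT):
        print(f"line {f.line}: [{f.rule}] {f.detail}")
```

Point it at your customized .bat before executing the file; a clean run reports nothing. It reads the script, not the live firewall, so to confirm what is actually in effect on the server afterwards, compare against the output of "netsh firewall show portopening" and "netsh firewall show allowedprogram".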


Disclaimer: This content is not supported by Novell. It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test it thoroughly before using it in a production environment.

2 Comments

  1. By:martinusen

    If you are running the PDHCP service on Windows 2003 you also need to create a firewall exception for novell-zcmprebootpolicy.exe. In the Windows Firewall go to Exceptions > click "Add Program" > Browse to:
    "C:\Program Files (x86)\Novell\ZENworks\bin\preboot" and select "novell-zcmprebootpolicy.exe"

    The example shown is a 64bit Windows 2003. I guess the path is:
    “C:\Program Files\Novell\ZENworks\bin\preboot” on a 32bit system.

    The reason for this is that novell-zcmprebootpolicy.exe will use a random port for communication with the device booting PXE.

    /Anders Martinusen

  2. By:upinya

    Yep, you’re right. I had to go back and alter the script by adding the following to allow multicasting:

    ::The following creates allowances for various ZENWorks utilities
    netsh firewall add allowedprogram "C:\Program Files\Novell\ZENworks\bin\preboot\novell-pbserv.exe" "Novell ZENworks Imaging Server" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
    netsh firewall add allowedprogram "C:\Program Files\Novell\ZENworks\bin\preboot\novell-zmgprebootpolicy.exe" "Novell ZENworks Preboot Policy" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
    netsh firewall add allowedprogram "C:\Program Files\Novell\ZENworks\bin\preboot\novell-proxydhcp.exe" "Novell ZENworks Proxy DHCP" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
    netsh firewall add allowedprogram "C:\Program Files\Novell\ZENworks\bin\preboot\novell-tftp.exe" "Novell ZENworks TFTP" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
    netsh firewall add allowedprogram "C:\Program Files\Novell\ZENworks\bin\preboot\zmgmcast.exe" "Novell ZENworks Multicast" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
