6.9 Configuring Firewall Access for the Service Port

Dynamic File Services allows you to manage the pairs and policies on a server from a different computer when the Windows Firewall Access option is enabled (the default). When the option is enabled, Dynamic File Services configures an exception for the configured Service port in the Windows Firewall. When the option is disabled, it removes the firewall exception and the Service cannot be accessed remotely. Firewall access is not required for local management of pairs and policies.

6.9.1 Understanding Remote Access

The Windows Firewall allows you to specify exceptions to allow programs to communicate through the firewall. Inbound connections that do not have an exception are blocked. Exceptions to the Windows Firewall allow unsolicited inbound communications through the firewall. Use the Dynamic File Service Controller > Windows Firewall Access option to control whether an exception for the configured Service port is allowed in the firewall.

Allowing Remote Management

You enable the Windows Firewall Access option to allow remote management of pairs and policies. This is the default setting after install. DynamicFS automatically adds an exception for the configured Dynamic File Service port to the Windows Firewall > Exceptions list. The Windows Firewall allows unsolicited inbound communications through the firewall on the configured port. This allows you to manage pairs and policies from another computer through the firewall on the configured Service port.

IMPORTANT: On Windows Server 2008 or later, DynamicFS creates a firewall exception for the Domain and Private network profiles. The network should be marked as Private, or both computers need to be part of a single domain.

For example, in the Windows Firewall with Advanced Security > Inbound Rules, the entry might look like this:

DswAccessPort
  Profile: Domain
  Enabled: Yes
  Action: Allow
  Override: No

DswAccessPort
  Profile: Private
  Enabled: Yes
  Action: Allow
  Override: No

To mark the network as Private, log in as a user with Administrator privileges on the machine, go to the Network and Sharing Center, click Customize, select Private, then click OK.

Dynamic File Services uses TCP communications over the configured Service port. You must specify the configured port when connecting to the server. If you modify the port number, DynamicFS automatically updates the firewall exception settings to use the new port. For information about changing the port to use, see Section 6.10, Configuring Ports for the Service and Retention Review.

By default, Dynamic File Services sets the scope of the port exception to Any computer (including on the Internet). You can modify the scope option by going to the Windows Firewall > Exceptions page, double-clicking the Dynamic File Services exception, then selecting Change Scope. Alternative manual settings are My network (subnet) only and Custom list.
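To check what the exception actually exposes, the following added example (not part of the product documentation or the product's own code) reports the profile, port, and scope of the rule and flags an enabled Allow rule whose scope is still Any computer or that applies outside the Domain and Private profiles. It assumes the NetSecurity cmdlets (Windows Server 2012 or later) and the rule display name DswAccessPort from the sample entry above; the function name and the 192.0.2.0/24 subnet are placeholders.

```powershell
# Added example, not product code. Assumes the NetSecurity module (Windows
# Server 2012 or later) and the rule display name shown in the sample entry.
function Get-DswFirewallExposure {
    param(
        [string]   $DisplayName     = 'DswAccessPort',
        [string[]] $AllowedProfiles = @('Domain', 'Private')
    )

    $rules = Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue
    if (-not $rules) {
        Write-Warning "No rule named '$DisplayName' found; the exception is not present."
        return
    }

    foreach ($rule in $rules) {
        $addr = $rule | Get-NetFirewallAddressFilter
        $port = $rule | Get-NetFirewallPortFilter
        $findings = @()

        # Only an enabled Allow rule admits unsolicited inbound connections.
        if ($rule.Enabled -eq 'True' -and $rule.Action -eq 'Allow') {
            if ($addr.RemoteAddress -contains 'Any') {
                $findings += 'scope is Any computer'
            }
            foreach ($p in ($rule.Profile.ToString() -split ',\s*')) {
                if ($p -notin $AllowedProfiles) { $findings += "active on profile $p" }
            }
        }

        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Profile       = $rule.Profile
            Enabled       = $rule.Enabled
            Protocol      = $port.Protocol
            LocalPort     = $port.LocalPort -join ','
            RemoteAddress = $addr.RemoteAddress -join ','
            Findings      = if ($findings) { $findings -join '; ' } else { 'none' }
        }
    }
}

Get-DswFirewallExposure | Format-List

# To narrow the scope to a management subnet (192.0.2.0/24 is a placeholder):
# Set-NetFirewallRule -DisplayName 'DswAccessPort' -RemoteAddress '192.0.2.0/24'
```

Run it from an elevated PowerShell session on the DynamicFS server, and again after changing the Service port or toggling Windows Firewall Access to confirm the rule still has the scope you expect.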

To allow remote management, enable the Windows Firewall Access option as described in Section 6.9.2, Enabling or Disabling the Windows Firewall Access.

Denying Remote Management

You disable the Windows Firewall Access option to deny remote management of pairs and policies. DynamicFS automatically removes any firewall exceptions from the Windows Firewall > Exceptions list that it created for the configured Dynamic File Service port. When the exception is removed, Windows Firewall denies unsolicited inbound communications on the configured port. This prevents you from connecting to the server for remote management sessions.

For security reasons, you might want to disable the exception when you are not actively managing the Dynamic File Service from another computer.

To deny remote management, disable the Windows Firewall Access option as described in Section 6.9.2, Enabling or Disabling the Windows Firewall Access.

6.9.2 Enabling or Disabling the Windows Firewall Access

IMPORTANT: Before you disable the Windows Firewall Access, close any remote Management Console or command line management sessions with the server.

To enable or disable the firewall exception for the configured Dynamic File Service port:

  1. Log in to the DynamicFS server as the Administrator user or as a user with Administrator privileges.

  2. In the notification area, right-click the Service Controller icon, then select Windows Firewall Access to open the Firewall Access dialog box.

  3. In the Firewall Access dialog box, select one of the following:

    • On (default): Adds and enables an exception for the configured Dynamic File Service port via TCP. The exception applies only when the Windows Firewall is enabled and exceptions are unblocked.

    • Off: Removes the exception for the configured Dynamic File Service port. This disallows remote management of this server. You can still manage pairs and policies locally.

  4. Click OK to save and apply your changes.