Adding exception to windows firewall

Contents
  1. How to Add Outbound Windows Firewall Exception?
  2. 4 Answers
  3. Add Windows Firewall Exception
  4. Firewall Program Exception
  5. Adding Program Exception
  6. Firewall Port Exceptions
  7. Determine Ports to Allow for RPM
  8. Determine Ports to Allow for ExcelliPrint
  9. Adding Port Exceptions
  10. Brooks products use firewall exceptions
  11. Inspecting Adapter and Firewall Settings
  12. Verifying that the Network Discovery exception is enabled
  13. Checking for application-specific firewall rules
  14. Enabling the ports used for discovery and metadata exchange
  15. Disabling the firewall
  16. Adding exception to windows firewall
  17. Answered by:
  18. Question
  19. Answers
  20. All replies
  21. Windows Firewall and port settings for clients in Configuration Manager
  22. Modifying the Ports and Programs Permitted by Windows Firewall
  23. To modify the ports and programs permitted by Windows Firewall
  24. Programs and Ports that Configuration Manager Requires
  25. Queries
  26. Client Push Installation
  27. Client Installation by Using Group Policy
  28. Client Requests
  29. Client Notification
  30. Remote Control
  31. Remote Assistance and Remote Desktop
  32. Wake-Up Proxy
  33. Windows Event Viewer, Windows Performance Monitor, and Windows Diagnostics
  34. Ports Used During Configuration Manager Client Deployment
  35. Ports that are used for all installation methods
  36. Ports that are used with client push installation
  37. Ports that are used with software update point-based installation
  38. Ports that are used with Group Policy-based installation
  39. Ports that are used with manual installation and logon script-based installation
  40. Ports that are used with software distribution-based installation
  41. Notes

How to Add Outbound Windows Firewall Exception?

I need to open up the Windows Firewall for outbound connections for an application I’m writing.

The best answers I’ve been able to locate are here:

The problem is that method only creates an inbound rule, and not an outbound rule. (Both the C# and InnoSetup script use the same method.) This is entirely useless for me.

The default behaviour for the Windows Firewall is to allow outbound traffic, but that doesn’t guarantee that someone won’t change that.

I would prefer to do this in the installer (using InnoSetup) rather than doing it in C#.

Did I miss something?

Does anyone know how to create an outbound rule?

4 Answers

You can use netsh if you need to add some exceptions for your application.

Write in the command line (for XP):

Write in the command line (for W7):

The difference is because the netsh firewall command is deprecated. Instead, we have to use the command netsh advfirewall firewall.

More information about using the command netsh advfirewall firewall instead of the netsh firewall command can be found in the Knowledge Base here: http://go.microsoft.com/fwlink/?linkid=121488
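As an added example, not part of the answer above: the netsh advfirewall form of the outbound rule the question asks for, wrapped in PowerShell so an installer can check the result. It first prints the per-profile "Firewall Policy" line, because the question's assumption that outbound traffic is allowed by default is exactly what an administrator may have changed. The rule name and program path are placeholders; netsh must run elevated, and its output strings are the English ones.

```powershell
# Added example (not from the original answer): create the outbound rule with
# netsh advfirewall, which the legacy "netsh firewall add allowedprogram" cannot do.
# Run from an elevated PowerShell prompt on Vista / Server 2008 or later.
# $RuleName and $Program are placeholders; use the real installed path of your binary.
$RuleName = "MyApp outbound"
$Program  = "C:\Program Files\MyApp\myapp.exe"

function Get-FirewallPolicySummary {
    # Prints "Firewall Policy  BlockInbound,AllowOutbound" per profile. If any profile
    # shows BlockOutbound, the default-allow assumption does not hold there and the
    # outbound rule is what keeps the application working.
    # (netsh output is localised; the patterns below match the English strings.)
    netsh advfirewall show allprofiles |
        Select-String -Pattern 'Profile Settings|Firewall Policy' |
        ForEach-Object { $_.Line.Trim() }
}

function Add-OutboundProgramRule {
    param([string]$Name, [string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Program not found: $Path" }
    # dir=out is the part the deprecated syntax lacks; profile=any covers domain,
    # private and public so the rule does not silently apply to one profile only.
    netsh advfirewall firewall add rule name="$Name" dir=out action=allow `
        program="$Path" enable=yes profile=any | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "netsh add rule failed (exit code $LASTEXITCODE); is the prompt elevated?"
    }
}

function Remove-OutboundProgramRule {
    param([string]$Name)
    # For the uninstaller: delete by name and direction so an inbound rule that
    # happens to share the name is left alone.
    netsh advfirewall firewall delete rule name="$Name" dir=out | Out-Null
}

Get-FirewallPolicySummary
Add-OutboundProgramRule -Name $RuleName -Path $Program
# Show what was actually stored (profiles, program path, action)
netsh advfirewall firewall show rule name="$RuleName" verbose
```

The rule matches on the full program path, so an installer that lets the user pick the install directory must create the rule after the files are copied and remove it on uninstall; a rule left behind for a path that no longer exists is harmless but clutters the policy.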

Adding a rule for incoming traffic without security encapsulation for messenger.exe:

Adding a rule for outgoing traffic on port 80:

Adding a rule for inbound traffic with security and traffic encryption for TCP through port 80:

Although I assume you meant to create such rules programmatically, if that's the case you might be interested in Working with Group Policy Objects Programmatically.

Finally if you’re planning to do that during installation, InnoSetup should be able to merge the necessary registry keys at setup time.

The problem with netsh is that it does not work on some Windows versions (e.g. Windows Vista Basic). That is why it is better to add the exception without using netsh. This article contains sample Inno Setup code.

This is one of the many tasks that can be passed off to the Windows command-line tools. netsh does the appropriate things, but it (like everything else netsh does) is next to impossible to find. The simple version is:
netsh firewall add allowedprogram

Note that this is deprecated in Windows 7; if you're only targeting Vista/2008 or later, you should use netsh advfirewall firewall instead. Microsoft has an article on converting from the former to the latter, but I still have to support XP, so I haven't done this.

Source

Add Windows Firewall Exception

When enabled, the Windows Firewall blocks all incoming network traffic to your computer except those applications and ports you allow. Use the Windows Firewall control panel utility to manage these exceptions.

Note: It is not necessary to disable the Windows Firewall to use our software. Firewalls provide a much higher level of security to your computer than default Windows security.

We strongly recommend that you leave the firewall in place, and use the mechanisms in the firewall to allow the traffic you need.

Firewall Program Exception

The installers for RPM Remote Print Manager® (RPM) and ExcelliPrint® create a program exception. The program exception allows the software to receive print jobs from your host system. The exception might be enabled only for specific network types. If our software is not receiving connections, and you have already established that the host system uses the correct IP address, then we recommend you review the firewall exception.

Adding Program Exception

Note: Do not make any changes to existing exceptions.

Your new firewall exceptions will take effect immediately.

Firewall Port Exceptions

Determine Ports to Allow for RPM

While this is a more involved process, you may wish to use port exceptions instead. If so, delete the auto-created program exception and follow the instructions below.

Determine Ports to Allow for ExcelliPrint

The software can be configured to listen on multiple TCP ports simultaneously. First, you need to determine which ports are used by your print host, then create an exception for each port in the Windows Firewall.

To determine the ports in use, follow these instructions.

Note: If you connect to ExcelliPrint only from the local computer, it is not necessary to add exceptions for the HTTP and HTTPS ports.


Adding Port Exceptions

Now that you have determined which port numbers need to be allowed, add an exception to the Windows Firewall for each port. To add the firewall exceptions, follow these instructions.

Note: Do not make any changes to the existing exceptions.

Your new firewall exceptions will take effect immediately.
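The "determine the ports" and "add port exceptions" instructions referred to above are not reproduced on this page. As an added example, not the vendor's code, here is the same procedure in PowerShell: find the TCP ports a running print-server process is actually listening on, then create one inbound rule per port and limit it to the print host's address rather than the whole network. The process name "rpm" and the host address 10.0.0.5 are placeholders; the cmdlets need Windows 8 / Server 2012 or later and an elevated prompt.

```powershell
# Added example: discover which TCP ports a process listens on, then create one
# inbound Windows Firewall rule per port instead of a program exception.
# Process name, rule prefix, host address and profiles below are placeholders.
# Requires the NetSecurity / NetTCPIP modules (Windows 8 / Server 2012+) and elevation.

function Get-ListeningPorts {
    param([string]$ProcessName)
    # Get-Process takes the image name without ".exe"; fail loudly if it is not running,
    # because an empty port list would otherwise create no rules and look like success.
    $pids = @((Get-Process -Name $ProcessName -ErrorAction Stop).Id)
    Get-NetTCPConnection -State Listen |
        Where-Object { $pids -contains $_.OwningProcess } |
        ForEach-Object { $_.LocalPort } |
        Sort-Object -Unique
}

function Add-PortExceptions {
    param(
        [string]$RulePrefix,
        [int[]]$Ports,
        # Restrict the exception to the print host(s); "Any" reproduces the GUI default.
        [string[]]$RemoteAddress = @("Any"),
        [string[]]$Profile = @("Domain", "Private")
    )
    foreach ($port in $Ports) {
        $name = "$RulePrefix TCP $port"
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            Write-Host "Rule already exists, leaving it unchanged: $name"
            continue
        }
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $port -RemoteAddress $RemoteAddress -Profile $Profile `
            -Action Allow | Out-Null
        Write-Host "Created $name for $($RemoteAddress -join ',')"
    }
}

# Usage (placeholders): the listener ports of "rpm", reachable from host 10.0.0.5 only.
$ports = Get-ListeningPorts -ProcessName "rpm"
Add-PortExceptions -RulePrefix "RPM" -Ports $ports -RemoteAddress "10.0.0.5"

# Verify: list the port filters of the rules just created.
Get-NetFirewallRule -DisplayName "RPM TCP *" |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort, RemoteAddress
```

Because the rules are keyed to port numbers, they survive a reinstall to a different directory, but they must be revisited if the software is later configured to listen on an additional port; rerunning the script picks up the new listener and skips the ports already covered.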

Brooks products use firewall exceptions

This topic first came up for us many years ago, at the time Microsoft added a firewall to Windows XP. Naturally, we found out as soon as the first user tried to run one of our products; consequently, this may be one of the longest-running pages on our website.

If you need a good software print server, please give our RPM Remote Print Manager product a try! Download the free 21-day trial and see what it can do for you. Be sure your firewall is open on ports 515 and 9100, and that you’re not already running the Microsoft TCP/IP services module.

Source

Inspecting Adapter and Firewall Settings

A misconfigured firewall can cause WSD applications to fail. This topic provides some troubleshooting procedures to use when WSD clients and hosts cannot see each other on the network. The firewall settings should be inspected before using any other application troubleshooting procedure.

To inspect the adapter and firewall settings

  1. Verify that the Network Discovery exception is enabled.
  2. Check that there are no application-specific firewall rules blocking the application.
  3. Explicitly enable the ports used for discovery and metadata exchange.
  4. Disable the firewall and retest the application. The firewall should be re-enabled after completing this step.

Verifying that the Network Discovery exception is enabled

If any WS-Discovery applications are running, the Network Discovery firewall exception must be allowed.

To enable the Network Discovery firewall exception

Retest the program after making this firewall change. If the program now works successfully, the cause of the problem has been identified and no further troubleshooting steps are necessary. Otherwise, move on to the next step.

Checking for application-specific firewall rules

Advanced configuration of the Windows Firewall can take place in a Microsoft Management Console (MMC) snap-in named Windows Firewall with Advanced Security. This snap-in can be used to troubleshoot suspected firewall problems.

Developers can use the Windows Firewall with Advanced Security APIs to create firewall rules that apply to their WSD applications. Specifically, the Add method of the INetFwRules interface can be used to add a new firewall rule. If firewall rules are created incorrectly, clients and hosts may not be able to see each other on the network.

To check for application-specific firewall rules

If no application-specific rules were found, move on to the next step. If an application-specific rule was found and removed, retest the program after making the firewall change. If the program now works successfully, the cause of the problem has been identified and no further troubleshooting steps are necessary. Otherwise, move on to the next step.

Enabling the ports used for discovery and metadata exchange

WS-Discovery uses the UDP port 3702 for message exchange. In addition, TCP ports 5357 and 5358 are sometimes used for metadata exchange. These ports can be explicitly opened on the firewall using the procedures described in Open a port in Windows Firewall.

Retest the program after making this firewall change. If the program now works successfully, the cause of the problem has been identified and no further troubleshooting steps are necessary. Otherwise, move on to the next step.
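The first three troubleshooting steps can be answered from the firewall's own rule store without switching it off. As an added example, not code from the original article, the following PowerShell script performs those checks: it lists disabled rules in the predefined Network Discovery group, looks for an enabled Block rule bound to the application's executable, and reports whether each of the ports named above (UDP 3702, TCP 5357, TCP 5358) is covered by an enabled inbound Allow rule. The application path is a placeholder, and the NetSecurity cmdlets need Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the original article): audit the firewall conditions the
# WSD troubleshooting steps check, without disabling the firewall.
# $AppPath is a placeholder; the ports are the ones named in the text.
$AppPath  = "C:\Program Files\MyWsdApp\wsdhost.exe"
$WsdPorts = @(
    @{ Protocol = "UDP"; Port = 3702 },   # WS-Discovery
    @{ Protocol = "TCP"; Port = 5357 },   # metadata exchange over HTTP
    @{ Protocol = "TCP"; Port = 5358 }    # metadata exchange over HTTPS
)

function Get-DisabledNetworkDiscoveryRules {
    # Step 1: inbound rules of the predefined group that are switched off, with the
    # profile each one belongs to (Get-NetConnectionProfile shows the active profile).
    Get-NetFirewallRule -DisplayGroup "Network Discovery" -Direction Inbound |
        Where-Object { $_.Enabled -ne "True" } |
        Select-Object DisplayName, Profile
}

function Get-BlockingRulesForApp {
    param([string]$Path)
    # Step 2: an enabled Block rule bound to the program overrides any Allow rule.
    # Rules may store the path with %ProgramFiles%-style variables, so expand before comparing.
    Get-NetFirewallApplicationFilter |
        Where-Object { $_.Program -and ([Environment]::ExpandEnvironmentVariables($_.Program) -ieq $Path) } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq "True" -and $_.Action -eq "Block" } |
        Select-Object DisplayName, Direction, Profile
}

function Test-WsdPortRules {
    # Step 3: is each discovery / metadata port covered by an enabled inbound Allow rule?
    # Port ranges such as "5357-5358" are not expanded here and would show as not covered.
    foreach ($p in $WsdPorts) {
        $rules = Get-NetFirewallPortFilter -Protocol $p.Protocol |
            Where-Object { $_.LocalPort -eq "Any" -or $_.LocalPort -contains "$($p.Port)" } |
            Get-NetFirewallRule |
            Where-Object { $_.Enabled -eq "True" -and $_.Direction -eq "Inbound" -and $_.Action -eq "Allow" }
        [pscustomobject]@{
            Protocol = $p.Protocol
            Port     = $p.Port
            Covered  = [bool]$rules
            Rules    = (@($rules | ForEach-Object { $_.DisplayName }) -join "; ")
        }
    }
}

function Get-ProfileState {
    # Step 4 without disabling anything: per-profile state and the default inbound
    # action that applies when no rule matches.
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
}

Get-DisabledNetworkDiscoveryRules
Get-BlockingRulesForApp -Path $AppPath
Test-WsdPortRules
Get-ProfileState
```

A port that shows as covered only by a rule in a profile the machine is not currently on (for example a Private-profile rule while the adapter is classified Public) is the usual reason the first two steps look fine and discovery still fails.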

Disabling the firewall

The Windows Firewall can be disabled to help troubleshoot suspected problems. Other applicable firewalls (such as the firewall on a router) can also be disabled for troubleshooting purposes. For information about enabling and disabling the Windows Firewall, see Turn Windows Firewall on or off.

Retest the application after disabling any applicable firewalls. If the program now works successfully, then the firewall was blocking the traffic. There are a few possible causes of blocked traffic.

If the application still fails after the firewall is disabled, then the firewall is not causing the application failure. Re-enable the firewalls and continue troubleshooting by following the procedures given in Using a Generic Host and Client for UDP WS-Discovery.

Firewalls should always be re-enabled after troubleshooting has finished.

Source

Adding exception to windows firewall

Question

Hi
I want to add my application to the firewall exception list. It is working well with XP, but when installing on Windows 7, it is added to the firewall exception list but "Domain" is still unchecked. Therefore my application is blocked by the firewall. Here I am copying the code.

private void btnAuthenticate_Click(object sender, EventArgs e)

(INetFwAuthorizedApplication)getInstance("INetAuthApp");

Answers

This shall do the trick:

public static INetFwMgr WinFirewallManager()

public bool AuthorizeProgram(string title, string path,
    NET_FW_SCOPE_ scope, NET_FW_IP_VERSION_ ipver)

INetFwMgr mgr = WinFirewallManager();

catch (Exception ex) {

You'll need to access the Windows Firewall API and then you
need the GUID and then you must use the HNetCfg.FwAuthorizedApplication.
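As an added example, not code posted in this thread: the same operation through the INetFwPolicy2 interface, here from PowerShell. The answer above goes through INetFwMgr and the INetFwAuthorizedApplications collection, which hangs off a single profile (the one current at the time), so only that profile's checkbox ends up set. INetFwPolicy2 and INetFwRule (Vista / Server 2008 and later) take an explicit profile mask, so one rule can cover Domain, Private and Public. The rule name and application path are placeholders; the numeric constants are from netfw.h.

```powershell
# Added example: add a firewall rule through the INetFwPolicy2 COM interface
# (Windows Vista / Server 2008 and later) so that it applies to all three profiles.
# Rule name and application path are placeholders, not from the original thread.

# Constants from netfw.h
$NET_FW_PROFILE2_DOMAIN  = 1
$NET_FW_PROFILE2_PRIVATE = 2
$NET_FW_PROFILE2_PUBLIC  = 4
$NET_FW_RULE_DIR_IN      = 1
$NET_FW_RULE_DIR_OUT     = 2
$NET_FW_ACTION_ALLOW     = 1
$NET_FW_IP_PROTOCOL_ANY  = 256   # a program exception normally covers every protocol

function Add-AppFirewallRule {
    param(
        [string]$Name,
        [string]$ApplicationPath,
        [int]$Direction = $NET_FW_RULE_DIR_IN,
        # Default: domain + private + public. The legacy INetFwAuthorizedApplications
        # collection has no such mask; it only touches the profile it was fetched from.
        [int]$Profiles = ($NET_FW_PROFILE2_DOMAIN -bor $NET_FW_PROFILE2_PRIVATE -bor $NET_FW_PROFILE2_PUBLIC)
    )
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    $rule   = New-Object -ComObject HNetCfg.FWRule
    $rule.Name            = $Name
    $rule.Description     = "Added by installer (example)"
    $rule.ApplicationName = $ApplicationPath
    $rule.Protocol        = $NET_FW_IP_PROTOCOL_ANY
    $rule.Direction       = $Direction
    $rule.Action          = $NET_FW_ACTION_ALLOW
    $rule.Profiles        = $Profiles
    $rule.InterfaceTypes  = "All"
    $rule.Enabled         = $true
    $policy.Rules.Add($rule)
}

function Get-ProfileNames([int]$Mask) {
    $names = @()
    if ($Mask -band $NET_FW_PROFILE2_DOMAIN)  { $names += "Domain" }
    if ($Mask -band $NET_FW_PROFILE2_PRIVATE) { $names += "Private" }
    if ($Mask -band $NET_FW_PROFILE2_PUBLIC)  { $names += "Public" }
    $names -join ","
}

function Test-AppFirewallRule([string]$Name) {
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    # CurrentProfileTypes is the mask of the profile(s) active right now
    # (1 on a domain network); CoversNow tells you whether the rule applies today.
    $active = $policy.CurrentProfileTypes
    foreach ($r in $policy.Rules) {
        if ($r.Name -ne $Name) { continue }
        [pscustomobject]@{
            Name      = $r.Name
            Enabled   = $r.Enabled
            Profiles  = Get-ProfileNames $r.Profiles
            CoversNow = (($r.Profiles -band $active) -ne 0)
        }
    }
}

# Usage (placeholders); must run elevated or Rules.Add fails with Access denied.
Add-AppFirewallRule -Name "MyApp inbound" -ApplicationPath "C:\Program Files\MyApp\myapp.exe"
Test-AppFirewallRule -Name "MyApp inbound"
```

The same ProgIDs (HNetCfg.FwPolicy2, HNetCfg.FWRule) are what the NetFwTypeLib interop assembly wraps from C#, so the property names carry over one to one; the only decision an installer has to make is which profiles it is willing to open, and a rule that allows Public is worth a second look for anything that is not meant to be reachable from untrusted networks.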

All replies


Thank you very much dear friend


Please find the same in the below link.

The above code allows the program to pass through the firewall with the Domain profile checked. Kindly, can anyone let me know what I have to do if I want the remaining profiles, Public and Private, also checked?

I have been looking to use these methods to add a Firewall Exception to Windows 7.

I am having trouble using "INetFwAuthorizedApplications" in my VS 2010 project as I don't have the correct reference.

Found on MSDN the namespace "Microsoft.TeamFoundation.Common", which I can't seem to find.

Also saw a reference to add "hnetcfg.dll", but still get the following error when I try to use "INetFwAuthorizedApplications":

"The type or namespace name 'INetFwAuthorizedApplication' could not be found (are you missing a using directive or an assembly reference?)".

Source

Windows Firewall and port settings for clients in Configuration Manager

Applies to: Configuration Manager (current branch)

Client computers in Configuration Manager that run Windows Firewall often require you to configure exceptions to allow communication with their site. The exceptions that you must configure depend on the management features that you use with the Configuration Manager client.

Use the following sections to identify these management features and for more information about how to configure Windows Firewall for these exceptions.

Modifying the Ports and Programs Permitted by Windows Firewall

Use the following procedure to modify the ports and programs on Windows Firewall for the Configuration Manager client.

To modify the ports and programs permitted by Windows Firewall

  1. On the computer that runs Windows Firewall, open Control Panel.
  2. Right-click Windows Firewall, and then click Open.
  3. Configure any required exceptions and any custom programs and ports that you require.

Programs and Ports that Configuration Manager Requires

The following Configuration Manager features require exceptions on the Windows Firewall:

Queries

If you run the Configuration Manager console on a computer that runs Windows Firewall, queries fail the first time that they are run and the operating system displays a dialog box asking if you want to unblock statview.exe. If you unblock statview.exe, future queries will run without errors. You can also manually add Statview.exe to the list of programs and services on the Exceptions tab of the Windows Firewall before you run a query.

Client Push Installation

To use client push to install the Configuration Manager client, add the following as exceptions to the Windows Firewall:

Outbound and inbound: File and Printer Sharing

Inbound: Windows Management Instrumentation (WMI)

Client Installation by Using Group Policy

To use Group Policy to install the Configuration Manager client, add File and Printer Sharing as an exception to the Windows Firewall.

Client Requests

For client computers to communicate with Configuration Manager site systems, add the following as exceptions to the Windows Firewall:

Outbound: TCP Port 80 (for HTTP communication)

Outbound: TCP Port 443 (for HTTPS communication)

These are default port numbers that can be changed in Configuration Manager. For more information, see How to configure client communication ports. If these ports have been changed from the default values, you must also configure matching exceptions on the Windows Firewall.

Client Notification

For the management point to notify client computers about an action that it must take when an administrative user selects a client action in the Configuration Manager console, such as download computer policy or initiate a malware scan, add the following as an exception to the Windows Firewall:

Outbound: TCP Port 10123

If this communication does not succeed, Configuration Manager automatically falls back to using the existing client-to-management point communication port of HTTP, or HTTPS:

Outbound: TCP Port 80 (for HTTP communication)

Outbound: TCP Port 443 (for HTTPS communication)

These are default port numbers that can be changed in Configuration Manager. For more information, see How to configure client communication ports. If these ports have been changed from the default values, you must also configure matching exceptions on the Windows Firewall.

Remote Control

To use Configuration Manager remote control, allow the following port:

Remote Assistance and Remote Desktop

To initiate Remote Assistance from the Configuration Manager console, add the custom program Helpsvc.exe and the inbound custom port TCP 135 to the list of permitted programs and services in Windows Firewall on the client computer. You must also permit Remote Assistance and Remote Desktop. If you initiate Remote Assistance from the client computer, Windows Firewall automatically configures and permits Remote Assistance and Remote Desktop.

Wake-Up Proxy

If you enable the wake-up proxy client setting, a new service named ConfigMgr Wake-up Proxy uses a peer-to-peer protocol to check whether other computers are awake on the subnet and to wake them up if necessary. This communication uses the following ports:

Outbound: UDP Port 25536

Outbound: UDP Port 9

These are the default port numbers that can be changed in Configuration Manager by using the Power Management client settings Wake-up proxy port number (UDP) and Wake On LAN port number (UDP). If you specify the Power Management: Windows Firewall exception for wake-up proxy client setting, these ports are automatically configured in Windows Firewall for clients. However, if clients run a different firewall, you must manually configure the exceptions for these port numbers.

In addition to these ports, wake-up proxy also uses Internet Control Message Protocol (ICMP) echo request messages from one client computer to another client computer. This communication is used to confirm whether the other client computer is awake on the network. ICMP is sometimes referred to as TCP/IP ping commands.


For more information about wake-up proxy, see Plan how to wake up clients.

Windows Event Viewer, Windows Performance Monitor, and Windows Diagnostics

To access Windows Event Viewer, Windows Performance Monitor, and Windows Diagnostics from the Configuration Manager console, enable File and Printer Sharing as an exception on the Windows Firewall.
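The sections above list the exceptions feature by feature; the Control Panel procedure creates them open to any remote address. As an added example, not part of the Microsoft documentation, the following PowerShell script creates the client-side rules for client requests, client notification, client push and wake-up proxy with the NetSecurity cmdlets, scoped to the site server / management point address where the traffic has a single known peer. The address 10.0.0.10 and the rule group name are placeholders; the port numbers are the defaults quoted above, and the script assumes Windows 8 / Server 2012 or later and an elevated prompt.

```powershell
# Added example (not from the original documentation): create the client-side
# exceptions listed above with the NetSecurity cmdlets, scoped to the site server
# instead of the GUI default of "any address". Placeholders: $SiteServer, $Group.
$SiteServer = "10.0.0.10"                      # management point / site server
$Group      = "ConfigMgr client (added example)"

function New-ClientRule {
    param(
        [string]$Name, [string]$Direction, [string]$Protocol,
        [string]$LocalPort = "Any", [string]$RemotePort = "Any",
        [string[]]$RemoteAddress = @("Any"), [string[]]$Profile = @("Domain")
    )
    # Idempotent: re-running the script does not pile up duplicate rules.
    if (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue) { return }
    New-NetFirewallRule -DisplayName $Name -Group $Group -Direction $Direction `
        -Protocol $Protocol -LocalPort $LocalPort -RemotePort $RemotePort `
        -RemoteAddress $RemoteAddress -Profile $Profile -Action Allow | Out-Null
}

# Client requests (80/443) and client notification (10123): outbound TCP to the MP only.
# Outbound rules only matter when the profile's default outbound action is Block.
foreach ($port in 80, 443, 10123) {
    New-ClientRule -Name "ConfigMgr MP TCP $port outbound" -Direction Outbound `
        -Protocol TCP -RemotePort $port -RemoteAddress $SiteServer
}

# Client push: SMB, RPC endpoint mapper and RPC dynamic ports inbound from the site
# server only. This is the scoped equivalent of enabling the "File and Printer Sharing"
# and "Windows Management Instrumentation (WMI)" groups, which admit any address.
New-ClientRule -Name "ConfigMgr push SMB inbound"         -Direction Inbound -Protocol TCP -LocalPort 445 -RemoteAddress $SiteServer
New-ClientRule -Name "ConfigMgr push RPC-EPM inbound"     -Direction Inbound -Protocol TCP -LocalPort 135 -RemoteAddress $SiteServer
New-ClientRule -Name "ConfigMgr push RPC dynamic inbound" -Direction Inbound -Protocol TCP -LocalPort RPC -RemoteAddress $SiteServer

# Wake-up proxy: peer-to-peer UDP on the subnet, magic packets to UDP 9 (sent to the
# broadcast address, hence "Any"), and ICMP echo requests between peers.
New-ClientRule -Name "ConfigMgr wake-up proxy UDP 25536 outbound" -Direction Outbound -Protocol UDP -RemotePort 25536 -RemoteAddress LocalSubnet
New-ClientRule -Name "ConfigMgr wake-on-LAN UDP 9 outbound"       -Direction Outbound -Protocol UDP -RemotePort 9
if (-not (Get-NetFirewallRule -DisplayName "ConfigMgr wake-up proxy ICMP echo inbound" -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName "ConfigMgr wake-up proxy ICMP echo inbound" -Group $Group `
        -Direction Inbound -Protocol ICMPv4 -IcmpType 8 -RemoteAddress LocalSubnet `
        -Profile Domain -Action Allow | Out-Null
}

# Verify: list what the group now contains together with each rule's port filter.
Get-NetFirewallRule -Group $Group | ForEach-Object {
    $f = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule = $_.DisplayName; Dir = $_.Direction; Proto = $f.Protocol
        Local = $f.LocalPort;  Remote = $f.RemotePort
    }
}
```

If the site uses non-default client communication ports, change the 80/443 values to match, as the note above says; the inbound SMB and RPC rules are the ones to keep tightly scoped, because they are the same ports the documentation later notes are commonly blocked precisely to prevent lateral access.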

Ports Used During Configuration Manager Client Deployment

The following tables list the ports that are used during the client installation process.

If there is a firewall between the site system servers and the client computer, confirm whether the firewall permits traffic for the ports that are required for the client installation method that you choose. For example, firewalls often prevent client push installation from succeeding because they block Server Message Block (SMB) and Remote Procedure Calls (RPC). In this scenario, use a different client installation method, such as manual installation (running CCMSetup.exe) or Group Policy-based client installation. These alternative client installation methods do not require SMB or RPC.

For information about how to configure Windows Firewall on the client computer, see Modifying the Ports and Programs Permitted by Windows Firewall.

Ports that are used for all installation methods

- Hypertext Transfer Protocol (HTTP) from the client computer to a fallback status point, when a fallback status point is assigned to the client: TCP 80 (see note 1, Alternate Port Available)

Ports that are used with client push installation

- Server Message Block (SMB) between the site server and client computer: TCP 445
- RPC endpoint mapper between the site server and the client computer: UDP 135, TCP 135
- RPC dynamic ports between the site server and the client computer: TCP dynamic
- Hypertext Transfer Protocol (HTTP) from the client computer to a management point when the connection is over HTTP: TCP 80 (see note 1, Alternate Port Available)
- Secure Hypertext Transfer Protocol (HTTPS) from the client computer to a management point when the connection is over HTTPS: TCP 443 (see note 1, Alternate Port Available)

Ports that are used with software update point-based installation

- Hypertext Transfer Protocol (HTTP) from the client computer to the software update point: TCP 80 or 8530 (see note 2, Windows Server Update Services)
- Secure Hypertext Transfer Protocol (HTTPS) from the client computer to the software update point: TCP 443 or 8531 (see note 2, Windows Server Update Services)
- Server Message Block (SMB) between the source server and the client computer when you specify the CCMSetup command-line property /source: TCP 445

Ports that are used with Group Policy-based installation

- Hypertext Transfer Protocol (HTTP) from the client computer to a management point when the connection is over HTTP: TCP 80 (see note 1, Alternate Port Available)
- Secure Hypertext Transfer Protocol (HTTPS) from the client computer to a management point when the connection is over HTTPS: TCP 443 (see note 1, Alternate Port Available)
- Server Message Block (SMB) between the source server and the client computer when you specify the CCMSetup command-line property /source: TCP 445

Ports that are used with manual installation and logon script-based installation

- Server Message Block (SMB) between the client computer and a network share from which you run CCMSetup.exe: TCP 445. When you install Configuration Manager, the client installation source files are copied and automatically shared from the \Client folder on management points. However, you can copy these files and create a new share on any computer on the network. Alternatively, you can eliminate this network traffic by running CCMSetup.exe locally, for example, by using removable media.
- Hypertext Transfer Protocol (HTTP) from the client computer to a management point when the connection is over HTTP, and you do not specify the CCMSetup command-line property /source: TCP 80 (see note 1, Alternate Port Available)
- Secure Hypertext Transfer Protocol (HTTPS) from the client computer to a management point when the connection is over HTTPS, and you do not specify the CCMSetup command-line property /source: TCP 443 (see note 1, Alternate Port Available)
- Server Message Block (SMB) between the source server and the client computer when you specify the CCMSetup command-line property /source: TCP 445

Ports that are used with software distribution-based installation

- Server Message Block (SMB) between the distribution point and the client computer: TCP 445
- Hypertext Transfer Protocol (HTTP) from the client to a distribution point when the connection is over HTTP: TCP 80 (see note 1, Alternate Port Available)
- Secure Hypertext Transfer Protocol (HTTPS) from the client to a distribution point when the connection is over HTTPS: TCP 443 (see note 1, Alternate Port Available)

Notes

1 Alternate Port Available In Configuration Manager, you can define an alternate port for this value. If a custom port has been defined, substitute that custom port when you define the IP filter information for IPsec policies or for configuring firewalls.

2 Windows Server Update Services You can install Windows Server Update Services (WSUS) either on the default Web site (port 80) or a custom Web site (port 8530).

After installation, you can change the port. You do not have to use the same port number throughout the site hierarchy.

If the HTTP port is 80, the HTTPS port must be 443.

If the HTTP port is anything else, the HTTPS port must be 1 higher. For example, 8530 and 8531.

Source
