Firewall Settings for ZCM on Windows 2003

Having trouble imaging workstations in a WAN environment using ZCM? One likely cause is the Windows Firewall. Below is a sample MS-DOS batch file that opens the needed ports on the firewall and restricts that traffic to specific source subnets. I even threw in the entry for Remote Desktop, also subnet-restricted.

The two example WAN subnets are 123.45.x.x and 67.89.x.x, written in the script as address/netmask pairs. You can have more or fewer by editing the script to tailor it to your environment.

Also, running "netsh firewall /?" will give you additional options for the script.

Just copy and paste this into Notepad and customize it. Save it as a *.bat file, run it from an account with administrative rights (a double-click will do), and you're good to go. The server will now allow imaging traffic, but only from the specified subnets.



::This bat file opens ports in the Windows Firewall
::Written by Peter Filardo August 2008 as an example for Novell Cool Solutions
::Every port below is opened for both TCP and UDP; prune the entry for the protocol a service does not use
::Scope format is address/netmask, comma-separated; profile ALL applies the opening in every firewall profile

::The following opens ports for ZCM Imaging services from specific WAN subnets
netsh firewall add portopening TCP 67 "ZENworks DHCP-PXE" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening UDP 67 "ZENworks DHCP-PXE" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening TCP 69 "ZENworks TFTP" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening UDP 69 "ZENworks TFTP" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening TCP 80 "ZENworks Tomcat" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening UDP 80 "ZENworks Tomcat" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening TCP 443 "ZENworks Tomcat" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening UDP 443 "ZENworks Tomcat" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening TCP 998 "ZENworks ProxyDHCP" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening UDP 998 "ZENworks ProxyDHCP" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening TCP 1433 "ZENworks MS-SQL" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening UDP 1433 "ZENworks MS-SQL" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening TCP 1521 "ZENworks Oracle" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening UDP 1521 "ZENworks Oracle" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening TCP 2638 "ZENworks Sybase" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening UDP 2638 "ZENworks Sybase" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening TCP 2645 "ZENworks CASA" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening UDP 2645 "ZENworks CASA" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening TCP 4011 "ZENworks ProxyDHCP" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening UDP 4011 "ZENworks ProxyDHCP" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening TCP 5550 "ZENworks RM Listener" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening UDP 5550 "ZENworks RM Listener" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening TCP 5950 "ZENworks Agent Listener" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening UDP 5950 "ZENworks Agent Listener" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening TCP 7628 "ZENworks Adaptive Agent" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening UDP 7628 "ZENworks Adaptive Agent" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening TCP 8005 "ZENworks Tomcat" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening UDP 8005 "ZENworks Tomcat" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening TCP 8009 "ZENworks Tomcat" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening UDP 8009 "ZENworks Tomcat" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening TCP 13331 "ZENworks Preboot Policy" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL
netsh firewall add portopening UDP 13331 "ZENworks Preboot Policy" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL

::The following creates an allowance for the ZENworks Remote Management
netsh firewall add allowedprogram "C:\Program Files\Novell\ZENworks\bin\nzrWinVNC.exe" "Novell ZENworks Remote Management" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL

::The following opens TCP 3389 for Remote Desktop from the same WAN subnets
netsh firewall add portopening TCP 3389 "Remote Desktop" ENABLE CUSTOM 123.45.0.0/255.255.0.0,67.89.0.0/255.255.0.0 ALL

pause



I know what you're thinking, and yes, that is a great many holes punched. But running a Windows Server OS with no firewall on a public IP range, as at a university, is a major no-no. Restricting each opening to the institution's subnets shrinks the exposed surface and hopefully mitigates the threat to an acceptable degree. You can narrow it further: DHCP and TFTP are UDP-only and the databases, Tomcat and Remote Desktop are TCP-only, so the paired entries for the other protocol can be dropped, and it is worth asking whether anything on the WAN subnets really has to reach Tomcat's shutdown port (8005) and AJP connector (8009); if not, leave those closed.
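The script above hand-writes one netsh line per port and protocol. The following is an added example, not code from the original post or from Novell: it keeps the services in one table, validates every scope entry before any rule is built (a scope with host bits set, or 0.0.0.0/0, is rejected rather than silently producing a rule that is narrower or wider than intended), and emits both the legacy `netsh firewall` syntax the post uses on Windows Server 2003 and the `netsh advfirewall firewall` syntax that replaced it from Windows Server 2008 onward. The subnets are the post's example ones; which protocol each service speaks, and the subset of ports shown, are this example's assumptions.

```python
"""Emit subnet-scoped Windows Firewall rules from one service table.

Added example, not code from the original post or from Novell. It prints the
legacy 'netsh firewall' form used on Windows Server 2003 and the
'netsh advfirewall firewall' form used on Windows Server 2008 and later,
after validating every scope entry. Which protocol each service speaks is
this example's assumption, not something the post states.
"""
import ipaddress

# Constructed WAN scopes, in the address/netmask form the post uses.
WAN_SUBNETS = ["123.45.0.0/255.255.0.0", "67.89.0.0/255.255.0.0"]

# (rule name, protocol, port). One entry per protocol a service actually uses,
# instead of opening TCP and UDP for every port. Assumption: DHCP, TFTP and
# ProxyDHCP are UDP-only; Tomcat HTTP/HTTPS and Remote Desktop are TCP-only.
PORT_RULES = [
    ("ZENworks DHCP-PXE", "UDP", 67),
    ("ZENworks TFTP", "UDP", 69),
    ("ZENworks Tomcat HTTP", "TCP", 80),
    ("ZENworks Tomcat HTTPS", "TCP", 443),
    ("ZENworks ProxyDHCP", "UDP", 4011),
    ("Remote Desktop", "TCP", 3389),
]

# (program path, rule name). A program exception is scoped the same way and
# covers a service that picks its listening port at run time. Path from the post.
PROGRAM_RULES = [
    (r"C:\Program Files\Novell\ZENworks\bin\nzrWinVNC.exe",
     "Novell ZENworks Remote Management"),
]


def parse_scope(entry):
    """Return the IPv4Network for an 'addr/netmask' or 'addr/prefix' entry.

    strict=True rejects entries with host bits set (a typo such as
    123.45.1.0/255.255.0.0). A zero-length prefix is rejected too, because
    it is the whole Internet, which is what CUSTOM scoping exists to avoid.
    """
    net = ipaddress.IPv4Network(entry, strict=True)
    if net.prefixlen == 0:
        raise ValueError(f"{entry} would allow every address")
    return net


def scope_is_valid(entry):
    """True if parse_scope accepts the entry; use it to vet a list before running anything."""
    try:
        parse_scope(entry)
        return True
    except ValueError:
        return False


def legacy_scope(subnets):
    """Comma-separated addr/netmask list, the format 'netsh firewall' CUSTOM takes."""
    return ",".join(f"{n.network_address}/{n.netmask}" for n in map(parse_scope, subnets))


def cidr_scope(subnets):
    """Comma-separated CIDR list for 'netsh advfirewall ... remoteip='."""
    return ",".join(n.with_prefixlen for n in map(parse_scope, subnets))


def legacy_rules(subnets):
    """netsh firewall commands (Windows Server 2003 / XP syntax)."""
    scope = legacy_scope(subnets)
    lines = [
        f'netsh firewall add portopening {proto} {port} "{name}" ENABLE CUSTOM {scope} ALL'
        for name, proto, port in PORT_RULES
    ]
    lines += [
        f'netsh firewall add allowedprogram "{path}" "{name}" ENABLE CUSTOM {scope} ALL'
        for path, name in PROGRAM_RULES
    ]
    return lines


def advfirewall_rules(subnets):
    """Equivalent inbound rules in netsh advfirewall syntax (Windows Server 2008 and later)."""
    scope = cidr_scope(subnets)
    lines = [
        f'netsh advfirewall firewall add rule name="{name}" dir=in action=allow '
        f'protocol={proto} localport={port} remoteip={scope} profile=any'
        for name, proto, port in PORT_RULES
    ]
    lines += [
        f'netsh advfirewall firewall add rule name="{name}" dir=in action=allow '
        f'program="{path}" remoteip={scope} profile=any'
        for path, name in PROGRAM_RULES
    ]
    return lines


if __name__ == "__main__":
    # Paste either listing into a .bat file and run it from an elevated prompt.
    for line in legacy_rules(WAN_SUBNETS) + advfirewall_rules(WAN_SUBNETS):
        print(line)
```

Validating the scope first matters more than it looks: the legacy syntax accepts whatever string you give it, so a mistyped mask can quietly produce an opening that is wider than the subnet you meant, and `strict=True` catches the common case of an address that is not the network's own base address.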

Labels: How To-Best Practice

Comments
  • If you are running the PDHCP service on Windows 2003 you also need to create a firewall exception for novell-zcmprebootpolicy.exe. In the Windows Firewall go to Exceptions > click "Add Program" > Browse to:
    "C:\Program Files (x86)\Novell\ZENworks\bin\preboot" and select "novell-zcmprebootpolicy.exe"

    The example shown is a 64-bit Windows 2003. I guess the path is:
    "C:\Program Files\Novell\ZENworks\bin\preboot" on a 32-bit system.

    The reason for this is that novell-zcmprebootpolicy.exe will use a random port for communication with the device booting PXE.


    /Anders Martinusen