How to Create Windows Firewall Inbound Rules for SCCM ConfigMgr 2012 Client

Creating Windows Firewall rules for the SCCM (ConfigMgr) client is pretty straightforward. I was trying to deploy a client in my lab and didn't want to disable Windows Firewall to get the SCCM 2012 client to work. Normally, I disable Windows Firewall in the lab environment to have an easy life ;). In this case, the SCCM 2012 client push was not working because the firewall was getting in the way. The documentation provided on TechNet for creating Windows Firewall rule settings is excellent. More details: TechNet documentation. However, I felt that this kind of post would be very helpful for newbies. It will help them create and master inbound rules in Windows Firewall settings.

Through this post, we'll learn how to create inbound Windows Firewall rules for the SCCM (ConfigMgr) client. The SCCM client uses components like WMI, RPC End Point Mapper, Remote Control, ICMP for wake-up LAN, and File and Printer Sharing to communicate with SCCM site servers. These connections are blocked by Windows Firewall by default, so we need to specifically open the required ports and applications.

This is a step-by-step guide (not very specific to SCCM/ConfigMgr) which will help anyone create inbound Windows Firewall rules. We can create a Windows Firewall inbound rule with different rule types: Program, Port, Predefined and Custom. In the next post I'll cover the guide to creating outbound rules in Windows Firewall.

In this post, I'm going to cover the following step-by-step guides. I've not covered all the firewall rules required for all the features of SCCM 2012. However, I've tried to cover one example for each scenario.

  1. How to Create “WMI” Inbound Windows Firewall Rule for SCCM ConfigMgr 2012 client push?
  2. How to Create “File and Printer Sharing” Inbound Firewall Rule for SCCM ConfigMgr client?
  3. How to Configure Windows Firewall to “Allow ICMP or Ping Response”?
  4. How do we create an inbound “custom port” TCP or UDP rule in Windows Firewall?

How to Create WMI Inbound Windows Firewall Rule for SCCM ConfigMgr 2012 client push?

1. Type WF at the command prompt to launch Windows Firewall with Advanced Security.

2. On the Windows Firewall with Advanced Security page, right-click Inbound Rules and click New Rule.

3. On the Rule Type page, select the Predefined rule creation option, select the Windows Management Instrumentation (WMI) rule from the drop-down list, and click NEXT.

4. On the Predefined Rules page, select all the WMI inbound connection rules that need to be enabled for client push and other SCCM ConfigMgr related activities, then click NEXT.

The rules we're going to create are Windows Management Instrumentation (ASync-In), Windows Management Instrumentation (WMI-In) and Windows Management Instrumentation (DCOM-In). Each appears twice in the list, once for the Domain profile and once for the Private, Public profiles.

5. On the Action page, select the Allow the connection option for the WMI inbound rule and click FINISH.

How to Create File and Printer Sharing Inbound Windows Firewall Rule for SCCM ConfigMgr client?

1. On the Windows Firewall with Advanced Security page, right-click Inbound Rules and click New Rule.

2. On the Rule Type page, select the Predefined rule creation option, select the File and Printer Sharing rule from the drop-down list, and click NEXT.

3. On the Predefined Rules page, select all the File and Printer Sharing inbound connection rules that need to be enabled for client push and other SCCM ConfigMgr related activities, then click NEXT.

4. On the Action page, select the Allow the connection option for the inbound rule and click FINISH.

How to Configure Windows Firewall to Allow ICMP or Ping Response?

Note: When you're running SCCM/ConfigMgr 2012 R2 or above, you don't need to create this inbound Windows Firewall rule for Wake-up Proxy on the SCCM client side.

1. On the Windows Firewall with Advanced Security page, right-click Inbound Rules and click New Rule.

2. On the Rule Type page, select Custom as the rule type, then click NEXT.

3. On the Program page, select All Programs and click NEXT.

4. On the Protocols and Ports page, click the drop-down for Protocol type, select ICMPv4, and then click the Customize button.

5. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and then click OK.

Then, on the inbound rule wizard page, click NEXT.

6. On the Scope page, select Any IP address under the section “Which local IP addresses does this rule apply to?” and Any IP address under the section “Which remote IP addresses does this rule apply to?”

7. On the Action page, select Allow the connection and then click NEXT.

8. On the Profile page, select all the profiles (Domain, Private and Public) and click NEXT. For wake-up proxy, however, you only require Domain.

9. On the Name page, enter a suitable name for the inbound rule and then click FINISH.

How do we create an inbound custom port TCP or UDP in Windows Firewall?

From the ConfigMgr (SCCM) client perspective, we need to create inbound rules for the following ports: TCP port 2701 for Remote Control, and TCP port 135 for Remote Assistance + Remote Desktop.

1. On the Windows Firewall with Advanced Security page, right-click Inbound Rules and click New Rule.

2. On the Rule Type page, select Port as the rule type, then click NEXT.

3. On the Protocol and Ports page, specify the protocols and ports to which this rule applies. Select TCP or UDP depending on your requirements, type in the local ports, then click NEXT.

4. On the Action page, select Allow the connection and click NEXT.

5. On the Profile page, select the profiles you require. I've selected all three available profiles. Then click NEXT.

6. On the Name page, enter a suitable name for the inbound rule and then click FINISH.

Following are the names of the inbound rules which I’ve created for SCCM ConfigMgr:

| Name | Group | Profile | Enabled | Action |
|---|---|---|---|---|
| ICMP Wake-up proxy communication | | All | Yes | Allow |
| RPC End Point Mapper | | All | Yes | Allow |
| Configuration Manager remote control | | All | Yes | Allow |
| Windows Management Instrumentation (ASync-In) | Windows Management Instrumentation (WMI) | Private, Public | Yes | Allow |
| Windows Management Instrumentation (WMI-In) | Windows Management Instrumentation (WMI) | Private, Public | Yes | Allow |
| Windows Management Instrumentation (DCOM-In) | Windows Management Instrumentation (WMI) | Private, Public | Yes | Allow |
| Windows Management Instrumentation (ASync-In) | Windows Management Instrumentation (WMI) | Domain | Yes | Allow |
| Windows Management Instrumentation (WMI-In) | Windows Management Instrumentation (WMI) | Domain | Yes | Allow |
| Windows Management Instrumentation (DCOM-In) | Windows Management Instrumentation (WMI) | Domain | Yes | Allow |
| File and Printer Sharing (LLMNR-UDP-In) | File and Printer Sharing | All | Yes | Allow |
| File and Printer Sharing (Echo Request – ICMPv6-In) | File and Printer Sharing | Private, Public | Yes | Allow |
| File and Printer Sharing (Echo Request – ICMPv4-In) | File and Printer Sharing | Private, Public | Yes | Allow |
| File and Printer Sharing (Spooler Service – RPC-EPMAP) | File and Printer Sharing | Private, Public | Yes | Allow |
| File and Printer Sharing (Spooler Service – RPC) | File and Printer Sharing | Private, Public | Yes | Allow |
| File and Printer Sharing (NB-Datagram-In) | File and Printer Sharing | Private, Public | Yes | Allow |
| File and Printer Sharing (NB-Name-In) | File and Printer Sharing | Private, Public | Yes | Allow |
| File and Printer Sharing (SMB-In) | File and Printer Sharing | Private, Public | Yes | Allow |
| File and Printer Sharing (NB-Session-In) | File and Printer Sharing | Private, Public | Yes | Allow |
| File and Printer Sharing (Echo Request – ICMPv6-In) | File and Printer Sharing | Domain | Yes | Allow |
| File and Printer Sharing (Echo Request – ICMPv4-In) | File and Printer Sharing | Domain | Yes | Allow |
| File and Printer Sharing (Spooler Service – RPC-EPMAP) | File and Printer Sharing | Domain | Yes | Allow |
| File and Printer Sharing (Spooler Service – RPC) | File and Printer Sharing | Domain | Yes | Allow |
| File and Printer Sharing (NB-Datagram-In) | File and Printer Sharing | Domain | Yes | Allow |
| File and Printer Sharing (NB-Name-In) | File and Printer Sharing | Domain | Yes | Allow |
| File and Printer Sharing (SMB-In) | File and Printer Sharing | Domain | Yes | Allow |
| File and Printer Sharing (NB-Session-In) | File and Printer Sharing | Domain | Yes | Allow |
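
The four wizard procedures in this post can also be scripted. The PowerShell below is an added example, not part of the original post; it assumes the NetSecurity cmdlets (Windows 8 / Server 2012 or later) and an elevated session, and `$MgmtScope` is a placeholder subnet. Unlike the wizard walkthrough, it limits the three custom rules to the Domain profile and to that remote scope instead of Any IP address.

```powershell
# Added example (not from the original post). Run elevated on the client.

# Assumption: placeholder subnet holding the site server and admin consoles.
$MgmtScope = '192.0.2.0/24'

# Sections 1 and 2: enable the predefined inbound rule groups.
$groups = 'Windows Management Instrumentation (WMI)', 'File and Printer Sharing'
foreach ($g in $groups) {
    Get-NetFirewallRule -DisplayGroup $g |
        Where-Object { $_.Direction -eq 'Inbound' } |
        Enable-NetFirewallRule
}

# Sections 3 and 4: custom rules, using the rule names listed in the post.
$custom = @(
    @{ DisplayName = 'ICMP Wake-up proxy communication'
       Protocol = 'ICMPv4'; IcmpType = 8 }          # type 8 = Echo Request
    @{ DisplayName = 'RPC End Point Mapper'
       Protocol = 'TCP'; LocalPort = 135 }
    @{ DisplayName = 'Configuration Manager remote control'
       Protocol = 'TCP'; LocalPort = 2701 }
)
foreach ($rule in $custom) {
    # Skip rules that already exist so the script can be re-run safely.
    $existing = Get-NetFirewallRule -DisplayName $rule.DisplayName -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-NetFirewallRule @rule -Direction Inbound -Action Allow `
            -Profile Domain -RemoteAddress $MgmtScope | Out-Null
    }
}

# Verify: list the resulting rules in the same columns as the table above.
$names = $custom | ForEach-Object { $_.DisplayName }
Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and
                   ($groups -contains $_.DisplayGroup -or $names -contains $_.DisplayName) } |
    Sort-Object DisplayGroup, DisplayName |
    Format-Table DisplayName, DisplayGroup, Profile, Enabled, Action -AutoSize
```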