September 8, 2005
ICM Enterprise - 7.0(0)
ICM Hosted - 7.0(0)
IPCC Enterprise - 7.0(0)
IPCC Hosted - 7.0(0)
Cisco Security Agent (CSA) version 22.214.171.1246 policy 2.0.0 for ICM, IPCC Enterprise and Hosted 7.0(0), when run concurrently with the default Windows firewall, will disable the Windows firewall.
Since CSA utilizes firewall-like components, it will disable the currently running Windows firewall. This will occur each time the system is rebooted, even if the Windows firewall has been enabled since the last system startup, on Windows Server 2003 SP1 using the Cisco ICM Firewall Configuration Utility (CiscoICMfwConfig).
CSA provides host based protection for various resources on the system, such as files, registry, network stack, and so on. CSA can also be tuned to control network access and act like a firewall, but CSA 126.96.36.1996 policy 2.0.0 for ICM, IPCC Enterprise and Hosted 7.0(0) does not exploit this feature. Instead, Cisco ICM applications support the configuration of the Windows Firewall on Windows Server 2003 SP1, using a Windows Firewall Configuration Utility called CiscoICMfwConfig.
Microsoft has recommended, as noted in the help guide for the Windows Firewall, that two firewalls should not be running at the same time due to potential configuration compatibility issues. However, since the standalone CSA for ICM, IPCC 7.0(0) applications does not implement the firewall functionality of CSA, the agent can coexist with the Windows Firewall in Windows Server 2003 SP1. An enhancement request, CSCsb48526, has been created against the Cisco Security Agent to not disable the Windows Firewall when CSA's firewall feature is not employed. In the interim, a workaround is provided as described in the Workaround/Solutions section.
There are no immediately visible symptoms for the default Windows firewall being disabled by CSA.
A check of the Windows firewall status after CSA is installed and running, and each time the system is rebooted after this, will indicate that it is off.
This can be done by using the Windows Firewall Control Panel Applet, or through the Services UI. It can also be determined from the command line by executing the following command: netsh firewall show state .
The solution requires deploying Windows Firewall Settings with an Active Directory Group Policy when CSA and Windows Firewall are going to both be enabled on a Windows Server 2003 SP1 host running the Cisco ICM and IPCC applications.
A Group Policy Object (GPO) can be implemented which will override the Cisco Security Agent's disabling of the Windows Firewall. Microsoft recommends managing Windows Firewall settings in an organization's network through the use of Active Directory and the new Windows Firewall settings in the Computer Configuration Group Policy.
Because the Windows Firewall Configuration Utility provided with Cisco ICM and IPCC version 7.0(0) configures both domain and standard profile settings, integration with an Active Directory Group Policy to enable the Windows Firewall is possible and supported. In the case where CSA and Windows Firewall are used in conjunction to protect the host, the integration is of course required.
This requires that all Windows Server 2003 SP1 hosts running the Windows Firewall be a member of an Active Directory domain versus in a Workgroup.
For more information on the Windows Firewall, see the Windows Firewall Operations Guide.
For more information on the Cisco ICM Firewall Configuration Utility (CiscoICMfwConfig), see the Security Best Practices Guide for ICM and IPCC Enterprise & Hosted Editions.
The following are detailed steps to deploy Windows Firewall Settings with an Active Directory Group Policy.
The basic steps for deploying Windows firewall settings with Active Directory are as follows:
Update your Group Policy objects with the new Windows Firewall settings.
Specify Windows Firewall settings for your Group Policy objects.
Note: To update Group Policy objects with the new Windows Firewall settings for network environments using Windows 2000 Active Directory, Microsoft recommends that you use the Group Policy Management Console, a free download. For more information, see Group Policy Management Console with Service Pack 1.
Details on these steps are as follows:
a. Log on as a member of the Domain Administrators security group, the Enterprise Administrators security group, or the Group Policy Creator Owners security group.
b. Click Start, click Run, type mmc, and the click OK.
c. On the File menu, click Add/Remove Snap-in.
d. On the Standalone tab, click Add.
e. In the Available Standalone Snap-ins list, click Group Policy Object Editor, and then click Add.
f. In the Select Group Policy Object dialog box, click Browse.
g. In the Browse for a Group Policy Object dialog box, click the Group Policy object that you want to update with the new Windows Firewall settings.
h. Click OK.
i. Click Finish to complete the Group Policy Wizard.
j. In the Add Standalone Snap-in dialog box, click Close.
k. In the Add/Remove Snap-in dialog box, click OK.
l. In the console tree, open Computer Configuration, Administrative Templates, Network, Network Connections, and the Windows Firewall.
Repeat this procedure for every Group Policy object that is being used to apply Group Policy to computers that will have Windows Server 2003 SP1 installed.
Note: These recommendations are meant to apply the Group Policy settings to configure the Windows Firewall on Windows Server 2003 SP1 servers. It will therefore be necessary to create a separate container (Organizational Unit) for every Windows Server where the Windows Firewall will be enabled and configured locally using the Cisco ICM Firewall Configuration Utility (CiscoICMfwConfig) to which this Group Policy will apply. This will avoid having other AD domain members running Windows XP SP2 and Windows Server 2003 SP1 getting the Windows Firewall enabled through the configured GPO.
After a Group Policy object has been updated, it can be configured for Windows Firewall settings that are appropriate for Windows Firewall and the use of management, server, listener, or peer applications and services that are being run on computers running Windows Server 2003 SP1.
There are two sets of Windows Firewall settings to configure:
- The domain profile settings that are used by the computers when they are connected to a network that contains domain controllers for the domain of which the computer is a member.
- The standard profile settings that are used by the computers when they are connected to a network that does not contain domain controllers for the domain of which the computer is a member.
Both the domain profile and standard profile contain the same set of Windows Firewall settings.
Use the Group Policy snap-in to modify the Windows Firewall settings in the appropriate Group Policy objects. Note that you only need to modify Windows Firewall settings for Group Policy objects that are applied to Active Directory system containers (domains, organizational units, and sites) that contain computer accounts corresponding to computers that are or will be running Windows Server 2003 SP1 having been configured using the Cisco ICM Firewall Configuration Utility (CiscoICMfwConfig).
Once you configure the Windows Firewall settings, the next refresh of Computer Configuration Group Policy downloads the new Windows Firewall settings and applies them for computers running Windows Server 2003 SP1. Computers that are running Windows 2000, Windows Server 2003 with no service packs installed, Windows XP with SP1, or Windows XP with no service packs installed ignore the new Windows Firewall settings.
The following are the Windows Firewall Group Policy settings to be implemented:
- Windows Firewall: Protect all network connections Enabled
- Windows Firewall: Do not allow exceptions Not configured
- Windows Firewall: Define program exceptions Not configured
- Windows Firewall: Allow local program exceptions Enabled
- Windows Firewall: Allow remote administration exception Not configured
- Windows Firewall: Allow file and print sharing exception Not configured
- Windows Firewall: Allow ICMP exceptions Not configured
- Windows Firewall: Allow Remote Desktop exception Not configured
- Windows Firewall: Allow UPnP framework exception Not configured
- Windows Firewall: Prohibit notifications Not configured
- Windows Firewall: Allow logging Not configured
- Windows Firewall: Prohibit unicast response to multicast or broadcast requests Not configured
- Windows Firewall: Define port exceptions Not configured
- Windows Firewall: Allow local port exceptions Not configured
Extra Step for CSA deployments in managed environment using the CSA Management Center:
If CSA is deployed in a managed environment using the Cisco ICM CSA Policy 2.0.0 export file downloaded from Cisco Connection Online (CCO), then an additional step may be required as described below.
The CSA 4.5 Management Center can send hint messages to the agent to request a poll outside its scheduled polling cycle. A hint message will be sent only if a policy change is made on the Management Center. Hint messages are disabled in Cisco ICM CSA Policy 2.0.0. However, if the customer chooses to enable this feature of managed agent, then the following exception is required in the Windows Firewall.
When the hint feature is enabled, the leventmgr process on the agent machine starts to listen on UDP port 5401 and the firewall must be tuned to allow the hint message to pass through. This change can be made by issuing the following command at a command prompt:
netsh firewall add portopening protocol = UDP port = 5401 name = ManagedCSA mode = ENABLE scope = ALL profile = ALL
This can also be done through the Windows firewall GUI interface, using the values noted above.
Please note that after this, the CSAgent will need to be restarted on each machine running the agent software for this to take effect.
To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.
For More Information
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
Receive Email Notification For New Field Notices
Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.