Security Best Practices Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted Release 9.0
Windows Server 2008 R2 firewall configuration

Windows Server 2008 R2 includes Windows Firewall. Windows Firewall is a stateful host firewall that drops all unsolicited incoming traffic, that is, traffic that was not sent in response to a request from the computer (solicited traffic) and that has not been explicitly specified as allowed (excepted traffic). This behavior provides a level of protection from malicious users and programs that use unsolicited incoming traffic to attack computers.

More information can be found in the Microsoft Windows Firewall Operations Guide.

If you are using IPsec, consult the following Microsoft TechNet article on Managing IPSec and Multicast Settings.


Note


Windows Firewall is disabled by default on systems that have been upgraded to SP1. Systems that have a new installation of Windows Server 2008 R2 have Windows Firewall enabled by default.

You may enable Windows Firewall on your Unified ICM/Unified CCE servers; however, you must ensure that all required ports are open so that the Unified ICM/Unified CCE components installed on the server can function properly.

Cisco provides a utility that automatically allows all traffic from Unified ICM/Unified CCE applications on Windows Server 2008 R2. Additionally, the utility can open ports for common third-party applications used in the Unified ICM/Unified CCE environment. The script reads the list of ports in the file %SYSTEMDRIVE%\CiscoUtils\FirewallConfig\CiscoICMfwConfig_exc.xml and uses the directives contained therein to modify the firewall settings. See below for more information on the CiscoICMfwConfig_exc.xml file.

The utility allows all traffic from Unified ICM/Unified CCE applications by adding the relevant applications to the list of excepted programs and services. When an excepted application runs, Windows Firewall monitors the ports on which the program listens and automatically adds those ports to the list of excepted traffic.

The script can allow traffic from third-party applications by adding the application's port number to the list of excepted traffic. However, you must edit the CiscoICMfwConfig_exc.xml file to enable these ports.

Ports/Services enabled by default:

Optional ports you can open:

  • 5900/TCP - VNC
  • 5800/TCP - Java Viewer
  • 21800/TCP - Tridia VNC Pro (encrypted remote control)
  • 5631/TCP and 5632/UDP - pcAnywhere

Note


The XML file may be configured to add port-based exceptions beyond this list.

Cisco Firewall configuration utility prerequisites

The following must be installed before using the Firewall configuration utility:

  1. Windows Server 2008 R2 SP1+
  2. Unified ICM/CCE Version 8.0(1) components

Note


Any subsequent installation of a new component into the application installation requires reconfiguring the Windows Firewall. This involves removing the previously applied configuration and rerunning the Windows Firewall configuration utility.

Run Cisco Firewall configuration utility

You can run the Cisco Firewall Configuration Utility either from the command line or from the Unified Contact Center Security Wizard. For instructions on how to run the utility from the Security Wizard, see Applying Security with the Cisco Unified Contact Center Security Wizard.


Warning


If you attempt to run this utility from a remote session, such as VNC, you may be "locked out" after the firewall starts. If possible, perform any firewall-related work at the computer because network connectivity may be severed for some remote applications.


Use the Cisco Firewall Configuration Utility on each server running a Unified ICM component. To use the utility, follow these steps:

Procedure
    Step 1   Stop all application services.
    Step 2   From a command prompt, on Windows Server 2008 R2 run cscript %SYSTEMDRIVE%\CiscoUtils\FirewallConfig\CiscoICMfwConfig.vbe, or on Windows Server 2008 R2 run %SYSTEMDRIVE%\CiscoUtils\FirewallConfig\ConfigFirewall.bat.
    Step 3   If this is the first time the script has run, then it will run register.bat for Windows Server 2008 R2 or configfirewall.bat for Windows Server 2008 R2, and will ask you to rerun the application using the same command as above. Rerun the script if instructed to do so.
    Note   

    When using a Windows Server 2008 R2 system, if you subsequently rerun the script and it says that it is (again) running for the first time, and to (again) rerun the script, then manually run the register.bat file from the command line.

    After you run the script, a confirmation dialog box appears.

    Step 4   Click OK.

    The script verifies the Windows Firewall service is installed, then starts this service if it is not running.

    The script then updates the firewall with the ports and services specified in the file %SYSTEMDRIVE%\CiscoUtils\FirewallConfig\CiscoICMfwConfig_exc.xml.

    Step 5   Reboot the server.

Verify new Windows Firewall settings

You can verify that the Unified ICM components and ports have been added to the Windows Firewall exception list by following these steps:

Procedure
    Step 1   Choose Start > Settings > Control Panel > Windows Firewall, or select Administrative Tools > Windows Firewall with Advanced Security when using Windows Server 2008 R2.

    The Windows Firewall dialog box appears.

    Step 2   Click the Exceptions tab or, when using Windows Server 2008 R2, the Inbound Rules and Outbound Rules entries of the Windows Firewall dialog box.
    Step 3   Scroll through the list of excepted applications. Several Unified ICM executables now appear on the list, as well as any ports or services defined in the configuration file.

Windows Server 2008 R2 Firewall communication with Active Directory

To ensure that Active Directory can communicate through a firewall, you need to open the ports that domain controllers (DCs) use for communication via LDAP and other protocols.

Be sure to consult Microsoft Knowledge Base (KB) article KB179442 for important information about configuring a firewall for domains and trusts.

To establish secure communications between DCs and Unified ICM services, you need to define the following ports as outbound and inbound exceptions on the firewall:

• Ports that are already defined
• Variable ports (high ports) for use with Remote Procedure Calls (RPC)

Domain controller port configuration

The following port definitions must be defined on all DCs within the demilitarized zone (DMZ) that might replicate to external DCs. It is important that you define the ports on all DCs in the domain.

Restrict FRS traffic to specific static port

Be sure to consult Microsoft Knowledge Base (KB) article KB319553 for more information about restricting File Replication Service (FRS) traffic to a specific static port.

Procedure
    Step 1   Start Registry Editor (regedit.exe).
    Step 2   Locate and then click the following key in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters.
    Step 3   Add the following registry value:
    • New: REG_DWORD
    • Name: RPC TCP/IP Port Assignment
    • Value: 10000 (decimal)

Restrict Active Directory replication traffic to specific port

Be sure to consult Microsoft Knowledge Base (KB) article KB224196 for more information about restricting Active Directory replication traffic to a specific port.

Procedure
    Step 1   Start Registry Editor (regedit.exe).
    Step 2   Locate and then click the following key in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.
    Step 3   Add the following registry value:
    • New: REG_DWORD
    • Name: RPC TCP/IP Port
    • Value: 10001 (decimal)

Configure Remote Procedure Call (RPC) port allocation

Be sure to consult Microsoft Knowledge Base (KB) article KB154596 for more information about configuring RPC port allocation.

Procedure
    Step 1   Start Registry Editor (regedit.exe).
    Step 2   Locate and then click the following key in the registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
    Step 3   Add the Internet key.
    Step 4   Add the following registry values under the Internet key:
    • Ports: REG_MULTI_SZ: 10002-10200
    • PortsInternetAvailable: REG_SZ: Y
    • UseInternetPorts: REG_SZ: Y

Windows Server 2000 and 2008 R2 firewall ports

Be sure to consult Microsoft Knowledge Base (KB) article KB179442 for a detailed description of the ports that are used to configure a firewall for domains and trusts.

Table 1 Windows Server 2000 and 2008 R2 Firewall Ports

Server Port    | Protocol | Protocol | Service
---------------|----------|----------|----------------------------------------------------------------------------
135            | TCP      | RPC      | RPC Connector Helper (machines connect to determine which high port to use)
137            | TCP      | UDP      | NetBIOS Name
138            |          | UDP      | NetBIOS NetLogon and Browsing
139            |          |          | NetBIOS Session
123            |          | UDP      | NTP
389            | TCP      |          | LDAP
636            | TCP      | UDP      | LDAP SSL
3268           |          |          | LDAP GC
3269           |          |          | LDAP GC SSL
42             |          |          | WINS Replication
53             | TCP      | UDP      | DNS
88             | TCP      | UDP      | Kerberos
445            | TCP      | UDP      | SMB over IP (Microsoft-DS)
10000          | TCP      |          | RPC NTFRS
10001          | TCP      |          | RPC NTDS
10002 - 10200  | TCP      |          | RPC - Dynamic High Open Ports
               | ICMP     |          |

Test connectivity

To test connectivity and show the FRS configuration in Active Directory, use the Ntfrsutl tool.

Procedure
From the command line, run the Windows File Replication utility: Ntfrsutl version <server_name>.

When communications between the domain controllers are configured properly, the Ntfrsutl output shows the FRS configuration in Active Directory.

Validate connectivity

To validate connectivity between the domain controllers, use the PortQry tool.

To obtain the PortQry tool, see the following Microsoft website: http://download.microsoft.com/download/3/f/4/3f4c6a54-65f0-4164-bdec-a3411ba24d3a/PortQryUI.exe.

Procedure
    Step 1   Download PortQryUI.exe and run the tool.
    Step 2   Select the destination DC or PDC.
    Step 3   Select Domains and Trusts.
    Step 4   Use the response from PortQry to verify that the ports are open.

Be sure to consult Microsoft Knowledge Base (KB) article KB832919 for more information about PortQry features and functionality.

CiscoICMfwConfig_exc.xml file

The CiscoICMfwConfig_exc.xml file is a standard XML file that contains the list of applications, services, and ports that the Cisco Firewall Script uses to modify the Windows Firewall so that the firewall works properly in the Unified ICM/Unified CCE environment.

The file consists of three main parts:

• Services: The services that are allowed access through the firewall.
• Ports: The ports that the firewall should open. In the case of TCP/80 and TCP/443, this is conditional on whether IIS is installed.
• Applications: The applications that are not allowed access through the firewall. The script automatically excludes all of the applications listed in the CiscoICMfwConfig_exc.xml file.

Note

The behavior of the Applications section is opposite to that of the other two sections in the file. The Ports and Services sections allow access, whereas the Applications section denies access.

You can manually add services or ports to the CiscoICMfwConfig_exc.xml file and rerun the script to reconfigure Windows Firewall. For example, if you wanted to allow connections to your Jaguar server on port 9000 (CORBA), you could add the following line within the <Ports> part of the file to open port 9000 on the Windows Firewall:

<Port Number="9000" Protocol="TCP" Name="CORBA" />

Note

This is only needed if remote Jaguar administration is required. In most cases it is not.

On Windows Server 2008 R2, you can also use Windows Firewall with Advanced Security to allow or deny the ports or applications.

Some commonly used ports are listed in the file; however, they are commented out. In XML, comments (ignored text) are enclosed between the <!-- and --> markers, and anything between those markers is ignored. You can enable one of the commonly used ports by cutting its line out of the commented section and pasting it after the closing comment marker (-->) but before the </Ports> tag.
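As an added example (not part of the Cisco guide or its utility), the following Python script parses a constructed <Ports> section shaped like the one described above, shows that entries left inside <!-- --> are ignored while an uncommented <Port/> is honoured, and builds the equivalent Windows Firewall with Advanced Security rule for each active entry. Only the <Port Number="..." Protocol="..." Name="..." /> form comes from the guide; the enclosing <Config> element and the "ICM <Name>" rule naming are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample resembling the <Ports> part of CiscoICMfwConfig_exc.xml.
# The <Port .../> element is the form the guide shows; <Config> is assumed.
SAMPLE_XML = """<?xml version="1.0"?>
<Config>
  <Ports>
    <!-- Commonly used optional ports, left commented out until enabled:
    <Port Number="5900" Protocol="TCP" Name="VNC" />
    <Port Number="5631" Protocol="TCP" Name="pcAnywhere" />
    <Port Number="5632" Protocol="UDP" Name="pcAnywhere" />
    -->
    <Port Number="9000" Protocol="TCP" Name="CORBA" />
  </Ports>
</Config>
"""


def port_entry_valid(number, proto):
    """A usable entry has a real port number and a protocol the firewall knows."""
    return 1 <= number <= 65535 and proto in ("TCP", "UDP")


def enabled_ports(xml_text):
    """Return (number, protocol, name) for every active <Port/> under <Ports>.

    ElementTree discards XML comments, so the three ports inside <!-- -->
    never reach the caller, exactly as the firewall script ignores them.
    """
    root = ET.fromstring(xml_text)
    ports = []
    for p in root.iter("Port"):
        number = int(p.get("Number", "0"))
        proto = p.get("Protocol", "TCP").upper()
        if not port_entry_valid(number, proto):
            raise ValueError("bad port entry: " + ET.tostring(p, encoding="unicode"))
        ports.append((number, proto, p.get("Name", "")))
    return ports


def netsh_rules(ports):
    """Equivalent inbound allow rules for Windows Firewall with Advanced Security."""
    return [
        'netsh advfirewall firewall add rule name="ICM %s" dir=in action=allow '
        "protocol=%s localport=%d" % (name, proto, num)
        for num, proto, name in ports
    ]


if __name__ == "__main__":
    for rule in netsh_rules(enabled_ports(SAMPLE_XML)):
        print(rule)
```

The netsh commands are only printed, so the script can be reviewed before any rule is applied.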

Windows Firewall troubleshooting

The following notes and tasks can aid you if you have trouble with Windows Firewall.

Windows Server 2008 R2 general troubleshooting notes

Some general troubleshooting notes for Windows Firewall:

1. Running the CiscoICMfwConfig application for the first time requires that it be run twice, to allow for the registration of FirewallLib.dll. In some cases a time lapse is needed for the registration to complete, especially on a slower system.
2. If the registration fails, it is possible that the .NET Framework is not installed correctly. Verify that the following path and files exist: %windir%\Microsoft.NET\Framework\v1.1.4322\regasm.exe and %windir%\Microsoft.NET\Framework\v1.1.4322\gacutil.exe.
3. Change %SYSTEMDRIVE%\CiscoUtils\FirewallConfig\Register.bat as needed to match the environment.

Windows Firewall interferes with router private interface communication

Problem    The MDS fails to connect from the Side-A router to the Side-B router on the private interface IP addresses (isolated) only when the Windows Firewall is enabled.
Possible Cause    Windows Firewall is preventing the application (mdsproc.exe) from sending traffic to the remote host on the private network.
Solution    Configure static routes on both the Side-A and Side-B routers for the private addresses (high and non-high).

Windows Firewall shows dropped packets but no Unified ICM or Unified CCE failures evident

Problem    The Windows Firewall log shows dropped packets, but the Unified ICM and Unified CCE applications do not exhibit any application failures.
Possible Cause    The Windows Firewall is designed to log any and all traffic destined to the host when the traffic either is not allowed or is sent to a port on which no allowed application is listening.
Solution    Review the pfirewall.log file closely to determine the source and destination IP addresses and ports. Use netstat or TCPView to determine which processes listen or connect on which ports.
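To support the review step above, here is an added Python example (not from the Cisco guide) that parses the W3C-style records Windows Firewall writes to pfirewall.log and tallies DROP entries by protocol, destination address and port, so that each can be checked against the Unified ICM/CCE port list before concluding that a rule is missing. The log lines are constructed sample data; the field layout is taken from the #Fields header the log itself carries.

```python
from collections import Counter

# Constructed sample of pfirewall.log. Each record has one value per name in the
# #Fields header (W3C extended log format), with "-" for fields that do not apply.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2013-05-01 10:15:01 DROP TCP 10.0.0.25 10.0.0.10 51234 5900 52 S 123456 0 8192 - - - RECEIVE
2013-05-01 10:15:02 DROP UDP 10.0.0.25 10.0.0.10 137 137 78 - - - - - - - RECEIVE
2013-05-01 10:15:03 ALLOW TCP 10.0.0.11 10.0.0.10 49152 40000 52 S 223456 0 8192 - - - RECEIVE
2013-05-01 10:15:04 DROP TCP 10.0.0.25 10.0.0.10 51235 5900 52 S 123457 0 8192 - - - RECEIVE
"""


def parse_pfirewall(text):
    """Turn each log record into a dict keyed by the names in the #Fields line.

    Records seen before a #Fields header, other '#' directives and lines whose
    field count does not match the header are skipped rather than guessed at.
    """
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed record
        rows.append(dict(zip(fields, values)))
    return rows


def dropped_by_destination(rows):
    """Count DROP records per (protocol, dst-ip, dst-port).

    A destination port that appears here and is also a port a Unified ICM/CCE
    component listens on points at a missing exception; one that nothing
    listens on is the benign noise the troubleshooting note describes.
    """
    counts = Counter()
    for r in rows:
        if r["action"] == "DROP":
            counts[(r["protocol"], r["dst-ip"], int(r["dst-port"]))] += 1
    return counts


if __name__ == "__main__":
    for key, n in dropped_by_destination(parse_pfirewall(SAMPLE_LOG)).most_common():
        print("%-4s %-15s %5d  dropped %d time(s)" % (key[0], key[1], key[2], n))
```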

Undo Firewall settings

You can use the firewall configuration utility to undo the last application of the firewall settings. You need the CiscoICMfwConfig_undo.xml file.

Note

The undo file is written only if the configuration completed successfully. If this file does not exist, manual cleanup may be necessary using the Windows Firewall Control Panel applet.

To undo the firewall settings:

Procedure
    Step 1   Stop all application services.
    Step 2   Open a command window by choosing Start > Run and entering CMD in the dialog window.
    Step 3   Click OK.
    Step 4   Enter the following command: cd %SYSTEMDRIVE%\CiscoUtils\FirewallConfig.
    Step 5   Enter UndoConfigFirewall.bat for Windows Server 2008 R2.
    Step 6   Reboot the server.