Windows Server 2012R2 Firewall Rules - Inbound and Outbound

This article is about allowing a standard Windows Server to communicate with the existing domain-joined servers in the environment, such as LDAP servers for authentication, SCOM for monitoring, and SCCM for deploying updates, patches and software.

In many such cases we are left investigating issues caused by the network firewall, by antivirus software with built-in firewall policies, or by the Windows Firewall, all of which block communication unless they are configured with allow rules or exceptions.

There are cases when an administrator has to manage servers remotely to gather information or deploy a script; if the Windows Firewall is not set up correctly, someone has to log in via the console, or, if it is a physical server, visit the datacentre in person to enable remote management.

The set of firewall rules below can be deployed via Group Policy (TechNet Article Link) or via a script, and I hope it is useful for setting up Windows Servers with a default set of policies and rules.

These rule sets are a standard set of rules that allow the default ports to communicate within the environment so that the server estate can be managed and controlled.

As always, these rules were deployed in a test environment in which we have implemented a secure network lockdown to mimic my production environment, so please implement them in your test/development environment before creating the policies in production.

The purpose of this wiki is to let an administrator create a template that allows standard communication between servers in a secure lockdown environment and to be confident that the server policy is configured at the appropriate lockdown settings.

Inbound Rules

| Name | Protocol | Local Port | Remote Port |
|---|---|---|---|
| ALL ICMP V4 | ICMPv4 | Any | Any |
| Core Networking - Destination Unreachable (ICMPv6-In) | ICMPv6 | Any | Any |
| Core Networking - Destination Unreachable Fragmentation Needed (ICMPv4-In) | ICMPv4 | Any | Any |
| Core Networking - Dynamic Host Configuration Protocol (DHCP-In) | UDP | 68 | 67 |
| Core Networking - Dynamic Host Configuration Protocol for IPv6 (DHCPV6-In) | UDP | 546 | 547 |
| Core Networking - Internet Group Management Protocol (IGMP-In) | IGMP | Any | Any |
| Core Networking - IPv6 (IPv6-In) | IPv6 | Any | Any |
| Core Networking - Multicast Listener Done (ICMPv6-In) | ICMPv6 | Any | Any |
| Core Networking - Multicast Listener Query (ICMPv6-In) | ICMPv6 | Any | Any |
| Core Networking - Multicast Listener Report (ICMPv6-In) | ICMPv6 | Any | Any |
| Core Networking - Multicast Listener Report v2 (ICMPv6-In) | ICMPv6 | Any | Any |
| Core Networking - Neighbor Discovery Advertisement (ICMPv6-In) | ICMPv6 | Any | Any |
| Core Networking - Neighbor Discovery Solicitation (ICMPv6-In) | ICMPv6 | Any | Any |
| Core Networking - Packet Too Big (ICMPv6-In) | ICMPv6 | Any | Any |
| Core Networking - Parameter Problem (ICMPv6-In) | ICMPv6 | Any | Any |
| Core Networking - Router Advertisement (ICMPv6-In) | ICMPv6 | Any | Any |
| Core Networking - Router Solicitation (ICMPv6-In) | ICMPv6 | Any | Any |
| Core Networking - Time Exceeded (ICMPv6-In) | ICMPv6 | Any | Any |
| File Server Remote Management (DCOM-In) | TCP | 135 | Any |
| File Server Remote Management (SMB-In) | TCP | 445 | Any |
| File Server Remote Management (WMI-In) | TCP | RPC Dynamic Ports | Any |
| AD Global Catalog | TCP | 3268 | Any |
| AD Global Catalog Secure | TCP | 3269 | Any |
| AD Kerberos TCP | TCP | 88 | Any |
| AD Kerberos UDP | UDP | 88 | Any |
| AD DNS TCP | TCP | 53 | Any |
| AD DNS UDP | UDP | 53 | Any |
| AD LDAP | TCP | 389 | Any |
| AD LDAP Secure | TCP | 636 | Any |
| Time Service | UDP | 123 | Any |
| Remote Desktop - Shadow (TCP-In) | TCP | Any | Any |
| Remote Desktop - User Mode (TCP-In) | TCP | 3389 | Any |
| Remote Desktop - User Mode (UDP-In) | UDP | 3389 | Any |
| Remote Service Management (NP-In) | TCP | 445 | Any |
| Remote Service Management (RPC) | TCP | RPC Dynamic Ports | Any |
| Remote Service Management (RPC-EPMAP) | TCP | RPC Endpoint Mapper | Any |
| SMC Service | UDP | Any | Any |
| SMC Service | TCP | Any | Any |
| SNAC Service | TCP | Any | Any |
| SNAC Service | UDP | Any | Any |
| SCCM Client - Http | Http | 80 | Any |
| SCCM Client - Https | Https | 443 | Any |
| SCCM Client UDP | UDP | 135 | Any |
| SCCM Client UDP | UDP | 137 | Any |
| SCCM Client UDP | UDP | 138 | Any |
| SCCM Client | TCP | 139 | Any |
| SCCM Client Notification | TCP | 10123 | Any |
| SCCM Remote Control | TCP | 2701 | Any |
| SCOM Agent | TCP | 5723 | Any |
| SQL Server Access | TCP | 1433 | Any |
| Windows Firewall Remote Management (RPC) | TCP | RPC Dynamic Ports | Any |
| Windows Firewall Remote Management (RPC-EPMAP) | TCP | RPC Endpoint Mapper | Any |
| Windows Remote Management (HTTP-In) | TCP | 5985 | Any |
| WSUS | TCP | 8530 | Any |
| WSUS | TCP | 8531 | Any |
| Windows KMS License | TCP | 1688 | Any |

Outbound Rules

| Name | Protocol | Local Port | Remote Port |
|---|---|---|---|
| SCCM Client | TCP | 10123 | Any |
| SCCM Client WSUS | TCP | 8530 | Any |
| SCCM Client WSUS | TCP | 8531 | Any |
| SCCM Multicast | TCP | 63000-64000 | Any |
| SCCM PXE DP | UDP | 67-69 | Any |
| SCCM PXE ProxyDHCP | UDP | 4011 | Any |
| SCCM Client - Http | Http | 80 | Any |
| SCCM Client - Https | Https | 443 | Any |
| SCOM Agent | TCP | 5723 | Any |
| AD Global Catalog | TCP | 3268 | Any |
| AD Global Catalog | TCP | 3269 | Any |
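The article says the rules can be deployed via a script as well as via Group Policy. The PowerShell below is an added example, not the article's own script or a Microsoft-supplied one: it turns a representative subset of the inbound and outbound rows above into rules with the NetSecurity cmdlets that ship with Windows Server 2012 R2 (PowerShell 4.0), creates them idempotently so the script can be re-run, and then audits the host for template rules that are missing or disabled. Everything not taken from the tables is an assumption: the rule group name and the management subnet are placeholders, the article's "Http"/"Https" protocol entries are created as TCP, and for outbound rows the service port is placed in RemotePort (an outbound connection's destination is the remote side) and scoped to the management subnet rather than left open to any address.

```powershell
# Added example (not from the original article). Creates a subset of the
# baseline allow rules from the tables above and audits for drift.
# Placeholders to replace: $RuleGroup and $MgmtSubnet.
#Requires -RunAsAdministrator
Import-Module NetSecurity

$RuleGroup  = 'Server Baseline (template)'   # placeholder group name, assumed
$MgmtSubnet = '10.0.0.0/24'                  # placeholder management/AD subnet, assumed
$FwProfile  = 'Domain'                       # domain-joined servers only

# Rows mirror the article's columns (Name, Protocol, Local Port, Remote Port).
# 'RPC' and 'RPCEPMap' are the keywords New-NetFirewallRule accepts for the
# dynamic RPC range and the RPC endpoint mapper (TCP 135).
$Inbound = @(
    @{ Name = 'AD Kerberos TCP';                       Protocol = 'TCP';    LocalPort = 88;         RemotePort = 'Any' }
    @{ Name = 'AD Kerberos UDP';                       Protocol = 'UDP';    LocalPort = 88;         RemotePort = 'Any' }
    @{ Name = 'AD LDAP';                               Protocol = 'TCP';    LocalPort = 389;        RemotePort = 'Any' }
    @{ Name = 'AD LDAP Secure';                        Protocol = 'TCP';    LocalPort = 636;        RemotePort = 'Any' }
    @{ Name = 'Time Service';                          Protocol = 'UDP';    LocalPort = 123;        RemotePort = 'Any' }
    @{ Name = 'Remote Desktop - User Mode (TCP-In)';   Protocol = 'TCP';    LocalPort = 3389;       RemotePort = 'Any' }
    @{ Name = 'Remote Service Management (RPC)';       Protocol = 'TCP';    LocalPort = 'RPC';      RemotePort = 'Any' }
    @{ Name = 'Remote Service Management (RPC-EPMAP)'; Protocol = 'TCP';    LocalPort = 'RPCEPMap'; RemotePort = 'Any' }
    @{ Name = 'Windows Remote Management (HTTP-In)';   Protocol = 'TCP';    LocalPort = 5985;       RemotePort = 'Any' }
    @{ Name = 'SCOM Agent';                            Protocol = 'TCP';    LocalPort = 5723;       RemotePort = 'Any' }
    @{ Name = 'SCCM Client Notification';              Protocol = 'TCP';    LocalPort = 10123;      RemotePort = 'Any' }
    @{ Name = 'ALL ICMP V4';                           Protocol = 'ICMPv4'; LocalPort = 'Any';      RemotePort = 'Any' }
)
# Outbound rows: service port in RemotePort (assumption explained in the lead-in);
# the article's Http/Https entries are modelled as TCP 80/443.
$Outbound = @(
    @{ Name = 'SCCM Client - Http';  Protocol = 'TCP'; LocalPort = 'Any'; RemotePort = 80    }
    @{ Name = 'SCCM Client - Https'; Protocol = 'TCP'; LocalPort = 'Any'; RemotePort = 443   }
    @{ Name = 'SCCM Client WSUS';    Protocol = 'TCP'; LocalPort = 'Any'; RemotePort = 8531  }
    @{ Name = 'SCOM Agent';          Protocol = 'TCP'; LocalPort = 'Any'; RemotePort = 5723  }
    @{ Name = 'AD Global Catalog';   Protocol = 'TCP'; LocalPort = 'Any'; RemotePort = 3268  }
)

function New-BaselineRule {
    param(
        [Parameter(Mandatory)][hashtable]$Rule,
        [Parameter(Mandatory)][ValidateSet('Inbound','Outbound')][string]$Direction
    )
    $display = "$($Rule.Name) [$Direction]"
    # Idempotent: an existing rule with this display name is left untouched.
    if (Get-NetFirewallRule -DisplayName $display -ErrorAction SilentlyContinue) {
        Write-Verbose "exists: $display"
        return
    }
    $params = @{
        DisplayName   = $display
        Group         = $RuleGroup
        Direction     = $Direction
        Action        = 'Allow'
        Profile       = $FwProfile
        Protocol      = $Rule.Protocol
        RemoteAddress = $MgmtSubnet     # narrower than the table's 'Any'
    }
    # Port filters apply to TCP/UDP only; ICMP rules carry no port values.
    if ($Rule.Protocol -in 'TCP','UDP') {
        $params.LocalPort  = $Rule.LocalPort
        $params.RemotePort = $Rule.RemotePort
    }
    New-NetFirewallRule @params | Out-Null
    Write-Verbose "created: $display"
}

function Test-BaselineRules {
    # Drift check: returns the display names of template rules that are absent
    # or disabled, so a scheduled run can flag hosts that no longer match.
    $missing = @()
    foreach ($set in @(@{ Dir = 'Inbound'; Rules = $Inbound }, @{ Dir = 'Outbound'; Rules = $Outbound })) {
        foreach ($r in $set.Rules) {
            $display  = "$($r.Name) [$($set.Dir)]"
            $existing = Get-NetFirewallRule -DisplayName $display -ErrorAction SilentlyContinue
            if (-not $existing -or "$($existing.Enabled)" -ne 'True') { $missing += $display }
        }
    }
    return $missing
}

foreach ($r in $Inbound)  { New-BaselineRule -Rule $r -Direction Inbound }
foreach ($r in $Outbound) { New-BaselineRule -Rule $r -Direction Outbound }

$gaps = Test-BaselineRules
if ($gaps) { Write-Warning ("Template rules missing or disabled:`n" + ($gaps -join "`n")) }
else       { Write-Output "All template rules present and enabled in group '$RuleGroup'." }
```

Run it from an elevated PowerShell session on a test server first, as the article advises; `Get-NetFirewallRule -Group 'Server Baseline (template)' | Get-NetFirewallPortFilter` then shows exactly which ports were opened, and re-running the script reports drift instead of duplicating rules. Keeping the rules in a single named group also makes them easy to remove in one step (`Remove-NetFirewallRule -Group ...`) when the Group Policy version described above takes over.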