PowerShell and Firewall Rules (With K2 Blackpearl Samples)

November 18, 2016

First things:

  1. Import-Module NetSecurity
  2. Run Get-Command *firewall*

When setting up new servers, or just checking which firewall rules are in place, PowerShell is a great tool for that management.
A set of New-NetFirewallRule statements can be run post-SYSPREP on servers or VMs.
There are quite a few parameters that can be specified with New-NetFirewallRule. I'll show a few that I use in the rules listed below.

This is definitely the quick way to add rules. You could also keep your rules in an XML file that is pulled to the server periodically, which gives you a baseline for audit comparisons and versioning whenever rules are added or changed.

New-NetFirewallRule -DisplayName <String> [-Action <Action> ] [-AsJob] [-Authentication <Authentication> ] [-CimSession <CimSession[]> ] [-Description <String> ] [-Direction <Direction> ] [-DynamicTarget <DynamicTransport> ] [-EdgeTraversalPolicy <EdgeTraversal> ] [-Enabled <Enabled> ] [-Encryption <Encryption> ] [-GPOSession <String> ] [-Group <String> ] [-IcmpType <String[]> ] [-InterfaceAlias <WildcardPattern[]> ] [-InterfaceType <InterfaceType> ] [-LocalAddress <String[]> ] [-LocalOnlyMapping <Boolean> ] [-LocalPort <String[]> ] [-LocalUser <String> ] [-LooseSourceMapping <Boolean> ] [-Name <String> ] [-OverrideBlockRules <Boolean> ] [-Owner <String> ] [-Package <String> ] [-Platform <String[]> ] [-PolicyStore <String> ] [-Profile <Profile> ] [-Program <String> ] [-Protocol <String> ] [-RemoteAddress <String[]> ] [-RemoteMachine <String> ] [-RemotePort <String[]> ] [-RemoteUser <String> ] [-Service <String> ] [-ThrottleLimit <Int32> ] [-Confirm] [-WhatIf] [ <CommonParameters>]

New-NetFirewallRule `
-DisplayName "LDAP: TCP" `
-Group "APP NAME" `
-Enabled True `
-Protocol tcp `
-RemotePort 389 `
-Direction Outbound

In the lists below each rule is on a single line, so the continuation character ` is not needed.

I like using -Group: as the name implies, it groups your rules however you want so they are faster to find in the GUI.
Here are some firewall settings that can be copied and used to set up rules for K2 BLACKPEARL in your environment. Copy what you need; it can save a lot of time during post-setup of a server.

##
######### Outbound rules from the K2 Web Server
##
New-NetFirewallRule -DisplayName "K2 Workflow server" -Group "K2 Software Ports" -Enabled True -Protocol tcp -RemotePort 5252 -Direction Outbound
New-NetFirewallRule -DisplayName "K2 Host server" -Group "K2 Software Ports" -Enabled True -Protocol tcp -RemotePort 5555 -Direction Outbound
New-NetFirewallRule -DisplayName "K2 Discovery Service for server farm" -Group "K2 Software Ports" -Enabled True -Protocol tcp -RemotePort 49600 -Direction Outbound
New-NetFirewallRule -DisplayName "K2 WCF and REST EndPoints" -Group "K2 Software Ports" -Enabled True -Protocol tcp -RemotePort 8888 -Direction Outbound
New-NetFirewallRule -DisplayName "WinRM 2.0 HTTP" -Group "K2 Software Ports" -Enabled True -Protocol tcp -RemotePort 5985 -Direction Outbound
New-NetFirewallRule -DisplayName "WinRM 2.0 HTTPs" -Group "K2 Software Ports" -Enabled True -Protocol tcp -RemotePort 5986 -Direction Outbound
# Inbound WinRM: the listener is on the local port; the remote (client) side uses an ephemeral port
New-NetFirewallRule -DisplayName "WinRM 2.0 HTTP" -Group "K2 Software Ports" -Enabled True -Protocol tcp -LocalPort 5985 -Direction Inbound
New-NetFirewallRule -DisplayName "WinRM 2.0 HTTPs" -Group "K2 Software Ports" -Enabled True -Protocol tcp -LocalPort 5986 -Direction Inbound
New-NetFirewallRule -DisplayName "LDAPS: TCP" -Group "K2 Software Ports" -Enabled True -Protocol tcp -LocalPort 636 -Direction Inbound
New-NetFirewallRule -DisplayName "LDAPS: UDP" -Group "K2 Software Ports" -Enabled True -Protocol udp -LocalPort 636 -Direction Inbound
New-NetFirewallRule -DisplayName "LDAP: TCP" -Group "K2 Software Ports" -Enabled True -Protocol tcp -LocalPort 389 -Direction Inbound
New-NetFirewallRule -DisplayName "LDAP: UDP" -Group "K2 Software Ports" -Enabled True -Protocol udp -LocalPort 389 -Direction Inbound
New-NetFirewallRule -DisplayName "LDAPS: TCP" -Group "K2 Software Ports" -Enabled True -Protocol tcp -RemotePort 636 -Direction Outbound
New-NetFirewallRule -DisplayName "LDAPS: UDP" -Group "K2 Software Ports" -Enabled True -Protocol udp -RemotePort 636 -Direction Outbound
New-NetFirewallRule -DisplayName "LDAP: TCP" -Group "K2 Software Ports" -Enabled True -Protocol tcp -RemotePort 389 -Direction Outbound
New-NetFirewallRule -DisplayName "LDAP: UDP" -Group "K2 Software Ports" -Enabled True -Protocol udp -RemotePort 389 -Direction Outbound

#KERBEROS
# Outbound client traffic originates from an ephemeral local port, so only the remote port is pinned;
# pinning -LocalPort as well would leave these rules never matching real traffic.
New-NetFirewallRule -DisplayName "K2 For Kerberos tcp" -Group "K2 Software Ports" -Enabled True -Protocol tcp -RemotePort 88 -Direction Outbound
New-NetFirewallRule -DisplayName "K2 For Kerberos udp" -Group "K2 Software Ports" -Enabled True -Protocol udp -RemotePort 88 -Direction Outbound
New-NetFirewallRule -DisplayName "K2 For time udp" -Group "K2 Software Ports" -Enabled True -Protocol udp -RemotePort 123 -Direction Outbound
New-NetFirewallRule -DisplayName "K2 For DNS" -Group "K2 Software Ports" -Enabled True -Protocol tcp -RemotePort 53 -Direction Outbound

K2 Blackpearl also interacts with SQL Server and Exchange servers.
##
### RPC endpoint mapper
##
New-NetFirewallRule -DisplayName "K2 MSDTC RPC Endpoint mapper tcp" -Group "K2 Software Ports" -Enabled True -Protocol tcp -RemotePort 135 -Direction Outbound
New-NetFirewallRule -DisplayName "K2 MSDTC RPC Endpoint mapper udp" -Group "K2 Software Ports" -Enabled True -Protocol udp -RemotePort 135 -Direction Outbound
New-NetFirewallRule -DisplayName "K2 MSDTC RPC Random high ports" -Group "K2 Software Ports" -Enabled True -Protocol tcp -RemotePort 11024-65535 -Direction Outbound

## Done on SQLSERVER
netsh advfirewall firewall add rule name="MSSQLSERVER" dir=in action=allow program="D:\MSSQL11\MSSQL11.MSSQLSERVER\MSSQL\Binn\sqlservr.exe" enable=yes

##
### Exchange and Email Rules
##
New-NetFirewallRule -DisplayName "K2 Email Events and Notifications" -Group "K2 Software Ports" -Enabled True -Protocol tcp -RemotePort 587 -Direction Outbound
##
### SQL ports
##
# Outbound (UDP 1434 is the SQL Browser service used for named-instance lookup)
New-NetFirewallRule -DisplayName "K2 SQL Instance" -Group "K2 Software Ports" -Enabled True -Protocol tcp -RemotePort 1433 -Direction Outbound
New-NetFirewallRule -DisplayName "K2 SQL SSMS" -Group "K2 Software Ports" -Enabled True -Protocol udp -RemotePort 1434 -Direction Outbound
# Inbound
New-NetFirewallRule -DisplayName "K2 SQL Instance" -Group "K2 Software Ports" -Enabled True -Protocol tcp -LocalPort 1433 -Direction Inbound
New-NetFirewallRule -DisplayName "K2 SQL SSMS" -Group "K2 Software Ports" -Enabled True -Protocol udp -LocalPort 1434 -Direction Inbound

##
######### Inbound rules to the K2 Web Server
##
New-NetFirewallRule -DisplayName "K2 Workflow server" -Group "K2 Software Ports" -Enabled True -Protocol tcp -LocalPort 5252 -RemotePort any -Direction Inbound
New-NetFirewallRule -DisplayName "K2 Host server" -Group "K2 Software Ports" -Enabled True -Protocol tcp -LocalPort 5555 -RemotePort any -Direction Inbound
New-NetFirewallRule -DisplayName "K2 Discovery Service for server farm" -Group "K2 Software Ports" -Enabled True -Protocol tcp -LocalPort 49600 -RemotePort any -Direction Inbound
New-NetFirewallRule -DisplayName "K2 HTTPS" -Group "K2 Software Ports" -Enabled True -Protocol tcp -LocalPort 443 -RemotePort any -Direction Inbound
##
### SQL Endpoint clustering 5022
##
New-NetFirewallRule -DisplayName "AlwaysOn Endpoint" -Group "K2 Software Ports" -Enabled True -Protocol tcp -LocalPort 5022 -RemotePort any -Direction Inbound
New-NetFirewallRule -DisplayName "AlwaysOn Endpoint" -Group "K2 Software Ports" -Enabled True -Protocol tcp -LocalPort 5022 -RemotePort any -Direction Outbound

K2 Blackpearl also uses DTC.
You can open the DTC ports either by enabling the built-in rules by group name (shown further down) or with an individual New-NetFirewallRule.
##
### USING NETSH to add items
##
# DTC
netsh advfirewall firewall add rule name="MSDTC" dir=in action=allow program="%windir%\system32\msdtc.exe" enable=yes

# Same thing with New-NetFirewallRule: scoped to the msdtc.exe program rather than to fixed ports
New-NetFirewallRule -DisplayName "K2 DTC (TCP-In)" -Group "K2 Software Ports" -Enabled True -Protocol tcp -Program '%SystemRoot%\system32\msdtc.exe' -LocalPort any -RemotePort any -Direction Inbound

###
#### Enable DTC rules on servers
###
Import-Module NetSecurity
Enable-NetFirewallRule -DisplayName "Distributed Transaction Coordinator (TCP-In)"
Enable-NetFirewallRule -DisplayName "Distributed Transaction Coordinator (RPC-EPMAP)"
Enable-NetFirewallRule -DisplayName "Distributed Transaction Coordinator (RPC)"
Enable-NetFirewallRule -DisplayName "Distributed Transaction Coordinator (TCP-Out)"

# Or by Group
Enable-NetFirewallRule -Group "Distributed Transaction Coordinator"

Once they are in a script, the firewall rules are quick to maintain, and the script doubles as documentation of your application's ports for troubleshooting should the need arise.
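The XML-driven approach mentioned earlier, as an added example that is not from the original post: the K2 rules live in XML, the script creates only the ones missing from the server (matched on DisplayName and Direction, so re-running it never duplicates a rule), and then it reports every rule in the "K2 Software Ports" group together with whether the XML knows about it. The XML layout and the helper name Get-WantedRule are my own; the rule values are the post's.

```powershell
# Added example, not from the original post: idempotent apply + audit of the K2 group.
# The XML layout and element names are my own; the rule values come from the post.
Import-Module NetSecurity

$GroupName = 'K2 Software Ports'

# Constructed sample; in practice load it with: [xml]$desired = Get-Content $path -Raw
[xml]$desired = @"
<Rules>
  <Rule DisplayName="K2 Workflow server" Protocol="tcp" RemotePort="5252" Direction="Outbound" />
  <Rule DisplayName="K2 Host server"     Protocol="tcp" RemotePort="5555" Direction="Outbound" />
  <Rule DisplayName="K2 HTTPS"           Protocol="tcp" LocalPort="443"   Direction="Inbound" />
</Rules>
"@

function Get-WantedRule($Name, $Direction) {
    $desired.Rules.Rule | Where-Object { $_.DisplayName -eq $Name -and $_.Direction -eq $Direction }
}

# 1. Apply: create only the rules that are not already on the server.
foreach ($r in $desired.Rules.Rule) {
    $present = Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue |
               Where-Object { "$($_.Direction)" -eq $r.Direction }
    if ($present) { continue }
    $params = @{ DisplayName = $r.DisplayName; Group = $GroupName; Enabled = 'True'
                 Protocol = $r.Protocol; Direction = $r.Direction }
    if ($r.LocalPort)  { $params.LocalPort  = $r.LocalPort }    # omitted attribute => Any
    if ($r.RemotePort) { $params.RemotePort = $r.RemotePort }
    New-NetFirewallRule @params | Out-Null      # add -WhatIf here to preview instead of creating
}

# 2. Audit: every rule in the group, its actual ports, and whether the XML defines it.
$report = foreach ($rule in Get-NetFirewallRule -Group $GroupName) {
    $ports  = $rule | Get-NetFirewallPortFilter
    $wanted = Get-WantedRule $rule.DisplayName "$($rule.Direction)"
    [pscustomobject]@{
        DisplayName = $rule.DisplayName
        Direction   = "$($rule.Direction)"
        Enabled     = "$($rule.Enabled)"
        LocalPort   = "$($ports.LocalPort)"
        RemotePort  = "$($ports.RemotePort)"
        InXml       = [bool]$wanted
    }
}
$report | Sort-Object InXml, DisplayName | Format-Table -AutoSize
$report | Where-Object { -not $_.InXml } | ForEach-Object {
    Write-Warning "Not in XML: $($_.DisplayName) ($($_.Direction))"
}
```

Rules flagged "Not in XML" are the drift to investigate: either someone added them by hand on the server, or the XML needs updating and a new version committed.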

Part 2, if I do one 🙂, will cover a few of the other parameters of New-NetFirewallRule.