How to configure a Windows Firewall Exception for Altiris Agent "Push" Installation using Group Policy In Active Directory
Last Updated July 29, 2009
In a domain environment I cannot push the Altiris Agent out to client machines because the Windows Firewall is blocking "File and Print Sharing".
How can I configure a Windows Firewall Exception for File and Printer Sharing and do this remotely using Group Policy on our Active Directory Server?
Log in to your Windows Server 2003 machine with Administrator rights.
From the Start menu, choose "Run"
Type in mmc and click OK
From the File menu in the newly opened console, choose "Add/Remove Snap-In"
Click the "Add" button
Find "Group Policy Object Editor" and click "Add".
In the "Select Group Policy Object" dialog, click "Browse".
Select "Default Domain Policy" and click OK
Click Finish in the "Select Group Policy Object" dialog.
Click "Close" in the "Add Standalone Snap-in" dialog.
Click "OK" in the "Add/Remove Snap-in" dialog.
In the console tree, open Computer Configuration, Administrative Templates, Network, Network Connections, and then Windows Firewall, Domain Profile.
Double-click "Windows Firewall: Allow file and print sharing exception" in the right pane of the console.
In the "Windows Firewall: Allow file and print sharing exception Properties" dialog, click "Enabled". Then, in the text box under "Allow unsolicited incoming messages from", enter the IP addresses or subnet descriptions that you would like the exception applied to. Click "OK" when done.
Then exit the "Default Domain Policy Console". Save the console if desired. This could be useful for disabling the exception after all the Altiris Agents are pushed out to the clients as desired.
If all went well, once your clients* get their new policies you should have "Group Policy" controlling your firewall settings.
Under the "Exceptions" tab you should see a result similar to the one shown below.
*Several variables control when the clients get the new policy you just applied, such as logon, reboot and the "GroupPolicyRefreshInterval" for your domain.
For testing purposes you can manually update the policy on a client after making a change by using the "gpupdate /force" command, which can be run from the "Run" command or a "cmd" window.
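To confirm on a client that the exception arrived and is limited to the addresses you entered, the following PowerShell check can be run after "gpupdate /force". It is an added example, not part of the original article or any Altiris tooling; it assumes the policy is stored at the registry path shown, and the function name and the /24 review threshold are hypothetical choices.

```powershell
# Added example: audit the File and Printer Sharing exception delivered by Group Policy.
# Assumed registry location of the Domain Profile policy setting:
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint'

function Test-FileAndPrintScope {
    param([string]$Scope)
    # $Scope is the comma-separated list typed into
    # "Allow unsolicited incoming messages from" in the policy dialog.
    $entries = @($Scope -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $findings = @()
    if ($entries.Count -eq 0) { $findings += 'Scope is empty' }
    foreach ($e in $entries) {
        if ($e -eq '*') {
            $findings += "'*' opens the exception to any address"
        } elseif ($e -match '^\d{1,3}(\.\d{1,3}){3}/(\d{1,2})$' -and [int]$Matches[2] -lt 24) {
            # Only prefix-length notation is checked; the /24 limit is an assumed threshold.
            $findings += "$e is wider than a /24"
        }
    }
    return $findings
}

$policy = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if (-not $policy) {
    Write-Output 'Policy value not found: not refreshed yet, or the setting is Not Configured.'
} elseif ($policy.Enabled -ne 1) {
    Write-Output 'Policy found, but the exception is not enabled.'
} else {
    Write-Output "Exception enabled for: $($policy.RemoteAddresses)"
    $issues = @(Test-FileAndPrintScope -Scope $policy.RemoteAddresses)
    if ($issues.Count -eq 0) {
        Write-Output 'Scope is limited to the listed addresses.'
    } else {
        $issues | ForEach-Object { Write-Output "REVIEW: $_" }
    }
}
```

A scope that lists only the server that pushes the agent keeps File and Printer Sharing closed to every other host while the exception is in place.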
Notes: The instructions here are very basic and apply this policy to the root of your domain. Other options are available when browsing for a Group Policy Object. For example, you could have chosen an Organizational Unit to place a custom policy in, as opposed to placing it in the root "Default" domain policy.
For more advanced features and usage of Group Policy, download Microsoft's Group Policy Management Console from here: