Deploying SCCM 2012 Part 5 – SCCM Install WSUS Configure Firewall Exceptions – In this post we will install the WSUS server role, configure the Windows Firewall with the exceptions that client push installation needs, and open the SQL Server ports TCP 1433 and 4022.
In Part 1 we saw the installation of Active Directory Domain Services. In Part 2 we created the AD container and delegated permissions on it. In Part 3 we installed the prerequisites for the SCCM server. In Part 4 we installed SQL Server and applied the service pack and cumulative update.
Installing WSUS 3.0 SP2
Software updates in Configuration Manager 2012 require that WSUS 3.0 SP2 is installed on every site system server that you configure for the software update point site system role. Additionally, when you install the active software update point on a remote site system, you must also install the WSUS Administration Console on the site server if it is not already there; the site server uses it to communicate with WSUS running on the active software update point. You can install WSUS from Server Manager by adding the WSUS role, but I prefer to install it from the setup file downloaded from Microsoft. WSUS 3.0 SP2 is available here: http://www.microsoft.com/en-us/download/details.aspx?id=5216 . We will install the WSUS role on the SCCM.PRAJWAL.LOCAL machine with the user account “sccmadmin”.
Run the WSUS setup file. Click Next.
Select Full server installation including the administrator console. Click Next.
We will store the WSUS updates on a separate drive, E. You can keep them on the C drive, but it is not recommended: if the operating system has to be rebuilt you may lose the WSUS content folder with it, and a content store that grows over time can fill the system drive.
We will not use the Windows Internal Database; instead we will use the SQL Server instance installed in Part 4.
Because SQL Server is installed on the same server, the installer connects to the local instance straight away. If SQL Server runs on another machine, select “Using an existing database server on a remote machine” and provide the server in machine name\instance name form.
Select “Use existing IIS default Web site” and click Next.
Click finish to complete the WSUS installation.
Note: once you click Finish, the WSUS configuration wizard opens. Do not run it, because SCCM will configure WSUS itself when the software update point role is installed and the updates are deployed from SCCM. Click Cancel to close the wizard.
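The same installation can be scripted, which is handy when more than one software update point has to be built the same way. The following PowerShell is an added example and is not part of the original post; it assumes (none of this is stated above) that WSUSSetup.exe from the download link is in C:\Temp, that SQL Server is the default instance on this host, and that sqlcmd.exe from the SQL Server installation is on the PATH. The setup switch names follow the unattended-install section of the WSUS 3.0 SP2 deployment guide rather than the post, so confirm them against your copy of the guide before relying on them.

```powershell
# Added example, not from the original post: unattended WSUS 3.0 SP2 install with the same
# choices made in the wizard above (full install with console, content on E:, existing SQL
# instance, default IIS web site), followed by checks that the result is what SCCM expects.
# Run from an elevated PowerShell prompt as sccmadmin on SCCM.PRAJWAL.LOCAL.

$setup       = 'C:\Temp\WSUSSetup.exe'   # assumption: downloaded installer location
$contentDir  = 'E:\WSUS'                 # content on a separate drive, as in the post
$sqlInstance = 'SCCM.PRAJWAL.LOCAL'      # default instance; use 'host\instance' for a named one

# Switch names from the WSUS 3.0 SP2 deployment guide (assumption, not from the post).
# /q suppresses the wizard, including the post-install configuration wizard that the post
# tells you to cancel, so SCCM remains the only thing that configures WSUS.
$setupArgs = @(
    '/q',
    'CONTENT_LOCAL=1',                   # keep update files locally ...
    "CONTENT_DIR=$contentDir",           # ... in E:\WSUS
    "SQLINSTANCE_NAME=$sqlInstance",     # existing SQL Server instance instead of WID
    'CREATE_DATABASE=1',                 # let setup create SUSDB
    'DEFAULT_WEBSITE=1'                  # reuse the existing IIS default web site (port 80)
)

if (-not (Test-Path $contentDir)) {
    New-Item -ItemType Directory -Path $contentDir | Out-Null
}

$proc = Start-Process -FilePath $setup -ArgumentList $setupArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "WSUSSetup.exe failed with exit code $($proc.ExitCode); see the WSUS setup logs in $env:TEMP"
}

# What setup recorded: content path, SQL Server and the web site port SCCM will use.
$reg = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup'
"Content dir : $($reg.ContentDir)"
"SQL server  : $($reg.SqlServerName)"
"Port        : $($reg.PortNumber)"

# The WSUS service has to be running before the software update point role can be added.
$svc = Get-Service -Name WSUSService
if ($svc.Status -ne 'Running') {
    throw "WSUS service is $($svc.Status)"
}

# SUSDB should now exist in the SQL Server instance (Windows authentication as sccmadmin).
$db = & sqlcmd -S $sqlInstance -E -h -1 -W -Q "SET NOCOUNT ON; SELECT name FROM sys.databases WHERE name = 'SUSDB'"
if (($db | Out-String).Trim() -ne 'SUSDB') {
    throw 'SUSDB was not created in the SQL Server instance'
}
'WSUS 3.0 SP2 installed and verified; leave the WSUS configuration wizard alone and let SCCM configure it.'
```

If the exit code is non-zero, the WSUS setup logs in the temp folder say which step failed; the most common cause when using an existing SQL instance is that the account running setup cannot create databases on it.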
Configuring Firewall for Client installation.
For the full list of ports used by Configuration Manager 2012, see http://technet.microsoft.com/en-us/library/hh427328.aspx. To use client push to install the Configuration Manager 2012 client, you must add the following exceptions to the Windows Firewall on the computers that client push targets:
- File and Printer Sharing
- Windows Management Instrumentation (WMI)
We will create an inbound rule and an outbound rule that add the File and Printer Sharing rule group as a firewall exception, and an inbound rule that allows WMI. We will do this through Group Policy on the Domain Controller, so that the exceptions reach every domain-joined computer rather than being set by hand on each machine.
Click All Programs, Administrative Tools, and open the Group Policy Management console. Right-click the domain and create a GPO.
We will name the policy SCCM Client Push Policy. Click OK to create it. The new policy now appears linked under the domain, beside the Default Domain Policy. Right-click the SCCM Client Push Policy and click Edit; the Group Policy Management Editor opens.
Expand Computer Configuration, Windows Settings, Security Settings, Windows Firewall with Advanced Security. Refer to the figure below.
Now right-click Inbound Rules and select New Rule. Select Predefined and choose File and Printer Sharing from the list. Click Next.
Make sure all the rules in the group are checked. Click Next.
Select the “Allow the connection” radio button and click Finish.
We have now created a rule that allows File and Printer Sharing inbound. The predefined rule accepts connections from any remote address; client push only ever comes from the site server, so on the Scope tab of the rule you can restrict the remote IP addresses to the site server to keep SMB exposure to a minimum.
Now we will create an outbound rule for the same group: right-click Outbound Rules, select New Rule, choose Predefined and File and Printer Sharing, and click Next. Windows Firewall allows outbound connections by default, so this rule only has an effect if outbound blocking has been turned on; it is harmless otherwise.
Make sure all the rules in the group are checked. Click Next.
Select Allow the connection. Click Finish.
We have created a rule to allow File and Printer Sharing outbound.
Now we will create an inbound rule to allow Windows Management Instrumentation. Create an inbound rule, selecting “Windows Management Instrumentation (WMI)” from the Predefined list. Click Next.
Check all the rules in the group and click Next.
Allow the connection. Click Finish. As with File and Printer Sharing, the WMI rule can be scoped to the site server's address, since the site server is the only computer that needs to reach WMI on the clients for client push.
Next we will open TCP ports 1433 and 4022 on the site database server. TCP 1433 is the default SQL Server port used by the site server and the Configuration Manager console to reach the site database; TCP 4022 is the SQL Server Service Broker port that Configuration Manager 2012 uses for database replication between sites. By default Windows Firewall is enabled and blocks port 1433, which prevents other computers from connecting to a default instance of SQL Server. Connections to the default instance over TCP/IP are not possible until port 1433 is opened. We will now create a Group Policy to open TCP ports 1433 and 4022.
Open the Group Policy Management console. Create a new policy named “SQL Ports for SCCM 2012”. Right-click the policy “SQL Ports for SCCM 2012” and click Edit. In the Group Policy Management Editor, expand Computer Configuration, Windows Settings, Security Settings, Windows Firewall with Advanced Security.
Create an inbound rule and select Port. Click Next.
Select TCP and specify port 1433 in Specific local ports.
Select “Allow the connection” and click Next.
The rule will apply to all three profiles (Domain, Private and Public). Site systems are domain-joined and use the Domain profile; if you want to avoid exposing SQL Server on a network that is misdetected as Private or Public, keep only Domain checked.
Provide a name to identify the rule. Click Finish.
We will now open TCP port 4022. Create an inbound rule and select Port. Click Next.
Select TCP and specify port 4022. Click Next.
Choose Allow the connection.
This rule applies to all three profiles as well; click Next.
Specify a name to identify the rule and click Finish.
The rules we created can be seen in the Inbound Rules section. Two things are worth tightening before the policy is rolled out: the rules accept any remote address, so use the Scope tab to limit them to the site server and the hosts that run the Configuration Manager console; and because the GPO is linked at the domain root it reaches every domain computer, not only the SQL Server, so link it to an OU that contains only the site database server (or apply security filtering) so that the ports are opened only where SQL Server actually listens.
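Both GPOs from this section, the client push exceptions and the SQL Server port rules, can be built from PowerShell instead of the wizards. The following is an added example and is not part of the original post; it assumes (none of this is stated above) that it runs as a domain admin on a host with the GroupPolicy and NetSecurity modules (Windows Server 2012 / Windows 8 RSAT or later), that an OU for the SCCM servers exists, and that the IP addresses shown are placeholders for the site server and a console host. It also goes a step beyond the wizard steps above by scoping the rules to those addresses and restricting the SQL rules to the Domain profile.

```powershell
# Added example, not from the original post: create the "SCCM Client Push Policy" and
# "SQL Ports for SCCM 2012" GPOs from PowerShell and scope their rules more tightly than
# the wizard defaults used above. Run as a domain admin where the GroupPolicy and
# NetSecurity modules are available.
Import-Module GroupPolicy
Import-Module NetSecurity

$domain      = 'prajwal.local'
$domainDN    = 'DC=prajwal,DC=local'
$sccmOU      = 'OU=SCCM Servers,DC=prajwal,DC=local'   # assumption: OU holding only the site/database server
$siteServer  = '10.0.0.10'                              # assumption: IPv4 address of SCCM.PRAJWAL.LOCAL
$sqlClients  = @('10.0.0.10', '10.0.0.50')              # assumption: site server plus a console host

function New-LinkedGpo {
    # Create the GPO once and link it at the given container; returns the NetSecurity
    # policy store name ("domain\GPO name") used to edit the firewall settings in it.
    param([string]$Name, [string]$Target)
    if (-not (Get-GPO -Name $Name -ErrorAction SilentlyContinue)) {
        New-GPO -Name $Name | Out-Null
        New-GPLink -Name $Name -Target $Target | Out-Null
    }
    return "$domain\$Name"
}

# --- GPO 1: client push (File and Printer Sharing, WMI), linked at the domain root as in the post ---
$pushStore = New-LinkedGpo -Name 'SCCM Client Push Policy' -Target $domainDN
foreach ($group in 'File and Printer Sharing', 'Windows Management Instrumentation (WMI)') {
    if (Get-NetFirewallRule -PolicyStore $pushStore -DisplayGroup $group -ErrorAction SilentlyContinue) { continue }
    # The wizard's "Predefined" page copies the built-in rule group into the GPO; do the
    # same from the local persistent store (inbound and outbound rules come along).
    Get-NetFirewallRule -PolicyStore PersistentStore -DisplayGroup $group |
        Copy-NetFirewallRule -NewPolicyStore $pushStore | Out-Null
    # Enable every rule in the group, which is what "make sure all the options are checked" does.
    Set-NetFirewallRule -PolicyStore $pushStore -DisplayGroup $group -Enabled True -Action Allow
    # Client push comes only from the site server (admin$ share over SMB, then WMI), so the
    # inbound rules need not accept every remote address the way the wizard's rules do.
    Get-NetFirewallRule -PolicyStore $pushStore -DisplayGroup $group -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $siteServer
}

# --- GPO 2: SQL Server ports 1433 and 4022, linked only where SQL Server runs ---
$sqlStore = New-LinkedGpo -Name 'SQL Ports for SCCM 2012' -Target $sccmOU
$sqlPorts = [ordered]@{
    'SQL Server TCP 1433 for SCCM 2012'         = 1433   # site database connections
    'SQL Service Broker TCP 4022 for SCCM 2012' = 4022   # database replication between sites
}
foreach ($name in $sqlPorts.Keys) {
    if (Get-NetFirewallRule -PolicyStore $sqlStore -DisplayName $name -ErrorAction SilentlyContinue) { continue }
    # Domain profile only (site systems are domain-joined) and only from the hosts that
    # talk to the site database, instead of all three profiles and any address.
    New-NetFirewallRule -PolicyStore $sqlStore -DisplayName $name -Direction Inbound `
        -Protocol TCP -LocalPort $sqlPorts[$name] -Action Allow -Profile Domain `
        -RemoteAddress $sqlClients | Out-Null
}

# Review what ended up in the SQL GPO before the servers pick it up with gpupdate /force.
Get-NetFirewallRule -PolicyStore $sqlStore | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    '{0}: {1}/{2} inbound from {3}, profile {4}' -f $_.DisplayName, $port.Protocol, `
        $port.LocalPort, ($addr.RemoteAddress -join ','), $_.Profile
}
```

Each NetSecurity cmdlet called with -PolicyStore opens and saves the GPO on its own; for a larger rule set, open the GPO once with Open-NetGPO, pass the returned session to the cmdlets through -GPOSession, and commit with Save-NetGPO.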