Using Windows Firewall with Orchestrator
Updated: May 13, 2016
Applies To: System Center 2012 SP1 - Orchestrator, System Center 2012 - Orchestrator, System Center 2012 R2 Orchestrator
Windows Firewall with Advanced Security is enabled by default on all Windows Server 2008 R2 computers and blocks all incoming traffic unless it is a response to a request made by the host or a firewall rule specifically allows it. You can explicitly allow traffic by port number, application name, service name, or other criteria in the Windows Firewall with Advanced Security settings.
When you configure a Runbook Designer or a runbook server outside of a firewall, certain rules must be enabled on the management server computer so that the Runbook Designer and the runbook server can communicate with the management server. Additionally, for some activities, such as the Monitoring Activities, if the target computer is outside the firewall you must enable firewall rules that allow WMI communication.
Configuration of Orchestrator computers
When a Runbook Designer or a runbook server is installed behind a firewall, specific firewall rules are required between the management server and the remote computers.
Enable the following rules as they apply to your configuration.
To enable access to your SQL server
- On the remote computer where a Runbook Designer or a runbook server is installed, open a port to connect to your SQL server. The default SQL port is TCP:1433.
To enable access between the Runbook Designer and the management server
- On the computer running the Management Server Service, add a firewall rule that allows the Runbook Designer or runbook server to access ManagementService.exe.
Location of Orchestrator Management Service

| Operating system | File location |
|---|---|
| 64-bit | %ProgramFiles(x86)%\Microsoft System Center 2012\Orchestrator\Management Server\ManagementService.exe |
To grant privilege to the Runbook Server Service account
- On the remote runbook server computer, confirm that the Runbook Server Service account has the Log on as a service privilege.
To allow remote deployments with the Deployment Manager
- On the remote computer where you deployed the runbook server or the Runbook Designer, add a rule to allow the Deployment Manager to access the Orchestrator Remoting Service.
Location of Orchestrator Remoting Service

| Operating system | File location |
|---|---|
| 64-bit | %SystemRoot%\SysWOW64\OrchestratorRemotingService.exe |
| 32-bit | %SystemRoot%\System32\OrchestratorRemotingService.exe |

For more information about adding firewall rules, see Add or Edit a Firewall Rule.
Firewall rules for activities
Any activities that use WMI communication, such as any of the Monitoring Activities, require certain Windows Firewall rules to function correctly.
For Windows Server 2008 R2, enable the following rules to allow any activity that uses WMI to function correctly:
- Windows Management Instrumentation (Async-In)
- Windows Management Instrumentation (DCOM-In)
- Windows Management Instrumentation (WMI-In)
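The rules from the two sections above, applied with netsh advfirewall (present on Windows Server 2008 R2 and later) as an added example that is not part of this page: run it elevated on each computer and pass the role that computer plays. The IP addresses and the domain profile are placeholder assumptions; the SQL step assumes the inbound rule belongs on the SQL Server host, since outbound traffic from the Orchestrator computers is allowed by default.

```powershell
# Added example (not from the original page). Scoping each rule to the peers that
# need it (remoteip=) keeps the opening as narrow as the requirements allow.
param(
    [Parameter(Mandatory=$true)]
    [ValidateSet('ManagementServer', 'RunbookServer', 'SqlServer', 'WmiTarget')]
    [string]$Role,
    [string]$ManagementServerIP = '10.0.0.10',          # placeholder address
    [string]$RunbookHostIPs     = '10.0.0.21,10.0.0.22' # placeholder: Runbook Designer / runbook server hosts
)

function Add-ProgramRule([string]$Name, [string]$Program, [string]$RemoteIP) {
    # A program rule that points at a missing file silently allows nothing, so check the path first.
    if (-not (Test-Path $Program)) { throw "Not found: $Program" }
    netsh advfirewall firewall add rule name="$Name" dir=in action=allow program="$Program" profile=domain remoteip="$RemoteIP" enable=yes
}

switch ($Role) {
    'ManagementServer' {
        # Runbook Designer and runbook servers must reach ManagementService.exe (64-bit path from the page).
        $svc = Join-Path ${env:ProgramFiles(x86)} 'Microsoft System Center 2012\Orchestrator\Management Server\ManagementService.exe'
        Add-ProgramRule 'Orchestrator Management Service' $svc $RunbookHostIPs
    }
    'RunbookServer' {
        # Deployment Manager (on the management server) must reach the Orchestrator Remoting Service.
        $svc = Join-Path $env:SystemRoot 'SysWOW64\OrchestratorRemotingService.exe'   # 64-bit Windows
        if (-not (Test-Path $svc)) {
            $svc = Join-Path $env:SystemRoot 'System32\OrchestratorRemotingService.exe'  # 32-bit Windows
        }
        Add-ProgramRule 'Orchestrator Remoting Service' $svc $ManagementServerIP
    }
    'SqlServer' {
        # Orchestrator computers connect to the default SQL port, TCP 1433 (assumes the default instance port).
        netsh advfirewall firewall add rule name="SQL Server (Orchestrator)" dir=in action=allow protocol=TCP localport=1433 profile=domain remoteip="$RunbookHostIPs,$ManagementServerIP" enable=yes
    }
    'WmiTarget' {
        # Computers targeted by WMI-based activities need the three built-in WMI rules enabled.
        foreach ($rule in 'Windows Management Instrumentation (Async-In)',
                          'Windows Management Instrumentation (DCOM-In)',
                          'Windows Management Instrumentation (WMI-In)') {
            netsh advfirewall firewall set rule name="$rule" new enable=yes
        }
    }
}

# Check: list the Orchestrator and WMI rules now present so the result can be reviewed.
netsh advfirewall firewall show rule name=all | Select-String 'Rule Name:\s+(Orchestrator|SQL Server \(Orchestrator\)|Windows Management Instrumentation)'
```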