opening ports for sql replication · configuring firewall for sccm 2012 sp1 client installation to...


Page 1: Opening Ports for SQL Replication · Configuring Firewall for SCCM 2012 SP1 Client installation To know what are the ports used in Configuration Manager 2012 SP1 , please go through

prajwaldesai.com http://prajwaldesai.com/installing-wsus-configuring-firewall-exceptions-opening-ports-for-sql-replication-sccm-2012-sp1/

Opening Ports for SQL Replication

So far in this deployment series on SCCM 2012 SP1: in the first post we saw the steps to install and configure Active Directory Domain Services, in the second post we saw the steps to install the SCCM 2012 SP1 prerequisites, and in the third post we saw the steps to install SQL Server for SCCM 2012 SP1. In this post we will see the steps for installing WSUS, configuring firewall exceptions, and opening ports for SQL replication. WSUS is Microsoft’s separate, stand-alone server-based product for distributing updates to Windows systems. WSUS also uses the WUA to scan for patch applicability and subsequently install updates delivered by WSUS. WSUS 3.0 Service Pack 2 is required for System Center 2012 Configuration Manager. SCCM 2012 SP1 supports only 64-bit site systems, so you must use the 64-bit version of WSUS on one of the supported 64-bit editions of Windows Server. You can install WSUS by opening Server Manager, going to Roles, and adding the WSUS role. I prefer to install WSUS by downloading the setup file from Microsoft. WSUS 3.0 SP2 is available here: http://www.microsoft.com/en-us/download/details.aspx?id=5216. We will be installing the WSUS role on the SCCM.PRAJWAL.LOCAL machine with the user account “sccmadmin”.

Installing WSUS 3.0 SP2

Download WSUS 3.0 SP2 from here. Double-click the setup file to begin the installation. On the welcome page click on Next.

On the Installation Mode Selection page, choose Full server installation including Administrator Console. Click on Next.


ConfigMgr looks for applicable license terms in the content folder. If it cannot find the license terms, it will not synchronize the update. Accept the license agreement and click on Next.

It is recommended to store the updates on a different drive instead of storing them on the C: drive. In our example we will be storing the updates locally in the E:\WSUS path. Click on Next.


For Database Options we will not be using the internal database; instead we will use the SQL database instance. Choose Use an existing database server on this computer and click on Next.

The SQL server is installed on the same server, so it connects to the SQL Server instance quickly. If you have SQL Server running on another server, select “Using an existing database server on remote machine”. You will have to provide the machine name\instance to connect.


If you are planning to create a dedicated IIS site, then choose Create a Windows Server Update Services 3.0 SP2 Web Site; the port numbers for a dedicated site are 8530 and 8531 for Secure Socket Layer (SSL) connections. If you are planning to use the IIS default website, then select “Use the existing IIS Default Web site” and click on Next.

Click on Next .


We have successfully completed the WSUS 3.0 SP2 installation. Click on Finish.

Note

Once you finish installing WSUS 3.0 SP2, the WSUS configuration wizard comes up. Do not configure it, as we will be using SCCM to deploy the updates. Click Cancel to close the wizard.


Configuring Firewall for SCCM 2012 SP1 Client installation

To know which ports are used in Configuration Manager 2012 SP1, please go through this link: http://technet.microsoft.com/en-us/library/hh427328.aspx. In order to successfully use client push to install the Configuration Manager 2012 SP1 client, you must add the following as exceptions to the Windows Firewall.

Printer Sharing

Windows Management Instrumentation (WMI)

We will create an inbound and an outbound rule that add the File and Printer Sharing service as an exception to the firewall, and an inbound rule to allow WMI. We will perform this activity on the Domain Controller.

Click on All Programs, Administrative Tools, and open the Group Policy Management console. Right-click on the domain and choose Create a GPO. Provide a name for the GPO and click on OK.


Expand Computer Configuration, Windows Settings, Security Settings, Windows Firewall with Advanced Security. Right-click on Inbound Rules and click on New Rule.


Click on Predefined and select File and Printer Sharing. Click on Next.


We have created an inbound rule to allow file and printer sharing. Similarly, right-click on Outbound Rule and click on New Rule. Select File and Printer Sharing. Click on Next.


We need to create an Outbound Rule to allow the WMI service on our firewall. So right-click on Outbound Rule and click on New Rule. Click on Predefined and select Windows Management Instrumentation (WMI). Click on Next.


Why ports 1433 and 4022?

Port 1433 – SQL Server listens for incoming connections on a particular port. The default port for SQL Server is 1433. It applies to routine connections to the default installation of the Database Engine, or a named instance that is the only instance running on the computer.

Port 4022 – This is SQL Service Broker. Although there is no default port for SQL Server Service Broker, this is the port that we allow inbound on our firewall.

Script to Open the ports for SQL Replication

If you are looking for a script to open the ports for SQL replication, here it is. Copy this script into Notepad and save it as opensqlports.bat. Right-click on the batch file and run it as administrator.

@echo off
rem Opens inbound TCP 1433 (SQL Server) and TCP 4022 (Service Broker).
rem Both rules are limited to the local subnet and the Domain firewall profile.
echo ========= SQL Server Ports for SCCM ===================
echo.
echo.
echo **Right click on the batch file and Run As Administrator**
echo.
echo.
echo Adding SQL Firewall Exceptions for SCCM
echo.
echo Adding TCP 1433
netsh advfirewall firewall add rule name="SCCM SQL (TCP 1433)" dir=in protocol=tcp action=allow localport=1433 remoteip=localsubnet profile=DOMAIN
echo.
echo Adding TCP 4022
netsh advfirewall firewall add rule name="SCCM SQL (TCP 4022)" dir=in protocol=tcp action=allow localport=4022 remoteip=localsubnet profile=DOMAIN
echo.
echo Done adding firewall exceptions
echo.

By default, Microsoft Windows enables the Windows Firewall, which closes port 1433 to prevent Internet computers from connecting to a default instance of SQL Server on your computer. Connections to the default instance using TCP/IP are not possible unless you reopen port 1433. We will now create a group policy to open TCP ports 1433 and 4022.

If you choose to create the rule manually in the firewall, open the Group Policy Management console. Create a new policy and name it “SQL Ports”. Right-click the policy “SQL Ports” and edit it. In the Group Policy Management console, expand Computer Configuration, Windows Settings, Security Settings, Windows Firewall with Advanced Security.


Right-click on Inbound Rule, create an Inbound Rule and select Port. Click on Next.


The firewall rule will be applied for all 3 profiles. Click on Next.


Similarly, create an Inbound Rule to allow port 4022: choose TCP and specify the port number as 4022. Click on Next.


Provide the name as TCP Inbound 4022 to identify the rule. Click on Finish.


We have allowed TCP inbound ports 1433 and 4022 on our firewall.


On the client machine, launch the command prompt, type the command gpupdate /force and hit Enter. In the same command prompt, type the command rsop.msc. This will show the resultant set of policies, that is, the group policies that are applied to this client. Expand Administrative Templates and click on Extra Registry Settings. In the right-side pane you will find the two ports, 1433 and 4022, which are allowed in the firewall. This step is just to check whether the policy has been pushed to the client machine.
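
A scripted complement to the rsop.msc check, as an added example that is not part of the original post: it lists the effective inbound allow rules covering TCP 1433 and 4022 and flags any that are wider than the batch script's scope (Domain profile, local subnet). It assumes the NetSecurity PowerShell module (Windows Server 2012 / Windows 8 or later); the helper name Test-PortCovered is hypothetical.

```powershell
# Added example (not from the original post): audit the effective inbound allow
# rules that cover the two SQL ports this article opens.
# Assumption: NetSecurity module (Windows Server 2012 / Windows 8 or later).
$sqlPorts = 1433, 4022

function Test-PortCovered {
    # True when a LocalPort entry such as '1433' or '1430-1440' covers $Port.
    # Keyword entries ('Any', 'RPC', ...) are deliberately not matched.
    param([string]$Entry, [int]$Port)
    if ($Entry -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2])
    }
    return ($Entry -eq "$Port")
}

# ActiveStore is the merged result of local rules and rules delivered by GPO.
$rules = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound `
    -Action Allow -Enabled True

$report = foreach ($rule in $rules) {
    $portFilter = $rule | Get-NetFirewallPortFilter
    if ($portFilter.Protocol -ne 'TCP') { continue }

    $covered = foreach ($port in $sqlPorts) {
        if (@($portFilter.LocalPort) | Where-Object { Test-PortCovered $_ $port }) { $port }
    }
    if (-not $covered) { continue }

    $remote      = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    $ruleProfile = "$($rule.Profile)"   # e.g. 'Domain', 'Domain, Private', 'Any'

    $issues = @()
    if ($ruleProfile -match 'Any|Public|Private') { $issues += 'active outside the Domain profile' }
    if ($remote -contains 'Any')                  { $issues += 'accepts any remote address' }

    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Ports         = $covered -join ','
        Profile       = $ruleProfile
        RemoteAddress = $remote -join ','
        Source        = $rule.PolicyStoreSourceType   # Local or GroupPolicy
        Issues        = $issues -join '; '
    }
}

$report | Sort-Object Source, Rule | Format-Table -AutoSize -Wrap
```

Rules created by the batch script should appear with Profile Domain, RemoteAddress LocalSubnet and an empty Issues column, while a GPO port rule applied to all three profiles, as in the manual steps, is flagged.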

Written by Prajwal Desai


I am Prajwal Desai and I have been working in IT for over 5 years with a strong focus on Microsoft Server Technologies. For the last five years, as a System Administrator I have been working on Lync, SCCM, Vmware, VDI, Exchange, Windows Servers etc. I’m currently very interested in everything related to Configuration Manager 2012, Lync, Windows Server and Exchange.