
Epolicy and Windows XP firewall exception GPO

Does anyone have a good link for setting up a GPO to allow Epolicy to function properly with Windows XP?

I am running Epolicy 4.0 with VirusScan 8.5i on WinXP machines, and the user manual mentions that you are supposed to set up file and print sharing as an exception as well as the framework service. However, it only mentioned how to do this from a single workstation and not from a Windows GPO, which is different. And even the info they provided for setting up a single workstation seems as though it is missing parts for this procedure.

I would think the user manual should have more information when it comes to setting up a GPO for this, as most people will probably be using a GPO to control the Windows XP machines' firewall exceptions. Also, just wondering if I am the only person who thinks a section on setting up the GPO would be helpful in the user manual, or overkill. Thanks.

RE: Epolicy and Windows XP firewall exception GPO

Here's a link to help with your GPO issue. I assume you have read the EPO manuals, and you already know which ports you need to open, etc...

http://technet.microsoft.com/en-us/library/bb490626.aspx

I think adding this type of information to the manual would be overkill. Perhaps they could have done a better job explaining the communications portion... ;)

RE: Epolicy and Windows XP firewall exception GPO

Thanks. I guess I should clarify. I know how to set up the GPO, just need to know exactly what data to put in it.

Are most just putting in the .exe from the framepackage and the file and print sharing exception, or are you adding the epolicy server ip, etc?
Turift

RE: Epolicy and Windows XP firewall exception GPO

Due to the fact that ePO is dependent on certain things to be able to deploy the agent to remote systems, it would really be of help with a GPO section in the manual.

RE: Epolicy and Windows XP firewall exception GPO



This is exactly what I was thinking, because, as is, many companies leave the XP firewall on and that of course causes an issue for the machines getting deployed via Epolicy. I still have not been able to locate a decent procedure for this. Someone must have it documented somewhere?

RE: Epolicy and Windows XP firewall exception GPO

+1

I have similar problems with deploying agents through firewall.
mrpg

RE: Epolicy and Windows XP firewall exception GPO

I was wondering about this also, if I should create a GPO to allow port or program exception. In the end I went with port exception.

Below are the ports agents bind to. I also allow File and Print Sharing and Echo request (ping) under ICMP exceptions. The only issue is it's probably best, instead of specifying a network (10.20.30...) for 8081:TCP, to use * to allow from anywhere. If you have superAgents they will send wakeup calls on this port, I believe.

8081:TCP:10.20.30.40/50:enabled:OMG ePO Exception
8081:UDP:10.20.30.40/50:enabled:OMG ePO Exception
8082:UDP:10.20.30.40/50:enabled:OMG ePO Exception

*correction, superAgents broadcast wakeups and use 8082, so 8082 should be allowed from * or define networks or IPs of all your superagents.
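
An added example, not part of the original posts: a small Python linter for Windows Firewall GPO port-exception strings in the `Port:Transport:Scope:Status:Name` format used above. It flags malformed scopes and scopes open to any address before the policy is pushed. The sample entries and function names are constructed for illustration.

```python
import ipaddress

def check_scope(scope):
    """Findings for the Scope field: '*', 'localsubnet', or IPv4 hosts/subnets."""
    findings = []
    for item in (s.strip() for s in scope.split(",")):
        if item == "*":
            findings.append("scope * accepts connections from any address")
        elif item.lower() != "localsubnet":
            try:
                # Accepts a host, a /prefix subnet, or a dotted netmask.
                ipaddress.IPv4Network(item, strict=False)
            except ValueError:
                findings.append(f"scope {item!r} is not a valid IPv4 host or subnet")
    return findings

def lint_port_exception(entry):
    """Lint one 'Port:Transport:Scope:Status:Name' string."""
    parts = entry.split(":", 4)  # the name is last and may itself contain ':'
    if len(parts) != 5:
        return ["expected Port:Transport:Scope:Status:Name"]
    port, transport, scope, status, _name = parts
    findings = []
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append(f"invalid port {port!r}")
    if transport.upper() not in ("TCP", "UDP"):
        findings.append(f"invalid transport {transport!r}")
    if status.lower() not in ("enabled", "disabled"):
        findings.append(f"invalid status {status!r}")
    return findings + check_scope(scope)

# Constructed sample entries (not taken from a real policy).
SAMPLE = [
    "8081:TCP:10.20.30.0/24:enabled:ePO agent wake-up",
    "8082:UDP:*:enabled:ePO SuperAgent broadcast",
    "8081:UDP:10.20.30.40/50:enabled:ePO Exception",
    "8081:TCP:localsubnet,10.20.30.40:enabled:ePO Exception",
]

def audit(entries):
    """Map each entry to its list of findings (an empty list means clean)."""
    return {e: lint_port_exception(e) for e in entries}

if __name__ == "__main__":
    for entry, findings in audit(SAMPLE).items():
        print(entry, "->", findings or "ok")
```
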
d0x

RE: Epolicy and Windows XP firewall exception GPO

I think what you want is a GPO like this:

Network/Network Connections/Windows Firewall/Domain Profile
- Define inbound program exceptions:
%programfiles%\McAfee\Common Framework\FrameworkServices.exe:*:Enable:Comment

- Allow inbound remote administration exception:
IPoftheEPOServer

The * can be replaced with the machines that should be able to see the log. With this your local firewall should not be a problem.