3 Replies Latest reply on Apr 27, 2011 10:31 AM by JJAYARA

Question from developer: How to maintain firewall exceptions between application updates?

I am a developer for a commercial application that is used in thousands of quick-serve restaurants across the US. Customers of ours that use McAfee SaaS Endpoint Protection software routinely enable only web traffic to certain sites using the firewall. Our application uses web services that connect to our servers here at our data center via HTTP and HTTPS. When our application first attempts to connect to the Internet, McAfee SaaS prompts the user to allow or disallow. (Alternatively, some customers manually add an exception to their firewall rules.)

When our application is updated, however, the firewall apparently recognizes the change in software and a brand new exception must be made (the user is prompted to allow or block again).

We were under the impression that when a user adds an exception, the exception is made for that particular application and, if the application is digitally signed and the signature is both valid and identical to the signature that was there when the exception was made, the firewall exception would still apply to the newly updated application. The bits have changed, but the signature remains the same; the idea being that the user trusted the software the first time, and the digital signatures match, so the newly updated application is the same as it was when it was OK'd the first time.

Apparently, that's not the method McAfee's firewall uses.

How, as a developer of a digitally signed application, can we persist a firewall exception between application upgrades?
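The post contrasts two ways a firewall could identify an application: by the bytes of the file, which change on every release, or by the publisher certificate that signed it, which does not. The PowerShell below is an added illustration of that difference, not part of the original post and not McAfee's or any vendor's code. It assumes two builds of the same Authenticode-signed application at the placeholder paths `$OldBuild` and `$NewBuild`, and reports what a hash-keyed rule and a signer-keyed rule would each see after the update.

```powershell
# Added example: compare the two identities a firewall could key an
# exception on, across two builds of one signed application.
# Paths are placeholders; substitute the old and new build of your binary.
$OldBuild = 'C:\Program Files\ExampleApp\app-v1.exe'
$NewBuild = 'C:\Program Files\ExampleApp\app-v2.exe'

function Get-BinaryIdentity {
    param([Parameter(Mandatory)][string]$Path)

    # Identity a hash-based rule uses: changes with every rebuild.
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    # Identity a publisher-based rule could use: the Authenticode signer.
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate   # $null when the file is unsigned

    [pscustomobject]@{
        Path             = $Path
        Sha256           = $hash
        SignatureStatus  = $sig.Status   # Valid, NotSigned, HashMismatch, ...
        Signer           = if ($cert) { $cert.Subject } else { $null }
        SignerThumbprint = if ($cert) { $cert.Thumbprint } else { $null }
    }
}

$old = Get-BinaryIdentity -Path $OldBuild
$new = Get-BinaryIdentity -Path $NewBuild
$old, $new | Format-List

# A hash-keyed exception survives the update only if the file is byte-identical.
if ($old.Sha256 -eq $new.Sha256) {
    'Hash-keyed rule: still matches (file unchanged).'
} else {
    'Hash-keyed rule: no longer matches; the user would be prompted again.'
}

# A signer-keyed exception survives as long as both builds carry a valid
# signature from the same certificate. Check the status first: a signer
# thumbprint on a file whose signature does not verify proves nothing.
$bothValid = ($old.SignatureStatus -eq 'Valid') -and ($new.SignatureStatus -eq 'Valid')
if ($bothValid -and ($old.SignerThumbprint -eq $new.SignerThumbprint)) {
    'Signer-keyed rule: still matches (same valid publisher certificate).'
} elseif (-not $bothValid) {
    'Signer-keyed rule: cannot apply; at least one build lacks a valid signature.'
} else {
    'Signer-keyed rule: no longer matches (publisher certificate changed).'
}
```

Run it from a PowerShell prompt on the machine that holds both builds. Note that keying on the certificate thumbprint is only a first approximation: a renewed code-signing certificate has a new thumbprint even when the publisher is unchanged, so a rule keyed that way would still break at certificate renewal. Publisher rules in Windows AppLocker, for instance, key on the certificate subject and the binary's product name rather than on the thumbprint for exactly this reason; whatever identity a firewall uses, it must also re-verify the signature on the updated file rather than trusting the signer name alone.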