What is the recommended method to deploy the ITCM agents when the Windows firewall is enabled on the target workstations?

Document ID : KB000021368
Last Modified Date : 14/02/2018

Introduction:

Due to security restrictions in a customer's environment, the ITCM agents need to be deployed to agent computers with the Windows firewall enabled.

The following firewall configuration is required for deployments to succeed in such a restricted environment.

  

Environment:

CA Client Automation - All Versions

Windows Operating Systems - All Versions

 

Instructions:

1. In the Windows Firewall with Advanced Security application, open the 'Properties' window and select the tab of the profile that applies to the workstation.

  • Set the 'Firewall state' to 'On (recommended)'.

  • Set 'Inbound connections' to 'Block (default)'.

  • Set 'Outbound connections' to 'Allow (default)'.

  • Click the 'OK' button to save the configuration.

Then add a new custom inbound rule: do not set any port, but select the 'ICMPv4' value in the 'Protocol type' drop-down list on the 'Protocols and Ports' tab of the rule being created. Leave the remaining tabs at their default values, set the rule name and save the rule.

2. Then add the following 'Inbound' rules to open these ports in the firewall:

  • Port 7 TCP bidirectional, for incoming echo requests from the Domain Manager during the deployment scanning phase.

  • Port 135 TCP bidirectional, Windows RPC call used to start the primer install.

  • Port 137 UDP bidirectional, used for NetBIOS Name Resolution.

  • Port 138 UDP bidirectional, used for NetBIOS Datagram transmission and reception.

  • Port 139 TCP bidirectional, used for the NetBIOS Session Service.

  • Port 445 TCP bidirectional, used for Server Message Block transmission and reception via Named Pipes.

  • Port 4104 UDP bidirectional, communications through CAM across the network.

  • Port 4105 TCP bidirectional, local communications through CAM.

  • Port 7163 TCP bidirectional, for the CA Connection Broker Service (CSAMPMUX), which manages all ITCM communication once the agents are installed.

 

Additional Information:

By default, the firewall allows outbound traffic unless a rule blocks it, so no outbound rule is needed with the default configuration.

These ports need to be open only during the deployment process. Once deployment is complete, only a few of them (135, 4104, 4105 and 7163) must remain open for ITCM to work.
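The configuration described in the instructions above, scripted with the Windows NetSecurity cmdlets, as an added example that is not part of the CA article: it applies the profile settings, creates the ICMPv4 rule and the nine inbound port rules, and places the deployment-only rules in a separate rule group so they can be disabled afterwards, leaving only 135, 4104, 4105 and 7163 open. The values of $DomainManager and $FwProfile are assumed placeholders, and scoping the deployment-only rules to the Domain Manager's address is an added restriction the article does not require.

```powershell
# Added example (not from the CA KB article). Run in an elevated PowerShell
# session on the target workstation; needs the NetSecurity module (Windows 8/2012 or later).
$DomainManager = '10.0.0.10'   # assumption: address of the ITCM Domain Manager
$FwProfile     = 'Domain'      # assumption: the profile that applies to these workstations

# Step 1: firewall on, inbound Block, outbound Allow (the article's required settings).
Set-NetFirewallProfile -Profile $FwProfile -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# Custom inbound ICMPv4 rule with no port, as the article describes; scoped to the
# Domain Manager, which is an added restriction the article does not require.
New-NetFirewallRule -DisplayName 'ITCM Deploy - ICMPv4' -Group 'ITCM Deploy' `
    -Direction Inbound -Protocol ICMPv4 -Action Allow -Profile $FwProfile `
    -RemoteAddress $DomainManager | Out-Null

# Step 2: inbound port rules from the article. Group 'ITCM Permanent' holds the ports
# that must stay open after deployment (135, 4104, 4105, 7163); 'ITCM Deploy' holds
# the deployment-only ports, which are also scoped to the Domain Manager.
$Rules = @(
    @{Port=7;    Proto='TCP'; Group='ITCM Deploy';    Note='Echo requests from Domain Manager'}
    @{Port=135;  Proto='TCP'; Group='ITCM Permanent'; Note='Windows RPC, primer install'}
    @{Port=137;  Proto='UDP'; Group='ITCM Deploy';    Note='NetBIOS Name Resolution'}
    @{Port=138;  Proto='UDP'; Group='ITCM Deploy';    Note='NetBIOS Datagram'}
    @{Port=139;  Proto='TCP'; Group='ITCM Deploy';    Note='NetBIOS Session Service'}
    @{Port=445;  Proto='TCP'; Group='ITCM Deploy';    Note='SMB via Named Pipes'}
    @{Port=4104; Proto='UDP'; Group='ITCM Permanent'; Note='CAM network communications'}
    @{Port=4105; Proto='TCP'; Group='ITCM Permanent'; Note='CAM local communications'}
    @{Port=7163; Proto='TCP'; Group='ITCM Permanent'; Note='CA Connection Broker (CSAMPMUX)'}
)
foreach ($r in $Rules) {
    $params = @{
        DisplayName = "ITCM $($r.Proto) $($r.Port) - $($r.Note)"
        Group       = $r.Group
        Direction   = 'Inbound'
        Protocol    = $r.Proto
        LocalPort   = $r.Port
        Action      = 'Allow'
        Profile     = $FwProfile
    }
    if ($r.Group -eq 'ITCM Deploy') { $params.RemoteAddress = $DomainManager }
    New-NetFirewallRule @params | Out-Null
}

# Verify: list every enabled inbound ITCM rule with its protocol and port.
Get-NetFirewallRule -Group 'ITCM*' -Direction Inbound -Enabled True |
    Get-NetFirewallPortFilter | Select-Object InstanceID, Protocol, LocalPort

# After deployment completes, disable the deployment-only rules so that only
# 135, 4104, 4105 and 7163 stay open (see Additional Information):
# Disable-NetFirewallRule -Group 'ITCM Deploy'
```

If the installed agents report to a Scalability Server rather than the Domain Manager, the 'ITCM Permanent' rules can be scoped with -RemoteAddress to that server's address in the same way.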