Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation.

Firewall exceptions not honored after cluster failover


Symptoms

Consider the following scenario:

• You have a computer that is running Windows Server 2008 or Windows Server 2008 R2.
• You install the Failover Clustering feature.
• You install an application to a shared cluster drive.
• You create a Firewall application exception rule for the application.


In this scenario, when the resources fail over to another node, the Firewall service blocks network traffic to the application.



Cause

This issue occurs because the volume ID portion of the path to the application in the Firewall rule is different from what it was when the Firewall rule was added. As a result, the Firewall service does not find a matching rule and blocks the traffic.

To work around the issue, write a script that uses the Firewall service's INetFwRule scripting interface to delete and re-create the appropriate rules. Then create a scheduled task that is triggered by Event ID 1201 (The Cluster service successfully brought the clustered service or application '{name}' online.).

More information on the INetFwRule interface can be found below:
http://msdn.microsoft.com/en-us/library/aa365344(v=VS.85).aspx




More Information

Here is an example of such a script:
' Sample Code is provided for the purpose of illustration only and is not intended to be 
' used in a production environment. THIS SAMPLE CODE AND ANY RELATED INFORMATION ARE PROVIDED
' "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
' TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. We
' grant You a nonexclusive, royalty-free right to use and modify the Sample Code and to
' reproduce and distribute the object code form of the Sample Code, provided that.
' You agree:
' (i) to not use Our name, logo, or trademarks to market Your software product in
' which the Sample Code is embedded;
' (ii) to include a valid copyright notice on Your software product in which the Sample Code
' is embedded; and
' (iii) to indemnify, hold harmless, and defend Us and Our suppliers from and against
' any claims or lawsuits, including attorneys’ fees, that arise or result from the
' use or distribution of the Sample Code
Option Explicit
Dim rule
Dim success
success = False

' Add your application path and name below.
' NOTE: The comparison with the rule's ApplicationName is case sensitive.
Const AppPath = "C:\temp\myapp.exe"

' Create the FwPolicy2 object.
Dim fwPolicy2
Set fwPolicy2 = CreateObject("HNetCfg.FwPolicy2")

' Get the Rules object.
Dim RulesObject
Set RulesObject = fwPolicy2.Rules

Dim newApplication

For Each rule In RulesObject
    If (rule.ApplicationName = AppPath) Then

        Set newApplication = CreateObject("HNetCfg.FWRule")

        ' Copy the Firewall Rule
        newApplication.Action = rule.Action
        newApplication.ApplicationName = rule.ApplicationName
        newApplication.Description = rule.Description
        newApplication.Direction = rule.Direction
        newApplication.EdgeTraversal = rule.EdgeTraversal
        newApplication.Enabled = rule.Enabled
        newApplication.Grouping = rule.Grouping
        newApplication.Interfaces = rule.Interfaces
        newApplication.LocalAddresses = rule.LocalAddresses
        newApplication.Name = rule.Name
        newApplication.Profiles = rule.Profiles
        newApplication.RemoteAddresses = rule.RemoteAddresses
        newApplication.ServiceName = rule.ServiceName

        ' Also copy the protocol, port, and interface-type scope so that the
        ' re-created rule is not broader than the original. Protocol must be
        ' set before the ports; ports apply only to TCP (6) and UDP (17),
        ' ICMP types and codes only to ICMPv4 (1) and ICMPv6 (58).
        newApplication.InterfaceTypes = rule.InterfaceTypes
        newApplication.Protocol = rule.Protocol
        If rule.Protocol = 6 Or rule.Protocol = 17 Then
            newApplication.LocalPorts = rule.LocalPorts
            newApplication.RemotePorts = rule.RemotePorts
        ElseIf rule.Protocol = 1 Or rule.Protocol = 58 Then
            newApplication.IcmpTypesAndCodes = rule.IcmpTypesAndCodes
        End If

        ' Remove the Firewall Rule
        RulesObject.Remove rule.Name

        WScript.Echo "Removed application """ & newApplication.Name & """"

        ' Add back the Firewall Rule
        RulesObject.Add newApplication

        WScript.Echo "Added application """ & newApplication.Name & """"
        success = True
    End If
Next

If success = False Then
    WScript.Echo "FAIL: Did not perform the remove/add operation to the application. Perhaps the AppPath does not exist"
End If
'---References
' [1] http://msdn.microsoft.com/en-us/library/aa365344(v=VS.85).aspx
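
The scheduled task described in the workaround can be registered as shown below, run from an elevated prompt on each cluster node. This is an added example, not part of the original KB article: the task name, the script location, and the event channel holding Event ID 1201 are assumptions, so confirm the channel in Event Viewer on your nodes first.

```powershell
# Added example: register the rule-reset script as an event-triggered task.
# Assumed values (not from the KB article): $TaskName, $ScriptDir, $ScriptPath
# and $Channel. Paths must not contain spaces, because the whole /TR value is
# passed to schtasks.exe as one argument without inner quotes.
$TaskName   = 'ResetClusterAppFirewallRule'
$ScriptDir  = 'C:\Scripts\FwRuleReset'      # local disk, not the shared cluster drive
$ScriptPath = Join-Path $ScriptDir 'ResetFwRule.vbs'
$Channel    = 'Microsoft-Windows-FailoverClustering/Operational'
$Query      = '*[System[(EventID=1201)]]'   # "... brought the clustered service or application online"

if (-not (Test-Path $ScriptPath)) {
    throw "Copy the VBScript to $ScriptPath before registering the task."
}

# The task runs as SYSTEM and rewrites firewall rules, so only
# Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18) may change the script.
& icacls.exe $ScriptDir /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Use cscript.exe (console host) so WScript.Echo writes to stdout instead of
# opening message boxes in the non-interactive SYSTEM session.
$Action = "$env:SystemRoot\System32\cscript.exe //NoLogo $ScriptPath"

& schtasks.exe /Create /TN $TaskName /TR $Action `
    /SC ONEVENT /EC $Channel /MO $Query `
    /RU SYSTEM /RL HIGHEST /F
if ($LASTEXITCODE -ne 0) { throw "schtasks /Create failed with exit code $LASTEXITCODE" }

# Show the registered trigger and action for review.
& schtasks.exe /Query /TN $TaskName /V /FO LIST
```

After the next failover, compare the re-created rule with the original (for example with netsh advfirewall firewall show rule name=all verbose) to confirm that its scope is unchanged.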



Article Info
Article ID : 2568645
Revision : 1
Created on : 1/7/2017
Published on : 6/20/2011
Exists online : False
Views : 94