This article is about allowing a standard Windows Server to communicate with the existing domain-joined servers in the environment, such as LDAP servers for authentication, SCOM for monitoring and SCCM for deploying updates, patches and software.

In many such cases we are left investigating issues that are either network firewall related, caused by antivirus software with built-in firewall policies, or caused by Windows Firewall blocking communication because no allow rules or exceptions have been configured.

There are cases when an administrator has to manage servers remotely to gather information or to deploy a script. If Windows Firewall is not set up correctly, someone has to log in via the console or, for a physical server, visit the datacentre in person to enable remote management of the server.

The set of firewall rules below can be deployed via Group Policy (TechNet Article Link) or via a script, and hopefully it is useful for setting up Windows Servers with a default set of policies and rules.

These rule sets are a standard set of rules that allow the default ports to communicate within the environment so that the server estate can be managed and controlled.

As always, this set of rules has been deployed in a test environment where we have implemented a secure network lockdown to mimic my production environment, so please implement it in your test/development environment before creating the policies in the production environment.

The purpose of this wiki is to allow administrators to create a template that permits standard communication between servers in a secure lockdown environment, and to be confident that the server policy is configured with the appropriate lockdown settings.

Inbound Rules

Name                                                                        Protocol Local Port           Remote Port
ALL ICMP V4                                                                 ICMPv4   Any                  Any
Core Networking - Destination Unreachable (ICMPv6-In)                       ICMPv6   Any                  Any
Core Networking - Destination Unreachable Fragmentation Needed (ICMPv4-In)  ICMPv4   Any                  Any
Core Networking - Dynamic Host Configuration Protocol (DHCP-In)             UDP      68                   67
Core Networking - Dynamic Host Configuration Protocol for IPv6 (DHCPV6-In)  UDP      546                  547
Core Networking - Internet Group Management Protocol (IGMP-In)              IGMP     Any                  Any
Core Networking - IPv6 (IPv6-In)                                            IPv6     Any                  Any
Core Networking - Multicast Listener Done (ICMPv6-In)                       ICMPv6   Any                  Any
Core Networking - Multicast Listener Query (ICMPv6-In)                      ICMPv6   Any                  Any
Core Networking - Multicast Listener Report (ICMPv6-In)                     ICMPv6   Any                  Any
Core Networking - Multicast Listener Report v2 (ICMPv6-In)                  ICMPv6   Any                  Any
Core Networking - Neighbor Discovery Advertisement (ICMPv6-In)              ICMPv6   Any                  Any
Core Networking - Neighbor Discovery Solicitation (ICMPv6-In)               ICMPv6   Any                  Any
Core Networking - Packet Too Big (ICMPv6-In)                                ICMPv6   Any                  Any
Core Networking - Parameter Problem (ICMPv6-In)                             ICMPv6   Any                  Any
Core Networking - Router Advertisement (ICMPv6-In)                          ICMPv6   Any                  Any
Core Networking - Router Solicitation (ICMPv6-In)                           ICMPv6   Any                  Any
Core Networking - Time Exceeded (ICMPv6-In)                                 ICMPv6   Any                  Any
File Server Remote Management (DCOM-In)                                     TCP      135                  Any
File Server Remote Management (SMB-In)                                      TCP      445                  Any
File Server Remote Management (WMI-In)                                      TCP      RPC Dynamic Ports    Any
AD Global Catalog                                                           TCP      3268                 Any
AD Global Catalog Secure                                                    TCP      3269                 Any
AD Kerberos TCP                                                             TCP      88                   Any
AD Kerberos UDP                                                             UDP      88                   Any
AD DNS TCP                                                                  TCP      53                   Any
AD DNS UDP                                                                  UDP      53                   Any
AD LDAP                                                                     TCP      389                  Any
AD LDAP Secure                                                              TCP      636                  Any
Time Service                                                                UDP      123                  Any
Remote Desktop - Shadow (TCP-In)                                            TCP      Any                  Any
Remote Desktop - User Mode (TCP-In)                                         TCP      3389                 Any
Remote Desktop - User Mode (UDP-In)                                         UDP      3389                 Any
Remote Service Management (NP-In)                                           TCP      445                  Any
Remote Service Management (RPC)                                             TCP      RPC Dynamic Ports    Any
Remote Service Management (RPC-EPMAP)                                       TCP      RPC Endpoint Mapper  Any
SMC Service                                                                 UDP      Any                  Any
SMC Service                                                                 TCP      Any                  Any
SNAC Service                                                                TCP      Any                  Any
SNAC Service                                                                UDP      Any                  Any
SCCM Client - Http                                                          Http     80                   Any
SCCM Client - Https                                                         Https    443                  Any
SCCM Client UDP                                                             UDP      135                  Any
SCCM Client UDP                                                             UDP      137                  Any
SCCM Client UDP                                                             UDP      138                  Any
SCCM Client                                                                 TCP      139                  Any
SCCM Client Notification                                                    TCP      10123                Any
SCCM Remote Control                                                         TCP      2701                 Any
SCOM Agent                                                                  TCP      5723                 Any
SQL Server Access                                                           TCP      1433                 Any
Windows Firewall Remote Management (RPC)                                    TCP      RPC Dynamic Ports    Any
Windows Firewall Remote Management (RPC-EPMAP)                              TCP      RPC Endpoint Mapper  Any
Windows Remote Management (HTTP-In)                                         TCP      5985                 Any
WSUS                                                                        TCP      8530                 Any
WSUS                                                                        TCP      8531                 Any
Windows KMS License                                                         TCP      1688                 Any

Outbound Rules

Name                                                                        Protocol Local Port           Remote Port
SCCM Client                                                                 TCP      10123                Any
SCCM Client WSUS                                                            TCP      8530                 Any
SCCM Client WSUS                                                            TCP      8531                 Any
SCCM Multicast                                                              TCP      63000-64000          Any
SCCM PXE DP                                                                 UDP      67-69                Any
SCCM PXE ProxyDHCP                                                          UDP      4011                 Any
SCCM Client - Http                                                          Http     80                   Any
SCCM Client - Https                                                         Https    443                  Any
SCOM Agent                                                                  TCP      5723                 Any
AD Global Catalog                                                           TCP      3268                 Any
AD Global Catalog                                                           TCP      3269                 Any
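As an added example (not part of the original article), the following PowerShell creates a subset of the inbound rules from the table above with New-NetFirewallRule, restricted to the Domain profile and to an assumed management subnet ($MgmtSubnets is a placeholder you must replace) rather than leaving the remote side open, and skips rules that already exist so it can be re-run safely. The rule group name is also an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Creates part of the inbound rule set above.
$MgmtSubnets = @('10.0.10.0/24')          # ASSUMED placeholder: your AD/management subnets
$Group       = 'Server Baseline (Test)'   # ASSUMED group name, so the set can be listed/removed together

# Rule definitions copied from the inbound table. 'RPC' and 'RPCEPMap' are the keywords
# New-NetFirewallRule accepts for "RPC Dynamic Ports" and "RPC Endpoint Mapper".
$Rules = @(
    @{ Name = 'AD Kerberos TCP';                       Protocol = 'TCP';    LocalPort = 88 }
    @{ Name = 'AD Kerberos UDP';                       Protocol = 'UDP';    LocalPort = 88 }
    @{ Name = 'AD LDAP';                               Protocol = 'TCP';    LocalPort = 389 }
    @{ Name = 'AD LDAP Secure';                        Protocol = 'TCP';    LocalPort = 636 }
    @{ Name = 'Remote Desktop - User Mode (TCP-In)';   Protocol = 'TCP';    LocalPort = 3389 }
    @{ Name = 'Windows Remote Management (HTTP-In)';   Protocol = 'TCP';    LocalPort = 5985 }
    @{ Name = 'Remote Service Management (RPC-EPMAP)'; Protocol = 'TCP';    LocalPort = 'RPCEPMap' }
    @{ Name = 'Remote Service Management (RPC)';       Protocol = 'TCP';    LocalPort = 'RPC' }
    @{ Name = 'SCOM Agent';                            Protocol = 'TCP';    LocalPort = 5723 }
    @{ Name = 'SCCM Client Notification';              Protocol = 'TCP';    LocalPort = 10123 }
    @{ Name = 'ALL ICMP V4';                           Protocol = 'ICMPv4'; LocalPort = $null }
)

foreach ($r in $Rules) {
    # Idempotent: a rule with this display name already present is left untouched.
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
        Write-Verbose "Rule '$($r.Name)' already exists, skipping"
        continue
    }
    $params = @{
        DisplayName   = $r.Name
        Group         = $Group
        Direction     = 'Inbound'
        Action        = 'Allow'
        Profile       = 'Domain'       # only active while the NIC is on the domain network
        Protocol      = $r.Protocol
        RemoteAddress = $MgmtSubnets   # narrower than the table's "Any" remote side
        Enabled       = 'True'
    }
    if ($r.LocalPort) { $params.LocalPort = $r.LocalPort }   # ICMP rules carry no port
    New-NetFirewallRule @params | Out-Null
}

# Review the resulting set (name, direction, profile, state) before exporting it to a GPO.
Get-NetFirewallRule -Group $Group | Format-Table DisplayName, Direction, Profile, Enabled
```

Run it first on the test server described above; Get-NetFirewallPortFilter and Get-NetFirewallAddressFilter on the same rule objects show the port and remote-address scope that were actually applied.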