[Imported] Is there a good reason that there is not a default TCP port 5481 firewall rule when you install?

sbeadle · ‎2019-11-06

>>Message imported from previous forum - Category:ClearSCADA Software<<
User: geoffpatton, originally posted: 2019-02-11 18:54:44 Id:365
I run into this every once in awhile where a customer's IT is using the Windows firewall and we have to add a rule for TCP port 5481 so that the Clients can access the Server. It always seems to be a situation where you have to request IT to add it, since they don't allow anyone to edit Firewall rules. It is a request per computer too, quite annoying.

I know you can change the port the server uses from the default, but there are other rules that are created during install, and those ports can also be changed.

sbeadle · ‎2019-11-06

>>Responses imported from previous forum

Reply From User: adamwoodland, posted: 2019-02-11 21:49:20
The installer adds a rule to the host firewall for the DBServer process to cover all the TCP ports it uses, not a specific one just for 5481, so it doesn't matter which port you change it to it should work. Check for a rule called "ClearSCADA Database Server".

Also, if you don't have the ability to modify the host firewall, good chance the ClearSCADA installer can't either. With Group Policy you can set it so that only rules that come in via Group Policy are valid, this means you can on the machine add whatever you like and they'll just be ignored.

Reply From User: geoffpatton, posted: 2019-02-11 22:33:56
Adam,
That is an inbound rule. I set an outbound rule for ViewX Clients to connect to the Server. I probably should set the outbound rule for the ViewX program on all ports, however in this instance they are on 2013 still and will be upgrading to a 2017 version. ViewX has a different executable name in 2017, so having used the port means not having to get the rule changed.
As far as rights to the firewall during installation. Somehow they did get that because the inbound rules were there. I was not there for the installation, just got the call after they tried a bit to get it to work.

I actually have not heard back yet if they got IT to apply it. This is not a common problem I have just encountered it a few times. It takes some time before I try to see if that is the problem because it is usually something else.

Reply From User: adamwoodland, posted: 2019-02-12 03:42:39
Ah, by default the Windows host firewall allows anything outbound, so the administrators are modifying the firewall logic so a rule for ViewX and many others would likely be necessary.

The ViewX rename is certainly a problem though on upgrade, I've certainly been bitten with that with firewalls and whitelisting.

Reply From User: geoffpatton, posted: 2019-02-12 14:06:34
Lucky me to get a few fringe cases that IT blocks outbound stuff. This customer is probably paranoid. They got hit by that fake ransomware that encrypted everything with no decrypt possible if they even found the actual culprit.

See Answer In Context

sbeadle · ‎2019-11-06

>>Responses imported from previous forum

Reply From User: adamwoodland, posted: 2019-02-11 21:49:20
The installer adds a rule to the host firewall for the DBServer process to cover all the TCP ports it uses, not a specific one just for 5481, so it doesn't matter which port you change it to it should work. Check for a rule called "ClearSCADA Database Server".

Also, if you don't have the ability to modify the host firewall, good chance the ClearSCADA installer can't either. With Group Policy you can set it so that only rules that come in via Group Policy are valid, this means you can on the machine add whatever you like and they'll just be ignored.

Reply From User: geoffpatton, posted: 2019-02-11 22:33:56
Adam,
That is an inbound rule. I set an outbound rule for ViewX Clients to connect to the Server. I probably should set the outbound rule for the ViewX program on all ports, however in this instance they are on 2013 still and will be upgrading to a 2017 version. ViewX has a different executable name in 2017, so having used the port means not having to get the rule changed.
As far as rights to the firewall during installation. Somehow they did get that because the inbound rules were there. I was not there for the installation, just got the call after they tried a bit to get it to work.

I actually have not heard back yet if they got IT to apply it. This is not a common problem I have just encountered it a few times. It takes some time before I try to see if that is the problem because it is usually something else.

Reply From User: adamwoodland, posted: 2019-02-12 03:42:39
Ah, by default the Windows host firewall allows anything outbound, so the administrators are modifying the firewall logic so a rule for ViewX and many others would likely be necessary.

The ViewX rename is certainly a problem though on upgrade, I've certainly been bitten with that with firewalls and whitelisting.

Reply From User: geoffpatton, posted: 2019-02-12 14:06:34
Lucky me to get a few fringe cases that IT blocks outbound stuff. This customer is probably paranoid. They got hit by that fake ransomware that encrypted everything with no decrypt possible if they even found the actual culprit.