When you’re going to perform a migration, either from ConfigMgr 2007 or between two ConfigMgr 2012 environments, there’s always a bit of hassle with the Windows Firewall. The Windows Firewall should never be turned off just to work around the problem. Instead, you can add a set of temporary rules that can be removed once the migration has been successfully completed. That is exactly what this post covers: creating a set of temporary rules that we can remove after the migration.

On the top source hierarchy site server, we need to allow traffic from the site server that we want to migrate stuff to. Let me illustrate it a bit more clearly.

Scenario

Top source hierarchy site server
Server: CM07
Site role: ConfigMgr 2007 Primary Site server
Migration: Source

Top destination hierarchy site server
Server: CM12
Site Role: ConfigMgr 2012 R2 Primary Site server
Migration: Destination

Looking at the scenario above, we need to allow inbound traffic on the CM07 server coming from the CM12 server. To do this, we can run a simple VBScript to add the necessary Windows Firewall rules.

Script

Option Explicit
Dim WshShell, strRemoteIP

' The IP address of the destination site server must be passed as the only argument
If WScript.Arguments.Count <> 1 Then
    WScript.Echo "Usage: cscript.exe OpenFWConfigMgrMigration.vbs <RemoteIP>"
    WScript.Quit 1
End If

Set WshShell = WScript.CreateObject("WScript.Shell")
strRemoteIP = WScript.Arguments(0)

' Each rule allows inbound TCP traffic only from strRemoteIP
WScript.Echo "Adding firewall rule: ConfigMgr Migration - RPC Endpoint Mapper (135)"
Call WshShell.Run("netsh advfirewall firewall add rule name=""ConfigMgr Migration - RPC Endpoint Mapper (135)"" dir=IN protocol=TCP localport=RPC-EPMAP program=""%SystemRoot%\System32\svchost.exe"" remoteip=" & strRemoteIP & " action=ALLOW")
WScript.Echo "Adding firewall rule: ConfigMgr Migration - RPC Dynamic Ports"
Call WshShell.Run("netsh advfirewall firewall add rule name=""ConfigMgr Migration - RPC Dynamic Ports"" dir=IN protocol=TCP localport=RPC program=""%SystemRoot%\System32\svchost.exe"" remoteip=" & strRemoteIP & " action=ALLOW")
WScript.Echo "Adding firewall rule: ConfigMgr Migration - SMB (445)"
Call WshShell.Run("netsh advfirewall firewall add rule name=""ConfigMgr Migration - SMB (445)"" dir=IN protocol=TCP localport=445 remoteip=" & strRemoteIP & " action=ALLOW")
WScript.Echo "Adding firewall rule: ConfigMgr Migration - SQL (1433)"
Call WshShell.Run("netsh advfirewall firewall add rule name=""ConfigMgr Migration - SQL (1433)"" dir=IN protocol=TCP localport=1433 remoteip=" & strRemoteIP & " action=ALLOW")

Set WshShell = Nothing
WScript.Quit

Save this script as e.g. OpenFWConfigMgrMigration.vbs and copy it to the site server that you’ll be migrating objects from (in my scenario CM07). The script accepts one argument, the IP address that will be populated into the RemoteIP section of each firewall rule. In this scenario, we should pass the CM12 server’s IP address as the argument, because the migration traffic will originate from the ConfigMgr environment that we want to migrate the objects to.

Open an elevated command prompt and run the following command:

cscript.exe OpenFWConfigMgrMigration.vbs 192.168.0.211

Once the script has executed, it should look like this:

[Screenshot: output of the script in the command prompt]

Afterwards when we look in the Windows Firewall, we’ll see the rules that the script has added:

[Screenshot: the added rules listed in Windows Firewall]

Now we’re set to migrate all the objects that we want! Remember that if there’s any physical or other firewall in between, it needs to be configured too.
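
The rules are meant to be temporary, so they need to be deleted once the migration has completed. The cleanup script below is an added example, not part of the original post; it assumes the four rule names exactly as the script above creates them, and the file name RemoveFWConfigMgrMigration.vbs is hypothetical.

```vbscript
' RemoveFWConfigMgrMigration.vbs (hypothetical file name, added example)
' Deletes the temporary rules created by OpenFWConfigMgrMigration.vbs and
' confirms that none of them remain. Run from an elevated command prompt:
'   cscript.exe RemoveFWConfigMgrMigration.vbs
Option Explicit

Dim WshShell, arrRules, strRule, intResult, intRemaining
Set WshShell = WScript.CreateObject("WScript.Shell")

' Rule names exactly as the add script creates them
arrRules = Array( _
    "ConfigMgr Migration - RPC Endpoint Mapper (135)", _
    "ConfigMgr Migration - RPC Dynamic Ports", _
    "ConfigMgr Migration - SMB (445)", _
    "ConfigMgr Migration - SQL (1433)")

intRemaining = 0
For Each strRule In arrRules
    ' Window style 0 = hidden, True = wait for netsh and return its exit code.
    ' "delete rule name=..." removes every rule with that name, so duplicates
    ' left by running the add script more than once are cleaned up as well.
    intResult = WshShell.Run("netsh advfirewall firewall delete rule name=""" & strRule & """", 0, True)
    If intResult = 0 Then
        WScript.Echo "Removed firewall rule: " & strRule
    Else
        WScript.Echo "Not removed (no such rule, or prompt not elevated): " & strRule
    End If

    ' Verify: "show rule" exits with 0 only if a rule with that name still exists
    If WshShell.Run("netsh advfirewall firewall show rule name=""" & strRule & """", 0, True) = 0 Then
        WScript.Echo "WARNING: rule still present: " & strRule
        intRemaining = intRemaining + 1
    End If
Next

Set WshShell = Nothing
' Exit code = number of rules left behind, so 0 means a clean removal
WScript.Quit intRemaining
```

A non-zero exit code means at least one inbound allow rule is still in place on the source site server and should be removed manually.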

Nickolaj Andersen