MSEndpointMgr

Create Windows Firewall rules for Migration in ConfigMgr 2012

When you’re going to perform a migration from either ConfigMgr 2007 or between two ConfigMgr 2012 environments, there’s always a bit of hassle with the Windows Firewall. The Windows Firewall should never be turned off just to work around the problem; instead, you can add a set of temporary rules that are removed once the migration has been successfully completed. This is exactly what this post covers: creating a set of temporary rules that we can remove after the migration.
On the top source hierarchy site server, we need to allow traffic from the site server that we want to migrate objects to. Let me illustrate it a bit more clearly.

Scenario

Top source hierarchy site server
Server: CM07
Site role: ConfigMgr 2007 Primary Site server
Migration: Source
Top destination hierarchy site server
Server: CM12
Site Role: ConfigMgr 2012 R2 Primary Site server
Migration: Destination
By looking at the scenario above, we would need to allow inbound traffic on the CM07 server coming from the CM12 server. To do this, we can run a simple VBScript to add the necessary Windows Firewall rules.

Script

' Expects one argument: the IP address of the server the migration traffic will come from (CM12 in this scenario)
Dim WshShell, strRemoteIP
Set WshShell = WScript.CreateObject("WScript.Shell")
If WScript.Arguments.Count < 1 Then
    WScript.Echo "Usage: cscript.exe OpenFWConfigMgrMigration.vbs <RemoteIP>"
    WScript.Quit 1
End If
strRemoteIP = WScript.Arguments(0)
' All rules are inbound TCP and scoped to strRemoteIP only; the two RPC rules are further restricted to svchost.exe
WScript.Echo "Adding firewall rule: ConfigMgr Migration - RPC Endpoint Mapper (135)"
Call WshShell.Run("netsh advfirewall firewall add rule name=""ConfigMgr Migration - RPC Endpoint Mapper (135)"" dir=IN protocol=TCP localport=RPC-EPMAP program=""%SystemRoot%\System32\svchost.exe"" remoteip=" & strRemoteIP & " action=ALLOW")
WScript.Echo "Adding firewall rule: ConfigMgr Migration - RPC Dynamic Ports"
Call WshShell.Run("netsh advfirewall firewall add rule name=""ConfigMgr Migration - RPC Dynamic Ports"" dir=IN protocol=TCP localport=RPC program=""%SystemRoot%\System32\svchost.exe"" remoteip=" & strRemoteIP & " action=ALLOW")
WScript.Echo "Adding firewall rule: ConfigMgr Migration - SMB (445)"
Call WshShell.Run("netsh advfirewall firewall add rule name=""ConfigMgr Migration - SMB (445)"" dir=IN protocol=TCP localport=445 remoteip=" & strRemoteIP & " action=ALLOW")
WScript.Echo "Adding firewall rule: ConfigMgr Migration - SQL (1433)"
Call WshShell.Run("netsh advfirewall firewall add rule name=""ConfigMgr Migration - SQL (1433)"" dir=IN protocol=TCP localport=1433 remoteip=" & strRemoteIP & " action=ALLOW")
Set WshShell = Nothing
WScript.Quit

Save this script as e.g. OpenFWConfigMgrMigration.vbs and copy it to the site server where you’ll be migrating objects from (in my scenario CM07). The script accepts an argument for the IP address that will be populated into the RemoteIP section of each firewall rule. In this scenario, we should use the CM12 server’s IP address as the argument to the script, because the migration process traffic will originate from the ConfigMgr environment that we want to migrate the objects to.
Open an elevated command prompt and run the following command:

cscript.exe OpenFWConfigMgrMigration.vbs 192.168.0.211

Once the script has executed, it should look like this:
[Screenshot: script output]
Afterwards when we look in the Windows Firewall, we’ll see the rules that the script has added:
[Screenshot: Windows Firewall rules added by the script]
Now we’re set to migrate all the objects that we want! Remember that if there’s any physical or other firewall in between, those need to be configured too.
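The post adds the rules with netsh but does not show the cleanup it promises at the start. As an added example (not from the original post), here is the same set of four rules in PowerShell using the NetSecurity cmdlets, tagged with a common group so they can be listed and removed in one step once the migration is done. The group name, the -Remove switch and the IP validation are my additions, not anything from the page; it assumes an elevated session on Windows Server 2012 or later.

```powershell
# Added example (not part of the original post): temporary ConfigMgr migration
# rules that can be verified and removed as a group after the migration.
# Assumes the NetSecurity module (Windows Server 2012+) and an elevated session.
[CmdletBinding()]
param(
    [string]$RemoteIP,   # IP address of the destination site server (CM12 in the scenario)
    [switch]$Remove      # Remove the temporary rules once the migration is complete
)

# A common group lets us find and remove every migration rule with one call.
$Group = 'ConfigMgr Migration'

if ($Remove) {
    Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    Write-Host "Removed all '$Group' rules"
    return
}

# Refuse anything that is not a single, well-formed IP address; a malformed
# value could otherwise produce a rule with a broader scope than intended.
$parsed = [System.Net.IPAddress]::Any
if (-not [System.Net.IPAddress]::TryParse($RemoteIP, [ref]$parsed)) {
    throw "'$RemoteIP' is not a valid IP address"
}

$svchost = "$env:SystemRoot\System32\svchost.exe"
# Same four rules as the netsh commands in the post: RPC endpoint mapper and
# RPC dynamic ports (both limited to svchost.exe), SMB and SQL.
$rules = @(
    @{ DisplayName = "$Group - RPC Endpoint Mapper (135)"; LocalPort = 'RPCEPMap'; Program = $svchost }
    @{ DisplayName = "$Group - RPC Dynamic Ports";         LocalPort = 'RPC';      Program = $svchost }
    @{ DisplayName = "$Group - SMB (445)";                 LocalPort = 445 }
    @{ DisplayName = "$Group - SQL (1433)";                LocalPort = 1433 }
)

foreach ($r in $rules) {
    # Skip rules that already exist so the script can be re-run safely.
    if (Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue) {
        Write-Host "Rule already exists: $($r.DisplayName)"
        continue
    }
    Write-Host "Adding firewall rule: $($r.DisplayName)"
    New-NetFirewallRule @r -Group $Group -Direction Inbound -Protocol TCP `
        -RemoteAddress $RemoteIP -Action Allow | Out-Null
}

# Show what was created, with the remote scope, so the restriction can be verified.
Get-NetFirewallRule -Group $Group | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    '{0,-50} Remote: {1}' -f $_.DisplayName, ($addr.RemoteAddress -join ',')
}
```

Run it as `.\Add-ConfigMgrMigrationRules.ps1 -RemoteIP 192.168.0.211` on the source site server, and `.\Add-ConfigMgrMigrationRules.ps1 -Remove` once the migration has completed.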

Nickolaj Andersen

Chief Technical Architect and Enterprise Mobility MVP since 2016. Nickolaj has been in the IT industry for the past 10 years specializing in Enterprise Mobility and Security, Windows devices and deployments including automation. Awarded as PowerShell Hero in 2015 by the community for his script and tools contributions. Creator of ConfigMgr Prerequisites Tool, ConfigMgr OSD FrontEnd, ConfigMgr WebService to name a few. Frequent speaker at conferences such as Microsoft Ignite, NIC Conference and IT/Dev Connections including nordic user groups.
