As firewall customizations are identified that could be used across multiple USGS offices, the BWTST creates custom Group Policy Objects for these rulesets that are ready to link. Below is a list of the GPOs that already exist in Enterprise Active Directory.
To suggest a new ruleset for this repository, contact GS_Help_Windows@usgs.gov.
Avaya One X Agent
This firewall rule allows inbound connections to the Avaya One X Agent applications, SparkEmulator.exe and OneXAgentUI.exe (on both x86 and x64 systems). The rule applies to all network profiles.
Backup Exec backup software
This firewall rule allows Backup Exec to connect to systems that already have the Backup Exec agent installed and back up or restore files. The rule included allows inbound traffic to beremote.exe (on both x86 and x64 systems). This rule applies to the Domain network profile.
Command-line FTP.exe
The Windows firewall blocks command-line ftp.exe from working properly because the FTP server's data connection arrives on a different port than the one the client initiated the session from: TCP 21 is the control port the client connects to, while the data transfer uses TCP 20, so the firewall treats it as unsolicited inbound traffic. This GPO sets a program-scoped firewall rule for the built-in ftp.exe command-line program so that any traffic associated with that process is allowed, regardless of port.
Miracast Wireless Display
DI – BWTST Windows Client Miracast Wireless Display Firewall Permit. Allows inbound UDP connections on port 67 and TCP connections on port 7236 on all profiles.
Mission Planner
DI – BWTST Windows Client Mission Planner Software. Allows inbound UDP connections on port 14550 on all profiles for the Mission Planner software used with drones.
MySQL
This firewall rule allows inbound connections to MySQL on TCP port 3306. The rule applies to the Domain network profile.
Retrospect backup software
These firewall rules allow Retrospect to connect to systems that already have the Retrospect agent installed and back up or restore files. The rules included allow inbound UDP 497 and TCP 497 traffic to retroclient.exe (on both x86 and x64 systems). These rules apply to the Domain network profile.
Symantec Ghost Server
This firewall rule allows clients to connect to GhostCast sessions that are hosted by a Windows machine. The rules included allow inbound TCP and UDP traffic to %ProgramFiles%\Symantec\Ghost\GhostSrv.exe. These rules apply to the Domain network profile.
Ultrabac backup software
These firewall rules allow Ultrabac to connect to systems that already have the Ultrabac agent installed and back up or restore files. The rules included allow inbound traffic on port 1910 and inbound traffic to the executables ub.exe and ubms.exe (on both x86 and x64 systems). These rules apply to the Domain network profile.
VMware View
The Windows firewall blocks unsolicited inbound traffic, so when using VMware View to connect to a Windows virtual desktop, link this GPO to the Windows virtual machine to allow VMware View connections. The GPO allows inbound traffic to a Windows virtual desktop using PCoIP. It contains three inbound firewall rules: one opens TCP port 32111, and the other two allow TCP and UDP traffic to c:\Program Files\Common Files\VMware\Teradici PCoIP Server\pcoip_server_win32.exe.
Windows Mobile USB Connection
This group policy is still being tested. It allows Windows machines to communicate with Windows Mobile devices that have the 'Advanced Network' setting enabled. That setting causes a new 'Local Area Connection' to be created when the device is connected via USB. This GPO allows the IP addresses and ports that are needed for this type of connection.
Windows Remote Desktop rules
The firewall rules to allow Remote Desktop connections are included in the Windows OS STIGs.
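To reconcile the GPOs listed above against what a client is actually enforcing, the following PowerShell inventory is an added example (not part of this page or of the BWTST GPOs). It assumes the built-in NetSecurity module (Windows 8 / Server 2012 and later) and an elevated session, and it lists every enabled inbound allow rule that arrived via Group Policy together with its program, port and profile scoping, flagging the broadest ones.

```powershell
# Added example: inventory the inbound allow rules that Group Policy has applied to this host,
# so the GPOs listed above can be checked against what the firewall is actually enforcing.
# Assumes the built-in NetSecurity module (Windows 8 / Server 2012 and later); run elevated.
function Get-GpoInboundAllowRule {
    Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Action Allow -Enabled True |
        Where-Object { $_.PolicyStoreSourceType -eq 'GroupPolicy' } |
        ForEach-Object {
            $rule = $_
            # Program and port scoping live in separate filter objects linked to the rule
            $app  = $rule | Get-NetFirewallApplicationFilter
            $port = $rule | Get-NetFirewallPortFilter
            [pscustomobject]@{
                DisplayName = $rule.DisplayName
                Profile     = $rule.Profile            # Domain / Private / Public / Any
                Program     = $app.Program             # 'Any' when the rule is port-only
                Protocol    = $port.Protocol           # TCP / UDP / Any
                LocalPort   = ($port.LocalPort -join ',')
                SourceGpo   = $rule.PolicyStoreSource  # GPO the rule came from
            }
        }
}

$rules = Get-GpoInboundAllowRule | Sort-Object DisplayName
$rules | Format-Table -AutoSize

# Program-scoped rules with no port restriction (like the ftp.exe rule) allow every port
# for that executable; rules reaching the Public profile are exposed off the domain network.
$rules | Where-Object { $_.Program -ne 'Any' -and $_.LocalPort -eq 'Any' } |
    ForEach-Object { Write-Warning "Program-wide allow (all ports): $($_.DisplayName) -> $($_.Program)" }
$rules | Where-Object { $_.Profile -match 'Public|Any' } |
    ForEach-Object { Write-Warning "Allowed on Public profile: $($_.DisplayName)" }
```

Run it on a client after linking one of the GPOs above and a gpupdate to confirm the rule appears with the expected program path, ports and profile.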