Deployment Solution


Firewall settings to add for DS6.9 console to remote control

  • 1.  Firewall settings to add for DS6.9 console to remote control

    Posted Nov 10, 2014 04:14 PM

    Hi everyone

    Does anyone know which firewall ports, programs or settings I need to change to allow remote control from the DS6.9 console?

    I know if I disable the firewall I can instantly remote control any PC from the DS6.9 console. Turn the firewall back on and it fails.

    -

    Thank you,

    Sean



  • 2.  RE: Firewall settings to add for DS6.9 console to remote control
    Best Answer

    Posted Nov 10, 2014 04:16 PM

    Please see here:

    http://www.symantec.com/docs/HOWTO3983



  • 3.  RE: Firewall settings to add for DS6.9 console to remote control

    Posted Nov 10, 2014 04:25 PM

    This did not help me, the PDF is for DS6.5 and only discusses two ports which AClient uses. I am using DAgent.

    What I need is the service(s) and/or port(s) which need to be opened (allowed to pass through on the Windows Server 2012 Firewall) to allow DS6.9 SP6 to remote control from the DS console itself?

    -Sean



  • 4.  RE: Firewall settings to add for DS6.9 console to remote control
    Best Answer

    Posted Nov 10, 2014 06:10 PM
    From Appendix F of the "Altiris Deployment Solution™ 6.9 SP4 from Symantec Admin Guide":

    Deployment Console (Win32 Console)

    The Deployment Console is the Win32 user interface for Deployment Solution. You can install this Win32 console on computers across the network to view and manage resources from different locations. In addition, from this console, you can access the Deployment Database on other Deployment Server systems to manage sites across the enterprise.

    Note: You can remotely control an active client computer from the Win32 console. Right-click a connected client and select Remote Control.

    To configure the 5001 and 5002 ports

    1. Open the Deployment Console and click Tools > Options. The Program Options dialog appears.
    2. Click the Global tab.
    3. Select the Remote control ports check box.
    4. Enter port number 5001 in the Primary field.
    5. Enter port number 5002 in the Secondary (Optional) field.
       Note: Port 5002 is the backup port in case Port 5001 is not available.
    6. Click OK.

    Note: By default, Port 5001 is used for controlling the clients remotely.


  • 5.  RE: Firewall settings to add for DS6.9 console to remote control

    Trusted Advisor
    Posted Nov 10, 2014 07:11 PM


    Brian's link to the DS6.5 article isn't actually wrong as the remote control settings apply to both the DAgent and the AClient.

    Andy's post details explicitly what you need to do. First you need to fix the ports to stop them being assigned dynamically, and then you can assign these port openings through the firewall.

    Can I suggest at this point that you also choose a port for file transfers? You can then open up this port in a similar fashion in the firewall, which will prevent issues later should this port be left to be chosen dynamically.

     

     



  • 6.  RE: Firewall settings to add for DS6.9 console to remote control

    Posted Nov 18, 2014 03:10 PM

    Actually what I was looking for was the program which has to be allowed in the Windows Server 2012 firewall. It is express.exe. The ports were already enabled by default from setup. So long story short:

    • To enable Remote control functionality with the DS Console you need to add the DS console program to the Windows Firewall. Express.exe is located in:

    "C:\Program Files (x86)\Altiris\eXpress\Deployment Server\eXpress.exe"



  • 7.  RE: Firewall settings to add for DS6.9 console to remote control

    Trusted Advisor
    Posted Nov 18, 2014 05:55 PM

    Hi Sean,

    Typically program exceptions are only useful in small environments as they give you no indication of the ports that are required for hardware firewalls. MS put these in just to make this easier for admins to get the server applications up and communicating quickly.


    So, this is fine for testing, but as you move into a more security-conscious environment, having the server firewall configured by ports is better. Once you've got these pinned down, it's a cinch to get these into any hardware firewalls that you may have in place.

    It is for this reason you'll be hard pushed to find enterprise firewall instructions that say simply "allow application xxx.exe to communicate through your firewall".


    Kind Regards,
    Ian./

     



  • 8.  RE: Firewall settings to add for DS6.9 console to remote control

    Posted Dec 05, 2014 03:43 PM

    Well, the exception has to be made in the Windows Firewall or it does not work. The ports were already set up as described above by others.

     

    Thanks for the help!

    -Sean



  • 9.  RE: Firewall settings to add for DS6.9 console to remote control
    Best Answer

    Trusted Advisor
    Posted Dec 06, 2014 04:59 AM

    Have you tried remoting into a machine that's logged in? Limitations in the DS6.9 remote control functionality mean that the remote machine must be logged into on Windows Vista and above for it to succeed.

    HOWTO9430     |     What do I need to know about the limited Remote Control utility functionality of DAgent in Deployment Solution 6.x?

    TECH204186     |    Unable to use Remote Control on Windows 7 or Vista systems

    Edit: I'm mentioning this as if you've enabled these fixed tcp ports in the DS console, and then made exceptions for them in the Windows firewall you should be set to go.




  • 10.  RE: Firewall settings to add for DS6.9 console to remote control

    Trusted Advisor
    Posted Jan 25, 2015 10:25 AM

    Hi Sean,

    Are you all done here? If so, can you mark up the most useful responses?

    Kind Regards,
    Ian./



  • 11.  RE: Firewall settings to add for DS6.9 console to remote control
    Best Answer

    Posted Feb 03, 2015 04:35 PM

    Hi Ian

    Yes, I am all set with this. I wrote above your last message you have to add the exception to the Server firewall. Once you do that you can remote to the machine.

    Like you wrote this fails with Win7 unless a user is signed in, but it has been that way for a long time under DS6.9.

    -Sean



  • 12.  RE: Firewall settings to add for DS6.9 console to remote control

    Trusted Advisor
    Posted Feb 04, 2015 03:39 AM

    Hi Sean03839,

    Connect etiquette is usually that you don't mark up your own final post to say this is solved as the answer. Can you remark this, awarding a solution or split solution as you see fit?

    As you were asking about firewall settings in your original question, it was assumed by all that once we demonstrated how to configure the port that you'd allow them through.. ;-)

    Kind Regards,
    Ian./
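
The two approaches discussed in this thread (a program exception for eXpress.exe and port rules for the fixed remote control ports), written as scoped Windows Firewall rules. This is an added example, not part of any poster's reply; the rule names, group name and client subnet are constructed placeholders, and it assumes inbound rules on the Deployment Server, where the exception in the thread was added.

```powershell
# Added example. Run elevated on Windows Server 2012 or later (NetSecurity module).
$ConsolePath = 'C:\Program Files (x86)\Altiris\eXpress\Deployment Server\eXpress.exe' # path from the thread
$RcPorts     = 5001, 5002              # primary/secondary ports fixed under Tools > Options > Global
$ClientNet   = '10.0.0.0/24'           # constructed placeholder: subnet of the managed clients
$Group       = 'DS6.9 Remote Control'  # hypothetical group name, used to find the rules again

if (-not (Test-Path -LiteralPath $ConsolePath)) {
    throw "Console binary not found at $ConsolePath"
}

# Make the script repeatable: drop rules left by an earlier run.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Option A: program exception. Without -Profile/-RemoteAddress this would allow
# eXpress.exe on every port, on every network profile, from any source.
New-NetFirewallRule -DisplayName 'DS Console (eXpress.exe)' -Group $Group `
    -Direction Inbound -Action Allow -Program $ConsolePath `
    -Profile Domain -RemoteAddress $ClientNet | Out-Null

# Option B: port rule for the fixed remote control ports. The same port numbers
# can be carried over to a hardware firewall, which a program exception cannot.
New-NetFirewallRule -DisplayName 'DS Remote Control TCP 5001-5002' -Group $Group `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $RcPorts `
    -Profile Domain -RemoteAddress $ClientNet | Out-Null

# Review what was created: program, protocol, ports and allowed source per rule.
Get-NetFirewallRule -Group $Group | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $app  = $_ | Get-NetFirewallApplicationFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Enabled   = $_.Enabled
        Program   = $app.Program
        Protocol  = $port.Protocol
        LocalPort = $port.LocalPort -join ','
        Remote    = $addr.RemoteAddress -join ','
    }
} | Format-Table -AutoSize
```

If a file transfer port is also fixed in the console, as suggested in post 5, add it to `$RcPorts` once the number is chosen.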