Q: We like having Windows Firewall enabled on all our workstations that run Windows XP Service Pack 2 (SP2), but we need to be able to remotely access the workstations on TCP port 2989 from a management server. Can we configure an exception in Windows Firewall that lets our management server access the workstations on any port? How can we configure all the workstations automatically?

A: You can easily configure such an exception and deploy it automatically with Group Policy. You can also limit the exception to Windows Firewall's Domain profile, which Windows XP uses when it determines that the computer is connected to the network of its own domain, as opposed to a home or public network. On any other network the firewall uses its Standard profile, so an exception defined only for the Domain profile is not in effect there.

First, create a Group Policy Object (GPO) linked to the appropriate organizational units (OUs) in Active Directory (AD) so that the GPO will be applied to all of your workstations. Then, open the GPO with the Microsoft Management Console (MMC) Group Policy Object Editor snap-in.

Navigate to the Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile node and double-click Windows Firewall: Define port exceptions. Select Enabled, then click Show to open the Show Contents dialog box. Click Add to enter a port exception. The same setting exists under the Standard Profile node; leave it unconfigured there so that the exception applies only while the workstation is on the domain network.

The format for port exceptions is Port:Transport:Scope:Status:Name, where Port is the port number, Transport is TCP or UDP, Scope defines the source IP address(es) that the exception applies to, Status is enabled or disabled, and Name is simply a label for the exception. Scope can be * (any source address), LocalSubnet (only hosts on the workstation's own subnet), or a comma-separated list of IPv4 addresses and subnets such as 10.59.0.32 or 10.59.0.0/24. The Scope field is what keeps the exception narrow: an entry with a scope of * would open the port to every host that can reach the workstation. Let's say the IP address of your management server is 10.59.0.32. To open port 2989 for connections from the management server only, enter 2989:TCP:10.59.0.32:enabled:Management Server. Figure 1 shows what the Show Contents dialog box should look like after you've enabled your management server to connect on TCP port 2989. Click OK twice to close the dialog boxes.
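Because the Show Contents dialog accepts whatever string you type, it is worth validating exception entries before pushing them out through Group Policy. The following Python script is an added example, not part of the original column: it parses entries in the Port:Transport:Scope:Status:Name format described above, rejects malformed ports, transports, scopes and statuses, and flags enabled exceptions whose scope is *, that is, ports that would be open to every host rather than only the management server. The sample entries, including the 10.59.0.32 management-server address and the 3389 entries, are constructed for illustration.

```python
"""Validate Windows XP SP2 Windows Firewall port-exception strings before
adding them to the "Define port exceptions" Group Policy setting.

Entry format: Port:Transport:Scope:Status:Name
Sample data below is constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class PortException:
    port: int
    transport: str        # "TCP" or "UDP"
    scope: List[str]      # ["*"], ["LocalSubnet"], or IPv4 hosts/subnets
    enabled: bool
    name: str

    def to_policy_string(self) -> str:
        """Render back into the string the Show Contents dialog expects."""
        return "%d:%s:%s:%s:%s" % (
            self.port, self.transport, ",".join(self.scope),
            "enabled" if self.enabled else "disabled", self.name)


def _parse_scope(scope: str) -> List[str]:
    """Scope is '*' (any source), 'LocalSubnet', or a comma-separated list
    of IPv4 addresses/subnets (a.b.c.d, a.b.c.d/prefix or a.b.c.d/mask)."""
    if scope == "*":
        return ["*"]
    if scope.lower() == "localsubnet":
        return ["LocalSubnet"]
    items = []
    for item in scope.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty scope entry in %r" % scope)
        # strict=False so a host address with a mask (10.59.0.5/24) is accepted;
        # raises ValueError on anything that is not an IPv4 address or subnet.
        ipaddress.IPv4Network(item, strict=False)
        items.append(item)
    return items


def parse_port_exception(entry: str) -> PortException:
    # The format has no escaping for ':', so this validator (an assumption of
    # the example, not a documented Windows rule) rejects entries with extra colons.
    parts = entry.split(":")
    if len(parts) != 5:
        raise ValueError("expected Port:Transport:Scope:Status:Name, got %r" % entry)
    port_s, transport, scope, status, name = parts
    if not port_s.isdigit() or not 1 <= int(port_s) <= 65535:
        raise ValueError("port must be 1-65535: %r" % port_s)
    transport = transport.upper()
    if transport not in ("TCP", "UDP"):
        raise ValueError("transport must be TCP or UDP: %r" % transport)
    status = status.lower()
    if status not in ("enabled", "disabled"):
        raise ValueError("status must be enabled or disabled: %r" % status)
    if not name.strip():
        raise ValueError("name must not be empty")
    return PortException(int(port_s), transport, _parse_scope(scope),
                         status == "enabled", name)


def is_valid_entry(entry: str) -> bool:
    """True if the entry parses cleanly, False otherwise."""
    try:
        parse_port_exception(entry)
        return True
    except ValueError:
        return False


def exceptions_open_to_any_source(entries: List[str]) -> List[str]:
    """Names of enabled exceptions whose scope is '*', i.e. ports that would
    be reachable from every host instead of only the management server."""
    parsed = (parse_port_exception(e) for e in entries)
    return [e.name for e in parsed if e.enabled and e.scope == ["*"]]


if __name__ == "__main__":
    # Constructed sample list: the column's entry plus two deliberately broad ones.
    sample = [
        "2989:TCP:10.59.0.32:enabled:Management Server",
        "3389:TCP:*:enabled:Remote Desktop",
        "3389:TCP:*:disabled:Remote Desktop (off)",
    ]
    for e in sample:
        print(e, "->", "ok" if is_valid_entry(e) else "INVALID")
    print("open to any source:", exceptions_open_to_any_source(sample))
```

Run it against the list you intend to paste into the GPO; any name printed under "open to any source" is an exception that a scope of * has widened well beyond the management server.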

As each computer re-applies Group Policy, it picks up the new exception and Windows Firewall begins allowing connections on TCP port 2989, but only from your management server. When a laptop user connects to a home or public network, Windows Firewall switches from its Domain profile to its Standard profile, in which the exception is not defined, and refuses connections on port 2989 even if they come from the same IP address as that of your management server. To confirm that the policy has arrived on a workstation, run gpupdate /force and then netsh firewall show config, which lists the port exceptions in effect for each profile.