
NLB and Windows Firewall


JayDubb

Jun 3, 2006, 9:37:17 PM
In addition to firewalls at our network border, we run the Windows Firewall on
all hosts as one more layer of security.

Problem is, it interferes with the NLB Administrator which apparently picks
random ports for connections (in addition to 135 RPC). Someone else mentioned
it might block the heartbeat, although I don't know if that's a valid concern.

Is there a tip to overcome the Windows Firewall dilemma, or is it just not
compatible in NLB/cluster services?

seth

Jun 3, 2006, 10:16:08 PM

JayDubb

Jun 4, 2006, 10:33:25 AM
Thanks, but that ain't it. I think that might refer specifically to remote
admin (which is off by default, and gives dire security warnings at setup time
if you try to enable it) rather than the NLB Manager console on each NLB host
(Admin Tools menu). With NLB enabled, the system appears to listen on several
ports above 1023, apparently selected based on what's available at startup
time. I've seen it listening on ports anywhere from 1025 to 1038, and
unfortunately, the Windows Firewall is painfully primitive in not allowing a
particular port range to be opened. Gotta do each port/protocol pair
separately via the GUI, or via scripting. Other firewalls (e.g. BlackIce)
allow setting that in a single rule.

Rodney R. Fournier [MVP]

Jun 4, 2006, 2:17:17 PM
Open the NLB Manager on each node and allow the firewall to have an
exception for it. You can also add the program (nlbmgr.exe - I think)
manually to the Exceptions list.

Cheers,

Rodney R. Fournier

MVP - Windows Server - Clustering
http://www.nw-america.com - Clustering Website
http://www.msmvps.com/clustering - Blog
http://www.clusterhelp.com - Cluster Training
ClusterHelp.com is a Microsoft Certified Gold Partner


"JayDubb" <j...@dubb.nowhere.org> wrote in message

news:4482EF35...@dubb.nowhere.org...

JayDubb

Jun 5, 2006, 9:35:17 PM
The problem is the NLB Manager is not running on the remote host, so a
firewall exception there would be of no value.

I dropped the firewall and watched what connections were made to the target
machine, and in this case the port was opened by svchost.exe. The Windows
firewall does not permit exceptions to be made for that executable.

Basically what appears to happen is, an RPC connection is made which (I'm
guessing) spawns an instance of svchost.exe which then listens on the next
available port above 1024. Since there is no way to predict what that port
will be, the only options so far seem to be to create an exception, one by one,
for every port above 1024 (which is obviously a totally ridiculous notion) or
to drop the firewall (which is undesirable).

Anyone else run into this? I can't be the only one.

Rodney R. Fournier [MVP]

Jun 6, 2006, 7:50:56 AM
I don't think most people configure the software firewall from SP1 on NLB
servers.

Cheers,

Rodney R. Fournier

MVP - Windows Server - Clustering
http://www.nw-america.com - Clustering Website
http://www.msmvps.com/clustering - Blog
http://www.clusterhelp.com - Cluster Training
ClusterHelp.com is a Microsoft Certified Gold Partner


"JayDubb" <j...@dubb.nowhere.org> wrote in message

news:4484DBD5...@dubb.nowhere.org...

JayDubb

Jun 6, 2006, 7:12:11 PM
That's a shame. I'd never rely on it as the only defense (we use hardware
firewalls on every transit circuit at the border) but security is best when
served up in layers.
Running the Windows Firewall on each host adds one more layer of protection in
case a host inside the firewall gets compromised and tries to attack from
within. Leaving ONLY the service ports (21, 80, 443) open makes the machine
no more vulnerable to inside-the-firewall attacks than it is from the rest of
the world.

Russ Kaufmann [MVP]

Jun 7, 2006, 2:15:14 PM
"JayDubb" <j...@dubb.nowhere.org> wrote in message
news:44860BCB...@dubb.nowhere.org...

> That's a shame. I'd never rely on it as the only defense (we use hardware
> firewalls on every transit circuit at the border) but security is best when
> served up in layers.
> Running the Windows Firewall on each host adds one more layer of protection in
> case a host inside the firewall gets compromised and tries to attack from
> within. Leaving ONLY the service ports (21, 80, 443) open makes the machine
> no more vulnerable to inside-the-firewall attacks than it is from the rest of
> the world.

You can use port rules in NLB to limit traffic.

--
Russ Kaufmann


MVP - Windows Server - Clustering

ClusterHelp.com, a Microsoft Certified Gold Partner
Web http://www.clusterhelp.com
Blog http://msmvps.com/clusterhelp


JayDubb

Jun 8, 2006, 7:14:53 PM
> You can use port rules in NLB to limit traffic.

But that does not police traffic to the non-cluster addresses on the host.

Russ Kaufmann [MVP]

Jun 20, 2006, 1:12:23 PM
"JayDubb" <j...@dubb.nowhere.org> wrote in message
news:4488AF6D...@dubb.nowhere.org...

>> You can use port rules in NLB to limit traffic.
>
> But that does not police traffic to the non-cluster addresses on the host.

IP filtering works there.

bkmonroe

Sep 6, 2006, 7:56:02 PM
Jay,

We are running a 2 node Windows 2003 NLB cluster with the Windows Firewall
turned on. We have 2 NICs on each node and are running the cluster in IGMP
Multicast mode. We have port rules for TCP 80 and 443 with multiple host,
single affinity.

Port exceptions:
File and Printer Sharing to the LAN

Service exception:
HTTP and HTTPS

NLB Manager works fine. In Unicast mode we used a hosts file to force NLB
Manager to use the internal nic for cluster communication. In multicast
mode it is not needed.

Hope it helps,
Brian
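Pulling the thread together, here is an added example (not posted by anyone in the thread) of what a per-node firewall script for a Windows Server 2003 SP1 NLB node could look like using the `netsh firewall` context of that era. It covers Brian's setup (HTTP/HTTPS open, File and Printer Sharing limited to the LAN) and Jay's problem (the NLB Manager RPC listener lives in svchost.exe, which cannot be given a program exception, and Windows Firewall has no port-range syntax): each of the ports Jay observed, 1025 through 1038, gets its own exception, scoped to a single admin workstation instead of the world. The addresses 192.168.10.0/24 and 192.168.10.50 are constructed placeholders, and step 0 is the same listener check Jay did by hand.

```batch
@echo off
rem Added example: per-node Windows Firewall setup for a Windows Server 2003 SP1
rem NLB web node, using the "netsh firewall" context of that era.
rem Constructed placeholders: 192.168.10.0/24 is the internal LAN and
rem 192.168.10.50 is the workstation that runs NLB Manager remotely.
setlocal
set LAN=192.168.10.0/24
set ADMIN=192.168.10.50

rem 0. Before writing rules, see which process owns each listener. An RPC
rem    server started on demand shows up as a svchost.exe PID here; map the
rem    PID to the services it hosts with tasklist.
netstat -ano | findstr LISTENING
tasklist /svc /fi "IMAGENAME eq svchost.exe"

rem 1. Cluster service ports matching the NLB port rules (TCP 80 and 443):
rem    these are what the cluster address publishes, so they stay open to all.
netsh firewall add portopening protocol=TCP port=80 name="HTTP" mode=ENABLE scope=ALL
netsh firewall add portopening protocol=TCP port=443 name="HTTPS" mode=ENABLE scope=ALL

rem 2. File and Printer Sharing, reachable from the internal LAN only.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=CUSTOM addresses=%LAN%

rem 3. Remote NLB Manager: the RPC endpoint mapper (TCP 135) plus the dynamic
rem    ports observed in the thread (1025-1038). Windows Firewall has no port
rem    range syntax, so each port gets its own exception, and every one is
rem    limited to the single admin host rather than opened to everyone.
netsh firewall add portopening protocol=TCP port=135 name="RPC endpoint mapper (NLB Manager)" mode=ENABLE scope=CUSTOM addresses=%ADMIN%
for /L %%P in (1025,1,1038) do (
    netsh firewall add portopening protocol=TCP port=%%P name="NLB Manager RPC %%P" mode=ENABLE scope=CUSTOM addresses=%ADMIN%
)

rem 4. Review what is now open.
netsh firewall show portopening
netsh firewall show service
endlocal
```

Run it once per node from an administrative command prompt; the two `show` commands at the end list exactly what was added, which is worth keeping alongside the border firewall's rule set. The loop is only as good as the range it covers: Windows lets you pin the RPC dynamic port range with the HKLM\SOFTWARE\Microsoft\Rpc\Internet registry key (values Ports, PortsInternetAvailable and UseInternetPorts, documented by Microsoft; a reboot applies it). That setting is not mentioned in the thread, but it turns "every port above 1024" into a small fixed set that a loop like the one above can cover deterministically.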
