How to add Firewall Client via Group Policy
Thanks to Chad Gross for this!
Assigning the Firewall Client to client PCs via Group Policies is pretty simple & straight-forward with SBS2k3:
1) Open Start | Administrative Tools | Group Policy Management
How to add Firewall Client via Group Policy
Thanks to Chad Gross for this!
Assigning the Firewall Client to client PCs via Group Policies is pretty simple & straight-forward with SBS2k3:
1) Open Start | Administrative Tools | Group Policy Management
2) Expand Forest | Domains | | My Business | Computers
3) Highlight SBSComputers
4) Click on Action | Create and Link a GPO here
5) Name your new GPO (e.g. ‘Microsoft Firewall Client Installation Policy’)
6) Your new GPO should now appear in the right-hand pane of the management console. Right-click on the GPO and select ‘Edit’
7) Expand Computer Configuration | Software Settings | Software Installation
8) Action | New | Package
9) Enter the UNC path to the firewall client installer file
(\\\mspclnt\ms_fwc.msi by default)
10) Select ‘Assigned’ as the deployment method & click OK.
11) Close the Group Policy Editor console
12) Back in the Group Policy Management Console, right-click on your GPO and select ‘Enforced’
That’s it – your GPO for deploying the Firewall Client is now in place. As for when this change takes place, this depends . . .
If you create & enforce this GPO before joining workstations to the domain, this GPO will be part of the overall group policies that the workstation receives upon joining the domain.
If you create & enforce this GPO after clients have been joined to the domain, you have two options:
1) touch each PC to manually update the Group Policies by running gpupdate /force at the
command prompt.
2) By default, group policies are updated every 90 minutes – so you could wait for the backgroup update to refresh the policy.
3) Reboot the machine which will update the Group Policies.
The interesting thing to remember is that when you assign an application to a Computer, the software installation actually occurs at startup before you get a logon banner. Therefore, if you create & enforce this GPO after PCs have been joined to the domain, the PCs will still have to be rebooted for the firewall client to actually be installed. As a result, to make this installation as truly efficient as possible, I create & enforce this GPO before joining PCs to the domain. This minimizes the number of reboots that have to occur when configuring client PCs.
Another little trick re: minimizing Administrator requirements at each PC – with SBS2k3, when the firewall client is installed, it configures IE to use ISA as it’s proxy. Only problem is that it only does this for the user profile that installs the firewall client. (And with a GPO install assigned to the Computer, no user gets this configured). Naturally, this means that IE needs to be configured for each user that logs into the PC. Ugh, right?
Not quite :^)
1. On your SBS, navigate to C:\Program Files\Microsoft Windows Small Business Server\ClientSetup\Clients\Setup.
2. Open the install.ins file with notepad.
3. Find the [Proxy] section and edit it so that it looks like:
[Proxy]
HTTP_Proxy_Server=http://YourServerName:8080
FTP_Proxy_Server=http://YourServerName:8080
Gopher_Proxy_Server=http://YourServerName:8080
Secure_Proxy_Server=http://YourServerName:8080
Socks_Proxy_Server=http://YourServerName:8080
Use_Same_Proxy=1
Proxy_Enable=1
Proxy_Override=””
AutoDetect=0
4. Save the file. The next time any user logs in to any PC, their IE will be properly configured to use ISA as a proxy. This is something else that is very beneficial if you do it early during your server configuration (and before you have users asking why they can’t get out to the internet :^)
—
Chad A. Gross – SBS MVP
SBS ROCKS!
www.msmvps.com/cgross
www.gosbs.org