- Network/Cloud License
- The license admits a single main product installation. All other computers (their number depends on the license) are controlled by remote agents. The agents are services that the main product installation installs on the remote computers automatically. The agents have no user interface and can be installed, uninstalled and controlled from the main product installation only.
- Agent Usage
- After the agents are installed you can:
- Control the remote computers individually. Selecting the Computer field in the bottom-left corner of the main Windows7FirewallControl dialog gives access to the application permissions and zones of the remote computer, so you can control the remote computer exactly as the local one.
- Create complex in-LAN security policies by determining the computers' mutual access permissions.
- Agent Installation Scenario
- The agents can be installed by the main Windows7FirewallControl installation automatically. Windows7FirewallControl detects other computers on the same local network and populates the Agents pane list with the detected agents automatically. Agents can be added to the list manually as well.
- The agents can be specified by computer name or by IP address. IP address takes precedence if an IP address is specified. The Agents pane list capacity is limited by the license.
- After an agent is added, Windows7FirewallControl Network/Cloud Edition is ready to install the agent to the related remote computer.
- Each agent must be set to the "Maintaining/Enable" state individually (see the Edit Agent dialog for details). Pressing the "InstallAll" button of the Agents pane sets the state for all the agents at once.
- Checking "Agents Processing" instructs Windows7FirewallControl to iterate through the Agents list and perform the desired action (installation/deinstallation/monitoring).
Note: The agent installation may take 30 seconds to 1 minute per agent. Windows7FirewallControl tries to detect the remote system bitness and to install the agent accordingly.
- Automatic Agent Installation
- After the scenario above is accomplished, Windows7FirewallControl starts processing the agents. All the results are displayed in the Status column of the Agents pane list. "Enable" in the Status column confirms that the installation completed successfully and the agent is ready to use. Reverting back to "Ignored" means the agent installation was monitored but failed, or the agent is not available anymore.
- Descriptive error text in the Message column helps to diagnose and fix the installation problem. The error text is taken from the underlying system directly and should be treated "as is". The agent installation is performed via the ADMIN$ and IPC$ shares on the remote computer. The shares must exist (the default Windows installation state), be available, not be blocked by WindowsFirewall (or a third party) on the remote computer, and be authorized for remote access (you must specify administrative credentials of the remote computer).
- So, any ADMIN$/IPC$ related messages concern the presence, availability or accessibility of the shares. RPC related messages indicate that the shares are being blocked, probably by WindowsFirewall.
- Manual Agent Installation
- If automatic agent installation is not possible for some reason, you can install the agent manually on every remote computer.
- Choose an agent from a subfolder of the Windows7FirewallControl installation folder according to the remote system type/bitness. The i386 folder includes agents for 32-bit systems. The x64 folder includes agents for 64-bit systems. The "-XP" suffix designates agents for WindowsXP/2003. Other agents are to be installed on Windows 8/7/Vista/2008. 32-bit agents are operable on 64-bit systems as well.
Note: On WindowsXP/2003 .sys drivers must be copied to the remote computer as well. The amd64 folder includes the driver for XP/2003 64-bit systems.
- Copy the chosen files to the remote computer via RemoteDesktop/Network/USBflash/etc. You can copy the files to any existing location on the remote computer or create a dedicated folder for that.
- Run cmd.exe (as Administrator) on the remote computer and launch the following consecutively:
"Windows7FirewallService(any-suffix).exe /DriverON" (for XP/2003 systems only)
"Windows7FirewallService(any-suffix).exe /Service"
"Windows7FirewallService(any-suffix).exe /EnableRemote"
"Windows7FirewallService(any-suffix).exe /EnableRemoteDesktop" (for RemoteDesktop access to the remote computer)
Note: If you access the remote computer via RemoteDesktop, you have to combine all the above in a single batch (.bat) file and launch all the command lines at once. Otherwise, remote desktop access will be disabled immediately from the start until you invoke the "/EnableRemoteDesktop" line. After the agent is installed you can access the remote computer exactly as the local one.
- To remove the agent manually, run in cmd.exe (as Administrator):
"Windows7FirewallService(any-suffix).exe /Unregserver"
"Windows7FirewallService(any-suffix).exe /DriverOFF" (for XP/2003 systems only)
- Typical problems and Diagnostics
- All the installation/operation problems can be caused by unavailability of the ADMIN$ and IPC$ shares on the remote computer (for agent installation/deinstallation) or by blocks in the remote WindowsFirewall. WindowsFirewall can be implicitly or explicitly configured to block the shares or the remote agent access. The shares are required for the agent installation/deinstallation only and cannot affect the agent operability.
- How a successfully installed agent appears on the remote computer:
- The agent is listed (and optionally running) in Services.msc as Windows7FirewallService.
- A W7FirewallControl local user is created (with a specific hidden password) by the installation (automatic or manual).
- "SYSTEM\CurrentControlSet\Control\Lsa" forceguest = 0. The value forces the system to authenticate remote users as themselves. "As guests" is the default state. The option can be set manually in LocalSecurityPolicy/SecurityOptions/Network access: Sharing and security model for local accounts.
- everyoneincludesanonymous = 1 under the same registry key (LocalSecurityPolicy/SecurityOptions/Network access: Let Everyone permissions apply to anonymous users). The option allows firewall events to be sent back from the remote computer to the centralized control panel (the main installation). The events enable the remote application detection popup and instant gathering of blocking events from the remote computer. Details: http://support.microsoft.com/kb/278259.
- VistaFirewallService (the base name of the agent) is available for the remote access for W7FirewallControl user in dcomcnfg.exe/ComponentService/Computers/MyComputer/DCOM config/VistaFirewallControl/RightClick/Properties/Security for Launch/Activation and Access permissions.
- WindowsFirewall must list (as allowed) the following.
- Windows7FirewallService (if installed manually, with the correct suffix).
- WindowsFirewallControl (if any is installed on the remote system; not required for remote operability of the agent).
- File and Printer Sharing.
All the above is done automatically by any type of remote installation.
- If the agent is unavailable (the centralized panel shows a "Can't connect" message when the remote computer is chosen) even though the agent is installed and the steps above are verified, the most probable cause of the problem is WindowsFirewall. Formally, the remote agent connection is based on DCOM, so WindowsFirewall must allow Windows7FirewallService (the agent itself) and port 135 (in any form) as the DCOM/RPC access coordinator.
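The host-side changes listed above (service, local user, Lsa values, File and Printer Sharing rules) can be reviewed in one pass on a computer where the agent has been installed. The PowerShell script below is an added example, not part of the product; it assumes Windows 8 or later with PowerShell 5.1, English firewall group names, and that the service name or display name starts with Windows7FirewallService.

```powershell
# Added example: report the host-side state the page lists for an installed agent.
# Run in an elevated PowerShell session on the remote computer.

$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaValue {
    param([string]$Name)
    # Returns $null when the value is absent instead of throwing.
    $item = Get-ItemProperty -Path $lsaPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# Agent service: matched on name or display name, because the page only says
# how it is listed in Services.msc (assumption: both start with this string).
$service = Get-Service | Where-Object {
    $_.Name -like 'Windows7FirewallService*' -or
    $_.DisplayName -like 'Windows7FirewallService*'
} | Select-Object -First 1

# Local account created by the automatic or manual installation.
$user = Get-LocalUser -Name 'W7FirewallControl' -ErrorAction SilentlyContinue

# Enabled inbound allow rules in the built-in File and Printer Sharing group.
$fpsRules = @(
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Enabled -eq 'True' -and
            $_.Direction -eq 'Inbound' -and
            $_.Action -eq 'Allow'
        }
)

# One record per host, suitable for comparison against the site baseline.
[pscustomobject]@{
    ComputerName              = $env:COMPUTERNAME
    AgentService              = if ($service) { "$($service.Name) ($($service.Status))" } else { 'not found' }
    LocalUserPresent          = [bool]$user
    LocalUserEnabled          = if ($user) { $user.Enabled } else { $null }
    ForceGuest                = Get-LsaValue -Name 'forceguest'
    EveryoneIncludesAnonymous = Get-LsaValue -Name 'everyoneincludesanonymous'
    FilePrinterSharingInbound = $fpsRules.Count
} | Format-List
```

After a manual removal with /Unregserver, running the same script shows whether the local user, the Lsa values and the firewall rules were left in place.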