Using Application as Service with Windows Firewall

Application as Service can connect to remote computers and manage services on them. Windows Firewall on those computers may treat these connections as unauthorized incoming traffic and block them. As a rule, this problem can be fixed in one of the following two ways:

1. The most obvious and straightforward option is to completely disable Windows Firewall, thus allowing Application as Service to establish connections without any restrictions. However, this weakens the overall security of the system and your data. Use this option only as a temporary solution for a short period of time, and only in situations when you are 100% sure that there are no threats to your confidential information.

To disable Windows Firewall on a computer you plan to connect to, go to Control Panel – Windows Firewall – Turn Windows Firewall on or off and disable it for the corresponding networks. Once done, you will be able to use Application as Service to access this computer and control services running on it.

2. A more flexible and technically correct way is to add Application as Service and the computer it will be running on to the white list of Windows Firewall (as an exception) on each destination computer (the computers you will connect to remotely). In this case, the program will be allowed to connect to these systems without triggering a Windows Firewall notification or being denied access. This simple task is accomplished slightly differently in the most popular operating systems, so please refer to one of the guides below for assistance.

Windows XP

By default, the Windows XP version of Windows Firewall, Internet Connection Firewall (ICF), blocks all unauthorized incoming connections, thus making it impossible to use Application as Service without configuring the target system first. Due to some functional limitations of this early version of Windows Firewall, blocking of incoming connections cannot be disabled as easily as in Windows Vista/7. There are two methods of solving this problem: using a local group policy and using the system network shell.

Group Policy
A local group policy allowing remote service management connections must be configured on all computers you plan to connect to using Application as Service.

This task can be accomplished in the following way:
1. Click Start -> Run, type “gpedit.msc” (without quotes) and then press Enter or click OK. The Local Group Policy Editor will start.
2. Use the navigation tree on the left hand side panel to browse to Local Computer Policy – Computer Configuration – Administrative Templates – Network – Network Connections – Windows Firewall. Double-click the tree nodes to expand or fold them (or click the small triangles to the left of tree nodes). Clicking a node will display its contents in the right hand panel.
3. Click on “Standard Profile” to see a list of existing network rules.
4. Locate a rule called “Windows Firewall: Allow inbound remote administration exception” and double-click it.
5. Enable the exception by selecting the corresponding radio button.
6. Enter the IP address of the source PC (where Application as Service will be installed) into the “Allow unsolicited incoming messages from these IP addresses” field. If you don’t know your IP address, please contact your network administrator or use the ipconfig.exe utility to determine it. You can also enter network names and IP ranges to define the set of PCs that will have access to remote service management on this computer. Click OK to finish the process.
7. Make the same changes (steps 4-6) in the “Domain Profile” section.
8. This system is now ready to accept incoming connections from the specified address or range of addresses.

System network shell
Another method of enabling remote service management involves the use of the system network console:
1) Click Start -> Run, type “cmd” (without quotes) and then press Enter or click OK. This will bring up the system console.
2) Type “netsh firewall set service remoteadmin enable custom” (without quotes) and add the IP address(es) of the computer(s) with Application as Service installed that will be used to control services on this PC. Complete the operation by pressing Enter.
3) The system will now accept remote administration connections from the specified IP addresses.

Windows Vista/7

Windows Vista and 7 allow you to configure exceptions more easily. To add an IP-based exception, do the following:

1) Open the Control Panel (Start -> Control Panel) and click Windows Firewall – Advanced Settings. This will open the Windows Firewall with Advanced Security window.
2) Click “Inbound Rules” on the left hand side panel. This will show a list of preconfigured rules in the central panel of the window.
3) Locate the “Remote Service Management (RPC)” rule and double-click it for editing.
4) Tick the “Enabled” checkbox on the first page, then open the “Scope” tab and select the “These IP addresses” option.
5) Click the “Add” button to open a window that allows you to specify the IP address(es) that will be granted access to remote service management on this computer.
6) Enter the necessary values and click Apply to apply the changes or OK to apply the changes and close the rule configuration window.
7) The system is now ready to accept connections from the specified IP addresses.
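
The Windows Vista/7 steps above can also be applied from an elevated PowerShell prompt on the destination computer. The script below is an added example, not part of the original guide or the product: it checks the allow list before changing the rule, then prints the rule so the resulting scope can be confirmed. The addresses are constructed sample values, and the strict check accepts only individual IP addresses, which is narrower than what the Scope tab allows.

```powershell
# Added example (not vendor code). Run from an elevated PowerShell prompt
# on the destination computer (Windows Vista/7).
$RuleName   = 'Remote Service Management (RPC)'  # rule name from step 3 above
$AllowedIPs = @('192.0.2.10', '192.0.2.11')      # constructed sample addresses

# Never enable the rule without a scope: that would admit any remote host.
if ($AllowedIPs.Count -eq 0) {
    throw 'No addresses given; refusing to enable the rule without a scope.'
}

# Validate each entry before touching the firewall. Comparing the parsed
# value with the input rejects shorthand such as "192.168.1", which .NET
# would otherwise silently expand to a different address.
foreach ($ip in $AllowedIPs) {
    $parsed = $null
    $ok = [System.Net.IPAddress]::TryParse($ip, [ref]$parsed)
    if (-not $ok -or $parsed.ToString() -ne $ip) {
        throw "Not a plain IP address: '$ip'"
    }
}

# Enable the predefined rule and restrict it to the validated addresses
# (the command-line equivalent of the "Enabled" checkbox and the Scope tab).
$remote  = $AllowedIPs -join ','
$setArgs = @('advfirewall', 'firewall', 'set', 'rule', "name=$RuleName",
             'new', 'enable=yes', "remoteip=$remote")
& netsh $setArgs
if ($LASTEXITCODE -ne 0) { throw "netsh exited with code $LASTEXITCODE" }

# Print the rule so the Enabled state and RemoteIP scope can be checked.
& netsh advfirewall firewall show rule "name=$RuleName" verbose
```

In the output of the last command, the RemoteIP line should list only the management stations; a value of Any means the rule is still open to every host.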