How To Create A Firewall In Java
We are switching to a softphone solution and despite being installed in Program Files the app seems to actually run from the logged in users appdata folder. The issue is that it wants to allow a firewall rule for the app, prompting for admin credentials. The firewall gpo is computer level and doesn't accept %userprofile% or %localappdata% variables. Is there any other way to go about pushing this rule outside of creating a rule for each users appdata path?
25 Replies


C:\Users\%Username%\AppData


Mark0923 wrote:
Try this: C:\Users\%Username%\AppData
As noted in the post (if it was even read), %username% doesn't exist in the context of a computer (or, to be more accurate, the username would be COMPUTER$). As confirmed by Microsoft, "we recommend that you do not use environment variable strings that resolve only in the context of a certain user (for example, %USERPROFILE%). When these strings are evaluated by the service at runtime, the service is not running in the context of the user. The use of these strings can produce unexpected results."
The solution would be to change the installation path of the program; however, that may be unlikely.
I wonder about a GPO-deployed scheduled task that runs once at user logon (under the system account) and creates the necessary firewall exception. Lord, that's convoluted.
Really, I'm thinking you should just create a custom rule that allows traffic between the computer and the endpoint and restrict it to the necessary ports on the destination computer. I mean, as long as you control the endpoint, it's not like anything else is going to be able to leverage that socket for anything other than the softphone (generally).

I don't have control of the endpoint. It is a hosted cloud service.


Did you try contacting the vendor? This does not seem to be correct behavior.
Also you can just open the port without restricting to a particular application while you figure it out.

Yes I voiced much displeasure with the vendor. Unfortunately they tell me this is just how it is. Five9 for anyone who is curious who it is.


Firewall rules cannot use environment variables that resolve to a user account - at all.
This means you cannot use these:
%APPDATA%
%LOCALAPPDATA%
%USERNAME%
%HOMEPATH%
%TEMP% / %TMP%
%USERPROFILE%
The best option you have is to restrict it to the ports you need (in and outbound), and the target IP address it connects to.


Be that as it may, I believe opening up traffic to that socket is the appropriate option here. Since it's external (I was unaware), you may be able to leverage your perimeter firewall to ensure traffic is what it should be.


Five9?
If you're using it for a support call center, good luck!
;)

Yes it is for support. Why good luck? Poor experience?


Shad0wguy wrote:
Yes it is for support. Why good luck? Poor experience?
No. I'm sure it's fine; I was sincere -- as opposed to if you were using it for robo- or unsolicited sales calls.

I'm looking for the same solution.
It's for Five9 too! :/
They require every user to be local admins, that's just nuts!

We had the same problem with the firewall settings for MS Teams.
We used the user login script to run a PowerShell script to add the firewall rules.
<Firewall-Rules-Teams.ps1>:
# $env:USERNAME and $env:LOCALAPPDATA resolve in the logged-on user's context (the script runs from the user login script)
New-NetFirewallRule -Name "$env:USERNAME-Teams.exe-tcp" -DisplayName "$env:USERNAME-Teams.exe-tcp" -Enabled True -Profile Any -Direction Inbound -Action Allow -Program "$env:LOCALAPPDATA\microsoft\teams\current\teams.exe" -Protocol TCP
New-NetFirewallRule -Name "$env:USERNAME-Teams.exe-udp" -DisplayName "$env:USERNAME-Teams.exe-udp" -Enabled True -Profile Any -Direction Inbound -Action Allow -Program "$env:LOCALAPPDATA\microsoft\teams\current\teams.exe" -Protocol UDP

spicehead-cxo33 wrote:
We had the same problem with the firewall settings for MS Teams.
We used the user login script to run a PowerShell script to add the firewall rules.
<Firewall-Rules-Teams.ps1>:
New-NetFirewallRule -Name "$env:USERNAME-Teams.exe-tcp" -DisplayName "$env:USERNAME-Teams.exe-tcp" -Enabled True -Profile Any -Direction Inbound -Action Allow -Program "$env:LOCALAPPDATA\microsoft\teams\current\teams.exe" -Protocol TCP
New-NetFirewallRule -Name "$env:USERNAME-Teams.exe-udp" -DisplayName "$env:USERNAME-Teams.exe-udp" -Enabled True -Profile Any -Direction Inbound -Action Allow -Program "$env:LOCALAPPDATA\microsoft\teams\current\teams.exe" -Protocol UDP
User login script runs as an admin?

So far what I have is
New-NetFirewallRule -DisplayName "RingCentral" -Direction Inbound -Program "$Env:USERPROFILE\appdata\local\ringcentral\softphoneapp\softphone.exe"
I also tried to use that $Env:USERPROFILE in the display name, but that doesn't work at all unfortunately.
This created the firewall exception under the admin. It's some progress; hopefully we can work this out, because I'm in the same boat.
Also, it seems that logon scripts run from the Computer Configuration run as admin, but from User Configuration they run as the user, just from what I've seen here.
https://social.technet.microsoft.com/Forums/en-US/81dcc090-412d-4a7c-abc4-ab674f4054df/gpo-startup-a...

Has anyone figured this out yet? I'm in the same boat.


I put in a few days figuring this one out, but I eventually got it. The main purpose was for Teams, but there's no reason why it shouldn't work for any application.
Summed up, I created a GPO that copies a Powershell script which is triggered by someone logging in. The script reads the scheduled task log to find out who triggered it, then builds the appropriate path and makes a firewall rule. The whole script is a little large to post here, but if someone wants it, I can shoot them a copy.


sameersheikh wrote:
The whole script is a little large to post here, but if someone wants it, I can shoot them a copy.
Spiceworks Script Center? https://community.spiceworks.com/scripts/
Github?


https://github.com/shsheikh/PowerShell/blob/master/Add_Teams_Firewall_Exceptions.ps1
I'm interested in any feedback on how to make it better. Reliably getting the correct user was probably the biggest challenge, and the method I chose only works if the script is run as a scheduled task.
Note that it was created for Microsoft Teams but the variables can be changed to fit any program that has similar requirements.
Edited Nov 6, 2020 at 22:12 UTC

I am just now running into this issue with Teams and users who are not local admins. Oddly enough, on the same domain, my path differs from my wife's path.
Mine:
C:\Users\ME\AppData\Local\Microsoft\Teams\current
Her path:
C:\ProgramData\HER\Microsoft\Teams\current
I am working on the changes to your script to at least try to get it working for the path you have that matches mine. You said that you used a GPO to push the script and set the task: "With the changes made, copy the script somewhere local on the machine, then create a Scheduled Task that triggers on user logon and executes this script.
## I do the above with a GPO,..."
How did you do that?
THANK YOU for the script, too! I have tried a few others, but my SRP for ransomware keeps stopping them or they won't run as standard users.
Gregg


Hi!
To deploy it, I have a single GPO configured with the following:
Computer > Preferences > Windows Settings > Files > File/Target Path: C:\Users\Public\Add_Teams_Firewall_Exceptions.ps1, copied from a local share everyone can access
Computer > Preferences > Control Panel Settings > Scheduled Tasks > Win7 Task called Teams_Firewall_Rules_All_Users
-Action: Update
-RunAs: SYSTEM / run whether the user is logged on or not / Run with highest privileges
-Triggered at log on of any users
-Actions, Start a Program > -executionpolicy bypass -file "C:\Users\Public\Add_Teams_Firewall_Exceptions.ps1"
Then I applied it to an OU where all of the computer objects are located.
Finally, I did end up setting up GitHub and put the script there: https://github.com/shsheikh/PowerShell/blob/master/Add_Teams_Firewall_Exceptions.ps1
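An added, self-contained example of the logon-triggered approach described in this thread (it is not sameersheikh's GitHub script or the Microsoft sample): it is meant to run from the computer-level scheduled task above (trigger "At log on of any user", run as SYSTEM), resolves the interactive user through Win32_ComputerSystem instead of the Task Scheduler log (an assumption: on a console-only workstation that is the user who just logged on), looks up the real profile folder by SID rather than assuming C:\Users\<name>, and creates one idempotent inbound rule per protocol for the Teams path quoted in the thread.

```powershell
# Added example, not the project's own code. Run as SYSTEM from a logon-triggered scheduled task
# so New-NetFirewallRule has the elevation a standard user lacks.
$AppRelativePath = 'AppData\Local\Microsoft\Teams\current\Teams.exe'   # path under the user profile
$RulePrefix      = 'PerUser-Teams'                                       # rule-name prefix (assumed)

# 1. Who just logged on? Win32_ComputerSystem.UserName is the console (interactive) session user.
$account = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
if (-not $account) { Write-Warning 'No interactive user found; nothing to do.'; exit 0 }

# 2. Resolve DOMAIN\user to its SID, then to the actual profile folder
#    (the thread shows it is not always C:\Users\<name>).
try {
    $sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
} catch {
    Write-Warning "Cannot resolve $account to a SID: $_"; exit 1
}
$userProfile = Get-CimInstance -ClassName Win32_UserProfile -Filter "SID='$sid'"
if (-not $userProfile) { Write-Warning "No local profile for $account yet."; exit 0 }

$program = Join-Path -Path $userProfile.LocalPath -ChildPath $AppRelativePath
if (-not (Test-Path -LiteralPath $program)) {
    Write-Warning "Application not found at $program; rule not created."
    exit 0
}

# 3. One rule per user and protocol, keyed on the SID so repeated logons do not pile up duplicates.
foreach ($proto in 'TCP', 'UDP') {
    $name = "$RulePrefix-$sid-$proto"
    if (Get-NetFirewallRule -Name $name -ErrorAction SilentlyContinue) {
        # Rule already exists: only refresh the program path in case the profile folder changed.
        Set-NetFirewallRule -Name $name -Program $program
        continue
    }
    New-NetFirewallRule -Name $name `
        -DisplayName "$RulePrefix ($account, $proto)" `
        -Description "Per-user inbound rule for $program, created at logon" `
        -Direction Inbound -Action Allow -Protocol $proto -Profile Any `
        -Program $program -Enabled True | Out-Null
}
```

Because the allowed executable lives in a user-writable folder, the rule trusts whatever binary sits at that path, so narrowing it further with -RemoteAddress and -RemotePort to the ranges the vendor publishes is worthwhile where those are known.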



Sheikhs, thanks for your great idea. I have adopted the way of copying the script and setting up a scheduled task via GPO for our problem with MS Teams. I just didn't use your script; I used the MS example script from https://docs.microsoft.com/en-us/microsoftteams/get-clients#sample-powershell-script---inbound-firew... and changed it to match all network profiles. I also modified the triggers for the task and added lock and unlock of the workstation to get the rule out as fast as possible.
This solution also works perfectly for our users via VPN, because no reboot or log off and log on is involved, which in our case would disconnect the VPN.
Source: https://community.spiceworks.com/topic/2148186-gpo-to-create-firewall-rule-for-app-in-userprofile
Posted by: mcneillween1992.blogspot.com