Monday, September 14, 2009

Forefront for Exchange and Windows built-in Firewall on a CCR cluster

Are you running Exchange 2007 in a CCR configuration with the Windows firewall turned on?

Then you have probably encountered the error "ERROR: cannot connect to service" when starting the Forefront for Exchange administrator console.

The first step is to allow some traffic through the Windows firewall as described in KB929073.
This lets you start the Forefront admin tool on the node running the Exchange Clustered Mailbox Server (CMS).
But you will still get an error when launching Forefront admin on the passive node and connecting over the network to the CMS.

The solution is to create two firewall rules that allow the traffic. These can be created in the GUI, but they are easier to describe as netsh commands:

netsh advfirewall firewall add rule name="Forefront for Exchange Controller Service" dir=in action=allow program="C:\Program Files (x86)\Microsoft Forefront Security\Exchange Server\FSCController.exe" description="Allow connection to Forefront for Exchange controller service" enable=yes profile=any localport=RPC protocol=TCP security=notrequired

and the second rule

netsh advfirewall firewall add rule name="Forefront for Exchange Admin tool" dir=in action=allow program="C:\Program Files (x86)\Microsoft Forefront Security\Exchange Server\FSSAClient.exe" description="Allow connection to Forefront for Exchange admin tool" enable=yes profile=any localport=RPC protocol=TCP security=notrequired

You need to do this on both nodes and also restart the Forefront Controller service; be aware that restarting it also restarts several other services.

You have to change the path in the commands if you have installed Forefront in a location other than the default.

You can also narrow down where connections may come from with the remoteip parameter, and the network classification they apply to with the profile parameter.

netsh advfirewall firewall add rule name="Forefront for Exchange Admin tool" dir=in action=allow program="C:\Program Files (x86)\Microsoft Forefront Security\Exchange Server\FSSAClient.exe" description="Allow connection to Forefront for Exchange admin tool" enable=yes profile=domain localport=RPC protocol=TCP security=notrequired remoteip=localsubnet

or

netsh advfirewall firewall add rule name="Forefront for Exchange Admin tool" dir=in action=allow program="C:\Program Files (x86)\Microsoft Forefront Security\Exchange Server\FSSAClient.exe" description="Allow connection to Forefront for Exchange admin tool" enable=yes profile=domain localport=RPC protocol=TCP security=notrequired remoteip=10.10.10.0/24
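The following PowerShell script is an added example, not part of the original post: it creates both rules on the local node using netsh, scoped to the domain profile and to the partner CCR node only, and fails early if the Forefront binaries are not where expected. The install folder ($InstallDir) and the partner node's address ($PartnerIp) are assumed inputs; run it on each node with the other node's IP, then restart the Forefront Controller service as described above.

```powershell
# Added example (not from the original post): add the two Forefront for Exchange
# firewall rules on this CCR node, allowing traffic only from the partner node.
# Assumptions: $InstallDir is the Forefront install folder (default shown),
# $PartnerIp is the other cluster node's address. Requires an elevated prompt.
param(
    [string]$InstallDir = "C:\Program Files (x86)\Microsoft Forefront Security\Exchange Server",
    [Parameter(Mandatory=$true)][string]$PartnerIp
)

$rules = @(
    @{ Name = "Forefront for Exchange Controller Service"; Exe = "FSCController.exe";
       Desc = "Allow connection to Forefront for Exchange controller service" },
    @{ Name = "Forefront for Exchange Admin tool";         Exe = "FSSAClient.exe";
       Desc = "Allow connection to Forefront for Exchange admin tool" }
)

foreach ($r in $rules) {
    $exe = Join-Path $InstallDir $r.Exe
    # A program rule that points at a missing binary silently matches nothing,
    # so verify the path (the post's "non-default install location" caveat).
    if (-not (Test-Path $exe)) {
        throw "Binary not found: $exe - check the Forefront install path"
    }

    # Remove an earlier copy so re-running the script does not create duplicates.
    # netsh returns non-zero when no rule matched; that is expected here.
    netsh advfirewall firewall delete rule name="$($r.Name)" | Out-Null

    # Same rule as in the post, but profile=domain and remoteip limited to the
    # partner node instead of profile=any / the whole subnet.
    netsh advfirewall firewall add rule name="$($r.Name)" dir=in action=allow `
        program="$exe" description="$($r.Desc)" enable=yes profile=domain `
        localport=RPC protocol=TCP security=notrequired remoteip=$PartnerIp
    if ($LASTEXITCODE -ne 0) { throw "netsh failed adding rule '$($r.Name)'" }
}

# Print the rules as the firewall stored them so profile and remote IP scope
# can be reviewed before the Controller service is restarted.
foreach ($r in $rules) {
    netsh advfirewall firewall show rule name="$($r.Name)" verbose
}
```

The script does not restart the Forefront Controller service itself, so the restart (and the other services it takes down) can be scheduled deliberately.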

Another thing that is important when running Forefront for Exchange in a CCR environment is to have the "Redistribution server" checkbox under "General Options" checked; otherwise the passive node will not be able to get updates from the active node.