When you’re going to perform a migration from either ConfigMgr 2007 or between two ConfigMgr 2012 environments, there’s always a bit of hassle with the Windows Firewall. The Windows Firewall should never be turned off just to work around the problem. Instead, you can add a set of temporary rules that can be removed once the migration has been successfully completed. That is exactly what this post covers: creating a set of temporary rules that we can remove after the migration.
On the top source hierarchy site server, we need to allow traffic from the site server that we want to migrate stuff to. Let me illustrate it a bit more clearly.
Scenario
Top source hierarchy site server
Server: CM07
Site role: ConfigMgr 2007 Primary Site server
Migration: Source
Top destination hierarchy site server
Server: CM12
Site Role: ConfigMgr 2012 R2 Primary Site server
Migration: Destination
By looking at the scenario above, we would need to allow inbound traffic on the CM07 server coming from the CM12 server. To do this, we can run a simple VBScript to add the necessary Windows Firewall rules.
Script
' Adds temporary inbound Windows Firewall rules for a ConfigMgr migration.
' Usage: cscript.exe OpenFWConfigMgrMigration.vbs <RemoteIP>
Dim WshShell, strRemoteIP

' The remote IP address is required; every rule is scoped to it
If WScript.Arguments.Count <> 1 Then
    WScript.Echo "Usage: cscript.exe OpenFWConfigMgrMigration.vbs <RemoteIP>"
    WScript.Quit 1
End If

Set WshShell = WScript.CreateObject("WScript.Shell")
strRemoteIP = WScript.Arguments(0)

' RPC endpoint mapper (TCP 135), limited to svchost.exe
WScript.Echo "Adding firewall rule: ConfigMgr Migration - RPC Endpoint Mapper (135)"
Call WshShell.Run("netsh advfirewall firewall add rule name=""ConfigMgr Migration - RPC Endpoint Mapper (135)"" dir=IN protocol=TCP localport=RPC-EPMAP program=""%SystemRoot%\System32\svchost.exe"" remoteip=" & strRemoteIP & " action=ALLOW")

' RPC dynamic ports, limited to svchost.exe
WScript.Echo "Adding firewall rule: ConfigMgr Migration - RPC Dynamic Ports"
Call WshShell.Run("netsh advfirewall firewall add rule name=""ConfigMgr Migration - RPC Dynamic Ports"" dir=IN protocol=TCP localport=RPC program=""%SystemRoot%\System32\svchost.exe"" remoteip=" & strRemoteIP & " action=ALLOW")

' SMB (TCP 445)
WScript.Echo "Adding firewall rule: ConfigMgr Migration - SMB (445)"
Call WshShell.Run("netsh advfirewall firewall add rule name=""ConfigMgr Migration - SMB (445)"" dir=IN protocol=TCP localport=445 remoteip=" & strRemoteIP & " action=ALLOW")

' SQL Server (TCP 1433)
WScript.Echo "Adding firewall rule: ConfigMgr Migration - SQL (1433)"
Call WshShell.Run("netsh advfirewall firewall add rule name=""ConfigMgr Migration - SQL (1433)"" dir=IN protocol=TCP localport=1433 remoteip=" & strRemoteIP & " action=ALLOW")

Set WshShell = Nothing
WScript.Quit
Save this script as e.g. OpenFWConfigMgrMigration.vbs and copy it to the site server that you’ll be migrating objects from (in my scenario CM07). The script accepts one argument, the IP address that will be populated into the RemoteIP section of each firewall rule. In this scenario, we should use the CM12 server’s IP address as the argument to the script, because the migration process traffic will originate from the ConfigMgr environment that we want to migrate the objects to.
Open an elevated command prompt and run the following command:
cscript.exe OpenFWConfigMgrMigration.vbs 192.168.0.211
Once the script has executed, it should look like this:
Afterwards when we look in the Windows Firewall, we’ll see the rules that the script has added:
Now we’re set to migrate all the objects that we want! Remember that if there’s any physical or other firewall in between, those need to be configured too.
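The rules are meant to be temporary, so here is one way to remove them again once the migration is done. This is an added example, not part of the original script: the file name RemoveFWConfigMgrMigration.ps1 and the -AuditOnly switch are assumptions, while the rule names are the four that the script above creates. It only calls netsh, so it also runs on older site servers; run it from an elevated PowerShell prompt on the source server (CM07 in this scenario).

```powershell
# RemoveFWConfigMgrMigration.ps1 (hypothetical name; added example)
# Removes the temporary "ConfigMgr Migration" rules and verifies they are gone.
param([switch]$AuditOnly)   # -AuditOnly reports leftover rules without deleting

# Names must match the rules created by OpenFWConfigMgrMigration.vbs
$ruleNames = @(
    'ConfigMgr Migration - RPC Endpoint Mapper (135)',
    'ConfigMgr Migration - RPC Dynamic Ports',
    'ConfigMgr Migration - SMB (445)',
    'ConfigMgr Migration - SQL (1433)'
)

function Test-MigrationRule([string]$Name) {
    # netsh exits with 0 when at least one rule matches the name
    & netsh advfirewall firewall show rule "name=$Name" | Out-Null
    return ($LASTEXITCODE -eq 0)
}

$remaining = @()
foreach ($rule in $ruleNames) {
    if (-not (Test-MigrationRule $rule)) {
        Write-Output "Not present:      $rule"
        continue
    }
    if ($AuditOnly) {
        Write-Output "Still present:    $rule"
        $remaining += $rule
        continue
    }
    # Deletes every rule carrying this exact name
    & netsh advfirewall firewall delete rule "name=$rule" | Out-Null
    if (Test-MigrationRule $rule) {
        Write-Output "FAILED to remove: $rule"
        $remaining += $rule
    } else {
        Write-Output "Removed:          $rule"
    }
}

# A non-zero exit code means inbound exceptions are still open on this server
if ($remaining.Count -gt 0) { exit 1 }
exit 0
```

Running it with -AuditOnly some time after the migration is a quick check that no SMB, SQL or RPC exception was left behind.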