Firewall exceptions not honored after cluster failover

Symptoms

Consider the following scenario:
 
• You have a computer that is running Windows Server 2008 or Windows Server 2008 R2.
• You install the Failover Clustering feature.
• You install an application to a shared cluster drive.
• You create a Windows Firewall application exception rule for the application (a rule whose ApplicationName is the path of the program on the shared drive).

In this scenario, after the clustered resources fail over to another node, the Windows Firewall service blocks network traffic to the application even though the rule is still listed.

Cause

This issue occurs because the path to the application that Windows Firewall stores for the rule contains a volume ID, and that volume ID was recorded on the node that owned the shared drive when the rule was added. After a failover the volume ID portion of the path differs from the stored one, so the Firewall service does not find a matching rule and blocks the traffic.

To work around the issue, write a script that uses the INetFwRule COM interface of Windows Firewall to delete and recreate the affected rules, so that the path is resolved again on the node that now owns the drive. Then create a scheduled task that runs the script and is triggered by Event ID 1201 (The Cluster service successfully brought the clustered service or application '{name}' online.), which the cluster service writes to the System log with the source Microsoft-Windows-FailoverClustering. Because scheduled tasks are local to a node, the script and the task must be present on every node of the cluster.

More information on the INetFwRule interface can be found below:
http://msdn.microsoft.com/en-us/library/aa365344(v=VS.85).aspx


More Information

Here is an example of such a script. Because the scheduled task runs it with administrative rights, store the script on the local system drive of each node in a location that only administrators can write to, not on the shared cluster drive.
' Sample Code is provided for the purpose of illustration only and is not intended to be 
' used in a production environment. THIS SAMPLE CODE AND ANY RELATED INFORMATION ARE PROVIDED
' "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
' TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. We
' grant You a nonexclusive, royalty-free right to use and modify the Sample Code and to
' reproduce and distribute the object code form of the Sample Code, provided that You agree:
' (i) to not use Our name, logo, or trademarks to market Your software product in
' which the Sample Code is embedded;
' (ii) to include a valid copyright notice on Your software product in which the Sample Code
' is embedded; and
' (iii) to indemnify, hold harmless, and defend Us and Our suppliers from and against
' any claims or lawsuits, including attorneys’ fees, that arise or result from the
' use or distribution of the Sample Code
Option Explicit

' Add your application path and name below.
' NOTE: the comparison against ApplicationName is case sensitive, so the path
' must match the rule exactly as it was entered.
Const AppPath = "C:\temp\myapp.exe"

' Protocol numbers used by the firewall API (NET_FW_IP_PROTOCOL_*).
Const NET_FW_IP_PROTOCOL_ICMPv4 = 1
Const NET_FW_IP_PROTOCOL_TCP = 6
Const NET_FW_IP_PROTOCOL_UDP = 17
Const NET_FW_IP_PROTOCOL_ICMPv6 = 58

Dim fwPolicy2, RulesObject, rule, newRule, i, j, alreadyRemoved
Dim copies()
Dim count
count = 0

' Create the FwPolicy2 object and get the Rules collection.
Set fwPolicy2 = CreateObject("HNetCfg.FwPolicy2")
Set RulesObject = fwPolicy2.Rules

' Pass 1: build a copy of every rule for the application. The collection is
' not modified while it is being enumerated; removal and re-creation happen
' afterwards.
For Each rule In RulesObject
    If rule.ApplicationName = AppPath Then
        Set newRule = CreateObject("HNetCfg.FWRule")

        ' Copy the Firewall Rule. Protocol must be set before the port and
        ' ICMP properties, and those are only valid for the matching protocol,
        ' so they are copied conditionally.
        newRule.Name = rule.Name
        newRule.Description = rule.Description
        newRule.ApplicationName = rule.ApplicationName
        newRule.ServiceName = rule.ServiceName
        newRule.Protocol = rule.Protocol
        If rule.Protocol = NET_FW_IP_PROTOCOL_TCP Or rule.Protocol = NET_FW_IP_PROTOCOL_UDP Then
            newRule.LocalPorts = rule.LocalPorts
            newRule.RemotePorts = rule.RemotePorts
        ElseIf rule.Protocol = NET_FW_IP_PROTOCOL_ICMPv4 Or rule.Protocol = NET_FW_IP_PROTOCOL_ICMPv6 Then
            newRule.IcmpTypesAndCodes = rule.IcmpTypesAndCodes
        End If
        newRule.LocalAddresses = rule.LocalAddresses
        newRule.RemoteAddresses = rule.RemoteAddresses
        newRule.Direction = rule.Direction
        newRule.Interfaces = rule.Interfaces
        newRule.InterfaceTypes = rule.InterfaceTypes
        newRule.Grouping = rule.Grouping
        newRule.Profiles = rule.Profiles
        newRule.EdgeTraversal = rule.EdgeTraversal
        newRule.Action = rule.Action
        newRule.Enabled = rule.Enabled

        ReDim Preserve copies(count)
        Set copies(count) = newRule
        count = count + 1
    End If
Next

If count = 0 Then
    WScript.Echo "FAIL: Did not perform the remove/add operation. No rule found for " & AppPath & " (check the path and its case)."
    WScript.Quit 1
End If

' Pass 2: remove the original rules. INetFwRules.Remove takes a rule name and
' removes every rule with that name, so a name is only passed once.
For i = 0 To count - 1
    alreadyRemoved = False
    For j = 0 To i - 1
        If copies(j).Name = copies(i).Name Then alreadyRemoved = True
    Next
    If Not alreadyRemoved Then
        RulesObject.Remove copies(i).Name
        WScript.Echo "Removed application rule """ & copies(i).Name & """"
    End If
Next

' Pass 3: add the copies back so the path is resolved on the current node.
For i = 0 To count - 1
    RulesObject.Add copies(i)
    WScript.Echo "Added application rule """ & copies(i).Name & """"
Next
WScript.Quit 0

'---References
' [1] http://msdn.microsoft.com/en-us/library/aa365344(v=VS.85).aspx
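The second half of the workaround, registering a scheduled task on each node that runs the script when Event ID 1201 is logged, and a check that the rule is present after a failover, as an added example that is not part of the original article. The script path, task name and application path are assumed placeholders. schtasks.exe is used rather than Register-ScheduledTask because the ScheduledTasks cmdlets are not available on Windows Server 2008 or 2008 R2.

```powershell
# Added example (not from the KB article). Run in an elevated PowerShell
# prompt on every cluster node. Assumed values: the script location, task
# name and application path below are placeholders.
$ScriptPath = 'C:\Scripts\RecreateFwRule.vbs'          # assumed: local, admin-writable only
$TaskName   = 'Recreate firewall rule after failover'  # assumed task name
$AppPath    = 'C:\temp\myapp.exe'                      # must match AppPath in the script

# XPath filter for the event trigger: only event 1201 from the cluster service
# in the System log is matched.
$Query = "*[System[Provider[@Name='Microsoft-Windows-FailoverClustering'] and EventID=1201]]"

# Create (or replace, /F) the task. It runs as SYSTEM so it can modify firewall
# rules; //B and //NoLogo keep cscript from showing dialogs or banners.
& schtasks.exe /Create /F /TN $TaskName /SC ONEVENT /EC System /MO $Query `
    /RU SYSTEM /RL HIGHEST /TR "cscript.exe //B //NoLogo `"$ScriptPath`""
if ($LASTEXITCODE -ne 0) { throw "schtasks.exe /Create failed with exit code $LASTEXITCODE" }

# Confirm the task and its trigger were stored as intended.
& schtasks.exe /Query /TN $TaskName /V /FO LIST

# Verification after a failover: query the same COM interface the script uses
# and confirm an enabled rule exists for the application on the node that
# now owns the shared drive. Note that -eq is case insensitive in PowerShell,
# unlike the = comparison in the VBScript.
$fw    = New-Object -ComObject HNetCfg.FwPolicy2
$rules = @($fw.Rules | Where-Object { $_.ApplicationName -eq $AppPath })
if ($rules.Count -eq 0) {
    Write-Warning "No firewall rule found for $AppPath on $env:COMPUTERNAME"
} else {
    $rules | Select-Object Name, Enabled, Direction, Protocol, LocalPorts, Profiles | Format-List
}
```

After a planned failover, check the task history on the new owner node and run the verification part again; if the application is still blocked although the rule is listed, the script did not run or did not find the rule by the exact path.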


Properties

Article ID: 2568645 - Last Review: Jun 20, 2011 - Revision: 1
