You are currently offline, waiting for your internet to reconnect

Firewall exceptions not honored after cluster failover

Consider the following scenario:
•         You have a computer that is running Windows Server 2008 or Windows Server 2008 R2.  
•         You install the Failover Clustering feature 
•         You install an application to a shared cluster drive
•         You create a Firewall application exception rule for the application

In this scenario, when the resources fail over to another node, the Firewall service blocks network traffic to the application.

This issue occurs because the volume ID portion of the path to the application in the Firewall rule is different than when the Firewall rule was added. Thus, the Firewall service does not find the matching rule and blocks the traffic.
To work around the issue, write a script that utilizes the Firewall service script INetFwRule Interface to delete and recreate the appropriate rules.  
Then create a scheduled task that is triggered by the Event ID 1201 (The Cluster service successfully brought the clustered service or application '{name}' online.)

More information on the INetFwRule interface can be found below:

Here is an example of such a script:
' Sample Code is provided for the purpose of illustration only and is not intended to be ' used in a production environment. THIS SAMPLE CODE AND ANY RELATED INFORMATION ARE PROVIDED ' "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED ' TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. We ' grant You a nonexclusive, royalty-free right to use and modify the Sample Code and to ' reproduce and distribute the object code form of the Sample Code, provided that. ' You agree: ' (i) to not use Our name, logo, or trademarks to market Your software product in ' which the Sample Code is embedded; ' (ii) to include a valid copyright notice on Your software product in which the Sample Code ' is embedded; and ' (iii) to indemnify, hold harmless, and defend Us and Our suppliers from and against ' any claims or lawsuits, including attorneys’ fees, that arise or result from the ' use or distribution of the Sample CodeOption ExplicitDim ruleDim successsuccess = FALSE' Add your application path and name below, ' NOTE:  Case SensitiveConst AppPath = "C:\temp\myapp.exe"' Create the FwPolicy2 object.Dim fwPolicy2Set fwPolicy2 = CreateObject("HNetCfg.FwPolicy2")' Get the Rules objectDim RulesObjectSet RulesObject = fwPolicy2.RulesFor Each rule In Rulesobject    if (rule.ApplicationName = AppPath) then                Dim newApplication            Set newApplication = CreateObject("HNetCfg.FWRule")            ' Copy the Firewall Rule        newApplication.Action = rule.Action        newApplication.ApplicationName = rule.ApplicationName        newApplication.Description = rule.Description        newApplication.Direction = rule.Direction        newApplication.EdgeTraversal = rule.EdgeTraversal        newApplication.Enabled = rule.Enabled        newApplication.Grouping = rule.Grouping        newApplication.Interfaces = rule.Interfaces        newApplication.LocalAddresses = rule.LocalAddresses        newApplication.Name = rule.Name        newApplication.Profiles = rule.Profiles        newApplication.RemoteAddresses = rule.RemoteAddresses        newApplication.ServiceName = rule.ServiceName                'Remove the Firewall Rule        RulesObject.Remove(rule.Name)                WScript.Echo "Removed application """ & newApplication.Name & """"                'Add back the Firewall Rule        RulesObject.Add(newApplication)                WScript.Echo "Added application """ & newApplication.Name & """"        success = TRUE    end ifNextIf success = FALSE Then    WScript.Echo "FAIL: Did not perform the remove/add operation to the application.  Perhaps the AppPath does not exist"   End If'---References' [1]

Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Article ID: 2568645 - Last Review: 06/20/2011 13:51:00 - Revision: 1.0

  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 Enterprise
  • KB2568645