Windows Firewall / Internet Connection Firewall



The information in this article applies to the following products:

• Prism Deploy, all versions

Problem:

Turning on the Windows Firewall on a Windows XP workstation (it is enabled automatically by Service Pack 2) or the Internet Connection Firewall on Windows 2003 Server may interfere with communication between Prism clients and the Prism Channel Server.

Solution:

Certain ports must be opened in the firewall for the Prism Channel Server and the managed clients to communicate. In most cases the File and Printer Sharing ports (137/UDP, 138/UDP, 139/TCP and 445/TCP) are all that need to be opened, and in many cases they are already open by default.

Explanation: Windows XP Pro systems that had one or more shares configured before SP2 was installed will have File and Printer Sharing enabled by default when the Windows Firewall is installed. See Figure 1. The Internet Connection Firewall that is part of Windows 2003 Server does not have any ports open by default.

• If you want to install the Prism client on computers using the direct method through the Console, the firewall on the target computers must allow File and Printer Sharing. The subscription method of installing the client is not affected by the firewall settings. If your Prism client PCs were polling correctly before SP2, they will still poll correctly after SP2 is installed; you do not need to do anything unless you want to direct-install again and File and Printer Sharing is not already enabled.


Figure 1

• If you want to deploy Tasks (Prism Packages, Scripts or other executables) that reside on a system with the firewall activated, you need to allow File and Printer Sharing on that system. For example, if you have a Package Task pointing to \\Server1\Prism\MyApp.pwc and Server1 is a Windows 2003 Server with the firewall enabled, you will have to open the File and Printer Sharing ports on Server1.

• If your Prism Channel Server resides on a system with the firewall enabled (for example, Windows 2003 Server), you need to open port 3133/TCP so that the Prism clients can communicate with the server. If your Task files (Prism Packages, Scripts, etc.) reside on the same server, you will also have to enable File and Printer Sharing if it is not already enabled by default. See Figures 2 and 3. Note: We do not recommend running the Prism Channel Server on a Windows XP workstation, because workstations are limited to 10 concurrent connections.

Figure 2

Figure 3

• It is possible to use a Prism Package to enable File and Printer Sharing on the firewall. Figure 4 shows the necessary settings. This Package was created by taking a baseline Picture on an XP Pro SP2 system with only Remote Assistance enabled, opening the File and Printer Sharing ports, adding the Prism port (3133/TCP), then finding changes. The Package can be installed to temporarily open the necessary ports on a target machine, for example if you plan to use the direct method to upgrade the client. After the upgrade, the Package can be uninstalled to close the ports again.


Figure 4
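The same temporary open/close workflow can also be scripted rather than captured in a Package. The batch file below is an added example, not part of the original article or of the Prism product; it uses the legacy netsh firewall context that ships with Windows XP SP2 and Windows Server 2003, and the rule name "Prism Channel Server" and the SUBNET scope are choices made here, not settings the article specifies.

```batch
@echo off
rem Added example (not from the original article or the Prism product).
rem Opens or closes the firewall ports Prism Deploy needs on a Windows XP SP2
rem or Windows Server 2003 host, using the legacy "netsh firewall" context.
rem Usage:  prism-fw.cmd open     (before a direct install / upgrade)
rem         prism-fw.cmd close    (afterwards)

if /i "%~1"=="open"  goto :open
if /i "%~1"=="close" goto :close
echo Usage: %~nx0 open^|close
exit /b 1

:open
rem File and Printer Sharing covers 137/UDP, 138/UDP, 139/TCP and 445/TCP.
rem scope=SUBNET limits the opening to the local subnet instead of all addresses.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET
rem Prism clients reach the Channel Server on 3133/TCP (rule name chosen here).
netsh firewall set portopening protocol=TCP port=3133 name="Prism Channel Server" mode=ENABLE scope=SUBNET
goto :show

:close
rem Caution: if this host relied on File and Printer Sharing before (for example
rem an XP system with shares configured before SP2), disabling it here removes
rem that access too; in that case remove only the Prism port.
netsh firewall set service type=FILEANDPRINT mode=DISABLE
netsh firewall delete portopening protocol=TCP port=3133
goto :show

:show
rem Print the resulting configuration so the change can be verified.
netsh firewall show config
exit /b 0
```

Run it from an elevated command prompt on the host whose firewall is being changed; the final "show config" output lists the services and open ports that are actually in effect.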