Allow Remote Desktop Services and Ping Through Firewall on Windows Server 2008 R2 or Windows 7
This post in in response to questions on how to turn maintain remote connectivity to a server running Hyper-V with the firewall enabled. The first thing to consider is what inbound traffic you want to enable on the server. If it is a Hyper-V server you should consider if you are just going to use Remote Desktop (RDP / mstsc), SCVMM or Remote management to connect to it. There are white papers written on how to enable remote administration and how to setup SCVMM to remotely connect to a Hyper-V server so I will just leave you with a reference to those and give you the step-by-step for establishing connectivity to the server using PING and Remote Desktop Client.
I am a fan of having ICMP (ping) enabled on all servers so the first thing I will cover is adding the ICMP allow rule. We will then just enable the existing rule for Remote Desktop.
To create a firewall rule for a server Create Firewall Rules in Windows Server 2008 or Windows Server 2008 R2 to allow RDP and ICMP traffic for your servers (same procedure for Windows 7) you have to open “Windows Firewall with Advanced Security” control panel applet. You can get here by typing “firewall” in the search box near the start button and selecting it from the list (likely on top) or you can go to control panel.
Start – Control Panel – System and Security – Windows Firewall – Advanced Settings
This will bring up the Windows Firewall with Advanced Security Screen.
Click on Inbound Rules
The easy way to allow Ping is to enable the existing ICMP rules.
Enable ICMP (PING) Existing Rule(s)
You could scroll down and select File and Printer Sharing (Echo Request – ICMPv4-in) – Right Click and Select Enable Rule (Notice you will have one for multiple networks, you can enable the only the Domain network if you are in a domain environment or enable both if you want to enable on private networks also.
Notice there are ICMPv4 and ICMPv6. If you are using (or plan on using) IPv6 on your network, I would encourage you to “enable” the IPv6 rules as well.
You could also Create a Rule from Scratch but if you do that the default action will be to enable all ICMP traffic instead of just enabling echo requests. If you want to do that… Create a new rule click on New Rule in the Actions pane (upper right corner) or right click on Inbound Rule and select New Rule. Select Custom – All Programs – for Protocol select ICMPv4. If you only want to do Echo Requests you will have to click on Customize, select Specific ICMP Types and Enable only Echo Request. Scope leave at Any Action Leave at Allow the connection. Profile Select the networks you want to have it enabled (usually Domain) and turn off the ones you do not want to have (usually public). Finally on the Name page of the wizard give it a name like (Allow Ping) and click Finish. If you scroll to the top of the inbound rules, you should see your new rule there.
Enable Remote Desktop (mstsc) Existing Rule
You could scroll down and select Remote Desktop (TCP-In) – Right Click and Select Enable Rule (Notice you will have one for multiple networks, you can enable the only the Domain network if you are in a domain environment or enable both if you want to enable on private networks also.
If you want to manually create your own rule, you would use the Predefined: Remote Desktop application or open the TCP Port 3389.
If you want to do Remote Administration on your Hyper-V Server you might also want to check out
Install and Configure Hyper-V Tools for Remote Administration.
If you have System Center Virtual Machine Manager (SCVMM) and you want to enable management of that the easy way to do it is to mount the SCVMM ISO or insert the DVD and run the client application. It can enable Hyper-V if needed and it can also setup all your firewall rules for you.
If your box is actually the SCVMM machine it is far more complicated. Check out SCVMM and Network Ports We Use for Communication