none
Set-HpcNetwork -EnterpriseFirewall $Null RRS feed

  • Question

  • Hello

    I have a requirement to lock down access through the Enterprise connection of a Windows HPC Server Hednode (Topology 1). I really need to be able to script this configuration, and the Set-HpcNetwork -EnterpriseFirewall $Null powershell command looked like it could be my friend for the HPC part. The docs claim that "A $null value maintains the current firewall settings for the Enterprise across the HPC cluster"

    So, I use netsh to set up the firewall as required, allowing only http/https and a couple of other required things through, then run the Set-HpcNetwork commandlet with appropriate settings expecting the -EnterpriseFirewall $Null setting to leave my lovingly crafted enterprise firewall configuration well alone. Unfortunately this is not what happened. At first everything was as expected, but then the firewall state for all profiles was set to off, I guess when the HPC Management Service next did it's thing.

    I'd like to know if anyone can suggest a workaround for this behaviour please, as the Public HPC Firewall rule group allows through services and ports which are undesirable in our environment.

    For info I've repeated the test using Windows HPC Server 2008 R2 Beta 2 with similar results.

    Any assistance gratefully received

    Dan

    Wednesday, March 31, 2010 3:19 PM

All replies

  • Hi Dan,

    Do I understand correctly that you have observed this behavior with both V2(SP1?) and V3-beta2?

    Which firewall profile does your HPC "Enterprise" network interface get categorized (Domain/Public/Private)?  You can see this by running 'ncpa.cpl' with "Details" view and look at the "Network Category" column...

    Thanks,
    --Brian

    Thursday, April 1, 2010 2:14 AM
  • Hello Brian, thanks for the reply.

    To answer your questions... yes, I have seen this behaviour with both V2(SP1) and V3-beta2. The Enterprise network interface is categorised with the Domain firewall profile on both versions, but the Private interface is Domain profile on my V2 rig, Public profile on the V3Beta2 rig.

    The headnode is configured as the host Domain Controller for the cluster.

    One extra piece of info is that If I use the Network Config Wizard gui to set 'Do not manage firewall settings' everything stays as it should. I would expect Set-HPCNetwork  -EnterpriseFirewall $Null -PrivateFirewall $Null to do the same but this command disables the firewall completely. Of course I can work around the issue by using the gui, but that's not really what I'm after.

    Thanks again for your help.

    Dan

    Thursday, April 1, 2010 12:53 PM
  • Thanks Dan, you've provided some valuable information here and I'll get back to you if I have further questions or confirmed a fix.

    In our NetWiz UI we say 'yes' or 'no' on firewall control for all interfaces at once but it can be 'fine-tuned' per interface via PSH.  I'm guessing we need to investigate the 'fine-tuning' part. ;-)

    --Brian

    PS:  I like the start of your MAD blog at http://windowshpcmad.blogspot.com/.  Hopefully we can work with you to minimize the madness. ;-)

    • Edited by Brian Broker Friday, April 2, 2010 3:58 AM postscript
    Friday, April 2, 2010 3:49 AM
  • Hello Brian

    Thanks very much for the information, much appreciated. If you have more questions feel free to ask.

    Dan

    P.S. New to the blogging game, so my writing style should improve with practise! Hopefully it will be useful to someone somewhere, even if it's just to me as a reminder of something useful I didn't document elsewhere ;)

     

    Tuesday, April 6, 2010 9:20 AM