Windows XP Service Pack 2 with IP Office Applications Via Active Directory Group Policy
Introduction
Avaya provides a well-written Technical Tip (Bulletin no: 49) that describes how to configure the new Windows Firewall for IP Office Applications. A batch file script is included that makes most of the changes for you. You can find this Bulletin here: http://support.avaya.com/elmodocs2/ip_office/emea/emea_techtip_049_Windows_XP_service_pack_2.pdf
My goal in this article is to show you how to make these same settings one time at a global level, and then automatically push the configuration to every client in your Active Directory Domain.
Requirements:
Note that you cannot create the Group Policy from a Domain Controller unless you update the ADM files on the server. My advice is to use the “Admin Workstation” as described above. Doing so will ensure that the Group Policy has the new ADM files from Service Pack 2. Without the updated ADM files, the Windows Firewall settings described below will not be available.
Network:
In this article there are three network devices that we have to let through the Windows Firewall. Your network may be set up differently.
Exchange 2003 Server: 10.0.10.4
IP Office: 10.0.40.1
IMS Server (Win2k3): 172.16.40.9
Create the Group Policy
Start the Group Policy Management Console (ensure that your account has the proper permissions)
Right-click on the Organizational Unit that contains the PCs you want to configure and choose “Create and Link a GPO Here…”

Give your Group Policy a smart name.

Now right-click on the Policy and choose “Edit”

Navigate to the Domain Profile.

Notice that you will be configuring the “Computer Configuration”. THIS IS IMPORTANT. You MUST have computers in the Organizational Unit, not users.
Define Program Exceptions
Double-click on Define program exceptions
Enable the Policy, and click “Show”

Next, click “Add…” to add the IP Office programs to the exception list.
Add the following entries:
C:\Program Files\Avaya\IMS Client\UMSForm.exe:172.16.40.9:enabled:MS Exchange Form Server (Avaya IMS)
C:\Program Files\Avaya\IP Office\Phone Manager\PhoneManager.exe:10.0.40.1:enabled:Avaya IPOffice - Phone Manager
C:\Program Files\Avaya\IP Office\Phone Manager\iClaritySvr.exe:10.0.40.1:enabled:Avaya IPOffice - Phone Manager VOIP Server
Note that you will probably need to change the IP addresses to reflect your network.
Click OK > OK
You may need additional Program Exceptions. Here is a list of possible IP Office applications that you may have installed:
C:\Program Files\Avaya\IP Office\Manager\manager.exe
C:\Program Files\Avaya\IP Office\Manager\upgradewiz.exe
C:\Program Files\Avaya\IP Office\CallStatus\callstatus.exe
C:\Program Files\Avaya\IP Office\KeyServe\keyserve.exe
C:\Program Files\Avaya\IP Office\Monitor\sysmonitor.exe
C:\Program Files\Avaya\IP Office\Voicemail Server\VMLite.exe
C:\Program Files\Avaya\IP Office\Phone Manager\PhoneManager.exe
C:\Program Files\Avaya\IP Office\Phone Manager\iClaritySvr.exe
C:\Program Files\Avaya\Interaction Manager\iContact\icontact.exe
C:\Program Files\Avaya\IMS Client\UMSForm.exe
C:\Program Files\Avaya\IP Office\SoftConsole\SoftConsole.exe
C:\Program Files\Avaya\IP Office\CCC\DeltaServer\DeltaServer.exe
C:\Program Files\Avaya\IP Office\CCC\DeltaServer\DeltaServerService.exe
C:\Program Files\Avaya\IP Office\CCC\DeltaServer\DeltaServerManagementAssistant.exe
These programs should only be added to the Exception List if they are installed. Every environment is different.
Define Port Exceptions
Double-click on Define port exceptions
Enable the Policy, and click “Show”
Next, click “Add…” to add the specific Ports to the exception list.
Add the following entries:
67:UDP:172.16.40.9:enabled:IMS UDP Port 67
69:UDP:172.16.40.9:enabled:IMS UDP Port 69
135:TCP:172.16.40.9:enabled:IMS TCP Port 133
2000:TCP:172.16.40.9:enabled:IMS TCP Port 2000
50791:UDP:172.16.40.9:enabled:
50799:UDP:172.16.40.9:enabled:
4102:UDP:10.0.40.1:enabled:IP OFFICE UDP Port 4102
1184:UDP:10.0.10.4:enabled:Emailserver (IMS)
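The program and port lists above use the layouts path:scope:status:name and port:protocol:scope:status:name, and every entry in this article limits scope to one server address. The Python audit below is an added example, not part of the original article or Avaya's batch file; it flags entries whose scope is wider than specific hosts. The function names and the last two sample entries are constructed for illustration.

```python
import ipaddress
import re

# Layouts from this page; scope may also be "*" or "localsubnet" in this policy.
PORT_RE = re.compile(r"^(\d+):(TCP|UDP):([^:]*):(enabled|disabled):(.*)$", re.I)
PROG_RE = re.compile(r"^((?:[A-Za-z]:)?[^:]+):([^:]*):(enabled|disabled):(.*)$", re.I)

def scope_findings(scope):
    """List the reasons a scope field is wider than specific hosts."""
    findings = []
    for item in (s.strip() for s in scope.split(",")):
        if item == "*":
            findings.append("scope '*' admits any source address")
        elif item.lower() == "localsubnet":
            findings.append("scope 'localsubnet' admits the whole local subnet")
        else:
            try:
                net = ipaddress.ip_network(item, strict=False)
                if net.num_addresses > 1:
                    findings.append(f"scope {item} covers {net.num_addresses} addresses")
            except ValueError:
                findings.append(f"scope item {item!r} is not an address or subnet")
    return findings

def audit(entry):
    """Return (kind, target, findings) for one exception string."""
    m = PORT_RE.match(entry)
    if m:
        port, proto, scope = int(m.group(1)), m.group(2).upper(), m.group(3)
        findings = scope_findings(scope)
        if not 1 <= port <= 65535:
            findings.append(f"port {port} is out of range")
        return "port", f"{port}/{proto}", findings
    m = PROG_RE.match(entry)  # the drive-letter colon is part of the path
    if m:
        return "program", m.group(1), scope_findings(m.group(2))
    return "unknown", entry, ["entry does not match either layout"]

# First two entries are from the page; the last two are constructed.
SAMPLE = [
    r"C:\Program Files\Avaya\IP Office\Phone Manager\PhoneManager.exe:10.0.40.1:enabled:Avaya IPOffice - Phone Manager",
    "4102:UDP:10.0.40.1:enabled:IP OFFICE UDP Port 4102",
    "135:TCP:*:enabled:constructed wide-open rule",
    "2000:TCP:172.16.40.0/24:enabled:constructed subnet rule",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(*audit(entry))
```

An empty findings list means the entry is restricted to individual host addresses, as the entries in this article are.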
Relax COM Objects Security
This is also done through Group Policy. Create a NEW Group Policy using the methods above. Give it a smart name like “COM Settings for IMS (Avaya)”.
Edit the Policy by right-clicking on it and choosing “Edit”

Navigate to “Security Options”

Find the two DCOM Policies and double-click on DCOM: Machine Access Restrictions in Security…
Click “Define this policy setting” and choose Edit Security

Ensure that ANONYMOUS LOGON has the following settings:

Click OK > OK
In the same way, edit DCOM: Machine Launch Restrictions in Security…
Ensure that the Everyone group has all of the permissions below:

Click OK > OK when you are done. Close the Group Policy.
Even though these changes have been made at the Domain Level (via Group Policy), the Windows XP machine may not see the changes right away. Windows 2003 Domains replicate pretty quickly. However, you may have to wait 5 to 15 minutes before the Policy has completely replicated in Windows 2000 Domains. Network topology and geographic location may also affect replication.
In addition to DC-to-DC replication, the XP Workstation also needs to receive the new Group Policy settings. You can speed things along by forcing an update: run the command gpupdate /force at the command line. While not always necessary, it is recommended that you reboot when prompted.
After you reboot, you should be able to use Integrated Messaging, and the other IP Office applications.
Final tip: When configuring the Windows Firewall Policy, you may want to enable logging. This can be helpful when trying to determine why a program is not working.

If you have any questions, or would like to add to this HOW_TO, please feel free to email me at: ebrux@mvps.org