[dev.icinga.com #12925] Open firewall during Icinga 2 Windows agent

[icinga-migration]

This issue has been migrated from Redmine: https://dev.icinga.com/issues/12925

Created by twidhalm on 2016-10-14 11:40:40 +00:00

Assignee: elippmann
Status: New
Target Version: (none)
Last Update: 2016-10-17 13:01:25 +00:00 (in Redmine)

Backport?: Not yet backported
Include in Changelog: 1

---

Hi,

I just learned from a Windows admin at a customers that it's best practice that Windows install routines should open firewall ports and bind them to the corresponding .exe file no matter if the firewall is running on the host or not.

It might be a good idea to make the Windows install routine accord to the Microsoft best practices.

Cheers,
Thomas

[icinga-migration]

Updated by twidhalm on 2016-10-14 12:03:24 +00:00

I'm sorry I have to rephrase request to make it a bit more precise. We did not find a official best practice guide from Microsoft that says that an installer should open the firewall ports. But we can not verify what Microsoft want installers to do.

What we have:

• A document (for game developers) that shows how an installer can open a firewall port
• An experienced Windows admin who tells me that it is common practice for installers from big vendors (and Microsoft themself) to open ports automatically.

As a *nix admin I wouldn't want any installer messing with my firewall but maybe life's different in a Windows world.

Maybe we should check if someone in the team has connections to Microsoft developers that could verify whether this is a best or just a common practice.

[icinga-migration]

Updated by twidhalm on 2016-10-14 12:24:37 +00:00

I just talked to @cstein and he said that many Windows installers offer an option to set a firewall exception.

So maybe it would be nice to have a checkbox / cli flag to add a firewall exception. Either during installation ( icinga2.msi /q /firewall ) or during the first-run-wizard. The later would offer the possibility to open the firewall not to the world but only to the masters / slaves the agent should connect to.

[icinga-migration]

Updated by twidhalm on 2016-10-17 13:01:25 +00:00

• Assigned to set to elippmann

I talked to @cstein again about making this configurable.

While we don't know what Microsoft best practices say we both think an optional firewall configuration might be the best way to go. Some things to consider:

• using a checkbox during graphical installation and a commandline option during silent installation to open the default port for the icinga2.exe file to the world might be enough for most users
• setting the firewall during the first run wizard or @cstein s kickstart script would allow to open the firewall connection just for the icinga 2 masters or slaves and maybe use a custom port might be better. I don't know if Windows permissions allow doing so.
• If we restrict the connection from/to the masters then we should use a prominent info for the user because new masters will not be allowed to connect to the agent.

@ELippmann , could you consider including this feature into to msi installer or the first run wizard?

[dnsmichi]

Ask @lippserd directly for a raised priority on this.

[dnsmichi]

wixtoolset/issues#5869

[dnsmichi]

With the new Icinga for windows package developed by @LordHepipud this won't be taken into account for future development iterations. Learn more about this new project here: https://icinga.com/2019/11/05/icinga-for-windows-rc-available/