Sophos Client Firewall: installation with PureMessage for Windows/Exchange
PureMessage for Windows/Exchange has particular network access requirements which are not supported by the default configuration of Sophos Client Firewall.
This article describes the firewall rules that you must use when you install PureMessage for Windows/Exchange on a non-server Windows platform (Windows 2000 Professional and later) with Sophos Client Firewall. As Sophos Client Firewall does not support server platforms, settings for Exchange, NNTP and POP3 are not described here.
What to do
See the Sophos Client Firewall user manual for details on how to configure the Sophos Client Firewall.
1. Before you start
- It is assumed that Sophos Anti-Virus and Sophos Client Firewall are already installed on the target computer, and that Sophos Client Firewall has default installation settings (default rules).
- In cases where PureMessage for Windows/Exchange (console only) will be installed on a system with Internet Information Services (IIS), all rules described here must be applied. This is regardless of whether IIS is being used.
- It is recommended that you run Sophos Client Firewall in interactive mode.
Note: If you are running a full PureMessage for Windows/Exchange installation with local database option, you must use interactive mode unless SQL server (or MSDE) is already present on the system.
2. Applying rules
When you install PureMessage for Windows/Exchange on a computer with Sophos Client Firewall in interactive mode (with default rules), several applications may be reported as requesting access to the network. You can ignore (block) the requests from all of them, except for the InstallShield program IDriver.exe where a full installation of PureMessage for Windows/Exchange with a remote database was selected in the installer (see below).
- The common settings apply to all types of installations, including console-only installations.
- Instructions for local and remote databases follow.
The steps below must be performed before the installation process.
3. Common settings
Do as follows before installing PureMessage for Windows/Exchange. Use the tabbed pages in the Sophos Client Firewall configuration editor. For details on editing, see the user manual.
- Check that DNS is correctly configured
- If name resolution is correctly configured (i.e. you can ping other computers in the domain), use the LAN tab in the Sophos Client Firewall configuration editor to enable NetBIOS for the following:
- the domain controller's address, e.g. 192.168.1.1
- the address of the computer where PureMessage for Windows/Exchange is to be installed, e.g. 192.168.1.2
- If name resolution does not work properly (i.e. you cannot ping other computers in the domain), set a rule in the LAN tab of the Sophos Client Firewall configuration editor. For example, add 192.168.1.0 (255.255.255.0) where 192.168.1.1 is the domain controller's IP address and 255.255.255.0 is the subnet mask.
- In the Applications tab, add rules for:
- svchost.exe (usual location C:\[Windows]\system32)
Add the following custom rule to any existing rules for svchost.exe:
Where the protocol is TCP
and the direction is Outbound
and the local port is 1030
Allow it
- mmc.exe (usual location C:\[Windows]\system32)
Add the following custom rule:
Where the protocol is TCP
and the direction is Outbound
and the local port is 1711, 135 (DCOM)
Allow it
- inetinfo.exe (usual location C:\[Windows]\system32\inetsrv)
Add the custom rule: TCP, outbound, local port 1123.
- In the Processes tab (allow hidden processes launch), add:
- svchost.exe
- If SMTP is in use, also add a custom rule in the Applications tab for inetinfo.exe: TCP, inbound, local port SMTP.
- Apply your rules.
- If IIS is installed on the computer, restart it. (Open a command prompt and type 'iisreset'.)
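Because these rules are tied to specific process names and local port numbers, it is worth confirming on the computer being configured which process actually owns each listening port before and after applying them: 1030, 1711 and 1123 sit in the range (1025-5000) that Windows 2000/XP assigns dynamically, so they can differ from one machine to another. The Python script below is an added example, not Sophos code. It parses `netstat -ano` output (a constructed sample is embedded) together with a constructed PID-to-image mapping of the kind `tasklist` gives, and lists listeners owned by svchost.exe, mmc.exe or inetinfo.exe that the article's rule table does not cover, so you can decide whether each one needs a rule or should stay blocked. The rule table and sample data are assumptions made for the demonstration; ARTICLE_RULES can be extended with the SQL Server rules from sections 4 and 5.

```python
"""Cross-check listening sockets against the local-port rules from the article.

Added example, not Sophos material. The netstat and tasklist data below are
constructed samples in the Windows 2000/XP output format.
"""

# Rules from the article's "Common settings": image name -> {(protocol, local port)}.
# Port 25 is the SMTP rule, which the article requires only if SMTP is in use.
ARTICLE_RULES = {
    "svchost.exe": {("TCP", 1030)},
    "mmc.exe": {("TCP", 1711), ("TCP", 135)},
    "inetinfo.exe": {("TCP", 1123), ("TCP", 25)},
}

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:1030           0.0.0.0:0              LISTENING       812
  TCP    127.0.0.1:1123         0.0.0.0:0              LISTENING       1204
  TCP    127.0.0.1:1711         0.0.0.0:0              LISTENING       1456
  TCP    192.168.1.2:1732       192.168.1.1:445        ESTABLISHED     4
  UDP    0.0.0.0:123            *:*                                    812
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed PID -> image name mapping, as `tasklist` would report it.
SAMPLE_PIDS = {4: "System", 812: "svchost.exe", 1204: "inetinfo.exe", 1456: "mmc.exe"}


def parse_netstat(text):
    """Return (proto, local_ip, local_port, state, pid) tuples from `netstat -ano` text."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header and blank lines
        local_ip, local_port = fields[1].rsplit(":", 1)
        # TCP rows have five columns (state present); UDP rows have four (no state).
        state = fields[3] if len(fields) == 5 else ""
        rows.append((fields[0], local_ip, int(local_port), state, int(fields[-1])))
    return rows


def uncovered_listeners(rows, pid_names, rules):
    """Listening sockets owned by a process named in `rules` but on a port `rules` omits.

    Established TCP connections are skipped: the article's rules describe local
    ports the programs open, not the transient ports of outgoing connections.
    """
    gaps = set()
    for proto, _ip, port, state, pid in rows:
        name = pid_names.get(pid)
        if name not in rules:
            continue  # process the article does not mention (e.g. System)
        if proto == "TCP" and state != "LISTENING":
            continue
        if (proto, port) not in rules[name]:
            gaps.add((name, proto, port))
    return sorted(gaps)


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for name, proto, port in uncovered_listeners(rows, SAMPLE_PIDS, ARTICLE_RULES):
        print(f"{name:14} {proto} local port {port}: no rule in the article's table, review")
```

On a live machine, replace the two samples with the actual `netstat -ano` output and a PID map built from `tasklist`; anything the script reports is a listener the article's rule set neither allows nor mentions, which in interactive mode will surface as a prompt when the program first uses it.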
If you are running a full installation of PureMessage for Windows/Exchange (rather than a console-only installation), you will also need to do one of the following.
4. Full PureMessage for Windows/Exchange (local database)
If there is no instance of SQL Server (or MSDE) on the system, put Sophos Client Firewall into interactive mode before installation. During installation SQL Server will require network access. Access must be enabled in a pop-up dialog (either 'Add to checksums' or 'Replace existing checksum').
If an instance of SQL Server is already present, add the following rules:
- In the Applications tab, add sqlserver.exe (or the equivalent program) and then add the following rules for it:
- TCP, outbound, local ports 1026, DCOM (or 135)
- UDP, outbound, local port MS_SQL_M (or 1434)
- Apply the rules.
5. Full PureMessage for Windows/Exchange (remote database)
In this case, Sophos Client Firewall must be configured to allow internet access for the InstallShield program IDriver.exe. However, if IDriver.exe is not already present on the computer, rules cannot be configured for it. As a workaround:
- Run the PureMessage for Windows/Exchange installer and when it reaches the 'Welcome' screen, abort the installation. IDriver.exe should now be in the following path:
%programfiles%\Common Files\InstallShield\Driver\7\Intel32\IDriver.exe
- In the Applications tab, add sqlserver.exe (or the equivalent program).
- Add the following rules for this program:
- TCP, outbound, remote port 2251
- UDP, outbound, remote port MS_SQL_M (or 1434)
- Apply the rules.
If you need more information or guidance, then please contact technical support.
- Article ID: 15326
- Created: 8 Jun 2006
- Last updated: 3 Nov 2006
