HP Systems Insight Manager Firewall Rules

As part of a deployment of HP Systems Insight Manager (HP SIM) onto Windows Server 2012, it was necessary to allow the required ports through the Windows Firewall to pass the pre-requisites check.

Unfortunately, HP SIM seems to be somewhat annoying and has a list of 52 (yes, you read that right!) ports that need opening. What’s more, you can’t use ranges as this causes the pre-requisites checker to fail. HP’s solution is to disable the firewall (they also tell you to disable UAC – which is similarly mad but that’s another rant) but obviously this isn’t good enough for any half-way secure infrastructure.

The solution is to use netsh to create the required rules. With a bit of magic, here are the commands you need to run to add all 52 rules in one easy copy and paste:

netsh advfirewall firewall add rule name="HP SIM - FTP (TCP 21)" dir=in protocol=tcp localport=21 action=allow
netsh advfirewall firewall add rule name="HP SIM - SSH (TCP 22)" dir=in protocol=tcp localport=22 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control Server Deployment (TCP 67)" dir=in protocol=tcp localport=67 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control Server Deployment (TCP 68)" dir=in protocol=tcp localport=68 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control Server Deployment (TCP 69)" dir=in protocol=tcp localport=69 action=allow
netsh advfirewall firewall add rule name="HP SIM - HTTP (TCP 80)" dir=in protocol=tcp localport=80 action=allow
netsh advfirewall firewall add rule name="HP SIM - SNMP (TCP 161)" dir=in protocol=tcp localport=161 action=allow
netsh advfirewall firewall add rule name="HP SIM - SNMP Trap (TCP 162)" dir=in protocol=tcp localport=162 action=allow
netsh advfirewall firewall add rule name="HP SIM - Web server for HP Systems Insight Manager; Web agent auto-start port (TCP 280)" dir=in protocol=tcp localport=280 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control Server Deployment (TCP 401)" dir=in protocol=tcp localport=401 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control Server Deployment (TCP 402)" dir=in protocol=tcp localport=402 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control Server Deployment (TCP 405)" dir=in protocol=tcp localport=405 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control Server Deployment (TCP 406)" dir=in protocol=tcp localport=406 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control Server Deployment (TCP 407)" dir=in protocol=tcp localport=407 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control Server Deployment (TCP 415)" dir=in protocol=tcp localport=415 action=allow
netsh advfirewall firewall add rule name="HP SIM - Harris Stat Scanner Engine (TCP 443)" dir=in protocol=tcp localport=443 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control Server Deployment (TCP 505)" dir=in protocol=tcp localport=505 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control server migration (TCP 1080)" dir=in protocol=tcp localport=1080 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control virtual machine management Control (TCP 1124)" dir=in protocol=tcp localport=1124 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control virtual machine management Agent (TCP 1125)" dir=in protocol=tcp localport=1125 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control virtual machine management Agent (TCP 1126)" dir=in protocol=tcp localport=1126 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control Server Deployment (TCP 1758)" dir=in protocol=tcp localport=1758 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control Server Deployment (TCP 1759)" dir=in protocol=tcp localport=1759 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control Server Migration (TCP 1779)" dir=in protocol=tcp localport=1779 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP ProLiant agents (TCP 2301)" dir=in protocol=tcp localport=2301 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP SIM RMI connection (TCP 2367)" dir=in protocol=tcp localport=2367 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP ProLiant agents (TCP 2381)" dir=in protocol=tcp localport=2381 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control Server Deployment (TCP 4011)" dir=in protocol=tcp localport=4011 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control Server Deployment (TCP 5001)" dir=in protocol=tcp localport=5001 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control Server Deployment (TCP 5002)" dir=in protocol=tcp localport=5002 action=allow
netsh advfirewall firewall add rule name="HP SIM - WBEM Service (TCP 5988)" dir=in protocol=tcp localport=5988 action=allow
netsh advfirewall firewall add rule name="HP SIM - WBEM Service (TCP 5989)" dir=in protocol=tcp localport=5989 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control Server Deployment (TCP 8080)" dir=in protocol=tcp localport=8080 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control Server Deployment (TCP 8081)" dir=in protocol=tcp localport=8081 action=allow
netsh advfirewall firewall add rule name="HP SIM - Matrix Operating Environment (TCP 9143)" dir=in protocol=tcp localport=9143 action=allow
netsh advfirewall firewall add rule name="HP SIM - Matrix Operating Environment (TCP 9617)" dir=in protocol=tcp localport=9617 action=allow
netsh advfirewall firewall add rule name="HP SIM - Matrix Operating Environment (TCP 9618)" dir=in protocol=tcp localport=9618 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Matrix infrastructure orchestration (TCP 16443)" dir=in protocol=tcp localport=16443 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control Virtual Machine Management (TCP 40420)" dir=in protocol=tcp localport=40420 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP ProLiant agents (TCP 49400)" dir=in protocol=tcp localport=49400 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Systems Insight Manager web server (TCP 50000)" dir=in protocol=tcp localport=50000 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Systems Insight Manager SOAP (TCP 50001)" dir=in protocol=tcp localport=50001 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Systems Insight Manager SOAP with client certificate authentication (TCP 50002)" dir=in protocol=tcp localport=50002 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Systems Insight Manager SOAP (TCP 50003)" dir=in protocol=tcp localport=50003 action=allow
netsh advfirewall firewall add rule name="HP SIM - WBEM event receiver (configurable) (TCP 50004)" dir=in protocol=tcp localport=50004 action=allow
netsh advfirewall firewall add rule name="HP SIM - WBEM Events (TCP 50005)" dir=in protocol=tcp localport=50005 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control virtual machine management Web Service (TCP 50010)" dir=in protocol=tcp localport=50010 action=allow
netsh advfirewall firewall add rule name="HP SIM - Matrix Operating Environment (TCP 51001)" dir=in protocol=tcp localport=51001 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control server migration (TCP 51124)" dir=in protocol=tcp localport=51124 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control server migration (TCP 51125)" dir=in protocol=tcp localport=51125 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Insight Control server migration (TCP 51126)" dir=in protocol=tcp localport=51126 action=allow
netsh advfirewall firewall add rule name="HP SIM - HP Matrix infrastructure orchestration (TCP 51443)" dir=in protocol=tcp localport=51443 action=allow

Add those and the pre-requisites checker should no longer fail on the firewall step.
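One thing worth noting about the netsh lines above is that, without a remoteip= or profile= argument, every one of those 52 rules accepts connections from any address on every firewall profile, which is close to the "disable the firewall" outcome HP suggested. The script below is an added example (not part of the original post and not HP's own tooling) that creates the same 52 rules with the NetSecurity cmdlets available on Windows Server 2012, scoped to a management subnet and the Domain profile, and then audits the result so any rule left open to everything is visible. The subnet 10.0.10.0/24 and the group name "HP SIM" are placeholders of mine; the port list and rule names are transcribed from the commands above, still one port per rule so the pre-requisites checker stays happy.

```powershell
# Added example, not from the original post: the 52 inbound rules above,
# created with the NetSecurity cmdlets and scoped to a management subnet and
# the Domain profile instead of "any". 10.0.10.0/24 is a placeholder.
param(
    [string[]]$RemoteAddress = @('10.0.10.0/24'),  # placeholder management subnet
    [string]$Profile = 'Domain',
    [string]$Group   = 'HP SIM'
)

# Port list transcribed from the post, keyed by HP's description of each port.
# One rule per port: the pre-requisites checker rejects port ranges.
$HpSimPorts = [ordered]@{
    'FTP'                                                         = 21
    'SSH'                                                         = 22
    'HP Insight Control Server Deployment'                        = 67,68,69,401,402,405,406,407,415,505,1758,1759,4011,5001,5002,8080,8081
    'HTTP'                                                        = 80
    'SNMP'                                                        = 161
    'SNMP Trap'                                                   = 162
    'Web server for HP Systems Insight Manager; Web agent auto-start port' = 280
    'Harris Stat Scanner Engine'                                  = 443
    'HP Insight Control server migration'                         = 1080,1779,51124,51125,51126
    'HP Insight Control virtual machine management Control'       = 1124
    'HP Insight Control virtual machine management Agent'         = 1125,1126
    'HP ProLiant agents'                                          = 2301,2381,49400
    'HP SIM RMI connection'                                       = 2367
    'WBEM Service'                                                = 5988,5989
    'Matrix Operating Environment'                                = 9143,9617,9618,51001
    'HP Matrix infrastructure orchestration'                      = 16443,51443
    'HP Insight Control Virtual Machine Management'               = 40420
    'HP Systems Insight Manager web server'                       = 50000
    'HP Systems Insight Manager SOAP'                             = 50001,50003
    'HP Systems Insight Manager SOAP with client certificate authentication' = 50002
    'WBEM event receiver (configurable)'                          = 50004
    'WBEM Events'                                                 = 50005
    'HP Insight Control virtual machine management Web Service'   = 50010
}

function New-HpSimFirewallRules {
    foreach ($entry in $HpSimPorts.GetEnumerator()) {
        foreach ($port in @($entry.Value)) {
            $name = "HP SIM - $($entry.Key) (TCP $port)"
            # Idempotent: drop an existing rule of the same name (for example an
            # unscoped one created by the netsh commands) before recreating it.
            $existing = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
            if ($existing) { $existing | Remove-NetFirewallRule }
            New-NetFirewallRule -DisplayName $name -Group $Group -Direction Inbound `
                -Protocol TCP -LocalPort $port -RemoteAddress $RemoteAddress `
                -Profile $Profile -Action Allow | Out-Null
        }
    }
}

function Get-HpSimFirewallRuleScope {
    # Audit: list every rule in the group and flag any that is still reachable
    # from any remote address or enabled on every profile.
    Get-NetFirewallRule -Group $Group | ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Name          = $_.DisplayName
            LocalPort     = ($_ | Get-NetFirewallPortFilter).LocalPort
            RemoteAddress = ($remote -join ',')
            Profile       = [string]$_.Profile
            Unscoped      = ($remote -contains 'Any') -or ([string]$_.Profile -eq 'Any')
        }
    }
}

New-HpSimFirewallRules
Get-HpSimFirewallRuleScope | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; the audit table at the end should show Unscoped as False for all 52 rows. If you would rather stay with netsh, the same tightening is available there by appending remoteip=10.0.10.0/24 profile=domain (again, substitute your own management subnet) to each of the commands above.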