
Posted

We have a working "gold" image that works across all of our machines. Now we want to modify the image so that any time we push the image to a machine, we can immediately remote control that machine. In other words, we want to do the whole reimaging process without ever having anyone touch the machine.

I'm not sure what details would be most helpful, but here are a few: We are imaging XP Pro SP3 machines. Our image was created using sysprep with mini setup, so we have the sysprep.inf file to work with. Our preference was to reopen ports 5862 and 5962 after reimaging for UltraVNC, but we'd also be fine with the ability to RDP to the machine instead.

Here's the drawn-out solution to opening ports 5862 and 5962 that we found that seemed to have the most promise, but of course, didn't (you can skip the rest of this if you already know exactly what we should do).

First, before running sysprep and taking an image, we modified C:\WINDOWS\inf\netfw.inf by adding the necessary ports to the [ICF.AddReg.StandardProfile] section:

[version]
Signature = "$Windows NT$"
DriverVer =07/01/2001,5.1.2600.5512

[DefaultInstall]
AddReg=ICF.AddReg.DomainProfile
AddReg=ICF.AddReg.StandardProfile

[ICF.AddReg.DomainProfile]
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List","%windir%\system32\sessmgr.exe",0x00000000,"%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[ICF.AddReg.StandardProfile]
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List","%windir%\system32\sessmgr.exe",0x00000000,"%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List","5862:TCP",0x00000000,"5862:TCP:LocalSubnet:enabled:UltraVNC_1"
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List","5962:TCP",0x00000000,"5962:TCP:LocalSubnet:enabled:UltraVNC_2"

We tested this change by running "netsh firewall reset" and it worked. The ports were created and opened.

Next, we modified the [unattended] section of C:\sysprep\sysprep.inf to include the following line:

InstallFilesPath=C:\i386

Next, we created C:\i386\$oem$\Cmdlines.txt which contains only the following code:

[Commands]
"C:\i386\$oem$\Build.cmd"

And finally, we created C:\i386\$oem$\Build.cmd which contains only the following code:

netsh firewall reset

Running Build.cmd on its own works fine. But again, in the context of sysprep, all the above changes aren't adding up to solve the issue of reopening the firewall ports. Any ideas?
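As an added audit example (not from this post, and not part of Windows or UltraVNC): a Python script that parses the GloballyOpenPorts entries out of a netfw.inf-style AddReg section and flags entries an image reviewer would question, namely ports scoped to any address (`*`) instead of LocalSubnet, malformed port/protocol fields, and value names that disagree with their data. The INF text is a constructed sample modelled on the lines above; its second entry deliberately uses `*` scope so the check fires.

```python
import re
from typing import Dict, List

# Constructed sample in the netfw.inf AddReg format (assumed to match the post's layout).
SAMPLE_INF = r'''
[ICF.AddReg.StandardProfile]
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List","%windir%\system32\sessmgr.exe",0x00000000,"%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List","5862:TCP",0x00000000,"5862:TCP:LocalSubnet:enabled:UltraVNC_1"
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List","5962:TCP",0x00000000,"5962:TCP:*:enabled:UltraVNC_2"
'''

# One AddReg line: root, quoted key, quoted value name, flags, quoted data.
ADDREG_RE = re.compile(r'^HKLM,"([^"]+)","([^"]+)",0x[0-9A-Fa-f]+,"([^"]+)"$')


def parse_open_ports(inf_text: str) -> List[Dict[str, str]]:
    """Return one dict per GloballyOpenPorts entry found in the INF text."""
    ports = []
    for line in inf_text.splitlines():
        m = ADDREG_RE.match(line.strip())
        if not m or "\\GloballyOpenPorts\\List" not in m.group(1):
            continue  # skip AuthorizedApplications and anything that is not an AddReg line
        profile = m.group(1).split("\\FirewallPolicy\\")[1].split("\\")[0]
        # Data format is port:protocol:scope:state:display-name
        port, proto, scope, state, name = m.group(3).split(":", 4)
        ports.append({"profile": profile, "value_name": m.group(2), "port": port,
                      "proto": proto, "scope": scope, "state": state, "name": name})
    return ports


def audit(ports: List[Dict[str, str]]) -> List[str]:
    """Flag entries that would widen exposure or silently fail to apply."""
    findings = []
    for p in ports:
        if p["proto"] not in ("TCP", "UDP") or not p["port"].isdigit() \
                or not 1 <= int(p["port"]) <= 65535:
            findings.append(f"{p['name']}: malformed port/proto {p['port']}:{p['proto']}")
        if p["value_name"] != f"{p['port']}:{p['proto']}":
            findings.append(f"{p['name']}: value name {p['value_name']} does not match data")
        if p["scope"] == "*":
            findings.append(f"{p['name']}: port {p['port']} open to all addresses, not LocalSubnet")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_open_ports(SAMPLE_INF)):
        print(finding)
```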


Posted

That command did not kick off until after I logged into the imaged computer. It would need to run before login so that we can remote into the computer before it's ever been logged into.

Posted

This inf file modifies the registry to open these ports, and cmdlines.txt is executed in a limited environment, so probably the netsh command is not available. Try to import these keys with a "reg" or "regedt32 regfile.reg" command, which should be available at that time.

Posted

I got the ports to reopen!! Thank you for all your help.

For anyone interested, here's what I did:

1. Modified C:\WINDOWS\inf\netfw.inf to include the two ports I need reopened. I added the ports to the Domain and Standard profiles.

2. Created C:\i386\$oem$\Cmdlines.txt to kick off a .cmd file.

3. Created a .cmd file called C:\i386\$oem$\Build.cmd that runs "netsh firewall reset" to enable the ports defined in netfw.inf

4. Added a pointer to the Cmdlines.txt directory in sysprep.inf in the Unattended section.

5. Added the command in sysprep to have the Administrator auto-login once. It's only after logging in that the Cmdlines.txt file is run and the ports are opened.

So, now that that's out of the way, I have one other thing to do... Enable "File and Printer Sharing" in the firewall after sysprep. I'm guessing it's just going to be another command in netfw.inf or somewhere along the process I just described. But, we'll see. I may post another thread as that is somewhat unrelated, if I can't find a solution soon.

Posted

Found it! The solution is another netsh command: "netsh firewall set service type = fileandprint mode = enable"

It works!! :D
