Beginning with Service Pack 2, Windows XP includes a built-in software firewall that is enabled by default. This firewall restricts all inbound communication, greatly improving the security of Windows XP but also hindering certain legitimate operations. This article discusses the changes required to allow the proper operation of Alter-Ego with the built-in XP firewall, though the same exceptions would apply to any software firewall in use on the console or client PCs.
Most network communication involving the console is outbound, meaning it is unaffected by most software firewalls. However, in the final stages of each migration, the console receives a simple update from each client. A firewall exception must be configured on the console PC to accept this communication. If notification of blocked programs is enabled (the default), the exception can be easily configured by running a network test, which simulates the communication. When the console attempts to accept the connection, a message box will appear notifying the user that the firewall has blocked access for Alter-Ego. Clicking the Unblock button will set a firewall exception to allow the console to receive the network notifications.
Alter-Ego requires a valid network share on each client computer to complete a migration. This share is used to authenticate, copy Alter-Ego data files, install and remove the client services, monitor progress, and retrieve client-side logs from each client. For this reason, a firewall exception must be configured for the File and Print Sharing service to allow network connections from the console PC. This exception can be configured manually, or through a number of automated means.
Special consideration must be given to computers which are joining a domain as part of the migration. When joining a domain, Group Policies of the destination domain may alter the firewall exceptions and rules. Therefore it is important that any Group Policies which may apply to the migrated client are configured to allow the same File and Print Sharing exception for post-migration clients. Failing to do this will result in the PCs being unable to report their status to the console, and the console will be unable to clean up the client-side files and services.
IMPORTANT: Our testing has shown that File and Print Sharing may be blocked by the XP firewall through the application of a domain policy when joining a new domain, even if the policy's firewall options are not configured (i.e. set to "Not Defined"). Therefore it is critical that any policies in the destination domain are created and/or configured with firewall exceptions to allow File and Print Sharing before performing any domain join involving Windows XP clients. More information on setting firewall exceptions through Group Policies can be found here.
In this situation it is likely that the client migration would complete successfully; however, the console will report an error for each client whose actual status it is unable to determine. In the event of a real error, the console will be unable to take appropriate action, which could also result in a corrupt or incomplete migration.
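The following batch script is an added example, not part of the Alter-Ego documentation, showing how the two exceptions described above can be set with the XP SP2 "netsh firewall" context and then verified. CONSOLE_IP and CONSOLE_EXE are assumed placeholder values; the File and Print Sharing exception is scoped to the console's address only, rather than to the whole subnet.

```batch
@echo off
rem Added example (not Alter-Ego's own code). Run as "client" on each client PC
rem or "console" on the console PC. CONSOLE_IP and CONSOLE_EXE are assumed
rem placeholders for the console's address and the console executable path.
set CONSOLE_IP=192.168.1.10
set CONSOLE_EXE=C:\Program Files\Alter-Ego\AlterEgo.exe

if /i "%1"=="client" goto client
if /i "%1"=="console" goto console
echo Usage: %~nx0 client ^| console
exit /b 1

:client
rem Clients: allow File and Print Sharing, but only from the console PC, so the
rem share used for authentication, file copy and log retrieval is not exposed
rem more widely than the migration needs. profile=ALL covers both the domain
rem and standard (workgroup) profiles, which matters when the client changes
rem domain membership during the migration.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=CUSTOM addresses=%CONSOLE_IP% profile=ALL
goto verify

:console
rem Console: the program exception that the "Unblock" dialog would create, so the
rem console can accept the end-of-migration update from each client.
netsh firewall set allowedprogram program="%CONSOLE_EXE%" name="Alter-Ego Console" mode=ENABLE profile=ALL
goto verify

:verify
rem Show the resulting state. Confirm the exception is listed and that the
rem operational mode is not "Shield up", which would override every exception.
netsh firewall show service
netsh firewall show allowedprogram
netsh firewall show opmode
rem If a domain policy defines the File and Print Sharing exception, it is written
rem under this policy key; a policy setting here takes precedence over the local
rem configuration above, which is the post-domain-join behaviour the article warns about.
reg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint" 2>nul
exit /b 0
```

On a client that will join a domain during the migration, re-run the "verify" section after the join to confirm the domain policy has not removed the exception.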