Some people don’t like to enable the Windows Firewall on Windows Server 2008 (R2) servers, because of the (little) extra server administration or for other undefinable reasons 😉 . I think that is the wrong decision, because the Windows Firewall gives you extra protection against attacks from the LAN and the like.

More and more applications need the Windows Firewall to be enabled, for example during the installation of Exchange 2010. There the Windows Firewall cannot be disabled, because the setup procedure wants to create firewall rules.

If you disable the Windows Firewall on, for instance, a Configuration Manager Primary Site server with SQL Server installed, you will never get your site into a healthy state. Configuration Manager 2012 wants to be able to check that ports 1433 and 4022 are open, so that the Configuration Manager database on the SQL server is reachable.

When you look at the SMS_HIERARCHY_MANAGER component status you will see the following error messages.


Hierarchy Monitor detected that ConfigMgr SQL Server …. ports 1433, 4022, are not active on Firewall exception.

To fix this you need to enable the Windows Firewall on the server. If you really don’t want to use the Windows Firewall, which I would not recommend, you can always disable the Domain Profile in the Windows Firewall.

Domain profile disabled

But if you ask me, just use the recommended settings and create firewall exception rules for the (in this case) TCP ports 1433 and 4022.

Service: The way we like it...

Firewall Profiles: The way we like it...

Firewall exception rules: The way we like it...
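
The three settings shown above (service, profiles, exception rules) can also be applied from an elevated PowerShell prompt. This is an added example, not part of the original post; it uses netsh so it also runs on Windows Server 2008 R2, and the rule names and the choice of the domain profile for the rules are assumptions.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# netsh is used instead of the NetSecurity cmdlets so this works on Server 2008 R2.

# Assumption: the rule names are illustrative. The ports are the ones named in the post.
$rules = @(
    @{ Name = 'ConfigMgr-SQL-TCP-1433';        Port = 1433 },
    @{ Name = 'ConfigMgr-SQL-Broker-TCP-4022'; Port = 4022 }
)

# 1. Service: the Windows Firewall service (MpsSvc) starts automatically and is running.
Set-Service -Name MpsSvc -StartupType Automatic
if ((Get-Service -Name MpsSvc).Status -ne 'Running') {
    Start-Service -Name MpsSvc
}

# 2. Firewall profiles: switch Domain, Private and Public back on.
netsh advfirewall set allprofiles state on | Out-Null

# 3. Exception rules: add each inbound allow rule only if it does not exist yet.
#    netsh returns a non-zero exit code when no rule matches the given name.
foreach ($rule in $rules) {
    netsh advfirewall firewall show rule "name=$($rule.Name)" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        # Assumption: the site systems reach this server over the domain profile.
        netsh advfirewall firewall add rule "name=$($rule.Name)" `
            dir=in action=allow protocol=TCP "localport=$($rule.Port)" profile=domain
    }
}

# Show the resulting profile state and the two rules for a quick visual check.
netsh advfirewall show allprofiles state
foreach ($rule in $rules) {
    netsh advfirewall firewall show rule "name=$($rule.Name)"
}
```

After the next Hierarchy Monitor cycle the SMS_HIERARCHY_MANAGER component status should no longer report the ports as missing from the firewall exceptions.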