Using the following code I was able to push Firewall settings to multiple machines.

#https://gallery.technet.microsoft.com/scriptcenter/xNetworking-Module-818b3583
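Configuration ScriptTest
{
    # Compiles one MOF per node that clears every Windows Firewall rule on the
    # target. Despite the resource name ("EnableFirewall") it does NOT turn the
    # firewall on: the netsh "state on" line in SetScript is commented out and
    # only Remove-NetFirewallRule -All runs.
    #
    # Fix vs. the original: an extra closing brace after the Node block made
    # the configuration unparseable; it has been removed.
    param
    (
        # Nodes to compile for; each gets <node>.mof in .\ScriptTest (the
        # default OutputPath, a folder named after the configuration).
        [string[]] $NodeName = 'Localhost'
    )

    Import-DscResource -ModuleName 'PSDesiredStateConfiguration'

    Node $NodeName
    {
        Script EnableFirewall
        {
            # Must return a hashtable with at least one key
            # named 'Result' of type String
            GetScript = {
                Return @{
                    Result = [string]$(netsh advfirewall show allprofiles)
                }
            }

            # Must return a boolean: $true or $false.
            # Both branches deliberately return $false so SetScript runs on
            # every LCM evaluation. Combined with ConfigurationMode =
            # ApplyAndAutoCorrect (see SimpleMetaConfigurationForPull) the rule
            # wipe in SetScript is therefore repeated on every consistency check.
            TestScript = {
                # netsh returns an array of lines; -like on an array filters it,
                # so the If is true when at least one "State ... Off" line remains.
                If ((netsh advfirewall show allprofiles) -like "State*off*") {
                    Write-Verbose "One or more firewall profiles are off"
                    Return $false
                } Else {
                    Write-Verbose "All firewall profiles are on"
                    Return $false #return false as well to always run the SetScript on the remote server
                }
            }

            # Returns nothing.
            # Remove-NetFirewallRule -All deletes every rule in the local policy
            # store (built-in rules included); only the two rules declared in
            # DSCFirewallRule are re-created afterwards. The cmdlet comes from
            # the NetSecurity module (Windows 8 / Server 2012 and later).
            SetScript = {
                Write-Verbose "Setting all firewall profiles to on"
                #netsh advfirewall set allprofiles state on
                Remove-NetFirewallRule -All
            }
        }
    }
}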

Configuration DSCFirewallRule
{
    # Compiles one MOF per node declaring two outbound TCP rules through the
    # xNetworking xFirewall resource. Property values are identical to the
    # original declaration; only ordering, alignment and comments differ.
    param
    (
        [string[]] $NodeName = 'Localhost'
    )

    Import-DSCResource -ModuleName xNetworking

    Node $NodeName
    {
        # Rule 1: outbound BLOCK on the Domain and Private profiles.
        # NOTE(review): Service = 'WinRM' scopes this rule to the WinRM service
        # rather than to notepad.exe as Name/DisplayName suggest -- confirm intent.
        xFirewall Firewall1
        {
            Name        = 'NotePadFirewallRule'
            DisplayName = 'Firewall Rule for Notepad.exe'
            Description = 'Firewall Rule for Notepad.exe'
            Ensure      = 'Present'
            State       = 'Enabled'
            Access      = 'Block'
            Direction   = 'OutBound'
            Protocol    = 'TCP'
            Profile     = @('Domain', 'Private')
            LocalPort   = @('9080', '9081')
            RemotePort  = @('8080', '8081')
            Service     = 'WinRM'
        }

        # Rule 2: outbound ALLOW on the Domain and Private profiles.
        # Same Service = 'WinRM' scoping as Firewall1.
        xFirewall Firewall2
        {
            Name        = 'NotePad++FirewallRule'
            DisplayName = 'Firewall Rule for Notepad++.exe'
            Description = 'Firewall Rule for Notepad++.exe'
            Ensure      = 'Present'
            State       = 'Enabled'
            Access      = 'Allow'
            Direction   = 'OutBound'
            Protocol    = 'TCP'
            Profile     = @('Domain', 'Private')
            LocalPort   = @('9086', '9085')
            RemotePort  = @('8082', '8084')
            Service     = 'WinRM'
        }
    }
}

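# Compile the MOFs first: each configuration writes <node>.mof into a folder
# named after itself in the current directory. The original ran New-DSCCheckSum
# before these folders existed and pointed -ConfigurationPath at the
# meta-configuration folder, so the .mof.checksum files placed next to the
# ScriptTest/DSCFirewallRule MOFs were hashes of different files.
ScriptTest -NodeName 'LocalHost', 'server1', 'server2', 'server3'        # creates .\ScriptTest
DSCFirewallRule -NodeName 'LocalHost', 'server1', 'server2', 'server3'   # creates .\DSCFirewallRule

# You only need to create checksums for PULL HTTP(s) methods. Each folder is
# checksummed against its own MOFs so the .checksum files match what a pull
# client will download.
New-DSCCheckSum -ConfigurationPath .\ScriptTest -OutPath .\ScriptTest -Verbose -Force
New-DSCCheckSum -ConfigurationPath .\DSCFirewallRule -OutPath .\DSCFirewallRule -Verbose -Force

# Push the configuration to the target nodes. Comment this out if you are only
# generating the MOF(s) for a pull method.
Start-DscConfiguration -Path .\ScriptTest -Wait -Force -Verbose      # clears every firewall rule on each node
Start-DscConfiguration -Path .\DSCFirewallRule -Wait -Force -Verbose # then creates the two xFirewall rules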

The script above creates the .MOF files. Next we have to create a pull server. On Server 2008 R2 it has to be done like this:

Src: https://davewyatt.wordpress.com/2014/06/07/how-to-install-a-dsc-pull-server-on-windows-2008-r2/

Or, for Server 2012:

configuration CreatePullServer
{
    # Installs the DSC-Service Windows feature and stands up the pull and
    # compliance endpoints with xPSDesiredStateConfiguration's xDscWebService.
    # Values are identical to the original; only indentation and comments differ.
    param
    (
        [string[]]$ComputerName = 'localhost'
    )

    Import-DSCResource -ModuleName xPSDesiredStateConfiguration

    Node $ComputerName
    {
        WindowsFeature DSCServiceFeature
        {
            Ensure = "Present"
            Name   = "DSC-Service"
        }

        # Pull endpoint, reached by the clients at
        # http://<host>:8080/PSDSCPullServer/psdscpullserver.svc.
        # CertificateThumbPrint = "AllowUnencryptedTraffic" binds it to plain
        # HTTP: the MOFs under ConfigurationPath and the modules under
        # ModulePath are served in cleartext and a client has no way to verify
        # which server answered. Outside an isolated lab put a real certificate
        # thumbprint here and drop AllowUnsecureConnection on the clients.
        xDscWebService PSDSCPullServer
        {
            Ensure                = "Present"
            EndpointName          = "PSDSCPullServer"
            Port                  = 8080
            PhysicalPath          = "$env:SystemDrive\inetpub\wwwroot\PSDSCPullServer"
            CertificateThumbPrint = "AllowUnencryptedTraffic"
            ModulePath            = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules"
            ConfigurationPath     = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration"
            State                 = "Started"
            DependsOn             = "[WindowsFeature]DSCServiceFeature"
        }

        # Compliance endpoint on 9080, with the same unencrypted binding.
        xDscWebService PSDSCComplianceServer
        {
            Ensure                = "Present"
            EndpointName          = "PSDSCComplianceServer"
            Port                  = 9080
            PhysicalPath          = "$env:SystemDrive\inetpub\wwwroot\PSDSCComplianceServer"
            CertificateThumbPrint = "AllowUnencryptedTraffic"
            State                 = "Started"
            IsComplianceServer    = $true
            DependsOn             = @("[WindowsFeature]DSCServiceFeature",
                                      "[xDSCWebService]PSDSCPullServer")
        }
    }
}

# Compile: writes one MOF per node into .\CreatePullServer.
CreatePullServer

After the pull server is created I also had to make an adjustment to fix a 500 internal error I was getting from the above script on Server 2012 R2 https://stackoverflow.com/questions/24252635/powershell-dsc-pull-server-throws-internal-error-microsoft-isam-esent-interop

Now the last step is to push a meta-configuration to each machine that tells it to check in with the web server hosting the MOF configuration files.

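Configuration SimpleMetaConfigurationForPull
{
    # LCM meta-configuration: switches each node to PULL mode against the
    # pull server built by CreatePullServer.
    #
    # Fix vs. the original: the typographic quotes and dashes (" " ' ' and the
    # en dash) left by the blog editor are replaced with ASCII ones. PowerShell
    # tolerates them in a UTF-16/BOM file, but a BOM-less UTF-8 copy parses
    # them as garbage and the configuration fails to load.
    param
    (
        [string[]] $NodeName = 'Localhost'
    )
    Node $NodeName
    {
        LocalConfigurationManager
        {
            RefreshMode = "PULL";
            DownloadManagerName = "WebDownloadManager";
            RebootNodeIfNeeded = $true;
            # Contact the pull server every 10 minutes; run the consistency
            # check (and auto-correct drift) every 15 minutes. Because
            # ScriptTest's TestScript always returns $false, each consistency
            # check re-runs its Remove-NetFirewallRule -All.
            # NOTE(review): on WMF 4 ConfigurationModeFrequencyMins is expected
            # to be a multiple of RefreshFrequencyMins -- confirm the effective
            # interval on the target build.
            RefreshFrequencyMins = 10;
            ConfigurationModeFrequencyMins = 15;
            ConfigurationMode = "ApplyAndAutoCorrect";
            # NOTE(review): inside the Node block $NodeName is still the whole
            # parameter array, so every node receives the same joined value.
            # The pull server locates a node's MOF by this ID (conventionally one
            # GUID per node, with the MOF published as <ID>.mof) -- confirm this
            # matches how the MOFs compiled above were published.
            ConfigurationID = $NodeName
            # AllowUnsecureConnection = "TRUE" lets the LCM fetch configuration
            # over plain HTTP, so whatever answers on ServerUrl can hand the node
            # a MOF that the LCM applies as SYSTEM. Use an HTTPS pull server and
            # drop this flag outside a lab.
            DownloadManagerCustomData = @{ServerUrl = "http://VM1198:8080/PSDSCPullServer/psdscpullserver.svc"; AllowUnsecureConnection = "TRUE"}
        }
    }
}
# Compile the meta-MOFs into .\SimpleMetaConfigurationForPull, checksum them,
# then push them to each node's LCM (-Output was an abbreviation of -OutputPath;
# spelled out here so the parameter binding is unambiguous).
SimpleMetaConfigurationForPull -OutputPath .\SimpleMetaConfigurationForPull -NodeName 'LocalHost', 'server1', 'server2', 'server3'
New-DSCCheckSum -ConfigurationPath .\SimpleMetaConfigurationForPull -OutPath .\SimpleMetaConfigurationForPull -Verbose -Force
Set-DSCLocalConfigurationManager -Path .\SimpleMetaConfigurationForPull -Verbose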

As you can see from the script, the machine now checks in every 15 minutes.
