Using the following code I was able to push Firewall settings to multiple machines.
```powershell
# https://gallery.technet.microsoft.com/scriptcenter/xNetworking-Module-818b3583
Configuration ScriptTest
{
    param
    (
        [string[]] $NodeName = 'Localhost'
    )
    Import-DscResource -ModuleName 'PSDesiredStateConfiguration'

    Node $NodeName
    {
        Script EnableFirewall
        {
            # Must return a hashtable with at least one key
            # named 'Result' of type String
            GetScript = {
                Return @{ Result = [string]$(netsh advfirewall show allprofiles) }
            }

            # Must return a boolean: $true or $false
            TestScript = {
                If ((netsh advfirewall show allprofiles) -like "State*off*")
                {
                    Write-Verbose "One or more firewall profiles are off"
                    Return $false
                }
                Else
                {
                    Write-Verbose "All firewall profiles are on"
                    Return $false # return false as well to always run the SetScript on the remote server
                }
            }

            # Returns nothing
            SetScript = {
                Write-Verbose "Setting all firewall profiles to on"
                #netsh advfirewall set allprofiles state on
                Remove-NetFirewallRule -All
            }
        }
    }
}

Configuration DSCFirewallRule
{
    param
    (
        [string[]] $NodeName = 'Localhost'
    )
    Import-DSCResource -ModuleName xNetworking

    Node $NodeName
    {
        xFirewall Firewall1
        {
            Access      = 'Block'
            Name        = 'NotePadFirewallRule'
            DisplayName = 'Firewall Rule for Notepad.exe'
            Ensure      = 'Present'
            Profile     = ('Domain', 'Private')
            Direction   = 'OutBound'
            RemotePort  = ('8080', '8081')
            LocalPort   = ('9080', '9081')
            Protocol    = 'TCP'
            Description = 'Firewall Rule for Notepad.exe'
            Service     = 'WinRM'
            State       = 'Enabled'
        }
        xFirewall Firewall2
        {
            Access      = 'Allow'
            Name        = 'NotePad++FirewallRule'
            DisplayName = 'Firewall Rule for Notepad++.exe'
            Ensure      = 'Present'
            Profile     = ('Domain', 'Private')
            Direction   = 'OutBound'
            RemotePort  = ('8082', '8084')
            LocalPort   = ('9086', '9085')
            Protocol    = 'TCP'
            Description = 'Firewall Rule for Notepad++.exe'
            Service     = 'WinRM'
            State       = 'Enabled'
        }
    }
}

# Compile the MOF(s) first; each call creates a folder with the configuration's name
ScriptTest -NodeName 'LocalHost','server1','server2','server3'
DSCFirewallRule -NodeName 'LocalHost','server1','server2','server3'

# You only need to create checksums for PULL HTTP(s) methods; they go next to the MOFs they describe
New-DSCCheckSum -ConfigurationPath .\ScriptTest -OutPath .\ScriptTest -Verbose -Force
New-DSCCheckSum -ConfigurationPath .\DSCFirewallRule -OutPath .\DSCFirewallRule -Verbose -Force

# Push the configuration to the target nodes. Comment this out if you're just generating the MOF(s) for a pull method.
Start-DscConfiguration -Path .\ScriptTest -Wait -Force -Verbose      # Clears firewall rules
Start-DscConfiguration -Path .\DSCFirewallRule -Wait -Force -Verbose # Sets them
```
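An idempotent variant of the EnableFirewall Script resource, added here as an example and not taken from the post above: TestScript returns $true when every profile is already on, so SetScript runs only on drift rather than on every consistency check, and Set-NetFirewallProfile replaces the netsh call. The configuration name FirewallProfilesOn is my own; it assumes the NetSecurity module (Windows 8 / Server 2012 and later), which the post already relies on for Remove-NetFirewallRule.

```powershell
# Added example, not part of the original post.
# Honours the Script resource contract: Get reports, Test decides, Set only runs on drift.
Configuration FirewallProfilesOn
{
    param
    (
        [string[]] $NodeName = 'localhost'
    )
    Import-DscResource -ModuleName 'PSDesiredStateConfiguration'

    Node $NodeName
    {
        Script EnableFirewallProfiles
        {
            # Report the state of each profile as a single string
            GetScript = {
                $state = Get-NetFirewallProfile |
                    ForEach-Object { "$($_.Name)=$($_.Enabled)" }
                return @{ Result = ($state -join ';') }
            }

            # Compliant only when every profile is explicitly enabled
            # (NotConfigured is treated as drift too)
            TestScript = {
                $off = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
                if ($off) {
                    Write-Verbose "Profiles not enabled: $($off.Name -join ', ')"
                    return $false
                }
                Write-Verbose 'All firewall profiles are on'
                return $true
            }

            # Reached only when TestScript returned $false
            SetScript = {
                Write-Verbose 'Enabling all firewall profiles'
                Set-NetFirewallProfile -All -Enabled True
            }
        }
    }
}

# Compile, push, then confirm the node now reports compliant (True)
FirewallProfilesOn -NodeName 'localhost' -OutputPath .\FirewallProfilesOn
Start-DscConfiguration -Path .\FirewallProfilesOn -Wait -Force -Verbose
Test-DscConfiguration -Verbose
```

Because TestScript now returns $true once the profiles are on, a second Start-DscConfiguration or the LCM's periodic consistency check logs no change, which is what you want to see in the DSC operational log.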
The script above creates the .MOF files. Next we have to create a Pull Server to host them. For Server 2008 R2 we'll have to do it like this:
Src: https://davewyatt.wordpress.com/2014/06/07/how-to-install-a-dsc-pull-server-on-windows-2008-r2/
Or, for Server 2012, with the following configuration:
```powershell
configuration CreatePullServer
{
    param
    (
        [string[]]$ComputerName = 'localhost'
    )
    Import-DSCResource -ModuleName xPSDesiredStateConfiguration

    Node $ComputerName
    {
        WindowsFeature DSCServiceFeature
        {
            Ensure = "Present"
            Name   = "DSC-Service"
        }

        xDscWebService PSDSCPullServer
        {
            Ensure                = "Present"
            EndpointName          = "PSDSCPullServer"
            Port                  = 8080
            PhysicalPath          = "$env:SystemDrive\inetpub\wwwroot\PSDSCPullServer"
            # "AllowUnencryptedTraffic" serves the endpoint over plain HTTP;
            # a real certificate thumbprint here switches it to HTTPS
            CertificateThumbPrint = "AllowUnencryptedTraffic"
            ModulePath            = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Modules"
            ConfigurationPath     = "$env:PROGRAMFILES\WindowsPowerShell\DscService\Configuration"
            State                 = "Started"
            DependsOn             = "[WindowsFeature]DSCServiceFeature"
        }

        xDscWebService PSDSCComplianceServer
        {
            Ensure                = "Present"
            EndpointName          = "PSDSCComplianceServer"
            Port                  = 9080
            PhysicalPath          = "$env:SystemDrive\inetpub\wwwroot\PSDSCComplianceServer"
            CertificateThumbPrint = "AllowUnencryptedTraffic"
            State                 = "Started"
            IsComplianceServer    = $true
            DependsOn             = ("[WindowsFeature]DSCServiceFeature", "[xDSCWebService]PSDSCPullServer")
        }
    }
}

CreatePullServer
```
After the pull server is created, I also had to make an adjustment to fix a 500 internal error I was getting from the above script on Server 2012 R2: https://stackoverflow.com/questions/24252635/powershell-dsc-pull-server-throws-internal-error-microsoft-isam-esent-interop
Now the last step is to push the LCM meta-configuration to each machine, which tells each machine to check in with the web server hosting the MOF configuration files.
```powershell
Configuration SimpleMetaConfigurationForPull
{
    param
    (
        [string[]] $NodeName = 'Localhost'
    )
    Node $NodeName
    {
        LocalConfigurationManager
        {
            RefreshMode                    = "PULL"
            DownloadManagerName            = "WebDownloadManager"
            RebootNodeIfNeeded             = $true
            RefreshFrequencyMins           = 10
            ConfigurationModeFrequencyMins = 15
            ConfigurationMode              = "ApplyAndAutoCorrect"
            ConfigurationID                = $NodeName
            DownloadManagerCustomData      = @{
                ServerUrl               = "http://VM1198:8080/PSDSCPullServer/psdscpullserver.svc"
                AllowUnsecureConnection = "TRUE"  # plain HTTP, matching AllowUnencryptedTraffic on the pull server
            }
        }
    }
}

# Generates one <nodename>.meta.mof per node in the output folder
SimpleMetaConfigurationForPull -OutputPath .\SimpleMetaConfigurationForPull -NodeName 'LocalHost','server1','server2','server3'
New-DSCCheckSum -ConfigurationPath .\SimpleMetaConfigurationForPull -OutPath .\SimpleMetaConfigurationForPull -Verbose -Force
Set-DSCLocalConfigurationManager -Path .\SimpleMetaConfigurationForPull -Verbose
```
As you can see, the machine is checking in every 15 minutes, per our script.
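A check I would run from the admin workstation after Set-DSCLocalConfigurationManager, added here as an example and not from the original post: it reads each node's LCM settings, confirms the pull URL, flags nodes still allowing an unsecure (HTTP) connection, and shows the most recent DSC operational event so you can see whether the node is actually checking in. The node names and the VM1198 URL are the post's; WinRM/CIM access to each node is assumed.

```powershell
# Added example, not part of the original post: audit the LCM on each pull node.
param(
    [string[]] $NodeName    = @('server1', 'server2', 'server3'),
    [string]   $ExpectedUrl = 'http://VM1198:8080/PSDSCPullServer/psdscpullserver.svc'
)

$results = foreach ($node in $NodeName) {
    $lcm = Get-DscLocalConfigurationManager -CimSession $node

    # In WMF 4 DownloadManagerCustomData comes back as Key/Value pairs; flatten to a hashtable
    $custom = @{}
    foreach ($kv in $lcm.DownloadManagerCustomData) { $custom[$kv.Key] = $kv.Value }

    # Newest entry in the DSC operational log is a cheap "last seen" indicator
    $lastEvent = Get-WinEvent -ComputerName $node -MaxEvents 1 `
        -FilterHashtable @{ LogName = 'Microsoft-Windows-Dsc/Operational' } `
        -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Node            = $node
        RefreshMode     = $lcm.RefreshMode
        ConfigurationID = $lcm.ConfigurationID
        ServerUrl       = $custom['ServerUrl']
        UrlMatches      = ($custom['ServerUrl'] -eq $ExpectedUrl)
        PlainHttp       = ($custom['AllowUnsecureConnection'] -eq 'TRUE')
        RefreshMins     = $lcm.RefreshFrequencyMins
        ApplyMins       = $lcm.ConfigurationModeFrequencyMins
        LastDscEvent    = $lastEvent.TimeCreated
    }
}

# Anything with RefreshMode not PULL, UrlMatches False or PlainHttp True needs a look
$results | Format-Table -AutoSize
```

A node whose LastDscEvent is older than RefreshMins plus ApplyMins has not been talking to the pull server and will silently drift.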