Configuring Windows Firewall via Group Policy for Goverlan


Windows Firewall can cause the Goverlan Agent not to function properly.

This article explains how to configure Windows Firewall via GPO for Goverlan’s optimal functionality.


Goverlan and the Goverlan client agents communicate over Windows Sockets (TCP/IP). Goverlan version 9 uses TCP port 22000 and Goverlan version 8 uses TCP port 21158. This port number can be changed. For remote installation of the Goverlan Agent, File and Print Sharing (SMB, TCP port 445) must be enabled and allowed through the Windows Firewall.

You must have the Windows Remote Server Administration Tools (RSAT) installed on your machine; they include the Group Policy Management Console, where the GPO is configured. (Windows Server has this installed by default; for Windows workstation operating systems, download the RSAT tools from Microsoft.com for your operating system.)

Both methods can be configured in the same location:

1. Launch the Group Policy Management Console.

2. Expand the Default Domain policy, right-click and choose Edit to launch the Group Policy Management Editor (GPME).

3. In the GPME expand:

Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile

Using Group Policy Management Console to create a GPO for adding ports to Windows Firewall

1. In the right pane, double-click Windows Firewall: Define inbound port exceptions

2. Click on Enabled and Show.

3. The Show Contents window will appear, enter the following Values:

445:TCP:localsubnet:Enabled:File and Print Sharing (SMB-In) (Set on all machines that will have the Goverlan Agent installed. Used by Goverlan Consoles to push Agent to machines.)

For Goverlan Reach v9:

22000:TCP:localsubnet:Enabled:GoverlanV9 (For all machines that will have the Goverlan Agent installed)

22100:TCP:localsubnet:Enabled:GoverlanReachServer (Only set on the Goverlan Reach Server as this is inbound to the Reach Server.)

15155:TCP:localsubnet:Enabled:GoverlanReachGateway (Default or Custom Port used for inbound communication to the Reach Gateway Server, used by internal Goverlan Agents to confirm they are internal.)

For Goverlan v8:

21158:TCP:localsubnet:Enabled:GoverlanV8

21160:TCP:localsubnet:Enabled:GoverlanCentralServer (This configuration needs to be set on the Goverlan Central Server)

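
A small lint for the values entered in the Show Contents window, as an added example that is not Goverlan's or Microsoft's code: it parses each `Port:Transport:Scope:Status:Name` string, rejects malformed or fused entries, and warns when an enabled entry uses the `*` (any address) scope rather than a restricted one such as `localsubnet`. It assumes scopes contain no colons (IPv4 addresses, subnets, `localsubnet` or `*`); the function names are illustrative.

```python
from collections import namedtuple

# Entries from this article, without the parenthesised notes.
ARTICLE_ENTRIES = [
    "445:TCP:localsubnet:Enabled:File and Print Sharing (SMB-In)",
    "22000:TCP:localsubnet:Enabled:GoverlanV9",
    "22100:TCP:localsubnet:Enabled:GoverlanReachServer",
    "15155:TCP:localsubnet:Enabled:GoverlanReachGateway",
    "21158:TCP:localsubnet:Enabled:GoverlanV8",
    "21160:TCP:localsubnet:Enabled:GoverlanCentralServer",
]

PortException = namedtuple("PortException", "port transport scope enabled name")

def parse_entry(entry):
    """Parse one Port:Transport:Scope:Status:Name value; ValueError if malformed."""
    parts = [p.strip() for p in entry.split(":", 4)]
    if len(parts) != 5 or not all(parts):
        raise ValueError(f"expected 5 non-empty fields: {entry!r}")
    port, transport, scope, status, name = parts
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"invalid port: {entry!r}")
    if transport.upper() not in ("TCP", "UDP"):
        raise ValueError(f"transport must be TCP or UDP: {entry!r}")
    if status.lower() not in ("enabled", "disabled"):
        raise ValueError(f"status must be Enabled or Disabled: {entry!r}")
    if ":" in name:  # typical result of two entries pasted onto one line
        raise ValueError(f"':' in name, possibly two fused entries: {entry!r}")
    items = [s.strip().lower() for s in scope.split(",")]
    return PortException(int(port), transport.upper(), items,
                         status.lower() == "enabled", name)

def lint(entries):
    """Return one warning per entry that is malformed or open to any address."""
    warnings = []
    for entry in entries:
        try:
            exc = parse_entry(entry)
        except ValueError as err:
            warnings.append(str(err))
            continue
        if exc.enabled and "*" in exc.scope:
            warnings.append(f"{exc.port}/{exc.transport} ({exc.name}): "
                            "scope '*' allows any source address")
    return warnings

if __name__ == "__main__":
    print(lint(ARTICLE_ENTRIES) or "no findings")
```
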
Updated on February 20, 2019
