Adding Windows Firewall Rules to App-V Packages

You may have noticed Windows Firewall prompts appearing when launching virtualised applications:

Firewall Prompt

This is because App-V does not support detecting or applying firewall rule changes. You could of course apply these rules via group policy, but this becomes difficult since the rule needs to contain the full path including the package and version GUIDs. We can however apply them with a script!

On your sequencer, open the advanced firewall settings by running wf.msc and find the rules that were added by the application. If the installer did not add them, then launching the application and dismissing the dialog as shown above will create a rule for you. You may have both inbound and outbound rules to deal with.

As mentioned in this article, you should use the netsh advfirewall firewall command rather than the deprecated netsh firewall command. The full syntax for this command can be found here. You should take care to ensure that the rules you set up adhere to any security policies in your organisation (e.g. you may want to only allow an app to communicate if connected to the domain network) so don’t necessarily copy the examples provided here exactly. The basic form I am using here for an outbound rule (use dir=in for inbound) is:

netsh.exe advfirewall firewall add rule name="RULE NAME" dir=out action=allow program="PATH TO EXE.exe" enable=yes

And to remove:

netsh.exe advfirewall firewall delete rule name="RULE NAME" program="PATH TO EXE.exe"

This particular application adds two rules so I am going to use the new Scriptrunner.exe method that requires App-V 5.1. For more info on how to do this refer to the following links:

https://blogs.technet.microsoft.com/sbucci/2015/09/14/app-v-5-1-scriptrunner

https://technet.microsoft.com/en-us/itpro/mdop/appv-v5/about-app-v-51-dynamic-configuration

I am also going to use another feature added in 5.1, which is the ability to place the script inside the internal AppXManifest.xml so that we don’t have to rely upon the external DeploymentConfig.xml file. I used Tim Mangan’s excellent App-V Manifest Editor tool to make this easier. This results in the following snippet added to AppXManifest.xml:

And since SCCM automatically imports the DynamicConfig.xml, the script should go in there too, otherwise the blank entries in the generated file may override what’s provided in the manifest:

I’ve opted to use AddPackage and RemovePackage here rather than PublishPackage and UnpublishPackage. The reason for this is that again, when deploying with SCCM, it imports the UserConfig file which overrides the PublishPackage script defined at the machine-level (which I consider a bug, but that should be another post!).

Now after adding that package you should be able to see your rules added in the firewall settings on the App-V client. If you used an App-V variable as above like [{ProgramFilesX86}] or [{AppvPackageRoot}] when defining your exe path, it should be converted to the full virtual path under C:\ProgramData\App-V!

3 responses on “Adding Windows Firewall Rules to App-V Packages

  1. Pollewops

    Now after adding that package you should be able to see your rules added in the firewall settings on the App-V client. If you used an App-V variable as above like [{ProgramFilesX86}] or [{AppvPackageRoot}] when defining your exe path, it should be converted to the full virtual path under C:\ProgramData\App-V!

    But how can you use the FULL VIRTUAL PATH..everytime you save the AppV package, the version id is changed 🙁

    1. That’s why you use the variables; your answer is in your question! The script will convert those variables to the full paths automatically at runtime, substituting in the correct GUIDs.

      1. Pollewops

        Hi Dan,

        Thanks for your response.
        I tried it again and YESSSS now it is working.
        Thanks

Leave a Reply