Dan Gough

You may have noticed Windows Firewall prompts appearing when launching virtualised applications:

Firewall Prompt

This is because App-V does not support detecting or applying firewall rule changes. You could of course apply these rules via group policy, but this becomes difficult since the rule needs to contain the full path including the package and version GUIDs. We can however apply them with a script!

On your sequencer, open the advanced firewall settings by running wf.msc and find the rules that were added by the application. If the installer did not add them, then launching the application and dismissing the dialog as shown above will create a rule for you. You may have both inbound and outbound rules to deal with. As mentioned in this article, you should use the netsh advfirewall firewall command rather than the deprecated netsh firewall command. The full syntax for this command can be found here.

You should take care to ensure that the rules you set up adhere to any security policies in your organisation (e.g. you may want to only allow an app to communicate if connected to the domain network) so don’t necessarily copy the examples provided here exactly. The basic form I am using here for an outbound rule (use dir=in for inbound) is:

netsh.exe advfirewall firewall add rule name="RULE NAME" dir=out action=allow program="PATH TO EXE.exe" enable=yes

And to remove:

netsh.exe advfirewall firewall delete rule name="RULE NAME" program="PATH TO EXE.exe"

This particular application adds two rules so I am going to use the new Scriptrunner.exe method that requires App-V 5.1. For more info on how to do this refer to the following links:

https://blogs.technet.microsoft.com/sbucci/2015/09/14/app-v-5-1-scriptrunner

https://technet.microsoft.com/en-us/itpro/mdop/appv-v5/about-app-v-51-dynamic-configuration

I am also going to use another feature added in 5.1, which is the ability to place the script inside the internal AppXManifest.xml so that we don’t have to rely upon the external DeploymentConfig.xml file. I used Tim Mangan’s excellent App-V Manifest Editor tool to make this easier. This results in the following snippet added to AppXManifest.xml:

<appv:MachineScripts>
  <appv:AddPackage>
    <appv:Path>Scriptrunner.exe</appv:Path>
    <appv:Arguments>-appvscript netsh.exe advfirewall firewall add rule name="Rule 1" dir=out action=allow program="[{ProgramFilesX86}]\MyApp\MyApp.exe" enable=yes 
-appvscript netsh.exe advfirewall firewall add rule name="Rule 2" dir=out action=allow program="[{AppVPackageRoot}]\MyApp.exe" enable=yes</appv:Arguments>
  </appv:AddPackage>
  <appv:RemovePackage>
    <appv:Path>Scriptrunner.exe</appv:Path>
    <appv:Arguments>-appvscript netsh.exe advfirewall firewall delete rule name="Rule 1" program="[{ProgramFilesX86}]\MyApp\MyApp.exe" 
-appvscript netsh.exe advfirewall firewall delete rule name="Rule 2" program="[{AppVPackageRoot}]\MyApp.exe"</appv:Arguments>
  </appv:RemovePackage>
</appv:MachineScripts>

And since SCCM automatically imports the DynamicConfig.xml, the script should go in there too, otherwise the contents of this file could override what’s provided in the manifest:

<MachineScripts>
  <AddPackage>
    <Path>Scriptrunner.exe</Path>
    <Arguments>-appvscript netsh.exe advfirewall firewall add rule name="Rule 1" dir=out action=allow program="[{ProgramFilesX86}]\MyApp\MyApp.exe" enable=yes 
-appvscript netsh.exe advfirewall firewall add rule name="Rule 2" dir=out action=allow program="[{AppVPackageRoot]\MyApp.exe" enable=yes</Arguments>
  </AddPackage>
  <RemovePackage>
    <Path>Scriptrunner.exe</Path>
    <Arguments>-appvscript netsh.exe advfirewall firewall delete rule name="Rule 1" program="[{ProgramFilesX86}]\MyApp\MyApp.exe" 
-appvscript netsh.exe advfirewall firewall delete rule name="Rule 2" program="[{AppVPackageRoot]\MyApp.exe"</Arguments>
  </RemovePackage>
</MachineScripts>

I’ve opted to use AddPackage and RemovePackage here rather than PublishPackage and UnpublishPackage, as this is the only way you can get a script to run as local system when using user publishing. Now after adding that package you should be able to see your rules added in the firewall settings on the App-V client. If you used an App-V variable as above like [{ProgramFilesX86}] or [{AppvPackageRoot}] when defining your exe path, it should be converted to the full virtual path under C:\ProgramData\App-V!

Tags:

Categories:

Updated:

Comments

You May Also Enjoy

Windows 11 Microsoft Store Announcements

24 June 2021

After a series of leaks, Microsoft have officially unveiled Windows 11 earlier today. While most of the reporting has been focussed on the UI changes, there was a huge reveal regarding the Microsoft Store that will prove to be very interesting for...

Nevergreen: My first Powershell module

10 May 2021

Nevergreen is a Powershell module that returns the latest version and download links for various Windows applications. It can be used as an alternative to Aaron Parker’s (and others) excellent Evergreen module.

Free ebook! MSIX Packaging Fundamentals

19 November 2020

A new MSIX book has been released as a free download - MSIX Packaging Fundamentals, a collaboration between Tim Mangan, Bogdan Mitrache and Kevin Kaminski.

App-V 5.1 Support Dates

17 March 2020

App-V is no longer under active development, but still supported. Microsoft have extended the support date for App-V 5.1 to April 2026: