I'm in the midst of setting up GFI LAN Guard for vulnerability scanning and patch management. The first thing I have to get in order is for LG to inventory all of the clients on the network. In order to ensure that this runs successfully, I need to allow certain traffic to pass through the clients' Windows Firewall. We don't want to disable the FW fully, just allow the particular LG traffic through.
I've created a GPO which allows the required traffic through, but it includes some potentially sensitive services such as File & Print, WMI, as well as opening port 135. What I am trying to figure out is how to restrict this GPO to only take effect for traffic originating from, or headed to, the IP address of the LG server. Is this possible?
On Windows 7
You do a custom rule and you can pick a port, followed by a source / destination IP.
You'll find the GPO location in "Policies\computer\windows settings\security settings\windows firewall and advanced security\" choose inbound rules and then create a custom rule.
On Windows XP
You can add a port rule, and then change the scope.
Here is an article that goes over some deployment options.
http://www.windowsecurity.com/articles/customizing-windows-firewall.html
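The scoped rules the answer describes, as an added example that is not part of the original thread. It assumes a placeholder scanner address of 10.0.5.20, a GPO named "LANguard Scanning" in the domain corp.example.com, and a management host with the NetSecurity cmdlets (Windows 8 / Server 2012 or later); the port and service choices follow the built-in RPC, File and Printer Sharing and WMI rule groups.

```powershell
# Added example, not from the original thread. Placeholder values:
$ScannerIp = '10.0.5.20'                            # the LANguard server
$Store     = 'corp.example.com\LANguard Scanning'   # write into the GPO, not the local policy

# Settings shared by every rule: inbound allow, domain profile only,
# and remote address limited to the scanner (the restriction the question asks for)
$common = @{
    Direction     = 'Inbound'
    Action        = 'Allow'
    Profile       = 'Domain'
    RemoteAddress = $ScannerIp
    PolicyStore   = $Store
    Group         = 'LANguard Scanning'
}

# RPC endpoint mapper: TCP 135, the port the question is worried about exposing
New-NetFirewallRule @common -DisplayName 'LANguard - RPC Endpoint Mapper (TCP-In)' `
    -Protocol TCP -LocalPort 135

# File and Printer Sharing: SMB over TCP 445 and NetBIOS session on TCP 139
New-NetFirewallRule @common -DisplayName 'LANguard - SMB (TCP-In)' `
    -Protocol TCP -LocalPort 445
New-NetFirewallRule @common -DisplayName 'LANguard - NetBIOS Session (TCP-In)' `
    -Protocol TCP -LocalPort 139

# WMI: DCOM negotiates dynamic RPC ports, so match the hosting service instead of a port
New-NetFirewallRule @common -DisplayName 'LANguard - WMI (TCP-In)' `
    -Protocol TCP -Program '%SystemRoot%\system32\svchost.exe' -Service winmgmt

# Verification: every rule in the group must list the scanner as its only remote address.
# A rule showing 'Any' here would expose the service to the whole network.
Get-NetFirewallRule -PolicyStore $Store -Group 'LANguard Scanning' |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = $addr
            Enabled       = $_.Enabled
        }
    } | Format-Table -AutoSize
```

On Windows 7 and XP, which predate these cmdlets, the same restriction is the remote IP entry on the rule's Scope tab in the GPO editor, or `remoteip=` on `netsh advfirewall firewall add rule`.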