Firewall Script as "Execute Immediate" Custom Action
Hi,
I have a small problem with a custom action which I want to execute as immediate. This script sets the exception for the windows firewall.
I put this script behind Copy files but still it will be launched before copy files in "Execution Deferred" so that in the end the script cant work because the exe file is still not on the disc. Is there a away how I can solve it in "Immediate" or do I have to put it in "Deferred" which means some more work with the variables.
Thx
I have a small problem with a custom action which I want to execute as immediate. This script sets the exception for the windows firewall.
I put this script behind Copy files but still it will be launched before copy files in "Execution Deferred" so that in the end the script cant work because the exe file is still not on the disc. Is there a away how I can solve it in "Immediate" or do I have to put it in "Deferred" which means some more work with the variables.
Thx
0 Comments
[ + ] Show comments
Answers (11)
Please log in to answer
Posted by:
anonymous_9363
13 years ago
Do some reading about what the EI sequence actually does until it gets to InstallFinalize. John McFadyen's Live blog will probably have a ton of stuff about it but, failing that, MSDN.
Posted by:
captain_planet
13 years ago
....you should be fine putting it somewhere between InstallFiles and InstallFinalize in the Install Execute (IE, not EI [;)])sequence....I'm not sure what you mean about more work with variables etc etc unless you're on about passing property values to deferred Custom Actions, which I briefly described in post 4 here: http://itninja.com/question/faulttree-100046&mpage=1&key=installfiles쐞
Posted by:
anonymous_9363
13 years ago
Cap'n,
My shorthand is at fault. EI = ExecuteImmediate, ED = ExecuteDeferred.
Since the script is making a system change, then it belongs in the ED sequence so yes, more work with variables means using CustomActionData.
My shorthand is at fault. EI = ExecuteImmediate, ED = ExecuteDeferred.
Since the script is making a system change, then it belongs in the ED sequence so yes, more work with variables means using CustomActionData.
Posted by:
captain_planet
13 years ago
Hmmm. I just noticed the 'Firewall Exceptions' feature in Wise. This populates the WiseFirewallSetup table to add firewall exceptions. I've never used it myself, but it could be worth a stab?
Posted by:
Rheuvel
13 years ago
I recently made a package doing exactly the same thing.
It looks like this, in Execute Immediate:
Part of the embedded VBScript is:
It's working just fine :)
It looks like this, in Execute Immediate:
Installfinalize
If Not Installed then
| Call VBScript From Embedded Code (Config)
EndPart of the embedded VBScript is:
Option Explicit
Dim objShell
Set objShell = CreateObject("WScript.Shell")
' Config Firewall
objShell.Run "netsh firewall add allowedprogram <path to exe> <name> ENABLE", 0, TrueIt's working just fine :)
Posted by:
anonymous_9363
13 years ago
Are vanilla users permitted to add programs to firewall exceptions? If not, surely you get 'Access denied' with your script since, because it runs after InstallFinalize in EI, it's running in User context.
Perhaps your users all have local admin privileges?
Perhaps your users all have local admin privileges?
Posted by:
Rheuvel
13 years ago
Hmmm, good point.
However, if I place it in front of InstallFinalize it doesn't run at all. I get an 17xx error.
I guess I haven't had any complaints yet because it gets installed on Citrix .
If that's the case ignore my bad example in my first post .
However, if I place it in front of InstallFinalize it doesn't run at all. I get an 17xx error.
I guess I haven't had any complaints yet because it gets installed on Citrix .
If that's the case ignore my bad example in my first post .
Posted by:
pjgeutjens
13 years ago
Are vanilla users permitted to add programs to firewall exceptions? If not, surely you get 'Access denied' with your script since, because it runs after InstallFinalize in EI, it's running in User context
Isn't it the case that if you're deploying using system credentials, that even in IE after InstallFinalize your actions will run with system credentials? We have CA's here at that position that set AD security on folders, not something a non-admin user can do, so...
Posted by:
aogilmor
13 years ago
ya und also isn't there a way to do this with an exe file so u don't have to vbscript it. hate those!...LOL
Posted by:
mac-duff
13 years ago
HI all,
thanks for all the answers. Has anybody tried the firewall feature of WISE with Vista or 7? Here is my script for the EI:
[CODE]
Dim rulename, installdir, app_e, descrip, result, str, strVerKey, strVersion
Set WshShell=CreateObject("WScript.Shell")
rulename = Session.Property("ProductName")
installdir = Session.Property("INSTALLDIR")
descrip = Session.Property("ProductName")
app_e = "winvnc4.exe"
'detection of windows version
strVerKey = "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\"
strVersion = WshShell.regread(strVerkey & "CurrentBuildNumber")
MsgBox strVersion
If ( Session.Property("ProductState") = "-1" ) Then
'Windows XP
if strVersion >= "2600" and strVersion <="3790" Then
'MSGBOX "Windows XP"
str = "netsh firewall add allowedprogram program=" & chr(34) & installdir & app_e & chr(34) & " name=" & chr(34) & rulename & chr(34) & " mode=ENABLE profile=ALL"
WshShell.Run str,0,true
End If
'Windows 7
if strVersion >= "7600" Then
'MSGBOX "Windows 7"
str = "netsh advfirewall firewall show rule name=" & chr(34) & rulename & chr(34)
result = WshShell.Run (str,0,true)
'msgbox result
If result = "1" Then
str = "netsh advfirewall firewall add rule name=" & chr(34) & rulename & chr(34) & " dir=in action=allow program=" & chr(34) & installdir & app_e & chr(34) & " enable=yes Profile=Domain,Private,Public description=" & chr(34) & descrip & chr(34)
WshShell.Run str,0,true
End If
If result = "0" Then
Set WshShell = Nothing
End If
End If
End If
If ( Session.Property("ProductState") = "5" ) Then
'Windows XP
if strVersion >= "2600" and strVersion <="3790" Then
str = "netsh firewall delete allowedprogram program=" & chr(34) & installdir & app_e & chr(34) & " profile=ALL"
WshShell.Run str,0,true
End If
'Windows 7
if strVersion >= "7600" Then
str = "netsh advfirewall firewall show rule name=" & chr(34) & rulename & chr(34)
result = WshShell.Run (str,0,true)
If result = "0" Then
str = "netsh advfirewall firewall delete rule name=" & chr(34) & rulename & chr(34) & " dir=in program=" & chr(34) & installdir & app_e & chr(34) & " Profile=Domain,Private,Public"
WshShell.Run str,0,true
End If
If result = "1" Then
Set WshShell = Nothing
End If
End If
End If
[/CODE]
thanks for all the answers. Has anybody tried the firewall feature of WISE with Vista or 7? Here is my script for the EI:
[CODE]
Dim rulename, installdir, app_e, descrip, result, str, strVerKey, strVersion
Set WshShell=CreateObject("WScript.Shell")
rulename = Session.Property("ProductName")
installdir = Session.Property("INSTALLDIR")
descrip = Session.Property("ProductName")
app_e = "winvnc4.exe"
'detection of windows version
strVerKey = "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\"
strVersion = WshShell.regread(strVerkey & "CurrentBuildNumber")
MsgBox strVersion
If ( Session.Property("ProductState") = "-1" ) Then
'Windows XP
if strVersion >= "2600" and strVersion <="3790" Then
'MSGBOX "Windows XP"
str = "netsh firewall add allowedprogram program=" & chr(34) & installdir & app_e & chr(34) & " name=" & chr(34) & rulename & chr(34) & " mode=ENABLE profile=ALL"
WshShell.Run str,0,true
End If
'Windows 7
if strVersion >= "7600" Then
'MSGBOX "Windows 7"
str = "netsh advfirewall firewall show rule name=" & chr(34) & rulename & chr(34)
result = WshShell.Run (str,0,true)
'msgbox result
If result = "1" Then
str = "netsh advfirewall firewall add rule name=" & chr(34) & rulename & chr(34) & " dir=in action=allow program=" & chr(34) & installdir & app_e & chr(34) & " enable=yes Profile=Domain,Private,Public description=" & chr(34) & descrip & chr(34)
WshShell.Run str,0,true
End If
If result = "0" Then
Set WshShell = Nothing
End If
End If
End If
If ( Session.Property("ProductState") = "5" ) Then
'Windows XP
if strVersion >= "2600" and strVersion <="3790" Then
str = "netsh firewall delete allowedprogram program=" & chr(34) & installdir & app_e & chr(34) & " profile=ALL"
WshShell.Run str,0,true
End If
'Windows 7
if strVersion >= "7600" Then
str = "netsh advfirewall firewall show rule name=" & chr(34) & rulename & chr(34)
result = WshShell.Run (str,0,true)
If result = "0" Then
str = "netsh advfirewall firewall delete rule name=" & chr(34) & rulename & chr(34) & " dir=in program=" & chr(34) & installdir & app_e & chr(34) & " Profile=Domain,Private,Public"
WshShell.Run str,0,true
End If
If result = "1" Then
Set WshShell = Nothing
End If
End If
End If
[/CODE]
Posted by:
nheim
13 years ago
Hi folks,
a firewall exception CA MUST go into the script (deferred section)!
Everything else is gambling, IMHO.
The challenge is to pass the needed variables (properties) to the CA, as most of the properties are not available, when the script runs.
Please read this to understand this stuff:
http://msdn.microsoft.com/en-us/library/aa368268(VS.85).aspx
http://msdn.microsoft.com/en-us/library/aa370543(VS.85).aspx
Regards, Nick
a firewall exception CA MUST go into the script (deferred section)!
Everything else is gambling, IMHO.
The challenge is to pass the needed variables (properties) to the CA, as most of the properties are not available, when the script runs.
Please read this to understand this stuff:
http://msdn.microsoft.com/en-us/library/aa368268(VS.85).aspx
http://msdn.microsoft.com/en-us/library/aa370543(VS.85).aspx
Regards, Nick
Rating comments in this legacy AppDeploy message board thread won't reorder them,so that the conversation will remain readable.