Install CPF on a Headless Server

Hello all,

First time poster, long time lurker looking for a little help.

After reading about the benefits of the Comodo solution for directing traffic over multiple connections (real and virtual) I decided to take the plunge on my server. However, I must have jumped too soon and installed before reading a good tutorial on first time setup figuring it would be as easy as any other firewall I have ever used. Here’s the issue:

The server I installed on is an HP MediaSmart EX485 Server. This machine is 100% headless, meaning there is no way I can hook a screen/mouse/keyboard up to it for administration. All this has to be done remotely. The server is running Windows Home Server (an off-shoot of Windows Server 2003). I RDC’d over to the machine and installed without a hitch. However, after restarting the server as prompted, the server does not connect to my router, and thus I am unable to do any administration at all.

I realize there is little I can do about this at this point except for reinstalling the operating system and starting over. But, when I am able to get my server back up, I am still interested in running Comodo Firewall. Is there anything I can do to make sure the network will reinitialize upon the first restart?

Thanks
-JesterEE

I found this post that seems to have the answer I’m looking for.

https://forums.comodo.com/help/how_can_i_start_comodo_firewall_to_allow_all_connections-t9496.0.html;msg68775#msg68775

Can anyone verify this solution works?

-JesterEE

G’day,

That solution was developed for Comodo Personal Firewall V2.X, but the theory behind it is valid - a registry extract from an “Allow all inbound” firewall install is imported BEFORE restarting the PC, but the reg keys are different for V4. This does mean that you would have to have done an install on another machine before tackling the headless server, though.

Ewen :slight_smile:

P.S. The zipped reg key in the post you mentioned will not work on C3 or V4 due to differing registry layouts.

What you could do is the following.

Assuming you have some form of Remote Desktop Connection to the Server, Install CIS but DON’T reboot when it asks you.
Now there are 2 ways

  1. Disable the firewall
  2. Change the firewall’s settings so you at least will have a Remote Desktop Session available.

After CIS is installed you can start its GUI and set the Firewall rules you need before you reboot. I would also change the following settings:

  • Remove the “Block IP IN ANY ANY” global rule, at least until you have the other rules in place.
  • Set the Firewall to “Training mode” so whatever happens at system startup is learned instead of “asked”.
  • Go to more, settings and untick “Automatically detect private networks”.
  • Want to make it nice, create allow rules for incoming TCP 3389 of the Remote Desktop on global rules & for svchost.exe on Application rules.

From the top of my head Remote Desktop is serviced by svchost.exe but maybe that needs verification, I’m unable to verify that at the moment.

p.s. please be aware that if you install more than just Firewall you could also have to change the Defense+ settings to prevent “bricking” your server again.

Ronny’s suggestions sound OK. I would also export the reg keys after setting the config up, so they are available for reinstall (if needed) or for other servers.

If you do extract the reg keys, can you please post a copy here, as others may find this useful.

Ewen :slight_smile:
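As an added example (not code from the thread or from Comodo), a pre-reboot checklist for the procedure Ronny describes and the registry export Ewen suggests: it confirms the DHCP client and RDP services are running and set to start automatically, that RDP is enabled and listening, and then exports the CIS configuration key. It assumes PowerShell is installed on the server, that the export folder C:\cis-backup is acceptable, and that the CIS key lives at the path quoted later in the thread (HKLM\SYSTEM\Software\COMODO\Firewall Pro).

```powershell
# Added example, not from the thread. Run in an elevated session on the server
# AFTER installing CIS and setting the rules, BEFORE the reboot CIS asks for.
$cisKey    = 'HKLM\SYSTEM\Software\COMODO\Firewall Pro'   # path quoted in the thread
$exportDir = 'C:\cis-backup'                               # assumed location
$ok        = $true

# 1. Services the remote path depends on: DHCP client (even a static reservation
#    is handed out over DHCP) and Terminal Services (the RDP listener).
foreach ($name in 'Dhcp', 'TermService') {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
    if ($null -eq $svc -or $svc.State -ne 'Running' -or $svc.StartMode -ne 'Auto') {
        Write-Warning "$name is missing, stopped, or not set to Auto start"
        $ok = $false
    }
}

# 2. RDP must be enabled (fDenyTSConnections = 0) and the listener port open.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ($ts.fDenyTSConnections -ne 0) {
    Write-Warning 'Remote Desktop is disabled in the registry'
    $ok = $false
}
$rdpPort = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp').PortNumber
if (-not (netstat -an | Select-String ":$rdpPort\s+.*LISTENING")) {
    Write-Warning "Nothing is listening on TCP $rdpPort; the global allow rule must match this port"
    $ok = $false
}

# 3. Show the adapter configuration so the DHCP reservation can be compared
#    against what the firewall rules allow (UDP 67/68 in and out).
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
    Select-Object Description, DHCPEnabled, IPAddress, DHCPServer | Format-List

# 4. Export the CIS configuration so it can be reimported or reused elsewhere.
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null
reg.exe export $cisKey "$exportDir\cis-config.reg" /y
if ($LASTEXITCODE -ne 0) { Write-Warning 'Registry export failed'; $ok = $false }

if ($ok) { Write-Host 'Checks passed; export written. Safe to reboot.' }
else     { Write-Host 'Do NOT reboot until the warnings above are resolved.' }
```

The export is a whole-key dump, which sidesteps the partial-import corruption Ronny mentions later in the thread, but it still carries the per-rule UIDs, so treat it as a backup for this host rather than a template for others.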

What about Comodo Endpoint Security Manager?

Had no chance to test it but it supports Windows server and IIRC it should allow remote management.

I’m not sure if this is still working fine; they have added unique UIDs to the keys and I have seen some strange behaviors on “partial” registry imports, resulting in corrupt configurations on v4. I have to note those registry imports were v3 though…

That should also do the trick, that environment supports remote deployment and management at least of the CIS configuration so if you lock something out you should be able to fix it on the management server.

Good point Ronny. I forgot about the user IDs.

Everyone,

Thanks so much for your input.

@Endymion

The Comodo Endpoint Security Manager does look like a slick piece of software, and I will certainly keep it in mind for the future. I think that for a personal server and a LAN of 3, it might be a bit of overkill, and might not even work with the Windows Home Server infrastructure as there is no Active Directory for “client administration and authentication”. I call my machine a server, well, because that’s what it is, but it doesn’t really do any administration over other machines. It’s really just there to supply files, media and do data backups. In that sense, it’s really no different than having a dedicated computer on a network of peers. For that network model, I don’t think this tool is the best suited, but please let me know if I am missing something.

@panic and Ronny
Great suggestions here! Really, I’m glad you’re here posting on the nuances I know nothing about. Since your feedback leads me to believe that just targeting the registry entries might not be effective, I will try and open the configurations up before I restart. Should I log any files/settings/registry entries before and after so that I can potentially help others in the same boat? If so, which ones?

Also, are the UIDs set at installation or do they change while the software is being configured? I’m thinking that a quick script to extract the UID and append the settings might be in order if one can target what exactly needs to be kept the same and what can change.

Thanks Again!
-JesterEE

ESM can also work without Active Directory, as it will function correctly in an XP workgroup type of network. One advantage to using ESM on a small LAN is that the ESM box can download updates and the other PCs on the LAN can fetch them from it, rather than from the internet.

@panic and Ronny Great suggestions here! Really, I'm glad you're here posting on the nuances I know nothing about. Since your feedback leads me to believe that just targeting the registry entries might not be effective, I will try and open the configurations up before I restart. Should I log any files/settings/registry entries before and after so that I can potentially help others in the same boat? If so, which ones?

All the registry entries for CIS are stored under HKLM/System/Software/Comodo/Firewall Pro.

Also, are the UIDs set at installation or do they change while the software is being configured? I'm thinking that a quick script to extract the UID and append the settings might be in order if one can target what exactly needs to be kept the same and what can change.

Unfortunately the acronym UID (User ID) is a bit of a misnomer. The IDs relate to objects/tasks/configs, not to users. There is a unique UID for each rule, policy and configuration. This would make for one hell of a script to extract them all.

Your suggested method of attempting to fudge the configs before the reboot might work. Are you prepared to have a crack at this and report the results back? This info may be useful to others.

Cheers,
Ewen :slight_smile:

I just got my server back up yesterday. I will be trying to install again probably early next week, and will certainly report back my before and after findings here. And if all goes well, maybe even a tutorial aimed at the WHS scene.

-JesterEE

That’d be great JesterEE. Fingers crossed it all goes well.

Thanks in advance, :-TU
Ewen :slight_smile:

Well, I tried 3 different times with many different settings, and each time I soft-bricked my server. The last time I allowed/removed every rule, disabled the firewall entirely, and opened up all the ports (just in case the firewall wasn’t “truly disabled”) and I still was not able to connect. I really don’t think there is a way to remotely do this installation. The only thing that comes to mind is installing on a regular computer and importing all the registry files. But, from what others have said on this thread that will probably be very hard with this new version.

I tried CESM briefly, but in all honesty, I was a bit overwhelmed with what I would need to setup just to run a firewall. After digging into the documentation a little, there is a lot of overhead involved that I am not interested in maintaining for the simple task I started with.

I’m a little disheartened here. I would think this would be a fairly common request being that a lot of administration work is done solely over remote terminals. I hope a future release will change the installation options so this can be accomplished.

Until then, I think I am raising the white flag and “giving up” … :-\

-JesterEE

Good call… But I would surmise that for a headless server a router or windows (if using) firewall would be sufficient.

What I would do.

  1. Install TeamViewer (=T) on the server (=S) and your PC.
  2. Reboot S.
  3. Run TeamViewer. Configure it to allow certain connections and password protect it, and set it to run on every boot.
  4. Reboot S.
  5. Use T to connect to the server. Make sure it works fine.
  6. Install CIS.
  7. Reboot S.
  8. Try to connect to S via T = this predicates on the fact that T is a trusted (safe) app according to CIS and should be allowed access. You wouldn’t need to disable/enable anything as it should work out of the box.

I do use T but on a machine which is a laptop so I’ve never tried remotely, though I have enabled/disabled CIS via T. T is pretty darn good and it’s freeware. I would use T even if I didn’t use CIS. T is some amazing shit.

take care. :a0

or

  1. Install a “Rootkit Trojan” on server. :a0
  2. Reboot S.
  3. Install CIS without AV.
  4. Check if it works.

:a0

slangen,

Thanks for the reply. Though, this is where I envision a problem just like what I have already seen. The issue I’m having isn’t the remote desktop protocol connection, it’s getting initial network connectivity. Maybe I was unclear about that and I apologize. When I install CIS and restart, the server never reconnects to the router to get an IP address. I believe CIS is awaiting input from the user before it instantiates the initial connection. As I cannot provide this input on my setup, it will never create the connection.

-JesterEE

Are you saying your system is using DHCP to get an IP address?

No, it is statically defined by MAC address in my router configuration table. It just doesn’t re-establish connection after reboot.

-JesterEE

So you have created a static reservation on your DHCP server? Because in that case it still needs to allow DHCP traffic in/out to receive the reservation.
After that it has an IP address and if that is established then you should be able to use Remote Desktop.

This should work: install, open the GUI, set the firewall to disabled, change “More, settings” so that “Automatically detect private networks” is disabled, AND then reboot.