Need firewall recomendation - special requirements

[BiPolar_Nut]

I need a software firewall meeting the following requirements:

Must run on Windows Server 2k3
Must be configurable to allow inbound Terminal Services traffic immediately upon installation.

The second criteria is causing me headaches. I will be installing via a remote desktop session and I do not have physical access to the machine. Both Sygate and Comodo will install fine on 2k3, but neither seem to allow any configuration until after the system is rebooted (Sygate won't run until rebooted, and Comodo won't allow rules to be added, and even setting Comodo to "allow all" doesn't work because that setting is not saved, apparently...at least not after the installer runs and before rebooting)...at which point it's too late because inbound connections are blocked at that point.

Although it's trivial to open the necessary ports while sitting in front of the machine after the reboot that completes the install process, I need to be able to do it from a Terminal Services session (which obv must be unblocked prior to rebooting).

Using 2k3's built-in firewall is not an option.

Thanks!

(Other firewall programs I've looked at do not run on 2ks so pls verify your suggestion is 2k3-computable before posting)

[Dementia]

Sygate firewall pro is the only thing I use bro. [img]/images/graemlins/frown.gif[/img]

[Freakin]

i don't suppose you have remote access to the console through VGA over IP available to you? That would kinda make it easy.

What about finding out where sygate or comodo save config settings and putting the file in place immediately after installing them?

[BiPolar_Nut]

[ QUOTE ]
i don't suppose you have remote access to the console through VGA over IP available to you? That would kinda make it easy.

What about finding out where sygate or comodo save config settings and putting the file in place immediately after installing them?

[/ QUOTE ]

I've checked for config files in both and registry entries for sygate...as best I can tell the config is stored in .dat files but aren't clear text (and may even be encrypted)...guess I'll fire up the hex editor and see if that yields any clues.

Will also try a default config, save it, add a rule, then run a diff. I was just hoping someone knew a pre-configurable product instead of going through all that trouble.

Thanks for trying! Will post the trip report if I get it working.

[BiPolar_Nut]

.dat files seem to be encrypted [img]/images/graemlins/frown.gif[/img] (in sygate...haven't re-tried Comodo yet)

[BiPolar_Nut]

Apparently, two files are used for storing each "advanced rule" in Sygate, but I found another problem that's a deal-breaker.

Sygate won't display the popups on a terminal service session, nor can you bring up the configuration.

Off to trying comodo again.

[Freakin]

[ QUOTE ]
Apparently, two files are used for storing each "advanced rule" in Sygate, but I found another problem that's a deal-breaker.

Sygate won't display the popups on a terminal service session, nor can you bring up the configuration.


[/ QUOTE ]

configure RDP to connect to console. that may get around it

[BiPolar_Nut]

[ QUOTE ]
configure RDP to connect to console. that may get around it

[/ QUOTE ]

That would prolly work...currently back on comodo on the test server at the moment tho...looking like it stores configuration in one large file as opposed to sygate's multiple files. I like the multi-file setup better.

['Chair]

[ QUOTE ]
[ QUOTE ]
configure RDP to connect to console. that may get around it

[/ QUOTE ]

That would prolly work...currently back on comodo on the test server at the moment tho...looking like it stores configuration in one large file as opposed to sygate's multiple files. I like the multi-file setup better.

[/ QUOTE ]

bingo...make your own msi installation file.

[BiPolar_Nut]

[ QUOTE ]
bingo...make your own msi installation file.

[/ QUOTE ]

This is something I have never considered. I've never made .msi's before so I'm not sure what I'd be getting in to but without a doubt it could come in handy in many situations (like pushing out software via AD that hasn't been msi-packaged). I'll check into that. Thanks!