Appendix A—Firewall Rules for Windows

This script configures the firewall appropriately to allow communication between the Keyfactor Remote CA Gateway Connector and the Azure-hosted Keyfactor Remote CA Service server. It should be run as an Enterprise Admin in an administrative PowerShell window on the Keyfactor Remote CA Gateway Connector machine.

Usage: KeyfactorAnyGatewayFirewallRules.ps1

Customizations:

  • RemoteAddress
    This value needs to be customized to match the IP address of the Azure-based server hosting your Keyfactor Remote CA Configuration Portal. Your Keyfactor representative can provide this to you.

  • Program
    If you installed the Keyfactor Remote CA Gateway Connector software in a non-default path, modify the script to change the -Program reference before executing it.

KeyfactorAnyGatewayFirewallRules.ps1 script contents:

# Inbound rule: allow the Azure-hosted Remote CA Service (RemoteAddress) to reach
# the Gateway Connector process over RPC. Replace 10.9.8.7 with the address
# supplied by your Keyfactor representative, and adjust -Program if the
# connector was installed in a non-default path.
Write-Host 'Enabling "Keyfactor Gateway Connector RPC-IN"'
New-NetFirewallRule -DisplayName "Keyfactor Gateway Connector RPC-IN" `
  -Description "An inbound rule to allow traffic to the Keyfactor Gateway Connector for enterprise certificate enrollment." `
  -Direction Inbound `
  -RemoteAddress "10.9.8.7" `
  -LocalPort "RPC" `
  -RemotePort "49152-65535" `
  -Program "C:\Program Files\Keyfactor\Keyfactor Gateway Connector\GatewayConnector.exe" `
  -Protocol TCP `
  -Action Allow

# Enable the built-in Windows rule for inbound DCOM and echo its state so the
# result of the run can be checked.
Write-Host 'Enabling "COM+ Network Access (DCOM-In)"'
Set-NetFirewallRule -DisplayName "COM+ Network Access (DCOM-In)" -Enabled True
Get-NetFirewallRule -DisplayName "COM+ Network Access (DCOM-In)"

If your Keyfactor Remote CA Service and Keyfactor Remote CA Configuration Portal are on different servers, you will need to run the script for both servers.
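The appendix script creates a new rule on every run (New-NetFirewallRule does not de-duplicate on DisplayName) and does not check that the -Program path exists. The following is an added example, not part of Keyfactor's script, that wraps the same two rules with a path check, in-place update and a verification summary; the $RemoteAddress and $Program parameters and the output object are assumptions about how an administrator might structure it.

```powershell
# Added example (not Keyfactor's script): idempotent variant of the appendix
# rules with pre-checks. Run from an administrative PowerShell window, e.g.
#   .\Set-KeyfactorGatewayFirewall.ps1 -RemoteAddress 10.9.8.7   (placeholder)
param(
    [Parameter(Mandatory)][ipaddress]$RemoteAddress,
    [string]$Program = "C:\Program Files\Keyfactor\Keyfactor Gateway Connector\GatewayConnector.exe"
)
$ErrorActionPreference = 'Stop'
$ruleName = "Keyfactor Gateway Connector RPC-IN"

# Fail early if the connector binary is not where the rule expects it:
# a -Program rule pointing at a missing path matches no traffic.
if (-not (Test-Path -LiteralPath $Program -PathType Leaf)) {
    throw "Gateway Connector executable not found at '$Program'; adjust -Program."
}

# Update an existing rule in place instead of creating a duplicate.
$existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($existing) {
    $existing | Set-NetFirewallRule -RemoteAddress $RemoteAddress.IPAddressToString `
        -Program $Program -Enabled True
} else {
    New-NetFirewallRule -DisplayName $ruleName `
        -Description "An inbound rule to allow traffic to the Keyfactor Gateway Connector for enterprise certificate enrollment." `
        -Direction Inbound `
        -RemoteAddress $RemoteAddress.IPAddressToString `
        -LocalPort "RPC" `
        -RemotePort "49152-65535" `
        -Program $Program `
        -Protocol TCP `
        -Action Allow | Out-Null
}

# Same built-in DCOM rule the appendix enables.
Set-NetFirewallRule -DisplayName "COM+ Network Access (DCOM-In)" -Enabled True

# Verify: the rule is enabled, scoped to one remote address and one program.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$addr = $rule | Get-NetFirewallAddressFilter
$app  = $rule | Get-NetFirewallApplicationFilter
[pscustomobject]@{
    Rule          = $rule.DisplayName
    Enabled       = $rule.Enabled
    RemoteAddress = $addr.RemoteAddress
    Program       = $app.Program
    DcomEnabled   = (Get-NetFirewallRule -DisplayName "COM+ Network Access (DCOM-In)").Enabled
}
```

If RemoteAddress shows "Any" or Program is empty in the summary, the rule is broader than the appendix intends and should be corrected before the connector is put into service.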