Firewall Ports and External Exceptions

Purpose

PDQ Deploy & Inventory require both console and target computers to have certain firewall ports open.

In addition, the Central Server feature requires one additional open port on the PDQ console running in Server Mode.


The ports outlined in this KB are in addition to the normal ports open for such things as LDAP (TCP 389)/AD, Kerberos, DNS, etc. It is strongly recommended you do not disable or otherwise modify the firewall to block or impede the proper functioning of those ports.


Ports and Group Policy

The following ports must be open on the Windows Firewall (or any other firewall) for PDQ Deploy & Inventory to function. If you can already manage remote computers with the standard Windows administration tools, you should be set, since PDQ uses the same SMB protocol.

PDQ Server and Target Machines

  • ICMPv4-In
  • ICMPv6-In
  • TCP 445 (SMB)

Central Server Ports

  • TCP 6336 (default for PDQ Deploy Central Server, may be changed to a different unused port)
  • TCP 7337 (default for PDQ Inventory Central Server, may be changed to a different unused port)

Legacy Ports for PDQ Server and Target Machines

  • TCP 137 (Only required for legacy SMB)
  • UDP 137 (Only required for legacy SMB)
  • UDP 138 (Only required for legacy SMB)
  • TCP 139 (Only required for legacy SMB)

In light of recent ransomware attacks, note that PDQ Deploy uses whichever SMB version your network negotiates. In most cases this is the latest version, SMBv3, and SMBv1, the vulnerable version of SMB, is not used at all. SMBv1 is needed only by Windows XP and Windows Server 2003, neither of which is still supported by PDQ Deploy.

In Group Policy (recommended), the settings to open the ports above and ICMP are located in Computer Configuration > Administrative Templates > Network > Network Connections > Windows Defender Firewall > Domain Profile

Alternatively, you may also define port exceptions in Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security, but that is not the Group Policy location described in the examples below.

  1. Windows Defender Firewall: Allow inbound file and printer sharing exception
    This setting opens UDP ports 137 and 138 and TCP ports 139 and 445. TCP 445 specifically is required for the IPC$ and ADMIN$ shares to be reachable; the others are legacy SMB ports. Administrative access to these shares is required. (If you deploy to or scan target computers with a local account rather than a domain account, see the article on ADMIN$ access with a local user or LAPS account, linked under See Also.)
    FW01.png
  2. Windows Defender Firewall: Allow ICMP exceptions
    This rule allows a target computer to respond to ping requests. Ping is used by PDQ Deploy & Inventory to determine the Online status of a computer.
    FW02.png

In the end, you should have something that looks like this (some additional objects have also been enabled):
RDCMan_MlOJh7amy9.png


If you are enabling these rules on computers that are not members of an Active Directory (AD) domain then use: Computer Configuration > Administrative Templates > Network > Network Connections > Windows Defender Firewall > Standard Profile

If the target machine is not a member of an AD domain, you may need to disable Remote UAC restrictions. Click here for instructions.

PDQ products ping the Fully Qualified Domain Name (FQDN) of a target or console machine to determine if it is online.
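The prerequisites above (FQDN resolution, ICMP, TCP 445, administrative access to ADMIN$, and a non-legacy SMB version) can be checked from the console before troubleshooting a target that shows as Offline. The following is an added example written for this article, not PDQ's own code; it assumes you run it on the console as an account with administrative rights on the targets, and the computer names at the bottom are placeholders.

```powershell
# Added example (not PDQ's own code): pre-flight check, run from the PDQ console,
# of the prerequisites this article lists for a target machine.
# Assumes: run as an account with admin rights on the targets; the names passed
# in at the bottom are placeholders.

function Test-PdqTarget {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$ComputerName
    )
    process {
        foreach ($name in $ComputerName) {
            # PDQ pings the FQDN, so resolve it first: a resolution failure shows
            # up as "Offline" in the console even if the host answers by IP.
            $fqdn = $null
            try { $fqdn = [System.Net.Dns]::GetHostEntry($name).HostName } catch {}
            $target = if ($fqdn) { $fqdn } else { $name }

            # ICMP echo: covered by the "Allow ICMP exceptions" policy above.
            $ping = Test-Connection -ComputerName $target -Count 1 -Quiet -ErrorAction SilentlyContinue

            # TCP 445: covered by the "Allow inbound file and printer sharing exception" policy.
            $smb = (Test-NetConnection -ComputerName $target -Port 445 -WarningAction SilentlyContinue).TcpTestSucceeded

            # ADMIN$ must be reachable with administrative rights for deploy/scan.
            $adminShare = $false
            if ($smb) { $adminShare = Test-Path -Path "\\$target\ADMIN$" -ErrorAction SilentlyContinue }

            # The SMB dialect this console negotiated with the target (3.1.1 on
            # current Windows). Anything below 2.x means legacy SMB is in use.
            $dialect = $null
            if ($adminShare) {
                $dialect = (Get-SmbConnection -ServerName $target -ErrorAction SilentlyContinue |
                            Select-Object -First 1).Dialect
            }

            [pscustomobject]@{
                ComputerName = $name
                Fqdn         = $fqdn
                Ping         = [bool]$ping
                Smb445       = [bool]$smb
                AdminShare   = [bool]$adminShare
                SmbDialect   = $dialect
                Ready        = [bool]($ping -and $smb -and $adminShare)
            }
        }
    }
}

# Usage (placeholder computer names):
'ws01', 'ws02' | Test-PdqTarget | Format-Table -AutoSize
```

A row with Ping false but Smb445 true usually means only the ICMP exception is missing; Smb445 true with AdminShare false points at credentials or Remote UAC rather than the firewall.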


Central Server

Central Server can automatically create a Windows Firewall rule on the PDQ console running in Server Mode. The following is from the initial setup and is also available post-install via Options > Central Server, Change Settings. This is the window in PDQ Deploy (Inventory is nearly identical).
FW041.png

This is equivalent to the following commands:

PDQ Deploy (the PDQ Inventory rule has the same form, using the PDQ Inventory service executable and its Central Server port, TCP 7337 by default):

netsh advfirewall firewall add rule name="PDQ Deploy" dir=in action=allow program="C:\Program Files (x86)\Admin Arsenal\PDQ Deploy\PDQDeployService.exe" enable=yes localport=6336 remoteport=6336 protocol=tcp profile=any
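The same rule expressed with the NetSecurity cmdlets, together with a check of what the created rule actually allows, as an added example (editor's code, not PDQ's). It assumes the default port 6336 and the install path shown in the netsh command; pass a different port and executable for PDQ Inventory or a custom port. One point worth knowing when comparing with the netsh form: for an inbound rule, remoteport constrains the source port of the connecting client. Consoles connecting to the Central Server use ephemeral source ports, so the example leaves RemotePort unset (Any) and restricts the rule by program and local port instead.

```powershell
# Added example (not PDQ's own code): Central Server inbound rule via the
# NetSecurity module, plus a read-back of the rule's filters.
# Assumes the default PDQ Deploy port and install path; override as needed.

function Add-PdqCentralServerRule {
    param(
        [string]$DisplayName = 'PDQ Deploy',
        [int]$Port = 6336,
        [string]$Program = 'C:\Program Files (x86)\Admin Arsenal\PDQ Deploy\PDQDeployService.exe'
    )
    if (-not (Test-Path -LiteralPath $Program)) { throw "Service executable not found: $Program" }

    # Do not add a duplicate if the console (or a previous run) already created it.
    $existing = Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue
    if ($existing) { return $existing }

    # Inbound, allow, scoped to the service binary and its listening port.
    # RemotePort is deliberately left at Any: clients connect from ephemeral
    # source ports, so pinning it (remoteport=6336 in the netsh form) only
    # matches connections that happen to originate from port 6336.
    New-NetFirewallRule -DisplayName $DisplayName -Direction Inbound -Action Allow `
        -Program $Program -Protocol TCP -LocalPort $Port -Profile Any -Enabled True
}

function Show-PdqCentralServerRule {
    param([string]$DisplayName = 'PDQ Deploy')
    $rule = Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction Stop
    $port = $rule | Get-NetFirewallPortFilter
    $app  = $rule | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
        Name       = $rule.DisplayName
        Enabled    = $rule.Enabled
        Profile    = $rule.Profile
        Action     = $rule.Action
        Protocol   = $port.Protocol
        LocalPort  = $port.LocalPort
        RemotePort = $port.RemotePort
        Program    = $app.Program
    }
}

Add-PdqCentralServerRule | Out-Null
Show-PdqCentralServerRule

# From a client console, confirm the server answers on the port (placeholder name):
# Test-NetConnection -ComputerName pdq-server.example.com -Port 6336
```

If Show-PdqCentralServerRule reports RemotePort other than Any on a rule you did not create this way, and client consoles cannot connect, that restriction is the first thing to remove.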

External Exceptions

PDQ Products access the internet to perform regular tasks such as:

  • Update Packages from the Package Library
  • Update Collections from the Collection Library
  • Update Tools from the Tools Library
  • Update System Variables used in multiple Products
  • Verify License Expiration Information
  • Important notifications from PDQ.com

In order for these connections to work properly, PDQ Deploy & Inventory require access to the following external sites:

If PDQ Deploy Package Library packages download only partially or arrive corrupt, ensure these URLs are explicitly allowed on your firewall or proxy server. In some environments the pages themselves are reachable (the expected XML error page loads) while the file downloads are still being blocked or truncated by the firewall or proxy server.

Additionally, you must ensure that you are not blocking any Cloudflare IP ranges as this will also prevent connections to PDQ.com resources. These ranges are updated periodically and found here: https://www.cloudflare.com/ips
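The two failure modes just described (the page loads but the file is truncated, and a Cloudflare range block silently cutting off PDQ.com) can both be tested from the console. The following is an added example written for this article, not PDQ's own code. The host list and download URL in it are placeholders: substitute the external sites this article lists and a real package URL. It fetches the published Cloudflare IPv4 list, checks which of your hosts resolve into those ranges, tests TCP 443 reachability, and compares a download's size against the server's Content-Length.

```powershell
# Added example (not PDQ's own code). Assumes: $Hosts and $TestUrl are
# placeholders to be replaced with the sites listed in this article.

function Get-CloudflareIPv4Ranges {
    # Plain-text form of the list published at https://www.cloudflare.com/ips
    (Invoke-RestMethod -Uri 'https://www.cloudflare.com/ips-v4' -UseBasicParsing) -split '\s+' |
        Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+/\d+$' }
}

function Test-IPv4InCidr {
    param([string]$IP, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    $bits = [int]$bits
    if ($bits -eq 0) { return $true }
    # Address bytes (network order) -> uint32, then compare the top $bits bits.
    $toInt = { param($a) [BitConverter]::ToUInt32(([ipaddress]$a).GetAddressBytes()[3..0], 0) }
    $shift = 32 - $bits
    return ((& $toInt $IP) -shr $shift) -eq ((& $toInt $net) -shr $shift)
}

function Test-ExternalHost {
    param([string]$HostName, [string[]]$CloudflareRanges)
    $ips = [System.Net.Dns]::GetHostAddresses($HostName) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString }
    $behindCf = foreach ($ip in $ips) {
        foreach ($r in $CloudflareRanges) { if (Test-IPv4InCidr -IP $ip -Cidr $r) { $ip; break } }
    }
    # Test-NetConnection opens a direct TCP connection and ignores the proxy, so
    # a pass here together with a failing download points at the proxy itself.
    $tcp = (Test-NetConnection -ComputerName $HostName -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
    [pscustomobject]@{
        Host             = $HostName
        Addresses        = ($ips -join ',')
        BehindCloudflare = [bool]$behindCf
        Https443         = [bool]$tcp
    }
}

function Test-CompleteDownload {
    # A proxy that lets the page load but truncates the body shows up here as
    # Expected -ne Actual (the partial/corrupt package symptom described above).
    param([string]$Url)
    $tmp = [System.IO.Path]::GetTempFileName()
    try {
        $head = Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing
        $len  = $head.Headers['Content-Length'] | Select-Object -First 1
        $expected = if ($len) { [int64]$len } else { $null }   # absent on chunked responses
        Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing
        $actual = (Get-Item -LiteralPath $tmp).Length
        [pscustomobject]@{
            Url      = $Url
            Expected = $expected
            Actual   = $actual
            Complete = if ($null -ne $expected) { $expected -eq $actual } else { $null }
        }
    }
    finally { Remove-Item -LiteralPath $tmp -ErrorAction SilentlyContinue }
}

$Hosts   = @('www.pdq.com')         # placeholder: use the external sites listed above
$TestUrl = 'https://www.pdq.com/'   # placeholder: use a Package Library download URL
$ranges  = Get-CloudflareIPv4Ranges
$Hosts | ForEach-Object { Test-ExternalHost -HostName $_ -CloudflareRanges $ranges } | Format-Table -AutoSize
Test-CompleteDownload -Url $TestUrl | Format-List
```

A host reported as BehindCloudflare true must not be covered by any deny rule for the Cloudflare ranges; a download with Complete false while Https443 is true is the proxy interfering with the body rather than a blocked port.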

Is PDQ blocking the traffic coming from my network?

Although rare, it is possible for requests coming from your network to be blocked by our firewall. If you go to one of the above URLs and get a screen that looks like this (see below), your traffic has been flagged as potentially malicious and has been blocked. If this happens to you, please open a support ticket and we can help!

mceclip0.png

See Also:

Article - Configuring Central Server - PDQ Deploy

Article - Configuring Central Server - PDQ Inventory

Article - How It Works: PDQ Deploy

Article - How It Works: PDQ Inventory

Article - See Firewall activity in Windows Defender Firewall logs

Article - Can't access ADMIN$ share using a local user or LAPS account

Article - Getting Started With PDQ Deploy & PDQ Inventory
