Firewall Ports and External Exceptions

Purpose:

PDQ Deploy and PDQ Inventory require that both the console and the target computers have certain firewall ports open.

In addition, use of the Central Server feature will require an additional open port on the PDQ console running in Server Mode.

Resolution:

Firewall ports and exceptions are covered in the following:

Ports and Group Policy
Central Server
External Exceptions

IMPORTANT:

The ports outlined in this KB are in addition to the normal ports open for such things as LDAP (TCP 389)/AD, Kerberos, DNS, etc. It is strongly recommended you do not disable or otherwise modify the firewall to block or impede the proper functioning of those ports.


Ports and Group Policy:

The following open ports are required on the Windows Firewall (or any other firewall) for proper functionality of both PDQ Deploy and PDQ Inventory. If you can manage remote computers using standard Windows administration tools you should be set since we use the same SMB protocol:

PDQ Server and Target Machines

  • ICMPv4-In
  • ICMPv6-In
  • TCP 445 (SMB)

Central Server Ports

  • TCP 6336 (default for PDQ Deploy Central Server, may be changed to a different unused port)
  • TCP 7337 (default for PDQ Inventory Central Server, may be changed to a different unused port)

Legacy Ports for PDQ Server and Target Machines

  • TCP 137 (Only required for legacy SMB)
  • UDP 137 (Only required for legacy SMB)
  • UDP 138 (Only required for legacy SMB)
  • TCP 139 (Only required for legacy SMB)

NOTE:

In light of recent ransomware attacks, it is important to note that PDQ Deploy utilizes whichever version of SMB is available in your network. In most cases this will be the latest version, SMBv3, and will exclude SMBv1, which is the vulnerable version of SMB. SMBv1 is used by Windows XP and Windows Server 2003, both of which are no longer supported by PDQ Deploy.

In Group Policy (recommended), the settings to open the ports above and ICMP are located in Computer Configuration > Administrative Templates > Network > Network Connections > Windows Defender Firewall > Domain Profile

Alternatively, you may also define port exceptions in Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security, but that is not the Group Policy location described in the examples below.

  1. Windows Defender Firewall: Allow inbound file and printer sharing exception
    This setting opens UDP ports 137 and 138, and TCP ports 139 and 445. TCP 445 specifically is required for the IPC$ and ADMIN$ shares to be available, and the others are legacy SMB ports. Administrative access to these shares is required. (If using a local account to deploy/scan target computers, please see this article for additional configuration settings).
  2. Windows Defender Firewall: Allow ICMP exceptions
    This rule allows a target computer to respond to ping requests. Ping is used by PDQ Deploy and PDQ Inventory to determine the Online status of a computer.

In the end, you should have something that looks like this (some additional objects have also been enabled):
[Screenshot: resulting Group Policy firewall settings]

NOTES:

  • If you are enabling these rules on computers that are not members of an Active Directory (AD) domain then use: Computer Configuration > Administrative Templates > Network > Network Connections > Windows Defender Firewall > Standard Profile
  • If the target machine is not a member of an AD domain, you may need to disable Remote UAC restrictions. Click here for instructions.
  • PDQ products ping the Fully Qualified Domain Name (FQDN) of a target or console machine to determine if it is online.
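The checks above (ICMP reply on the FQDN, TCP 445 for the ADMIN$/IPC$ shares, and an inbound allow rule on the console's Central Server port) can be verified from the PDQ console with the following script. This is an added example, not code from the PDQ article or product; the target names and the port are assumptions to replace with your own.

```powershell
# Added example (not from the PDQ article): verify from the PDQ console that each
# target answers ICMP on its FQDN and accepts TCP 445, and that the console itself
# has a listener and an inbound allow rule on the Central Server port.
# $Targets and $CentralServerPort are assumed values; adjust for your environment.

$Targets           = @('ws01.corp.example', 'ws02.corp.example')  # assumed FQDNs
$CentralServerPort = 6336   # PDQ Deploy default; 7337 for PDQ Inventory

function Test-PdqTarget {
    param([string]$ComputerName)

    # Resolve first: PDQ pings the FQDN, so a DNS failure also shows as "offline".
    $fqdn = try { [System.Net.Dns]::GetHostEntry($ComputerName).HostName } catch { $null }

    # ICMP echo; a target without the "Allow ICMP exceptions" setting returns False here.
    $ping = if ($fqdn) { Test-Connection -ComputerName $fqdn -Count 1 -Quiet } else { $false }

    # TCP 445 must accept a connection for ADMIN$ / IPC$; legacy 137-139 are not checked.
    $smb = if ($fqdn) {
        (Test-NetConnection -ComputerName $fqdn -Port 445 -WarningAction SilentlyContinue).TcpTestSucceeded
    } else { $false }

    [pscustomobject]@{
        Target = $ComputerName
        FQDN   = $fqdn
        Ping   = $ping
        Smb445 = $smb
        Status = if ($ping -and $smb) { 'OK' } elseif (-not $fqdn) { 'DNS failure' }
                 elseif (-not $ping) { 'ICMP blocked or offline' } else { 'TCP 445 blocked' }
    }
}

# Console side: is something listening on the Central Server port, and is there an
# enabled inbound allow rule for it (the rule Central Server setup creates)?
function Test-PdqCentralServerPort {
    param([int]$Port)
    $listening = [bool](Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
    $rule = Get-NetFirewallPortFilter -Protocol TCP |
            Where-Object { $_.LocalPort -eq "$Port" } |
            Get-NetFirewallRule |
            Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }
    [pscustomobject]@{ Port = $Port; Listening = $listening; InboundAllowRule = [bool]$rule }
}

$Targets | ForEach-Object { Test-PdqTarget -ComputerName $_ } | Format-Table -AutoSize
Test-PdqCentralServerPort -Port $CentralServerPort | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the console; a target reported as "TCP 445 blocked" while Ping is True usually means the file and printer sharing exception is missing or a third-party firewall is in the way.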


Central Server:

Central Server can automatically create a Windows Firewall rule on the PDQ console running in Server Mode. The following is from the initial setup and is also available post-install via Options > Central Server, Change Settings. This is the window in PDQ Deploy (Inventory is nearly identical).
[Screenshot: Central Server firewall rule option in the PDQ Deploy setup window]

This is equivalent to the following command (PDQ Deploy):

netsh advfirewall firewall add rule name="PDQ Deploy" dir=in action=allow program="C:\Program Files (x86)\Admin Arsenal\PDQ Deploy\PDQDeployService.exe" enable=yes localport=6336 remoteport=6336 protocol=tcp profile=any


External Exceptions:

PDQ Deploy and PDQ Inventory access the internet to perform regular tasks such as updating the Package Library, Collection Library, Tools Library, and System Variables (used in collections). In addition to these regular connections, PDQ products periodically check for program updates, package updates, license expiration information, and notifications from PDQ.com (for example, webcast notices, beta notices, etc.).

In order for these connections to function properly, PDQ products will require access to the following external sites:

https://aafiles.blob.core.windows.net
https://pdqlibrary1.blob.core.windows.net
https://secure.adminarsenal.com/
https://cfcdn.pdq.com
https://download.pdq.com/
https://library.pdq.com
https://secure.pdq.com/
https://services.pdq.tools

You can test these connections by using Google Chrome or IE/Edge (with friendly error messages turned off).

Also ensure that you are not blocking any Cloudflare IP ranges as this will prevent successful connections to the Library content as well. These ranges may be found in the link below and are updated periodically.
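Besides testing in a browser, the sites listed above can be checked from the console with the following script, which separates a DNS failure (name does not resolve), a TLS trust failure (typically an intercepting proxy), a connection that never completes, and an HTTP answer of any status (which proves the path is open even if the page itself is a block or error page). This is an added example, not code from PDQ; the URL list is taken from the article, everything else is assumed.

```powershell
# Added example (not from the PDQ article): test HTTPS reachability of each external
# site PDQ Deploy / PDQ Inventory need, classifying the failure mode for each one.
# The site list is copied from the article above.

$PdqSites = @(
    'https://aafiles.blob.core.windows.net',
    'https://pdqlibrary1.blob.core.windows.net',
    'https://secure.adminarsenal.com/',
    'https://cfcdn.pdq.com',
    'https://download.pdq.com/',
    'https://library.pdq.com',
    'https://secure.pdq.com/',
    'https://services.pdq.tools'
)

function Test-PdqExternalSite {
    param([string]$Url)
    $hostName = ([uri]$Url).Host

    # Step 1: DNS. A name that does not resolve usually means an internal DNS block or sinkhole.
    try { $ips = ([System.Net.Dns]::GetHostAddresses($hostName).IPAddressToString) -join ',' }
    catch { return [pscustomobject]@{ Url = $Url; Resolved = $null; Result = 'DNS failure' } }

    # Step 2: HTTPS HEAD request. Any HTTP status, even 400/403/404, shows the TCP and TLS
    # path works; a firewall or WAF block page still answers, so the status is reported as-is.
    try {
        $r = Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing -TimeoutSec 10
        $result = "HTTP $($r.StatusCode)"
    } catch {
        $ex = $_.Exception
        if ($ex.Response) {
            $result = "HTTP $([int]$ex.Response.StatusCode) (server answered)"
        } elseif ($ex -is [System.Net.WebException] -and $ex.Status -eq 'TrustFailure') {
            $result = 'TLS trust failure (intercepting proxy or untrusted CA?)'
        } else {
            $result = "Connection failed: $($ex.Message)"
        }
    }
    [pscustomobject]@{ Url = $Url; Resolved = $ips; Result = $result }
}

$PdqSites | ForEach-Object { Test-PdqExternalSite -Url $_ } | Format-Table -AutoSize
```

A "Connection failed" result for a site whose name resolves to a Cloudflare address points at the IP-range blocking mentioned above rather than at DNS.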

Is PDQ blocking the traffic coming from my network?

Although rare, it is possible for requests coming from your network to be blocked by our firewall. If you go to one of the above URLs and get a screen that looks like this (see below), your traffic has been flagged as potentially malicious and has been blocked. If this happens to you, please open a support ticket and we can help!

[Screenshot: block page shown when traffic is flagged by the PDQ firewall]

See Also:

Article - Configuring Central Server - PDQ Deploy

Article - Configuring Central Server - PDQ Inventory

Article - How It Works: PDQ Deploy

Article - How It Works: PDQ Inventory

Article - See Firewall activity in Windows Defender Firewall logs

Article - Can't access ADMIN$ share using a local user or LAPS account

Article - Getting Started With PDQ Deploy & PDQ Inventory
