Hyper-V Replication Firewall Rules on Nano Server

Nano Server is the newest edition in the Windows Server family and, because of its ultra-low footprint and patching requirement, it makes an ideal Hyper-V host for running your private cloud infrastructure.

One of the resiliency features in Hyper-V, Hyper-V Replica, allows you to replicate a VM on a timed interval of as low as 30 seconds. This isn’t a new feature but is a great one nonetheless, and it is ideally suited to organisations with multiple data centres wanting to protect their VMs across two or more sites without the need for expensive SAN replication technologies.

Nano Server ships by default with the Windows Firewall enabled, and there are two rules for Hyper-V Replica, both of which are disabled by default. If you want to use Hyper-V Replica, then even once you’ve configured everything you need via the Hyper-V Manager console or PowerShell, such as virtual networks and enabling the Hyper-V Replica feature, you will still need to enable the relevant firewall rule.

Nano Server and Group Policy Settings

It is important to note that Nano Server does not process Group Policy like a Server Core or GUI-based Windows Server, therefore you cannot configure this using an Advanced Windows Firewall policy Group Policy Object. If you want to apply Group Policy derived settings to a Nano Server host then you should refer to this TechNet post at https://blogs.msdn.microsoft.com/powershell/2016/05/09/new-security-cmdlets-in-nano-server/. Nano Server and Windows Server 2016 in general include new PowerShell cmdlets that allow you to take an export from utilities such as SecEdit or AuditPol and then import the resulting files from these tools into Nano Server.

The following snippets of PowerShell code are for enabling the specific rules whether you use HTTP or HTTPS for replication. Bear in mind that you could include this in a Nano host build script to automate the configuration of your hosts.

Enable Hyper-V Replication over HTTP

If you are using Hyper-V Replica over HTTP with Kerberos authentication then you will need to enable the firewall rule for this using the following PowerShell snippet.

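$Cred = Get-Credential
# Open an interactive remote session to the Nano Server host
Enter-PSSession -ComputerName <NanoHostFQDN> -Credential $Cred

# Enable the built-in inbound rule for the Hyper-V Replica HTTP listener
Set-NetFirewallRule -Name VIRT-HVRHTTPL-In-Tcp-NoScope -Enabled True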

Enable Hyper-V Replication over HTTPS

If you are using Hyper-V Replica over HTTPS with certificate-based authentication then you will need to enable the firewall rule for this using the following PowerShell snippet. Bear in mind that as Nano Server does not process Group Policy, any certificate auto-enrollment policies you have configured in the domain will not apply, so you will need to manually request and issue the certificates to the hosts, or automate this via another means.

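$Cred = Get-Credential
# Open an interactive remote session to the Nano Server host
Enter-PSSession -ComputerName <NanoHostFQDN> -Credential $Cred

# Enable the built-in inbound rule for the Hyper-V Replica HTTPS listener
Set-NetFirewallRule -Name VIRT-HVRHTTPSL-In-Tcp-NoScope -Enabled True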
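For a host build script, the two snippets above can be combined into one function, shown here as an added example that is not part of the original post: it uses Invoke-Command rather than an interactive Enter-PSSession, enables only the rule for the transport in use and keeps the other one disabled. The function name, its parameters (including the optional -PartnerAddress restriction) and the host name in the usage comment are assumptions.

```powershell
# Added example: function and parameter names are hypothetical.
# The two rule names are the ones used in the snippets on this page.
function Enable-ReplicaListenerRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [ValidateSet('HTTP', 'HTTPS')] [string] $Transport,
        [Parameter(Mandatory)] [pscredential] $Credential,
        # Optional: address(es) of the replication partner allowed to connect.
        [string[]] $PartnerAddress
    )

    $rules = @{
        HTTP  = 'VIRT-HVRHTTPL-In-Tcp-NoScope'
        HTTPS = 'VIRT-HVRHTTPSL-In-Tcp-NoScope'
    }
    $wanted   = $rules[$Transport]
    $unwanted = $rules.Values | Where-Object { $_ -ne $wanted }

    # Invoke-Command runs unattended, unlike the interactive Enter-PSSession.
    Invoke-Command -ComputerName $ComputerName -Credential $Credential -ScriptBlock {
        param($Wanted, $Unwanted, $Partner)

        # Stop here if the built-in rule is missing rather than continuing silently.
        $null = Get-NetFirewallRule -Name $Wanted -ErrorAction Stop

        Set-NetFirewallRule -Name $Wanted -Enabled True
        if ($Partner) {
            # Limit inbound replication traffic to the partner host(s).
            Set-NetFirewallRule -Name $Wanted -RemoteAddress $Partner
        }
        # Keep the listener rule for the transport you are not using disabled.
        Set-NetFirewallRule -Name $Unwanted -Enabled False

        # Return the resulting state of both rules for the build log.
        Get-NetFirewallRule -Name $Wanted, $Unwanted |
            Select-Object Name, Enabled, Profile, Direction
    } -ArgumentList $wanted, $unwanted, $PartnerAddress
}

# Usage (constructed host name):
# Enable-ReplicaListenerRule -ComputerName 'nano01.example.test' -Transport HTTPS -Credential (Get-Credential)
```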

 

richardjgreen

Richard works as a Cloud Consultant for Fordway Solution where his primary focus is to help customers understand, adopt and develop with Microsoft Azure, Office 365 and System Center. Richard Green is an IT Pro with over 15 years of experience in all things Microsoft including System Center and Office 365. He has previously worked as a System Center consultant and as an internal solutions architect across many verticals. Outside of work, he loves motorbikes and is part of the orange army, marshaling for NGRRC, British Superbikes and MotoGP. He is also an Assistant Cub Scout Leader.