Configuring the Window's Firewall for Windows Server® 2012 and 2016

Business Intelligence & Financial Performance PROFITstar® and PROFITability®

Configuring the Window’s Firewall

For Windows Server® 2012 and 2016

Configuring the Window’s Firewall ...... 3 Summary ...... 3 How to Allow Communication through Windows Firewall ...... 4 Firewall Exclusions for SQL Servers ...... 8 Inbound Rules ...... 8 Outbound Rules ...... 10 Additional Firewall Configuration Information for PROFITstar ...... 13 Additional Firewall Configuration Information for Budget Manager ...... 13 Using Whitelisting to Enable Cloud Email Access ...... 14 Appendix – Related Links ...... 15

Configuring the Window’s Firewall Summary If firewall software is used to protect the server, it must be configured to allow incoming connections for the Profitstar Server service. ® This guide contains instructions for configuring the Windows Firewall, in Windows Server 2012, ® ® Windows Server 2012 R2, or Windows Server 2016, to satisfy and manage client requests for ® ® data in the database used by the 2014, or greater, versions of PROFITstar , PROFITability , ® Profitstar Suite™, and PROFITstar Portfolio. “PROFITstar” is used throughout this guide as a generic name for the PROFITstar family of products.

NOTE: Windows Server 2012 R2 screen images are used in this document.

How to Allow Communication through Windows Firewall 1. In Windows Server, go to Control Panel > System and Security and find Windows Firewall. Click Allow an app through Windows Firewall.

2. From the Allowed apps screen, click Allow another app.

3. Click Browse, in the Add an app dialog box.

4. Browse to the Profitstar.Service.exe file.

The default location for the file is determined by the annual version. For the 2018 version, the file is found at: C:\Program Files\Profitstar Server 2018\Profitstar.Service.exe

NOTE: If the PROFITstar programs were installed elsewhere, browse to that location.

In the Browse dialog box, click Open to select the file.

5. With the program now displayed in the Add an app dialog box, click Add to return to Allowed apps.

6. When the Allowed apps screen is displayed, the last program added will be highlighted in the Allowed apps and features list.

Verify that all the check boxes are selected—Name, Domain, Private, and Public.

7. After the Profitstar Service has been selected and added to the Allowed apps and features list, click OK to return to the Windows Firewall screen, where you can exit the Control Panel.

When these changes are made, the Windows Firewall, for Windows Server 2012 or Windows Server 2016, will not prevent the Profitstar Service from accessing the data used by the PROFITstar programs.

NOTE: Windows Servers may also require adding inbound and outbound access for TCP ports 20925 and 20927 through the Windows Firewall. The Profitstar Server utilizes these ports to satisfy and manage client requests for data.

Firewall Exclusions for SQL Servers When the Profitstar Server and the SQL Servers are run on different machines, and the SQL Server is configured with named instances, it is necessary to add exclusions in the Windows Firewall on the SQL server since the named instances now use dynamic ports. To create these Windows Firewall exclusions (using program rules, not port rules) follow these steps:

Inbound Rules 1. From Administrative Tools, open the Windows Firewall with Advanced Security screen.

2. Select Inbound Rules from the panel on the left and click New Rule in the Actions column.

3. New Rule – Rule Type step: When the New Inbound Rule Wizard opens, select Program (if it is not already selected), and click Next.

4. Temporarily leave the New Inbound Rule Wizard and toggle back to Administrative Tools. Open the Services window and find SQL Server Browser in the list. Right-click the service and select Properties.

5. In the SQL Server Browser Properties dialog box, copy the Path to executable information and close the box.

6. New Rule – Program step: Back in the New Inbound Rule Wizard, select This program path and paste the copied path into the program path box. (If quotation marks are also pasted into the box, remove them before proceeding.) Click Next.

7. New Rule – Action step: Choose Allow the connection and click Next.

8. New Rule – Profile step: Select all the check boxes: Domain, Private, and Public. Click Next.

9. New Rule – Name step: Assign a name to the new rule and click Finish.

10. Now, the new rule is included in the list of Inbound Rules.

11. Repeat steps 2 through 9 to create another inbound rule for the SQL Server (MSSQLSERVER) service.

12. When this process is completed, you will have two new inbound rules.

Outbound Rules 1. From Administrative Tools, open the Windows Firewall with Advanced Security window.

2. Select Outbound Rules from the panel on the left and click New Rule in the Actions column.

3. New Rule – Rule Type step: When the New Outbound Rule Wizard opens, select Program (if it isn’t already selected), and click Next.

4. Temporarily leave the New Outbound Rule Wizard and toggle back to Administrative Tools. Open the Services window and find SQL Server Browser in the list. Right-click the service and select Properties. 5. In the SQL Server Properties dialog box, copy the Path to executable information and close the box.

6. New Rule – Program step: Back in the New Outbound Rule Wizard, select This program path and paste the copied path into the program path box. (If quotation marks are also pasted into the box, remove them before proceeding.) Click Next.

7. New Rule – Action step: Choose Allow the connection and click Next.

8. New Rule – Profile step: Select all the check boxes: Domain, Private, and Public. Click Next.

9. New Rule – Name step: Assign a name to the new rule and click Finish.

10. Now, the new rule is included in the list of Outbound Rules.

11. Repeat steps 2 through 9 to create another outbound rule for the SQL Server (MSSQLSERVER) service.

12. When this process is completed, you will have two new outbound rules.

13. Close the Windows Firewall with Advanced Security window.

Additional Firewall Configuration Information for PROFITstar Certain actions in PROFITstar require access to specific ports and URLs. You may need to add the following information to your firewall filter lists: • Downloading the current month’s Key Rates – PROFITstar uses port 80, with the TCP protocol. If the .prn file type is being blocked then an exception will need to be made for that file type. URL: http://profitstarhelp.jackhenry.com/keyrates/keyrates.prn • Checking for Updates – PROFITstar uses port 80, with the TCP protocol. URL: http://profitstarhelp.jackhenry.com/dev/CurrentVersion.txt • Downloading the current month’s CECL rates – CECL uses https, which is usually port 443. URL: https://prod.profitstarsfps.com

Additional Firewall Configuration Information for Budget Manager • Firewall Issues – When the Hosted Budget Manger is accessed, either through a browser or from the PROFITstar client during the Export or Import processes, industry standard ports are used. These ports are 80 (http:) for text and 443 (https:) for secure connections. To be able to perform the Export or Import processes from PROFITstar® or PROFITability®, the PS.exe and PA.exe files need to be given access to port 443 (https:). • Proxy Server Issues – Institutions that utilize a proxy server and integrated authentication may have to add a rule on their proxy server to allow the PS.exe and PA.exe files to connect to the Budget Manager URL (https://www.profitstarbudgetmanager.com/).

Using Whitelisting to Enable Cloud Email Access Cloud email is used in Budget Manager. In addition, the PROFITstar and PROFITability programs can access cloud email functionality, via the Budget Manager site, for User Permissions and Product Survey purposes. (It is not necessary to be a Budget Manager client to have cloud email access.) If the firewall does not allow ProfitStars’ programs to talk to the Budget Manager URL, then the email server will never receive requests to send email and the users won’t receive the requested messages. By whitelisting the IP and Domain, the institution’s security suite knows that any email from the server 198.37.154.211 is from ProfitStars. Use the following information to do this: Domain: @email.profitstarbudgetmanager.com IP: 198.37.154.211 Specific web service: https://www.profitstarbudgetmanager.com/Services/CloudEmailService.svc

Appendix – Related Links The most current version of this document http://profitstarhelp.jackhenry.com/dev/ConfiguringWindowsFirewall.pdf

PROFITstar®, PROFITability®, Profitstar Suite™, and PROFITstar® Portfolio System Requirements http://profitstarhelp.jackhenry.com/dev/CurrentSysReq.pdf

Complete installation instructions containing 2012 data conversion information http://profitstarhelp.jackhenry.com/dev/2018DataConversionInstall.pdf

Installation instructions for existing 2014 and later clients http://profitstarhelp.jackhenry.com/dev/2018NoConversionInstall.pdf

Installation instructions for new clients http://profitstarhelp.jackhenry.com/dev/2018NewInstall.pdf

Hardware recommendations http://profitstarhelp.jackhenry.com/dev/HardwareRecommendations.pdf

Release notes http://profitstarhelp.jackhenry.com/dev/2018ReleaseNotes.pdf

PROFITstar’s Hosted Budget Manager System requirements http://profitstarhelp.jackhenry.com/dev/BudgetManagerHostedSysReq.pdf

Profitstar Web Services for Optimizer Installation guide http://profitstarhelp.jackhenry.com/dev/2018Profitstar Web Services Install.pdf

For more IT-related documentation, refer to the PROFITstar, PROFITability & CUPRO Release Information and Documentation pages, in ProfitStars’ For Clients portal.