This article provides information about the Windows Firewall: how to access, configure and adjust it.
A firewall is a program installed on your machine or a piece of hardware in your network that uses a rule-set to block or allow access to a computer, server or network. It separates dedicated network segments, typically your LAN from the Internet. Firewalls can permit traffic to be routed through a specific port to a program or destination while blocking all other traffic.
The Windows Firewall interface can be accessed in multiple ways. The way we will look at during this TB is via the Windows search function.
Click the Windows icon and type in “firewall“. Then, click on the “Windows Firewall with Advanced Security” icon.
The GUI provides a general overview of the basic function of the software, displaying the current status of the firewall and which profiles are currently set up. By default the firewall should be enabled.
We strongly recommend that the Windows Firewall is enabled on all your Bosch devices featuring a Windows Operating System.
There are 3 different profiles within your Windows Firewall, which are simply groups of different firewall rule-sets, applied depending on where your machine is currently connected.
Public Profile: This profile is used when the computer is connected directly to a public network like a restaurant, library or airport. This profile should be the most restrictive because security is usually not well controlled in public places.
Private Profile: This profile is used if you are only connected to a private network, not directly to the Internet. In these cases, your device is located behind a router or hardware firewall, which allows this profile to be set less restrictively.
Domain Profile: This profile is used when the machine is connected to a domain controller, which in turn is controlling a Windows domain. This profile should be the least restrictive of the three profiles because security is usually very well controlled within a domain.
By default, the Windows Firewall behavior is the following:
Windows Firewall never blocks outgoing traffic. Any requests sent out from the server will not be hindered in any way.
Windows Firewall blocks all incoming traffic, except for traffic that is in response to a request. This means that if you make a request to Google, Google’s inbound reply to your outbound request will not be blocked.
Windows Firewall blocks all other traffic. This means that any traffic that is not explicitly allowed is blocked in the firewall.
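The profile state and default actions described above can be checked from PowerShell instead of the GUI. The following is an added example, not part of the original article: it reads the three profiles with the NetSecurity cmdlets that ship with Windows 8 / Server 2012 and later and reports any profile that deviates from the recommended baseline (enabled, inbound blocked by default, outbound allowed by default).

```powershell
# Added example, not part of the original article: read the state of the three
# Windows Firewall profiles and compare it with the baseline described above
# (firewall enabled, inbound blocked by default, outbound allowed by default).
# Uses the NetSecurity module that ships with Windows 8 / Server 2012 and later.

function Test-FirewallBaseline {
    foreach ($p in Get-NetFirewallProfile -Profile Domain, Private, Public) {
        $issues = @()
        if ($p.Enabled -ne 'True') { $issues += 'firewall disabled' }
        # 'NotConfigured' means the built-in default applies: block inbound, allow outbound.
        if ($p.DefaultInboundAction -eq 'Allow')  { $issues += 'default inbound action is Allow' }
        if ($p.DefaultOutboundAction -eq 'Block') { $issues += 'default outbound action is Block' }
        [pscustomobject]@{
            Profile         = $p.Name
            Enabled         = $p.Enabled
            InboundDefault  = $p.DefaultInboundAction
            OutboundDefault = $p.DefaultOutboundAction
            Status          = if ($issues.Count) { $issues -join '; ' } else { 'OK' }
        }
    }
}

Test-FirewallBaseline | Format-Table -AutoSize

# To restore the baseline on every profile (elevated PowerShell required):
# Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
#     -DefaultInboundAction Block -DefaultOutboundAction Allow
```

A profile reported as "firewall disabled" is the case the recommendation above is about; the commented Set-NetFirewallProfile line at the end re-enables it without touching any existing rules.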
In the Windows Firewall we can filter connections in two different ways: port exceptions (a rule assigned to a dedicated port number) and program exceptions (a rule assigned to a dedicated program).
In general we need to distinguish between the inbound (from somewhere to your machine) and outbound (from your machine to somewhere) rule-sets.
Open a port in the firewall (inbound rule)
In the Windows Firewall with Advanced Security window, right-click "Inbound Rules", and then click "New Rule..." in the action pane.
In the "Rule Type" dialog box, select "Port" and then click "Next".
In the "Protocol and Ports" dialog box, select "TCP". Then select "Specific local ports", type the port number and then click "Next".
In the "Action" dialog box, select "Allow the connection" and then click "Next".
In the "Profile" dialog box, select any profiles that apply and then click "Next". (We have allowed all three for demonstration purposes, your selection may vary.)
In the "Name" dialog box, type a name and description for this rule, and then click "Finish".
At this point, you will see a new rule in the main firewall rule list in the center section, as well as a new listing in the right window pane.
Open a program in the firewall (inbound rule)
Click on the "Inbound Rules" option on the top left of the firewall interface. Then, click on "New Rule…" in the action pane.
In the "Rule Type" dialog box, select the option "Program" and then click "Next".
Select the option "This Program path", browse to the path/location of the program and click "Next".
Next, we select the option “Allow the connection” and then click “Next”.
Select the "Profile" the rule will be applied to and click "Next". (We have allowed all three for demonstration purposes, your selection may vary.)
Enter a "Name" and "Description" for this rule and then click "Finish".
At this point, you will be dropped back to the main firewall screen. You will now see a new rule in the main firewall rule list in the center section, as well as a new listing in the right window pane.
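Both wizard walkthroughs above (the port exception and the program exception) can be reproduced with the NetSecurity cmdlets, which is useful when the same rule has to exist on many devices. The following is an added example, not part of the original article; the rule names, the port number 8080 and the program path are placeholders chosen for the example.

```powershell
# Added example, not part of the original article: create the same two inbound
# rules the wizard steps above create, then list them with their filters.
# Run from an elevated PowerShell. Rule names, port and program path are placeholders.

$portRuleName    = 'Example - Allow TCP 8080 inbound'
$portNumber      = 8080
$programRuleName = 'Example - Allow MyService inbound'
$programPath     = 'C:\Program Files\Example\myservice.exe'   # placeholder path

# Port exception: allow inbound TCP on one local port. All three profiles are
# selected as in the walkthrough; restrict -Profile to what you actually need.
New-NetFirewallRule -DisplayName $portRuleName `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $portNumber `
    -Profile Domain, Private, Public `
    -Description 'Added by example script' | Out-Null

# Program exception: allow inbound traffic to one executable regardless of port.
# A rule pointing at a missing executable never matches, so check the path first.
if (Test-Path -LiteralPath $programPath) {
    New-NetFirewallRule -DisplayName $programRuleName `
        -Direction Inbound -Action Allow -Program $programPath `
        -Profile Domain, Private, Public `
        -Description 'Added by example script' | Out-Null
} else {
    Write-Warning "Program not found: $programPath - rule not created"
}

# Verify: show the rules just created together with their port and program filters.
function Get-ExampleRuleSummary {
    Get-NetFirewallRule -DisplayName $portRuleName, $programRuleName -ErrorAction SilentlyContinue |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $app  = $_ | Get-NetFirewallApplicationFilter
            [pscustomobject]@{
                Name      = $_.DisplayName
                Enabled   = $_.Enabled
                Direction = $_.Direction
                Action    = $_.Action
                Profile   = $_.Profile
                Protocol  = $port.Protocol
                LocalPort = $port.LocalPort
                Program   = $app.Program
            }
        }
}

Get-ExampleRuleSummary | Format-Table -AutoSize
```

The summary function is the scripted equivalent of looking at the new entry in the center section: it shows the direction, action, profiles and the port or program filter attached to each rule, which is what you would verify in the rule's Properties dialog.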
Edit a port / program in the firewall
Right-click on the rule, which will open a context menu. Then click "Properties" and adjust the rule according to your needs.
Close a port / program in the firewall
Right-click on the rule, which will open a context menu. Then click "Delete".
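The two context-menu actions above, editing a rule's properties and deleting it, have direct cmdlet equivalents. The following is an added example, not part of the original article: it tightens an existing rule to a single profile and a single remote subnet (the kind of change you would make on the Scope and Advanced tabs of the Properties dialog), then disables and finally removes it. The rule name and the subnet 10.0.0.0/24 are placeholders.

```powershell
# Added example, not part of the original article: edit an existing rule and
# remove it, addressed by display name as in the GUI. Run from an elevated
# PowerShell. The rule name and subnet below are placeholders.

$ruleName = 'Example - Allow TCP 8080 inbound'

# Edit: restrict the rule to the Domain profile and to connections from one
# management subnet. Everything not listed in -RemoteAddress is no longer allowed
# by this rule.
Set-NetFirewallRule -DisplayName $ruleName `
    -Profile Domain `
    -RemoteAddress '10.0.0.0/24'

# Show the result of the edit, including the address filter the GUI shows on the Scope tab.
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Profile,
        @{ Name = 'RemoteAddress'; Expression = { ($_ | Get-NetFirewallAddressFilter).RemoteAddress } }

# Disabling keeps the rule for later instead of deleting it.
Disable-NetFirewallRule -DisplayName $ruleName

# Delete: the same effect as "Delete" in the context menu.
Remove-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue

# Confirm that the rule is gone.
if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
    Write-Warning "Rule '$ruleName' is still present"
} else {
    Write-Output "Rule '$ruleName' removed"
}
```

Prefer disabling over deleting when a rule may be needed again; a disabled rule stays visible in the rule list and keeps its filters, while a deleted rule has to be recreated from scratch.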
Adjust program rule after BVMS upgrade
In case you upgraded your current BVMS to BVMS 10 (referring to the article TSG-Upgrading-VRM-from-32bit-to-64bit), you need to adjust the inbound and outbound rules "Bosch VRM Server" and "USB Transcoder".
To do so, right-click on the rule, which will open a context menu. Then click "Properties" and adjust the program path to:
Bosch VRM Server: "C:\Program Files\Bosch\Video Recording Manager\VRM Server\bin\rms.exe"
USB Transcoder: "C:\Program Files (x86)\Bosch\Video Recording Manager\VRM Server\bin\usbsvc.exe"
Keep in mind that you need to perform this action on all four rules (the inbound and outbound rule for each program).
Alternatively, download the attachment set_fw_rules.zip (1 KB) to your device, extract the archive and run the PowerShell script "set_fw_rule_trancoder.ps1" as administrator. The script will adjust all necessary rules.
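The following is an added example and is not the attached set_fw_rule_trancoder.ps1 script: it updates the program path of the four rules named above in one pass. The two executable paths are the ones given in this article; the checks that the rules and executables exist before anything is changed are an assumption of this example.

```powershell
# Added example, not part of the original article and not the attached script:
# point the "Bosch VRM Server" and "USB Transcoder" rules (inbound and outbound)
# at the 64bit VRM executables named above. Run as administrator.

$targets = @{
    'Bosch VRM Server' = 'C:\Program Files\Bosch\Video Recording Manager\VRM Server\bin\rms.exe'
    'USB Transcoder'   = 'C:\Program Files (x86)\Bosch\Video Recording Manager\VRM Server\bin\usbsvc.exe'
}

function Update-VrmRulePaths {
    param([hashtable]$Map)
    foreach ($name in $Map.Keys) {
        $path  = $Map[$name]
        $rules = @(Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)

        if ($rules.Count -eq 0) {
            Write-Warning "No firewall rule named '$name' found - nothing changed"
            continue
        }
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Warning "Executable for '$name' not found at '$path' - rule left unchanged"
            continue
        }
        # One call updates every rule carrying this display name, i.e. both the
        # inbound and the outbound rule, so all four rules are covered by the loop.
        Set-NetFirewallRule -DisplayName $name -Program $path

        # Re-read the rules and report the program path now attached to each.
        foreach ($r in Get-NetFirewallRule -DisplayName $name) {
            $app = $r | Get-NetFirewallApplicationFilter
            [pscustomobject]@{
                Rule      = $r.DisplayName
                Direction = $r.Direction
                Program   = $app.Program
            }
        }
    }
}

Update-VrmRulePaths -Map $targets | Format-Table -AutoSize
```

The output lists each of the four rules with its direction and the program path after the change, which is the same information you would check one by one in the Properties dialog. A warning for a missing executable means the 64bit VRM or the Transcoder is not installed at the expected location, in which case the firewall rule is not the problem.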
Bosch has been providing 2 types of VRM packages: a 32bit and a 64bit version. Since VRM 3.82 we only offer the 64bit version.
All of our released DIVAR IP units started off with the 32bit VRM, which includes a Transcoder service.
If you do not use the Start.exe included in the VRM Master Installer, you will not be offered the opportunity to also upgrade the Transcoder. Just running the Setup_VRM_Service_<version>.exe found in the <Install\Bosch> folder will cause the Transcoder service to stop functioning!
This also applies if the upgrade is done via the BVMS installer.
Since BVMS 10.0, VRM 3.82 "64bit" has been implemented.
Because BVMS does not manage the Transcoder, it was not installed.
Also see Firewall settings: HowTo Configure Windows Firewall Rules, which includes a PS script to adjust the VRM 64bit and Transcoder rules.
Download the appropriate VRM version from our Downloadstore
Run the Start.exe
Deselect all components and choose only the Transcoder Service
Click on "Install"
To confirm that the Transcoder is fully functional, open your browser and navigate to the VRM Monitor:
Log in with your credentials.
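Before opening the VRM Monitor, it is worth confirming from the operating system that the two services are installed and running at all. The following is an added example, not part of the original article: it looks up the Windows services whose executable matches the VRM and Transcoder paths given earlier. It assumes that the Transcoder service runs usbsvc.exe and the VRM server runs rms.exe; the service names themselves are not taken from this article, so the lookup goes by executable rather than by name.

```powershell
# Added example, not part of the original article: find the Windows services
# that run the VRM server and the Transcoder and report their state.
# Assumption: the VRM server runs rms.exe and the Transcoder runs usbsvc.exe
# (the executables named earlier in this article).

$expected = @{
    'VRM Server' = 'rms.exe'
    'Transcoder' = 'usbsvc.exe'
}

function Get-BoschServiceStatus {
    param([hashtable]$Map)
    $services = Get-CimInstance -ClassName Win32_Service
    foreach ($label in $Map.Keys) {
        $exe   = $Map[$label]
        $match = @($services | Where-Object { $_.PathName -and $_.PathName -like "*\$exe*" })
        if ($match.Count -eq 0) {
            [pscustomobject]@{ Component = $label; Service = '(not installed)'; State = '-'; StartMode = '-'; Path = '-' }
            continue
        }
        foreach ($s in $match) {
            [pscustomobject]@{
                Component = $label
                Service   = $s.Name
                State     = $s.State
                StartMode = $s.StartMode
                Path      = $s.PathName
            }
        }
    }
}

$status = Get-BoschServiceStatus -Map $expected
$status | Format-Table -AutoSize

# Flag anything that is installed but not running.
$status | Where-Object { $_.Service -ne '(not installed)' -and $_.State -ne 'Running' } |
    ForEach-Object { Write-Warning "$($_.Component) service '$($_.Service)' is $($_.State)" }
```

The Path column also tells you which package is in place: the 32bit Transcoder lives under "Program Files (x86)", while the 64bit VRM server lives under "Program Files", matching the two rule paths given in the firewall section above. A Transcoder that shows as "(not installed)" after a BVMS-driven upgrade is the situation the reinstall steps above are for.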
When using Configuration Manager, each device has a status icon.
The method below shows you how to generate an updated certificate for Bosch IP Cameras and VRM Servers.
Here we are talking about certificates: the icon is colored yellow with an exclamation mark.
Hovering the mouse over the icon shows a tooltip in which the device states exactly what is wrong with the certificate connection.
VRM on a DIVAR IP 5000:
Right click on the device to Show Certificates, if you wish to view them.
We can see that there are multiple things wrong.
The certificate is not trusted.
Certificate name mismatch.
The first is an inconsistent date:
All IP devices and PCs must be synchronized on the Date/Time page (group General).
The second is an invalid certificate.
First, take a quick look at the certificate requirement level: navigate to Preferences -> Configuration Manager -> Access -> Security:
The certificate must just be valid: a self-signed certificate matching the host name/IP address will be sufficient.
We need to generate a new certificate on the Certificate page.
Clicking the "Generate certificate" button:
should open a certificate creation dialog. The most important options are a matching common name and a matching validity time.
After the certificate is created, the correct usage must be set as shown below:
IP Camera Certificate
To apply the changes, VRM must be restarted.
If the certificate requirement level is higher, a validatable certificate chain must be used (this would be set up by a System Integrator or IT Administrator):
Trusted: the signing CA (e.g. VeriSign) must be trusted on the target PC.
Issued by this CA: there is a Micro CA set up on this PC.
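The three conditions discussed in this section (the certificate is trusted, its name matches the host name or IP address the device is reached by, and its validity period covers the current date) can be checked from the PC that runs Configuration Manager. The following is an added example, not part of the original article: it opens a TLS connection to a device, captures the certificate it presents and reports those three checks along with the validity dates, so a clock mismatch between the device and the PC shows up as a NotBefore/NotAfter window that does not contain the current time. The address 192.0.2.10 and port 443 are placeholders.

```powershell
# Added example, not part of the original article: fetch the certificate a device
# presents on its HTTPS port and report trust, name match and validity dates,
# the same three problems the Configuration Manager tooltip reports.
# Host and port are placeholders.

function Test-DeviceCertificate {
    param(
        [Parameter(Mandatory)][string]$TargetHost,   # host name or IP used to reach the device
        [int]$Port = 443
    )
    $state  = @{ Cert = $null; Errors = $null }
    $client = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
    try {
        # Accept whatever the device presents so it can be inspected, but record
        # the policy errors .NET found (untrusted chain, name mismatch, ...).
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors)
            $state.Cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
            $state.Errors = $errors
            return $true
        }.GetNewClosure()
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($TargetHost, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $ssl.Dispose()
    } finally {
        $client.Close()
    }

    $cert  = $state.Cert
    $now   = Get-Date
    # Names the certificate is valid for: the common name plus any DNS entries in the SAN.
    $names = @($cert.GetNameInfo('DnsName', $false)) + @($cert.DnsNameList.Unicode) | Where-Object { $_ }

    [pscustomobject]@{
        Host         = $TargetHost
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        SelfSigned   = ($cert.Subject -eq $cert.Issuer)
        NotBefore    = $cert.NotBefore
        NotAfter     = $cert.NotAfter
        DateValid    = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
        NameMatches  = -not $state.Errors.HasFlag([System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch)
        ChainTrusted = -not $state.Errors.HasFlag([System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors)
        CertNames    = ($names | Select-Object -Unique) -join ', '
    }
}

# Example call with a placeholder address. Compare NotBefore/NotAfter with the
# device's own Date/Time page when DateValid is False.
Test-DeviceCertificate -TargetHost '192.0.2.10' | Format-List
```

For the "valid certificate" requirement level, a result of SelfSigned True, NameMatches True and DateValid True is sufficient; ChainTrusted False is expected for a self-signed certificate at that level. NameMatches depends on the value passed as -TargetHost, so run the check with the same host name or IP address that Configuration Manager uses to reach the device. For the higher requirement levels, ChainTrusted must also be True, which is what the "Trusted" and "Issued by this CA" options above are about.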
DIVAR IP 7000R2 and DIVAR IP 6000R2
DIVAR IP 6000 2U W/O HDD
DIVAR IP 6000 2U 4X3TB
DIVAR IP 6000 2U 8X3TB
DIVAR IP 6000 2U 4X4TB
DIVAR IP 6000 2U 8X4TB
DIVAR IP 6000 3U W/O HDD
DIVAR IP 6000 3U 16X3TB
DIVAR IP 6000 3U 16X4TB
DIVAR IP 7000 2U W/O HDD (R2)
DIVAR IP 7000 2U 4X3TB (R2)
DIVAR IP 7000 2U 8X3TB (R2)
DIVAR IP 7000 2U 8X4TB (R2)
DIVAR IP 7000 3U W/O HDD (R2)
DIVAR IP 7000 3U 16X3TB (R2)
4000GB HDD DIVAR IP 6000/7000
For recovery of a DIVAR IP 6000 R2 or DIVAR IP 7000 R2, use only the DVD provided with the particular device. Do not use a DVD for recovery if you are not sure that it is the one delivered with the system. In case the DVD is lost or damaged, request the respective ISO image from Bosch Technical Support.
Request the ISO image from Bosch Technical Support:
Provide the Serial Number of the device
The reason for the recovery
Why it is not possible to use the recovery DVD