
ClickOnce applications and Windows Firewall

It appears to me that ClickOnce applications will not work smoothly with Windows Firewall.

I have been successfully using ClickOnce deployments for two years. This has hit a stumbling block now that the enterprise has upgraded to Windows 7. Each user's configuration has changed:

  • Windows Firewall is enabled on each user's machine
  • Users do not have administrator privileges on their machines.

Here's how ClickOnce works: Every time a ClickOnce application is updated, the executable file is copied to a new directory. This directory has a machine-generated name. (For example, it might deploy to "C:\Users\andrew.shepherd\AppData\Local\Apps\2.0\GTTG5EJB.AVG\jc69hir.e45\watershedclient.exe").

Windows Firewall, by default, blocks applications from accepting incoming calls. However, when the application first attempts this, Windows Firewall pops up a dialog that allows an administrator to make an exception for the application, giving it the privileges it needs.

The problem is, Windows Firewall stores the application record as the full file path. Each time a ClickOnce application is updated, it installs to a different directory. Therefore, Windows Firewall sees it as a whole new application. An administrator now has to configure the firewall for this update for every machine that it's updated on. This effectively defeats the whole reason why we use ClickOnce technology.

This was flagged as an issue in 2005, and Microsoft acknowledged the problem and admitted there was no solution.

Has this problem been addressed?

Andrew Shepherd asked Sep 29 '10 00:09


1 Answer

The problem is, Windows Firewall stores the application record as the full file path. Each time a ClickOnce application is updated, it installs to a different directory. Therefore, Windows Firewall sees it as a whole new application.

One approach here is to edit the rule name so that it specifies the name of the EXE only and not the full path. E.g. my locally deployed 'Hello World' application was installed at this path by ClickOnce:

C:\Users\jdoe\AppData\Local\Apps\2.0\BNYJV8NM.JT8\DGEMYJV2.ZN7\hell..tion_32be098505965508_0001.0000_ad51d60d7593998b\HelloWorld.exe

And a firewall rule that applies to only "HelloWorld.exe" can be used. However, that creates a security hole in that the rule applies to any application with that name. We can refine the rule a little further by specifying some of the path:

%LOCALAPPDATA%\Apps\2.0\BNYJV8NM.JT8\DGEMYJV2.ZN7\*\HelloWorld.exe

Note that I also used an environment variable, which apparently is expanded for the purposes of testing the firewall rule.

redcalx answered Oct 13 '22 20:10
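
A small model of the trade-off in the answer above, added here as an example and not part of the original post: it compares a name-only rule, a full-path rule and the partially wildcarded rule against install paths. The matching semantics (`*` stands for one directory component, case-insensitive comparison, `%VAR%` expansion) are an assumption for illustration, not Windows Firewall's documented matcher, and the second-version and Downloads paths are constructed.

```python
import fnmatch
import ntpath

# Constructed environment; the real value comes from the user's profile.
ENV = {"LOCALAPPDATA": r"C:\Users\jdoe\AppData\Local"}

BASE = r"C:\Users\jdoe\AppData\Local\Apps\2.0\BNYJV8NM.JT8\DGEMYJV2.ZN7"
# Install path quoted in the answer.
V1 = BASE + r"\hell..tion_32be098505965508_0001.0000_ad51d60d7593998b\HelloWorld.exe"
# Constructed path standing in for the directory an update would create.
V2 = BASE + r"\hell..tion_32be098505965508_0001.0001_0000000000000000\HelloWorld.exe"
# Constructed path for an unrelated binary that merely shares the file name.
IMPOSTOR = r"C:\Users\jdoe\Downloads\HelloWorld.exe"

NAME_ONLY = "HelloWorld.exe"
SCOPED = r"%LOCALAPPDATA%\Apps\2.0\BNYJV8NM.JT8\DGEMYJV2.ZN7\*\HelloWorld.exe"

def expand(pattern, env=ENV):
    """Expand %NAME% variables, as the answer's rule relies on."""
    for name, value in env.items():
        pattern = pattern.replace("%" + name + "%", value)
    return pattern

def rule_matches(pattern, exe_path, env=ENV):
    """Assumed semantics: a bare file name matches that name in any directory;
    otherwise every path component must match and '*' covers exactly one
    component, so it never crosses a backslash."""
    pattern = expand(pattern, env).lower()
    exe_path = exe_path.lower()
    if "\\" not in pattern:
        return ntpath.basename(exe_path) == pattern
    want, have = pattern.split("\\"), exe_path.split("\\")
    return len(want) == len(have) and all(
        fnmatch.fnmatchcase(h, w) for w, h in zip(want, have))

def classify(pattern):
    """Rough breadth of a rule, for reviewing an exported rule list."""
    if "\\" not in pattern:
        return "name-only"
    return "wildcard" if "*" in pattern else "exact"

def audit(rules, paths):
    """Return {rule: (breadth, [paths the rule would allow])}."""
    return {r: (classify(r), [p for p in paths if rule_matches(r, p)])
            for r in rules}

if __name__ == "__main__":
    for rule, (breadth, allowed) in audit([NAME_ONLY, V1, SCOPED],
                                          [V1, V2, IMPOSTOR]).items():
        print(breadth, len(allowed), rule)
```

Under these assumptions the name-only rule also allows the unrelated binary, the exact rule stops matching after an update, and the scoped rule covers both versions while rejecting the other directory.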