Regarding firewall blocking, you may go through the following Microsoft references:
Branchcache and Firewall
We are successfully using Branchcache to distribute packages using CM.
There are a few event messages that have been bothering me for a while and I wanted to see what you all think about them.
The problem we have is around firewall.
We use GPO to manage the Windows defender advanced firewall on clients. We do not allow any local rules to apply to clients and instead provide firewall rules from GPO.
I have noticed that when I run Get-BCNetworkConfiguration, ContentRetrievalFirewallRulesEnabled = False.
In addition, when I look in the BranchCache/Operational event log, there are many EventID 7 and EventID 8 errors logged.
EventID 7 is "A firewall is blocking inbound traffic on UDP port nnnn"
EventID 8 is "A firewall is blocking inbound traffic on TCP port nnnn"
I am certain that I have these ports accounted for in the firewall rules, and please also note that BranchCache is working fine for peer-to-peer package sharing. I have a very high percentage of distribution coming over BC according to logging and in the CM dashboards. So the rules I have are allowing BranchCache to work; it is just BC logging errors in its application log, and the BC config checker is reporting false.
So is the process that is logging these errors or showing the status actually looking for rules that are named "BranchCache Content Retrieval (HTTP-In)" and "BranchCache Peer Discovery (WSD-In)", or is it actually probing the ports to see if the traffic is allowed or denied?
I'd like to stop BC from logging errors to the event log if I can.
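A way to line up the three things the post compares (what Get-BCNetworkConfiguration reports, which firewall rules are actually in effect once GPO is applied, and which ports the EventID 7/8 messages say are blocked). This is an added PowerShell example, not from the original post or from Microsoft; it assumes the BranchCache and NetSecurity modules are present and that the event text contains the words "port <n>" as quoted above, which is parsed with a regex. The rule-name and port-coverage checks are simply reported side by side so the reader can see whether the "False" result tracks the named rules or the effective port coverage; the script does not claim to know which BranchCache itself checks.

```powershell
# Added example (not from the original post). Run elevated on a client that
# logs EventID 7/8. Assumptions: BranchCache + NetSecurity modules available,
# event text contains "port <n>" (regex below), GPO-delivered rules appear in
# the ActiveStore policy store.
Import-Module BranchCache
Import-Module NetSecurity

# 1. What BranchCache reports about its own rules and the ports it uses.
$bc = Get-BCNetworkConfiguration
[pscustomobject]@{
    ContentRetrievalFirewallRulesEnabled = $bc.ContentRetrievalFirewallRulesEnabled
    PeerDiscoveryFirewallRulesEnabled    = $bc.PeerDiscoveryFirewallRulesEnabled
    ContentDownloadPort                  = $bc.ContentDownloadPort
} | Format-List

# 2. Rules whose display name starts with "BranchCache", in both stores.
#    PersistentStore = local policy (which the GPO may be told to ignore);
#    ActiveStore     = effective policy, including GPO-delivered rules.
foreach ($store in 'PersistentStore', 'ActiveStore') {
    "`n== BranchCache-named rules in $store =="
    Get-NetFirewallRule -PolicyStore $store -DisplayName 'BranchCache*' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                DisplayName = $_.DisplayName
                Enabled     = $_.Enabled
                Direction   = $_.Direction
                Action      = $_.Action
                Source      = $_.PolicyStoreSourceType
                Protocol    = $pf.Protocol
                LocalPort   = ($pf.LocalPort -join ',')
            }
        } | Format-Table -AutoSize
}

# 3. Ports that EventID 7 (UDP) / 8 (TCP) messages say are blocked.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-BranchCache/Operational'; Id = 7, 8
} -MaxEvents 100 -ErrorAction SilentlyContinue

$blocked = $events | ForEach-Object {
    # Assumption: message text contains "port <number>" as quoted in the post.
    if ($_.Message -match 'port\s+(\d+)') {
        [pscustomobject]@{
            Protocol = if ($_.Id -eq 7) { 'UDP' } else { 'TCP' }
            Port     = [int]$Matches[1]
            LastSeen = $_.TimeCreated
        }
    }
} | Sort-Object Protocol, Port -Unique

# 4. For each blocked port, find ANY enabled inbound Allow rule in the
#    effective policy that covers it, whatever its display name. A port that
#    is covered here but still logged as blocked points at the check being
#    name-based rather than port-based; an uncovered port points at a real gap.
#    (Port ranges such as "1000-2000" are not expanded; "Any" is honoured.)
"`n== Blocked ports from EventID 7/8 vs. effective inbound Allow rules =="
foreach ($b in $blocked) {
    $covering = Get-NetFirewallPortFilter -PolicyStore ActiveStore |
        Where-Object {
            $_.Protocol -eq $b.Protocol -and
            ($_.LocalPort -eq 'Any' -or $_.LocalPort -contains "$($b.Port)")
        } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }

    [pscustomobject]@{
        Protocol      = $b.Protocol
        Port          = $b.Port
        LastLogged    = $b.LastSeen
        CoveringRules = if ($covering) { ($covering.DisplayName -join '; ') } else { 'NONE' }
    }
} | Format-Table -AutoSize -Wrap
```

Reading the output: if the ports in section 4 all show covering rules from the GPO (Source = GroupPolicy in section 2) yet section 2 shows no rule with the stock "BranchCache Content Retrieval (HTTP-In)" / "BranchCache Peer Discovery (WSD-In)" display names in ActiveStore, that is consistent with the post's observation of traffic flowing while the status and events still report blocking. Copying the display names and display groups of the built-in rules into the GPO-delivered rules is then the obvious thing to try and re-test with Get-BCNetworkConfiguration.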