Unify Testing Center Firewall Rules 2026 (CLEP & PRAXIS)
Firewall rules for setting up CLEP & Praxis servers
README
The [[Unify General|Unify]] Server requires firewall allow rules on the host machine. According to the Unify Technical Configuration Requirements and Guidelines, you should only need to allow certain ports.
I ran Wireshark and discovered it was trying to hit ports not listed in the documentation.
From what I can tell from my testing, the rules only need to be applied to machines that are running the Server, except for the Admin stations, which may require [[#5.2 Applications with Full Paths (specific locations required)|wba.exe]] to be allowed.
Below is the full documentation of my [[#Full Script|script]], which adds all of the potential firewall rules to allow the Unify ETS system to work.
ETS Testing Center – Firewall & Security Summary
Step 1: Network Ports (Windows Firewall)
| Port | Proto | Direction | Purpose |
|---|---|---|---|
| 443 | TCP | In/Out | HTTPS (secure web) |
| 80 | TCP | In/Out | HTTP (web/download) |
| 29290 | TCP | In/Out | ETS client–server |
| 29291 | TCP | In/Out | ETS client–server |
| 29293 | TCP | In/Out | ETS client–server |
Rules are Allow on All Profiles. Script uses PowerShell with netsh fallback.
Step 2-3: Internet Security Zones & File Downloads
| Domain | Zone | Notes |
|---|---|---|
| ets.org | Trusted Sites (2) | Main ETS |
| proctorcache.ets.org | Trusted Sites (2) | Caching |
| download.ets.org | Trusted Sites (2) | File delivery |

| Setting | Zone | Value |
|---|---|---|
| Automatic file downloads | Trusted Sites (2) | Enabled |
Step 4: Microsoft Defender Exclusions
4.1 Process/Script Exclusions
| Group | Executable(s) |
|---|---|
| Core launchers | admlauncher.exe; admLauncherHelper.exe; admLauncherMain.exe; admLauncherMainUpdater.exe |
| Java/runtime | bin.exe; java.exe; javaw.exe; jar.exe; jre.exe |
| ETS browser | etschrome.exe; cpbrowser.exe |
| Testing platform | lscpLauncher.exe; lscpLauncherMain.exe; lscpLauncherMainUpdater.exe; vtoolexe.exe; vtoolLauncher.exe; vtoolLauncherMain.exe; vtoolLauncherMainUpdater.exe |
| Workstation | wkslauncher.exe; wksLauncherHelper.exe; wksLauncherMain.exe; wksLauncherMainUpdater.exe; wkswinproc.exe |
| Installers | UnifyAdminInstaller.exe; UnifyCPInstaller_PROD.exe; UnifyVToolInstaller_PROD.exe; UnifyWksInstaller.exe |
| Scripts | catalina.bat; setclasspath.bat; startup.bat |
4.2 Path Exclusions
| Path |
|---|
| C:\Program Files\ETS |
| C:\Program Files (x86)\ETS |
Step 5: Application Firewall Rules
5.1 Standard Applications (by filename - Windows locates automatically)
| Application | Protocols | Direction | Notes |
|---|---|---|---|
| admlauncher.exe | TCP | In/Out | Admin launcher |
| admLauncherMain.exe | TCP | In/Out | Admin main |
| java.exe | TCP | In/Out | Runtime |
| javaw.exe | TCP | In/Out | Windowed runtime |
| etschrome.exe | TCP | In/Out | ETS browser |
| wkslauncher.exe | TCP | In/Out | Workstation launcher |
| wksLauncherMain.exe | TCP | In/Out | Workstation main |
| UnifyCPInstaller_PROD.exe | TCP | In/Out | Installer |
5.2 Applications with Full Paths (specific locations required)
| Application | Full Path | Protocols | Direction | Notes |
|---|---|---|---|---|
| cpbrowser.exe | C:\programdata\ets\ibt2\unifycp\bin\cpbrowser.exe | TCP & UDP | In/Out | Test delivery |
| wba.exe | C:\programdata\ets\ibt2\adm\bin\wba.exe | TCP & UDP | In/Out | Web Browser Admin |
From what I gathered, you may only need to add the wba.exe exception to the Admin Station computers.
The Server computer may not actually need to use this?
Step 6: Additional Security Configurations
6.1 Additional Trusted Domains
| Domain | Purpose |
|---|---|
| proctorcache.ets.org | ETS caching server |
| download.ets.org | ETS file delivery |
Step 7: Windows 11 Java/OpenJDK Fix (CLEP)
7.1 Re-enable Existing Rules (if present)
| Pattern (DisplayName) | Action |
|---|---|
| Java(TM) Update* | Enable if disabled |
| Java Auto Updater* | Enable if disabled |
| Java(TM) Platform SE* | Enable if disabled |
| Java Web Start* | Enable if disabled |
7.2 Create/Ensure OpenJDK Inbound
| Rule Name | Program | Proto | Direction | Action |
|---|---|---|---|---|
| OpenJDK Platform binary | java.exe | TCP | Inbound | Allow/Enable |
| OpenJDK Platform binary (javaw) | javaw.exe | TCP | Inbound | Allow/Enable |
7.3 Comprehensive Java Inbound
| Program | Proto | Direction | Purpose |
|---|---|---|---|
| java.exe | TCP & UDP | Inbound | Complete runtime |
| javaw.exe | TCP & UDP | Inbound | Windowed runtime |
| javaws.exe | TCP & UDP | Inbound | Web Start |
| jp2launcher.exe | TCP & UDP | Inbound | Java plugin launcher |
Windows 11 often ships with OpenJDK inbound rules disabled, breaking CLEP admin/workstation connectivity.
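A read-only check of the rules listed in Steps 1, 5.2 and 7.1, added here as an example and not part of the author's script: it reports which expected port and program rules are present and enabled, and which Java/OpenJDK rules are still disabled. Variable names are illustrative; it assumes an elevated PowerShell session and matches exact port entries only.

```powershell
# Added example (not the page's script): read-only audit of the firewall state.
# Ports, paths and DisplayName patterns are copied from the tables on this page.
$ports    = '443', '80', '29290', '29291', '29293'
$programs = 'C:\programdata\ets\ibt2\unifycp\bin\cpbrowser.exe',
            'C:\programdata\ets\ibt2\adm\bin\wba.exe'
$javaPatterns = 'Java(TM) Update*', 'Java Auto Updater*', 'Java(TM) Platform SE*',
                'Java Web Start*', 'OpenJDK Platform binary*'

# Step 1: collect the ports named by every enabled TCP Allow rule.
# Ranges (e.g. 29290-29293) and protocol "Any" rules are not expanded here.
$tcpRules = foreach ($rule in Get-NetFirewallRule -Enabled True -Action Allow) {
    $filter = $rule | Get-NetFirewallPortFilter
    if ($filter.Protocol -eq 'TCP') {
        [pscustomobject]@{
            Direction = [string]$rule.Direction
            Ports     = @($filter.LocalPort) + @($filter.RemotePort)
        }
    }
}
$portReport = foreach ($port in $ports) {
    foreach ($direction in 'Inbound', 'Outbound') {
        $hit = $tcpRules | Where-Object {
            $_.Direction -eq $direction -and $_.Ports -contains $port
        }
        [pscustomobject]@{ Check = "TCP $port $direction"; Present = [bool]$hit }
    }
}

# Step 5.2: is there an enabled Allow rule scoped to each full program path?
$programReport = foreach ($path in $programs) {
    $rules = Get-NetFirewallApplicationFilter -Program $path -ErrorAction SilentlyContinue |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }
    [pscustomobject]@{ Check = "Program $path"; Present = [bool]$rules }
}

# Step 7.1: Java/OpenJDK rules that exist but are disabled.
$disabledJava = Get-NetFirewallRule | Where-Object {
    $name = $_.DisplayName
    $_.Enabled -eq 'False' -and ($javaPatterns | Where-Object { $name -like $_ })
}

@($portReport) + @($programReport) | Format-Table -AutoSize
$disabledJava | Select-Object DisplayName, Direction, Enabled | Format-Table -AutoSize
```

Running it before and after the script shows exactly which rules were added, which is useful when deciding whether a given machine (Server or Admin station) needs the full set.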