Windows firewall rule doesn't work after clustered service failover
We have a home-grown service running, along with other services, on a ten-node, mostly Hyper-V cluster. The service listens on a defined TCP port. I've created a Windows Firewall inbound rule on all the nodes to allow connections to that program. I created the rule based on the service executable, not the fixed port.

Everything works fine until we migrate the service to a different node. After migration, the service comes up, netstat shows the service is listening on the right port, but clients can't make connections. The only remedy is to disable the active firewall profile, apply the change, then re-activate it.

Does the firewall only look for given executables to be running when the firewall starts? Since the service is installed as a Windows service, albeit one managed by the cluster service, should I configure the rule to allow connections to the service, not specifically the executable? Is there any way to force a firewall refresh when the cluster brings the service online? I guess I could fall back to opening the port, but I'd rather not have the port open on the hosts where the service isn't running.
June 3rd, 2011 8:12pm
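The three ways of scoping the inbound rule that the question weighs (by executable, by Windows service, by fixed port), written out side by side as an added PowerShell example that is not part of the original thread, followed by a check of how each rule is actually scoped and which profiles are active on the node that now owns the service. It assumes the NetSecurity cmdlets (Windows Server 2012 and later; on the 2011-era hosts in the question the same scopes are the `program=`, `service=` and `localport=` options of `netsh advfirewall firewall add rule`). The executable path, service short name, port and rule names are placeholders.

```powershell
# Added example, not from the thread. All names and values below are placeholders.
$Exe     = 'C:\Program Files\Contoso\ClusterSvc.exe'   # placeholder: path to the service binary
$SvcName = 'ContosoClusterSvc'                          # placeholder: service short name (as in sc query)
$Port    = 5000                                         # placeholder: the fixed TCP port the service listens on

# 1. Rule scoped to the executable: the form the question describes.
New-NetFirewallRule -DisplayName 'ClusterSvc (program)' -Direction Inbound -Action Allow `
    -Program $Exe -Protocol TCP -Enabled True

# 2. Rule scoped to the Windows service instead of the binary.
New-NetFirewallRule -DisplayName 'ClusterSvc (service)' -Direction Inbound -Action Allow `
    -Service $SvcName -Protocol TCP -Enabled True

# 3. Rule scoped to the fixed port only: the fallback the question would rather avoid,
#    because it leaves the port open on nodes where the service is not running.
New-NetFirewallRule -DisplayName 'ClusterSvc (port)' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort $Port -Enabled True

# Verify how each rule is really scoped once it exists, before testing client connections
# on the node that currently owns the clustered service. In practice keep only the one
# you settle on; all three are created here so the scopes can be compared.
foreach ($name in 'ClusterSvc (program)', 'ClusterSvc (service)', 'ClusterSvc (port)') {
    $rule = Get-NetFirewallRule -DisplayName $name
    [pscustomobject]@{
        Rule    = $name
        Enabled = $rule.Enabled
        Profile = $rule.Profile
        Program = ($rule | Get-NetFirewallApplicationFilter).Program
        Service = ($rule | Get-NetFirewallServiceFilter).Service
        Port    = ($rule | Get-NetFirewallPortFilter).LocalPort
    }
}

# Which profiles are active and what they do with inbound traffic by default.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
```

Run the verification block on the node the cluster has just moved the service to, alongside the netstat check the question already uses, so that a failed client connection can be attributed to the rule's scope rather than to the service not listening.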

