8 files changed, 1332 insertions, 0 deletions

diff --git a/src/ca/CustomMsiErrors.h b/src/ca/CustomMsiErrors.h
new file mode 100644
index 00000000..f149fb31
--- /dev/null
+++ b/src/ca/CustomMsiErrors.h
@@ -0,0 +1,130 @@
+#pragma once
+// Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information.
+
+
+#define GLOBAL_ERROR_BASE                 25501
+
+#define msierrSecureObjectsFailedCreateSD    25520
+#define msierrSecureObjectsFailedSet         25521
+#define msierrSecureObjectsUnknownType       25522
+
+#define msierrXmlFileFailedRead         25530
+#define msierrXmlFileFailedOpen         25531
+#define msierrXmlFileFailedSelect       25532
+#define msierrXmlFileFailedSave         25533
+
+#define msierrXmlConfigFailedRead         25540
+#define msierrXmlConfigFailedOpen         25541
+#define msierrXmlConfigFailedSelect       25542
+#define msierrXmlConfigFailedSave         25543
+
+#define msierrFirewallCannotConnect       25580
+
+//---------------------------------------------------------------------------
+// Server CustomAction Errors
+// SERVER range: 26001-26100
+#define SERVER_ERROR_BASE                      26000
+
+#define msierrIISCannotConnect                 26001
+#define msierrIISFailedReadWebSite             26002
+#define msierrIISFailedReadWebDirs             26003
+#define msierrIISFailedReadVDirs               26004
+#define msierrIISFailedReadFilters             26005
+#define msierrIISFailedReadAppPool             26006
+#define msierrIISFailedReadMimeMap             26007
+#define msierrIISFailedReadProp                26008
+#define msierrIISFailedReadWebSvcExt           26009
+#define msierrIISFailedReadWebError            26010
+#define msierrIISFailedReadHttpHeader          26011
+
+#define msierrIISFailedSchedTransaction        26031
+#define msierrIISFailedSchedInstallWebs        26032
+#define msierrIISFailedSchedInstallWebDirs     26033
+#define msierrIISFailedSchedInstallVDirs       26034
+#define msierrIISFailedSchedInstallFilters     26035
+#define msierrIISFailedSchedInstallAppPool     26036
+#define msierrIISFailedSchedInstallProp        26037
+#define msierrIISFailedSchedInstallWebSvcExt   26038
+
+#define msierrIISFailedSchedUninstallWebs      26051
+#define msierrIISFailedSchedUninstallWebDirs   26052
+#define msierrIISFailedSchedUninstallVDirs     26053
+#define msierrIISFailedSchedUninstallFilters   26054
+#define msierrIISFailedSchedUninstallAppPool   26055
+#define msierrIISFailedSchedUninstallProp      26056
+#define msierrIISFailedSchedUninstallWebSvcExt 26057
+
+#define msierrIISFailedStartTransaction        26101
+#define msierrIISFailedOpenKey                 26102
+#define msierrIISFailedCreateKey               26103
+#define msierrIISFailedWriteData               26104
+#define msierrIISFailedCreateApp               26105
+#define msierrIISFailedDeleteKey               26106
+#define msierrIISFailedDeleteApp               26107
+#define msierrIISFailedDeleteValue             26108
+#define msierrIISFailedCommitInUse             26109
+
+#define msierrSQLFailedCreateDatabase          26201
+#define msierrSQLFailedDropDatabase            26202
+#define msierrSQLFailedConnectDatabase         26203
+#define msierrSQLFailedExecString              26204
+#define msierrSQLDatabaseAlreadyExists         26205
+
+#define msierrPERFMONFailedRegisterDLL         26251
+#define msierrPERFMONFailedUnregisterDLL       26252
+#define msierrInstallPerfCounterData           26253
+#define msierrUninstallPerfCounterData         26254
+
+#define msierrSMBFailedCreate                  26301
+#define msierrSMBFailedDrop                    26302
+
+#define msierrCERTFailedOpen                   26351
+#define msierrCERTFailedAdd                    26352
+
+#define msierrUSRFailedUserCreate              26401
+#define msierrUSRFailedUserCreatePswd          26402
+#define msierrUSRFailedUserGroupAdd            26403
+#define msierrUSRFailedUserCreateExists        26404
+#define msierrUSRFailedGrantLogonAsService     26405
+
+#define msierrDependencyMissingDependencies    26451
+#define msierrDependencyHasDependents          26452
+
+//--------------------------------------------------------------------------
+// Managed code CustomAction Errors
+// MANAGED range: 27000-27100
+#define MANAGED_ERROR_BASE                     27000
+
+#define msierrDotNetRuntimeRequired            27000
+//---------------------------------------------------------------------------
+// Public CustomAction Errors
+// PUBLIC range: 28001-28100
+#define PUBLIC_ERROR_BASE                            28000
+
+#define msierrComPlusCannotConnect                   28001
+#define msierrComPlusPartitionReadFailed             28002
+#define msierrComPlusPartitionRoleReadFailed         28003
+#define msierrComPlusUserInPartitionRoleReadFailed   28004
+#define msierrComPlusPartitionUserReadFailed         28005
+#define msierrComPlusApplicationReadFailed           28006
+#define msierrComPlusApplicationRoleReadFailed       28007
+#define msierrComPlusUserInApplicationRoleReadFailed 28008
+#define msierrComPlusAssembliesReadFailed            28009
+#define msierrComPlusSubscriptionReadFailed          28010
+#define msierrComPlusPartitionDependency             28011
+#define msierrComPlusPartitionNotFound               28012
+#define msierrComPlusPartitionIdConflict             28013
+#define msierrComPlusPartitionNameConflict           28014
+#define msierrComPlusApplicationDependency           28015
+#define msierrComPlusApplicationNotFound             28016
+#define msierrComPlusApplicationIdConflict           28017
+#define msierrComPlusApplicationNameConflict         28018
+#define msierrComPlusApplicationRoleDependency       28019
+#define msierrComPlusApplicationRoleNotFound         28020
+#define msierrComPlusApplicationRoleConflict         28021
+#define msierrComPlusAssemblyDependency              28022
+#define msierrComPlusSubscriptionIdConflict          28023
+#define msierrComPlusSubscriptionNameConflict        28024
+#define msierrComPlusFailedLookupNames               28025
+
+#define msierrMsmqCannotConnect                      28101
diff --git a/src/ca/cost.h b/src/ca/cost.h
new file mode 100644
index 00000000..da68c667
--- /dev/null
+++ b/src/ca/cost.h
@@ -0,0 +1,5 @@
+#pragma once
+// Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information.
+
+
+const UINT COST_FIREWALL_EXCEPTION = 2000;
diff --git a/src/ca/dllmain.cpp b/src/ca/dllmain.cpp
new file mode 100644
index 00000000..df53f872
--- /dev/null
+++ b/src/ca/dllmain.cpp
@@ -0,0 +1,26 @@
+// Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information.
+
+#include "precomp.h"
+
+/********************************************************************
+DllMain - standard entry point for all WiX CustomActions
+
+********************************************************************/
+extern "C" BOOL WINAPI DllMain(
+    IN HINSTANCE hInst,
+    IN ULONG ulReason,
+    IN LPVOID)
+{
+    switch(ulReason)
+    {
+    case DLL_PROCESS_ATTACH:
+        WcaGlobalInitialize(hInst);
+        break;
+
+    case DLL_PROCESS_DETACH:
+        WcaGlobalFinalize();
+        break;
+    }
+
+    return TRUE;
+}
diff --git a/src/ca/firewall.cpp b/src/ca/firewall.cpp
new file mode 100644
index 00000000..62a5b454
--- /dev/null
+++ b/src/ca/firewall.cpp
@@ -0,0 +1,1067 @@
+// Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information.
+
+#include "precomp.h"
+
+LPCWSTR vcsFirewallExceptionQuery =
+    L"SELECT `Name`, `RemoteAddresses`, `Port`, `Protocol`, `Program`, `Attributes`, `Profile`, `Component_`, `Description` FROM `WixFirewallException`";
+enum eFirewallExceptionQuery { feqName = 1, feqRemoteAddresses, feqPort, feqProtocol, feqProgram, feqAttributes, feqProfile, feqComponent, feqDescription };
+enum eFirewallExceptionTarget { fetPort = 1, fetApplication, fetUnknown };
+enum eFirewallExceptionAttributes { feaIgnoreFailures = 1 };
+
+/******************************************************************
+ SchedFirewallExceptions - immediate custom action worker to 
+   register and remove firewall exceptions.
+
+********************************************************************/
+static UINT SchedFirewallExceptions(
+    __in MSIHANDLE hInstall,
+    WCA_TODO todoSched
+    )
+{
+    HRESULT hr = S_OK;
+    UINT er = ERROR_SUCCESS;
+    int cFirewallExceptions = 0;
+
+    PMSIHANDLE hView = NULL;
+    PMSIHANDLE hRec = NULL;
+
+    LPWSTR pwzCustomActionData = NULL;
+    LPWSTR pwzName = NULL;
+    LPWSTR pwzRemoteAddresses = NULL;
+    LPWSTR pwzPort = NULL;
+    int iProtocol = 0;
+    int iAttributes = 0;
+    int iProfile = 0;
+    LPWSTR pwzProgram = NULL;
+    LPWSTR pwzComponent = NULL;
+    LPWSTR pwzFormattedFile = NULL;
+    LPWSTR pwzDescription = NULL;
+
+    // initialize
+    hr = WcaInitialize(hInstall, "SchedFirewallExceptions");
+    ExitOnFailure(hr, "failed to initialize");
+
+    // anything to do?
+    if (S_OK != WcaTableExists(L"WixFirewallException"))
+    {
+        WcaLog(LOGMSG_STANDARD, "WixFirewallException table doesn't exist, so there are no firewall exceptions to configure.");
+        ExitFunction();
+    }
+
+    // query and loop through all the firewall exceptions
+    hr = WcaOpenExecuteView(vcsFirewallExceptionQuery, &hView);
+    ExitOnFailure(hr, "failed to open view on WixFirewallException table");
+
+    while (S_OK == (hr = WcaFetchRecord(hView, &hRec)))
+    {
+        hr = WcaGetRecordFormattedString(hRec, feqName, &pwzName);
+        ExitOnFailure(hr, "failed to get firewall exception name");
+
+        hr = WcaGetRecordFormattedString(hRec, feqRemoteAddresses, &pwzRemoteAddresses);
+        ExitOnFailure(hr, "failed to get firewall exception remote addresses");
+
+        hr = WcaGetRecordFormattedString(hRec, feqPort, &pwzPort);
+        ExitOnFailure(hr, "failed to get firewall exception port");
+
+        hr = WcaGetRecordInteger(hRec, feqProtocol, &iProtocol);
+        ExitOnFailure(hr, "failed to get firewall exception protocol");
+
+        hr = WcaGetRecordFormattedString(hRec, feqProgram, &pwzProgram);
+        ExitOnFailure(hr, "failed to get firewall exception program");
+
+        hr = WcaGetRecordInteger(hRec, feqAttributes, &iAttributes);
+        ExitOnFailure(hr, "failed to get firewall exception attributes");
+        
+        hr = WcaGetRecordInteger(hRec, feqProfile, &iProfile);
+        ExitOnFailure(hr, "failed to get firewall exception profile");
+
+        hr = WcaGetRecordString(hRec, feqComponent, &pwzComponent);
+        ExitOnFailure(hr, "failed to get firewall exception component");
+
+        hr = WcaGetRecordString(hRec, feqDescription, &pwzDescription);
+        ExitOnFailure(hr, "failed to get firewall description");
+
+        // figure out what we're doing for this exception, treating reinstall the same as install
+        WCA_TODO todoComponent = WcaGetComponentToDo(pwzComponent);
+        if ((WCA_TODO_REINSTALL == todoComponent ? WCA_TODO_INSTALL : todoComponent) != todoSched)
+        {
+            WcaLog(LOGMSG_STANDARD, "Component '%ls' action state (%d) doesn't match request (%d)", pwzComponent, todoComponent, todoSched);
+            continue;
+        }
+
+        // action :: name :: profile :: remoteaddresses :: attributes :: target :: {port::protocol | path}
+        ++cFirewallExceptions;
+        hr = WcaWriteIntegerToCaData(todoComponent, &pwzCustomActionData);
+        ExitOnFailure(hr, "failed to write exception action to custom action data");
+
+        hr = WcaWriteStringToCaData(pwzName, &pwzCustomActionData);
+        ExitOnFailure(hr, "failed to write exception name to custom action data");
+
+        hr = WcaWriteIntegerToCaData(iProfile, &pwzCustomActionData);
+        ExitOnFailure(hr, "failed to write exception profile to custom action data");
+
+        hr = WcaWriteStringToCaData(pwzRemoteAddresses, &pwzCustomActionData);
+        ExitOnFailure(hr, "failed to write exception remote addresses to custom action data");
+
+        hr = WcaWriteIntegerToCaData(iAttributes, &pwzCustomActionData);
+        ExitOnFailure(hr, "failed to write exception attributes to custom action data");
+
+        if (*pwzProgram)
+        {
+            // If program is defined, we have an application exception.
+            hr = WcaWriteIntegerToCaData(fetApplication, &pwzCustomActionData);
+            ExitOnFailure(hr, "failed to write exception target (application) to custom action data");
+
+            hr = WcaWriteStringToCaData(pwzProgram, &pwzCustomActionData);
+            ExitOnFailure(hr, "failed to write application path to custom action data");
+        }
+        else
+        {
+            // we have a port-only exception
+            hr = WcaWriteIntegerToCaData(fetPort, &pwzCustomActionData);
+            ExitOnFailure(hr, "failed to write exception target (port) to custom action data");
+        }
+
+        hr = WcaWriteStringToCaData(pwzPort, &pwzCustomActionData);
+        ExitOnFailure(hr, "failed to write application path to custom action data");
+
+        hr = WcaWriteIntegerToCaData(iProtocol, &pwzCustomActionData);
+        ExitOnFailure(hr, "failed to write exception protocol to custom action data");
+
+        hr = WcaWriteStringToCaData(pwzDescription, &pwzCustomActionData);
+        ExitOnFailure(hr, "failed to write firewall rule description to custom action data");
+    }
+
+    // reaching the end of the list is actually a good thing, not an error
+    if (E_NOMOREITEMS == hr)
+    {
+        hr = S_OK;
+    } 
+    ExitOnFailure(hr, "failure occured while processing WixFirewallException table");
+
+    // schedule ExecFirewallExceptions if there's anything to do
+    if (pwzCustomActionData && *pwzCustomActionData)
+    {
+        WcaLog(LOGMSG_STANDARD, "Scheduling firewall exception (%ls)", pwzCustomActionData);
+
+        if (WCA_TODO_INSTALL == todoSched)
+        {
+            hr = WcaDoDeferredAction(L"WixRollbackFirewallExceptionsInstall", pwzCustomActionData, cFirewallExceptions * COST_FIREWALL_EXCEPTION);
+            ExitOnFailure(hr, "failed to schedule firewall install exceptions rollback");            
+            hr = WcaDoDeferredAction(L"WixExecFirewallExceptionsInstall", pwzCustomActionData, cFirewallExceptions * COST_FIREWALL_EXCEPTION);
+            ExitOnFailure(hr, "failed to schedule firewall install exceptions execution");
+        }
+        else
+        {
+            hr = WcaDoDeferredAction(L"WixRollbackFirewallExceptionsUninstall", pwzCustomActionData, cFirewallExceptions * COST_FIREWALL_EXCEPTION);
+            ExitOnFailure(hr, "failed to schedule firewall uninstall exceptions rollback");    
+            hr = WcaDoDeferredAction(L"WixExecFirewallExceptionsUninstall", pwzCustomActionData, cFirewallExceptions * COST_FIREWALL_EXCEPTION);
+            ExitOnFailure(hr, "failed to schedule firewall uninstall exceptions execution");
+        }
+    }
+    else
+    {
+        WcaLog(LOGMSG_STANDARD, "No firewall exceptions scheduled");
+    }
+
+LExit:
+    ReleaseStr(pwzCustomActionData);
+    ReleaseStr(pwzName);
+    ReleaseStr(pwzRemoteAddresses);
+    ReleaseStr(pwzPort);
+    ReleaseStr(pwzProgram);
+    ReleaseStr(pwzComponent);
+    ReleaseStr(pwzDescription);
+    ReleaseStr(pwzFormattedFile);
+
+    return WcaFinalize(er = FAILED(hr) ? ERROR_INSTALL_FAILURE : er);
+}
+
+/******************************************************************
+ SchedFirewallExceptionsInstall - immediate custom action entry
+   point to register firewall exceptions.
+
+********************************************************************/
+extern "C" UINT __stdcall SchedFirewallExceptionsInstall(
+    __in MSIHANDLE hInstall
+    )
+{
+    return SchedFirewallExceptions(hInstall, WCA_TODO_INSTALL);
+}
+
+/******************************************************************
+ SchedFirewallExceptionsUninstall - immediate custom action entry
+   point to remove firewall exceptions.
+
+********************************************************************/
+extern "C" UINT __stdcall SchedFirewallExceptionsUninstall(
+    __in MSIHANDLE hInstall
+    )
+{
+    return SchedFirewallExceptions(hInstall, WCA_TODO_UNINSTALL);
+}
+
+/******************************************************************
+ GetFirewallRules - Get the collection of firewall rules.
+
+********************************************************************/
+static HRESULT GetFirewallRules(
+    __in BOOL fIgnoreFailures,
+    __out INetFwRules** ppNetFwRules
+    )
+{
+    HRESULT hr = S_OK;
+    INetFwPolicy2* pNetFwPolicy2 = NULL;
+    INetFwRules* pNetFwRules = NULL;
+    *ppNetFwRules = NULL;
+    
+    do
+    {
+        ReleaseNullObject(pNetFwPolicy2);
+        ReleaseNullObject(pNetFwRules);
+
+        if (SUCCEEDED(hr = ::CoCreateInstance(__uuidof(NetFwPolicy2), NULL, CLSCTX_ALL, __uuidof(INetFwPolicy2), (void**)&pNetFwPolicy2)) &&
+            SUCCEEDED(hr = pNetFwPolicy2->get_Rules(&pNetFwRules)))
+        {
+            break;
+        }
+        else if (fIgnoreFailures)
+        {
+            ExitFunction1(hr = S_FALSE);
+        }
+        else
+        {
+            WcaLog(LOGMSG_STANDARD, "Failed to connect to Windows Firewall");
+            UINT er = WcaErrorMessage(msierrFirewallCannotConnect, hr, INSTALLMESSAGE_ERROR | MB_ABORTRETRYIGNORE, 0);
+            switch (er)
+            {
+            case IDABORT: // exit with the current HRESULT
+                ExitFunction();
+            case IDRETRY: // clean up and retry the loop
+                hr = S_FALSE;
+                break;
+            case IDIGNORE: // pass S_FALSE back to the caller, who knows how to ignore the failure
+                ExitFunction1(hr = S_FALSE);
+            default: // No UI, so default is to fail.
+                ExitFunction();
+            }
+        }
+    } while (S_FALSE == hr);
+
+    *ppNetFwRules = pNetFwRules;
+    pNetFwRules = NULL;
+    
+LExit:
+    ReleaseObject(pNetFwPolicy2);
+    ReleaseObject(pNetFwRules);
+
+    return hr;
+}
+
+/******************************************************************
+ CreateFwRuleObject - CoCreate a firewall rule, and set the common set of properties which are shared
+ between port and application firewall rules
+
+********************************************************************/
+static HRESULT CreateFwRuleObject(
+    __in BSTR bstrName,
+    __in int iProfile,
+    __in_opt LPCWSTR wzRemoteAddresses,
+    __in LPCWSTR wzPort,
+    __in int iProtocol,
+    __in LPCWSTR wzDescription,
+    __out INetFwRule** ppNetFwRule
+    )
+{
+    HRESULT hr = S_OK;
+    BSTR bstrRemoteAddresses = NULL;
+    BSTR bstrPort = NULL;
+    BSTR bstrDescription = NULL;
+    INetFwRule* pNetFwRule = NULL;
+    *ppNetFwRule = NULL;
+
+    // convert to BSTRs to make COM happy
+    bstrRemoteAddresses = ::SysAllocString(wzRemoteAddresses);
+    ExitOnNull(bstrRemoteAddresses, hr, E_OUTOFMEMORY, "failed SysAllocString for remote addresses");
+    bstrPort = ::SysAllocString(wzPort);
+    ExitOnNull(bstrPort, hr, E_OUTOFMEMORY, "failed SysAllocString for port");
+    bstrDescription = ::SysAllocString(wzDescription);
+    ExitOnNull(bstrDescription, hr, E_OUTOFMEMORY, "failed SysAllocString for description");
+
+    hr = ::CoCreateInstance(__uuidof(NetFwRule), NULL, CLSCTX_ALL, __uuidof(INetFwRule), (void**)&pNetFwRule);
+    ExitOnFailure(hr, "failed to create NetFwRule object");
+
+    hr = pNetFwRule->put_Name(bstrName);
+    ExitOnFailure(hr, "failed to set exception name");
+
+    hr = pNetFwRule->put_Profiles(static_cast<NET_FW_PROFILE_TYPE2>(iProfile));
+    ExitOnFailure(hr, "failed to set exception profile");
+
+    if (MSI_NULL_INTEGER != iProtocol)
+    {
+        hr = pNetFwRule->put_Protocol(static_cast<NET_FW_IP_PROTOCOL>(iProtocol));
+        ExitOnFailure(hr, "failed to set exception protocol");
+    }
+
+    if (bstrPort && *bstrPort)
+    {
+        hr = pNetFwRule->put_LocalPorts(bstrPort);
+        ExitOnFailure(hr, "failed to set exception port");
+    }
+
+    if (bstrRemoteAddresses && *bstrRemoteAddresses)
+    {
+        hr = pNetFwRule->put_RemoteAddresses(bstrRemoteAddresses);
+        ExitOnFailure(hr, "failed to set exception remote addresses '%ls'", bstrRemoteAddresses);
+    }
+
+    if (bstrDescription && *bstrDescription)
+    {
+        hr = pNetFwRule->put_Description(bstrDescription);
+        ExitOnFailure(hr, "failed to set exception description '%ls'", bstrDescription);
+    }
+
+    *ppNetFwRule = pNetFwRule;
+    pNetFwRule = NULL;
+
+LExit:
+    ReleaseBSTR(bstrRemoteAddresses);
+    ReleaseBSTR(bstrPort);
+    ReleaseBSTR(bstrDescription);
+    ReleaseObject(pNetFwRule);
+
+    return hr;
+}
+
+/******************************************************************
+ FSupportProfiles - Returns true if we support profiles on this machine.
+  (Only on Vista or later)
+
+********************************************************************/
+static BOOL FSupportProfiles()
+{
+    BOOL fSupportProfiles = FALSE;
+    INetFwRules* pNetFwRules = NULL;
+
+    // We only support profiles if we can co-create an instance of NetFwPolicy2. 
+    // This will not work on pre-vista machines.
+    if (SUCCEEDED(GetFirewallRules(TRUE, &pNetFwRules)) &&  pNetFwRules != NULL)
+    {
+        fSupportProfiles = TRUE;
+        ReleaseObject(pNetFwRules);
+    }
+
+    return fSupportProfiles;
+}
+
+/******************************************************************
+ GetCurrentFirewallProfile - get the active firewall profile as an
+   INetFwProfile, which owns the lists of exceptions we're 
+   updating.
+
+********************************************************************/
+static HRESULT GetCurrentFirewallProfile(
+    __in BOOL fIgnoreFailures,
+    __out INetFwProfile** ppfwProfile
+    )
+{
+    HRESULT hr = S_OK;
+    INetFwMgr* pfwMgr = NULL;
+    INetFwPolicy* pfwPolicy = NULL;
+    INetFwProfile* pfwProfile = NULL;
+    *ppfwProfile = NULL;
+    
+    do
+    {
+        ReleaseNullObject(pfwPolicy);
+        ReleaseNullObject(pfwMgr);
+        ReleaseNullObject(pfwProfile);
+
+        if (SUCCEEDED(hr = ::CoCreateInstance(__uuidof(NetFwMgr), NULL, CLSCTX_INPROC_SERVER, __uuidof(INetFwMgr), (void**)&pfwMgr)) &&
+            SUCCEEDED(hr = pfwMgr->get_LocalPolicy(&pfwPolicy)) &&
+            SUCCEEDED(hr = pfwPolicy->get_CurrentProfile(&pfwProfile)))
+        {
+            break;
+        }
+        else if (fIgnoreFailures)
+        {
+            ExitFunction1(hr = S_FALSE);
+        }
+        else
+        {
+            WcaLog(LOGMSG_STANDARD, "Failed to connect to Windows Firewall");
+            UINT er = WcaErrorMessage(msierrFirewallCannotConnect, hr, INSTALLMESSAGE_ERROR | MB_ABORTRETRYIGNORE, 0);
+            switch (er)
+            {
+            case IDABORT: // exit with the current HRESULT
+                ExitFunction();
+            case IDRETRY: // clean up and retry the loop
+                hr = S_FALSE;
+                break;
+            case IDIGNORE: // pass S_FALSE back to the caller, who knows how to ignore the failure
+                ExitFunction1(hr = S_FALSE);
+            default: // No UI, so default is to fail.
+                ExitFunction();
+            }
+        }
+    } while (S_FALSE == hr);
+
+    *ppfwProfile = pfwProfile;
+    pfwProfile = NULL;
+    
+LExit:
+    ReleaseObject(pfwPolicy);
+    ReleaseObject(pfwMgr);
+    ReleaseObject(pfwProfile);
+
+    return hr;
+}
+
+/******************************************************************
+ AddApplicationException
+
+********************************************************************/
+static HRESULT AddApplicationException(
+    __in LPCWSTR wzFile, 
+    __in LPCWSTR wzName,
+    __in int iProfile,
+    __in_opt LPCWSTR wzRemoteAddresses,
+    __in BOOL fIgnoreFailures,
+    __in LPCWSTR wzPort,
+    __in int iProtocol,
+    __in LPCWSTR wzDescription
+    )
+{
+    HRESULT hr = S_OK;
+    BSTR bstrFile = NULL;
+    BSTR bstrName = NULL;
+    INetFwRules* pNetFwRules = NULL;
+    INetFwRule* pNetFwRule = NULL;
+
+    // convert to BSTRs to make COM happy
+    bstrFile = ::SysAllocString(wzFile);
+    ExitOnNull(bstrFile, hr, E_OUTOFMEMORY, "failed SysAllocString for path");
+    bstrName = ::SysAllocString(wzName);
+    ExitOnNull(bstrName, hr, E_OUTOFMEMORY, "failed SysAllocString for name");
+
+    // get the collection of firewall rules
+    hr = GetFirewallRules(fIgnoreFailures, &pNetFwRules);
+    ExitOnFailure(hr, "failed to get firewall rules object");
+    if (S_FALSE == hr) // user or package author chose to ignore missing firewall
+    {
+        ExitFunction();
+    }
+
+    // try to find it (i.e., support reinstall)
+    hr = pNetFwRules->Item(bstrName, &pNetFwRule);
+    if (HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND) == hr)
+    {
+        hr = CreateFwRuleObject(bstrName, iProfile, wzRemoteAddresses, wzPort, iProtocol, wzDescription, &pNetFwRule);
+        ExitOnFailure(hr, "failed to create FwRule object");
+
+        // set edge traversal to true
+        hr = pNetFwRule->put_EdgeTraversal(VARIANT_TRUE);
+        ExitOnFailure(hr, "failed to set application exception edgetraversal property");
+        
+        // set path
+        hr = pNetFwRule->put_ApplicationName(bstrFile);
+        ExitOnFailure(hr, "failed to set application name");
+        
+        // enable it
+        hr = pNetFwRule->put_Enabled(VARIANT_TRUE);
+        ExitOnFailure(hr, "failed to to enable application exception");
+     
+        // add it to the list of authorized apps
+        hr = pNetFwRules->Add(pNetFwRule);
+        ExitOnFailure(hr, "failed to add app to the authorized apps list");
+    }
+    else
+    {
+        // we found an existing app exception (if we succeeded, that is)
+        ExitOnFailure(hr, "failed trying to find existing app");
+        
+        // enable it (just in case it was disabled)
+        pNetFwRule->put_Enabled(VARIANT_TRUE);
+    }
+
+LExit:
+    ReleaseBSTR(bstrName);
+    ReleaseBSTR(bstrFile);
+    ReleaseObject(pNetFwRules);
+    ReleaseObject(pNetFwRule);
+
+    return fIgnoreFailures ? S_OK : hr;
+}
+
+/******************************************************************
+ AddApplicationExceptionOnCurrentProfile
+
+********************************************************************/
+static HRESULT AddApplicationExceptionOnCurrentProfile(
+    __in LPCWSTR wzFile, 
+    __in LPCWSTR wzName, 
+    __in_opt LPCWSTR wzRemoteAddresses,
+    __in BOOL fIgnoreFailures
+    )
+{
+    HRESULT hr = S_OK;
+    BSTR bstrFile = NULL;
+    BSTR bstrName = NULL;
+    BSTR bstrRemoteAddresses = NULL;
+    INetFwProfile* pfwProfile = NULL;
+    INetFwAuthorizedApplications* pfwApps = NULL;
+    INetFwAuthorizedApplication* pfwApp = NULL;
+
+    // convert to BSTRs to make COM happy
+    bstrFile = ::SysAllocString(wzFile);
+    ExitOnNull(bstrFile, hr, E_OUTOFMEMORY, "failed SysAllocString for path");
+    bstrName = ::SysAllocString(wzName);
+    ExitOnNull(bstrName, hr, E_OUTOFMEMORY, "failed SysAllocString for name");
+    bstrRemoteAddresses = ::SysAllocString(wzRemoteAddresses);
+    ExitOnNull(bstrRemoteAddresses, hr, E_OUTOFMEMORY, "failed SysAllocString for remote addresses");
+
+    // get the firewall profile, which is our entry point for adding exceptions
+    hr = GetCurrentFirewallProfile(fIgnoreFailures, &pfwProfile);
+    ExitOnFailure(hr, "failed to get firewall profile");
+    if (S_FALSE == hr) // user or package author chose to ignore missing firewall
+    {
+        ExitFunction();
+    }
+
+    // first, let's see if the app is already on the exception list
+    hr = pfwProfile->get_AuthorizedApplications(&pfwApps);
+    ExitOnFailure(hr, "failed to get list of authorized apps");
+
+    // try to find it (i.e., support reinstall)
+    hr = pfwApps->Item(bstrFile, &pfwApp);
+    if (HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND) == hr)
+    {
+        // not found, so we get to add it
+        hr = ::CoCreateInstance(__uuidof(NetFwAuthorizedApplication), NULL, CLSCTX_INPROC_SERVER, __uuidof(INetFwAuthorizedApplication), reinterpret_cast<void**>(&pfwApp));
+        ExitOnFailure(hr, "failed to create authorized app");
+
+        // set the display name
+        hr = pfwApp->put_Name(bstrName);
+        ExitOnFailure(hr, "failed to set authorized app name");
+
+        // set path
+        hr = pfwApp->put_ProcessImageFileName(bstrFile);
+        ExitOnFailure(hr, "failed to set authorized app path");
+
+        // set the allowed remote addresses
+        if (bstrRemoteAddresses && *bstrRemoteAddresses)
+        {
+            hr = pfwApp->put_RemoteAddresses(bstrRemoteAddresses);
+            ExitOnFailure(hr, "failed to set authorized app remote addresses");
+        }
+
+        // add it to the list of authorized apps
+        hr = pfwApps->Add(pfwApp);
+        ExitOnFailure(hr, "failed to add app to the authorized apps list");
+    }
+    else
+    {
+        // we found an existing app exception (if we succeeded, that is)
+        ExitOnFailure(hr, "failed trying to find existing app");
+
+        // enable it (just in case it was disabled)
+        pfwApp->put_Enabled(VARIANT_TRUE);
+    }
+
+LExit:
+    ReleaseBSTR(bstrRemoteAddresses);
+    ReleaseBSTR(bstrName);
+    ReleaseBSTR(bstrFile);
+    ReleaseObject(pfwApp);
+    ReleaseObject(pfwApps);
+    ReleaseObject(pfwProfile);
+
+    return fIgnoreFailures ? S_OK : hr;
+}
+
+/******************************************************************
+ AddPortException
+
+********************************************************************/
+static HRESULT AddPortException(
+    __in LPCWSTR wzName,
+    __in int iProfile,
+    __in_opt LPCWSTR wzRemoteAddresses,
+    __in BOOL fIgnoreFailures,
+    __in LPCWSTR wzPort,
+    __in int iProtocol,
+    __in LPCWSTR wzDescription
+    )
+{
+    HRESULT hr = S_OK;
+    BSTR bstrName = NULL;
+    INetFwRules* pNetFwRules = NULL;
+    INetFwRule* pNetFwRule = NULL;
+
+    // convert to BSTRs to make COM happy
+    bstrName = ::SysAllocString(wzName);
+    ExitOnNull(bstrName, hr, E_OUTOFMEMORY, "failed SysAllocString for name");
+
+    // get the collection of firewall rules
+    hr = GetFirewallRules(fIgnoreFailures, &pNetFwRules);
+    ExitOnFailure(hr, "failed to get firewall rules object");
+    if (S_FALSE == hr) // user or package author chose to ignore missing firewall
+    {
+        ExitFunction();
+    }
+
+    // try to find it (i.e., support reinstall)
+    hr = pNetFwRules->Item(bstrName, &pNetFwRule);
+    if (HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND) == hr)
+    {
+        hr = CreateFwRuleObject(bstrName, iProfile, wzRemoteAddresses, wzPort, iProtocol, wzDescription, &pNetFwRule);
+        ExitOnFailure(hr, "failed to create FwRule object");
+
+        // enable it
+        hr = pNetFwRule->put_Enabled(VARIANT_TRUE);
+        ExitOnFailure(hr, "failed to to enable port exception");
+
+        // add it to the list of authorized ports
+        hr = pNetFwRules->Add(pNetFwRule);
+        ExitOnFailure(hr, "failed to add app to the authorized ports list");
+    }
+    else
+    {
+        // we found an existing port exception (if we succeeded, that is)
+        ExitOnFailure(hr, "failed trying to find existing port rule");
+
+        // enable it (just in case it was disabled)
+        pNetFwRule->put_Enabled(VARIANT_TRUE);
+    }
+
+LExit:
+    ReleaseBSTR(bstrName);
+    ReleaseObject(pNetFwRules);
+    ReleaseObject(pNetFwRule);
+
+    return fIgnoreFailures ? S_OK : hr;
+}
+
+/******************************************************************
+ AddPortExceptionOnCurrentProfile
+
+********************************************************************/
+static HRESULT AddPortExceptionOnCurrentProfile(
+    __in LPCWSTR wzName,
+    __in_opt LPCWSTR wzRemoteAddresses,
+    __in BOOL fIgnoreFailures,
+    __in int iPort,
+    __in int iProtocol
+    )
+{
+    HRESULT hr = S_OK;
+    BSTR bstrName = NULL;
+    BSTR bstrRemoteAddresses = NULL;
+    INetFwProfile* pfwProfile = NULL;
+    INetFwOpenPorts* pfwPorts = NULL;
+    INetFwOpenPort* pfwPort = NULL;
+
+    // convert to BSTRs to make COM happy
+    bstrName = ::SysAllocString(wzName);
+    ExitOnNull(bstrName, hr, E_OUTOFMEMORY, "failed SysAllocString for name");
+    bstrRemoteAddresses = ::SysAllocString(wzRemoteAddresses);
+    ExitOnNull(bstrRemoteAddresses, hr, E_OUTOFMEMORY, "failed SysAllocString for remote addresses");
+
+    // create and initialize a new open port object
+    hr = ::CoCreateInstance(__uuidof(NetFwOpenPort), NULL, CLSCTX_INPROC_SERVER, __uuidof(INetFwOpenPort), reinterpret_cast<void**>(&pfwPort));
+    ExitOnFailure(hr, "failed to create new open port");
+
+    hr = pfwPort->put_Port(iPort);
+    ExitOnFailure(hr, "failed to set exception port");
+
+    hr = pfwPort->put_Protocol(static_cast<NET_FW_IP_PROTOCOL>(iProtocol));
+    ExitOnFailure(hr, "failed to set exception protocol");
+
+    if (bstrRemoteAddresses && *bstrRemoteAddresses)
+    {
+        hr = pfwPort->put_RemoteAddresses(bstrRemoteAddresses);
+        ExitOnFailure(hr, "failed to set exception remote addresses '%ls'", bstrRemoteAddresses);
+    }
+
+    hr = pfwPort->put_Name(bstrName);
+    ExitOnFailure(hr, "failed to set exception name");
+
+    // get the firewall profile, its current list of open ports, and add ours
+    hr = GetCurrentFirewallProfile(fIgnoreFailures, &pfwProfile);
+    ExitOnFailure(hr, "failed to get firewall profile");
+    if (S_FALSE == hr) // user or package author chose to ignore missing firewall
+    {
+        ExitFunction();
+    }
+
+    hr = pfwProfile->get_GloballyOpenPorts(&pfwPorts);
+    ExitOnFailure(hr, "failed to get open ports");
+
+    hr = pfwPorts->Add(pfwPort);
+    ExitOnFailure(hr, "failed to add exception to global list");
+
+LExit:
+    ReleaseBSTR(bstrRemoteAddresses);
+    ReleaseBSTR(bstrName);
+    ReleaseObject(pfwProfile);
+    ReleaseObject(pfwPorts);
+    ReleaseObject(pfwPort);
+
+    return fIgnoreFailures ? S_OK : hr;
+}
+
+/******************************************************************
+ RemoveException - Removes the exception rule with the given name.
+
+********************************************************************/
+static HRESULT RemoveException(
+    __in LPCWSTR wzName, 
+    __in BOOL fIgnoreFailures
+    )
+{
+    HRESULT hr = S_OK;;
+    INetFwRules* pNetFwRules = NULL;
+
+    // convert to BSTRs to make COM happy
+    BSTR bstrName = ::SysAllocString(wzName);
+    ExitOnNull(bstrName, hr, E_OUTOFMEMORY, "failed SysAllocString for path");
+
+    // get the collection of firewall rules
+    hr = GetFirewallRules(fIgnoreFailures, &pNetFwRules);
+    ExitOnFailure(hr, "failed to get firewall rules object");
+    if (S_FALSE == hr) // user or package author chose to ignore missing firewall
+    {
+        ExitFunction();
+    }
+
+    hr = pNetFwRules->Remove(bstrName);
+    ExitOnFailure(hr, "failed to remove authorized app");
+
+LExit:
+    ReleaseBSTR(bstrName);
+    ReleaseObject(pNetFwRules);
+
+    return fIgnoreFailures ? S_OK : hr;
+}
+
+/******************************************************************
+ RemoveApplicationExceptionFromCurrentProfile
+
+********************************************************************/
+static HRESULT RemoveApplicationExceptionFromCurrentProfile(
+    __in LPCWSTR wzFile, 
+    __in BOOL fIgnoreFailures
+    )
+{
+    HRESULT hr = S_OK;
+    INetFwProfile* pfwProfile = NULL;
+    INetFwAuthorizedApplications* pfwApps = NULL;
+
+    // convert to BSTRs to make COM happy
+    BSTR bstrFile = ::SysAllocString(wzFile);
+    ExitOnNull(bstrFile, hr, E_OUTOFMEMORY, "failed SysAllocString for path");
+
+    // get the firewall profile, which is our entry point for removing exceptions
+    hr = GetCurrentFirewallProfile(fIgnoreFailures, &pfwProfile);
+    ExitOnFailure(hr, "failed to get firewall profile");
+    if (S_FALSE == hr) // user or package author chose to ignore missing firewall
+    {
+        ExitFunction();
+    }
+
+    // now get the list of app exceptions and remove the one
+    hr = pfwProfile->get_AuthorizedApplications(&pfwApps);
+    ExitOnFailure(hr, "failed to get list of authorized apps");
+
+    hr = pfwApps->Remove(bstrFile);
+    ExitOnFailure(hr, "failed to remove authorized app");
+
+LExit:
+    ReleaseBSTR(bstrFile);
+    ReleaseObject(pfwApps);
+    ReleaseObject(pfwProfile);
+
+    return fIgnoreFailures ? S_OK : hr;
+}
+
+/******************************************************************
+ RemovePortExceptionFromCurrentProfile
+
+********************************************************************/
+static HRESULT RemovePortExceptionFromCurrentProfile(
+    __in int iPort,
+    __in int iProtocol,
+    __in BOOL fIgnoreFailures
+    )
+{
+    HRESULT hr = S_OK;
+    INetFwProfile* pfwProfile = NULL;
+    INetFwOpenPorts* pfwPorts = NULL;
+
+    // get the firewall profile, which is our entry point for adding exceptions
+    hr = GetCurrentFirewallProfile(fIgnoreFailures, &pfwProfile);
+    ExitOnFailure(hr, "failed to get firewall profile");
+    if (S_FALSE == hr) // user or package author chose to ignore missing firewall
+    {
+        ExitFunction();
+    }
+
+    hr = pfwProfile->get_GloballyOpenPorts(&pfwPorts);
+    ExitOnFailure(hr, "failed to get open ports");
+
+    hr = pfwPorts->Remove(iPort, static_cast<NET_FW_IP_PROTOCOL>(iProtocol));
+    ExitOnFailure(hr, "failed to remove open port %d, protocol %d", iPort, iProtocol);
+
+LExit:
+    return fIgnoreFailures ? S_OK : hr;
+}
+
+static HRESULT AddApplicationException(
+    __in BOOL fSupportProfiles,
+    __in LPCWSTR wzFile, 
+    __in LPCWSTR wzName,
+    __in int iProfile,
+    __in_opt LPCWSTR wzRemoteAddresses,
+    __in BOOL fIgnoreFailures,
+    __in LPCWSTR wzPort,
+    __in int iProtocol,
+    __in LPCWSTR wzDescription
+    )
+{
+    HRESULT hr = S_OK;
+
+    if (fSupportProfiles)
+    {
+        hr = AddApplicationException(wzFile, wzName, iProfile, wzRemoteAddresses, fIgnoreFailures, wzPort, iProtocol, wzDescription);
+    }
+    else
+    {
+        if (0 != *wzPort || MSI_NULL_INTEGER != iProtocol)
+        {
+            // NOTE: This is treated as an error rather than either creating a rule based on just the application (no port), or 
+            // just the port because it is unclear what is the proper fall back. For example, suppose that you have code that 
+            // runs in dllhost.exe. Clearly falling back to opening all of dllhost is wrong. Because the firewall is a security
+            // feature, it seems better to require the MSI author to indicate the behavior that they want.
+            WcaLog(LOGMSG_STANDARD, "FirewallExtension: Cannot add firewall rule '%ls', which defines both an application and a port or protocol. Such a rule requires Microsoft Windows Vista or later.", wzName);
+            return fIgnoreFailures ? S_OK : E_NOTIMPL;
+        }
+
+        hr = AddApplicationExceptionOnCurrentProfile(wzFile, wzName, wzRemoteAddresses, fIgnoreFailures);
+    }
+
+    return hr;
+}
+
+static HRESULT AddPortException(
+    __in BOOL fSupportProfiles,
+    __in LPCWSTR wzName,
+    __in int iProfile,
+    __in_opt LPCWSTR wzRemoteAddresses,
+    __in BOOL fIgnoreFailures,
+    __in LPCWSTR wzPort,
+    __in int iProtocol,
+    __in LPCWSTR wzDescription
+    )
+{
+    HRESULT hr = S_OK;
+
+    if (fSupportProfiles)
+    {
+        hr = AddPortException(wzName, iProfile, wzRemoteAddresses, fIgnoreFailures, wzPort, iProtocol, wzDescription);
+    }
+    else
+    {
+        hr = AddPortExceptionOnCurrentProfile(wzName, wzRemoteAddresses, fIgnoreFailures, wcstol(wzPort, NULL, 10), iProtocol);
+    }
+
+    return hr;
+}
+
+static HRESULT RemoveApplicationException(
+    __in BOOL fSupportProfiles,
+    __in LPCWSTR wzName,
+    __in LPCWSTR wzFile, 
+    __in BOOL fIgnoreFailures,
+    __in LPCWSTR wzPort,
+    __in int iProtocol
+    )
+{
+    HRESULT hr = S_OK;
+
+    if (fSupportProfiles)
+    {
+        hr = RemoveException(wzName, fIgnoreFailures);
+    }
+    else
+    {
+        if (0 != *wzPort || MSI_NULL_INTEGER != iProtocol)
+        {
+            WcaLog(LOGMSG_STANDARD, "FirewallExtension: Cannot remove firewall rule '%ls', which defines both an application and a port or protocol. Such a rule requires Microsoft Windows Vista or later.", wzName);
+            return S_OK;
+        }
+
+        hr = RemoveApplicationExceptionFromCurrentProfile(wzFile, fIgnoreFailures);
+    }
+
+    return hr;
+}
+
+static HRESULT RemovePortException(
+    __in BOOL fSupportProfiles,
+    __in LPCWSTR wzName,
+    __in LPCWSTR wzPort,
+    __in int iProtocol,
+    __in BOOL fIgnoreFailures
+    )
+{
+    HRESULT hr = S_OK;
+
+    if (fSupportProfiles)
+    {
+        hr = RemoveException(wzName, fIgnoreFailures);
+    }
+    else
+    {
+        hr = RemovePortExceptionFromCurrentProfile(wcstol(wzPort, NULL, 10), iProtocol, fIgnoreFailures);
+    }
+
+    return hr;
+}
+
+/******************************************************************
+ ExecFirewallExceptions - deferred custom action entry point to 
+   register and remove firewall exceptions.
+
+********************************************************************/
+extern "C" UINT __stdcall ExecFirewallExceptions(
+    __in MSIHANDLE hInstall
+    )
+{
+    HRESULT hr = S_OK;
+    BOOL fSupportProfiles = FALSE;
+    LPWSTR pwz = NULL;
+    LPWSTR pwzCustomActionData = NULL;
+    int iTodo = WCA_TODO_UNKNOWN;
+    LPWSTR pwzName = NULL;
+    LPWSTR pwzRemoteAddresses = NULL;
+    int iAttributes = 0;
+    int iTarget = fetUnknown;
+    LPWSTR pwzFile = NULL;
+    LPWSTR pwzPort = NULL;
+    LPWSTR pwzDescription = NULL;
+    int iProtocol = 0;
+    int iProfile = 0;
+
+    // initialize
+    hr = WcaInitialize(hInstall, "ExecFirewallExceptions");
+    ExitOnFailure(hr, "failed to initialize");
+
+    hr = WcaGetProperty( L"CustomActionData", &pwzCustomActionData);
+    ExitOnFailure(hr, "failed to get CustomActionData");
+    WcaLog(LOGMSG_TRACEONLY, "CustomActionData: %ls", pwzCustomActionData);
+
+    hr = ::CoInitialize(NULL);
+    ExitOnFailure(hr, "failed to initialize COM");
+
+    // Find out if we support profiles (only on Vista or later)
+    fSupportProfiles = FSupportProfiles();
+
+    // loop through all the passed in data
+    pwz = pwzCustomActionData;
+    while (pwz && *pwz)
+    {
+        // extract the custom action data and if rolling back, swap INSTALL and UNINSTALL
+        hr = WcaReadIntegerFromCaData(&pwz, &iTodo);
+        ExitOnFailure(hr, "failed to read todo from custom action data");
+        if (::MsiGetMode(hInstall, MSIRUNMODE_ROLLBACK))
+        {
+            if (WCA_TODO_INSTALL == iTodo)
+            {
+                iTodo = WCA_TODO_UNINSTALL;
+            }
+            else if (WCA_TODO_UNINSTALL == iTodo)
+            {
+                iTodo = WCA_TODO_INSTALL;
+            }
+        }
+
+        hr = WcaReadStringFromCaData(&pwz, &pwzName);
+        ExitOnFailure(hr, "failed to read name from custom action data");
+
+        hr = WcaReadIntegerFromCaData(&pwz, &iProfile);
+        ExitOnFailure(hr, "failed to read profile from custom action data");
+
+        hr = WcaReadStringFromCaData(&pwz, &pwzRemoteAddresses);
+        ExitOnFailure(hr, "failed to read remote addresses from custom action data");
+
+        hr = WcaReadIntegerFromCaData(&pwz, &iAttributes);
+        ExitOnFailure(hr, "failed to read attributes from custom action data");
+        BOOL fIgnoreFailures = feaIgnoreFailures == (iAttributes & feaIgnoreFailures);
+
+        hr = WcaReadIntegerFromCaData(&pwz, &iTarget);
+        ExitOnFailure(hr, "failed to read target from custom action data");
+
+        if (iTarget == fetApplication)
+        {
+            hr = WcaReadStringFromCaData(&pwz, &pwzFile);
+            ExitOnFailure(hr, "failed to read file path from custom action data");
+        }
+
+        hr = WcaReadStringFromCaData(&pwz, &pwzPort);
+        ExitOnFailure(hr, "failed to read port from custom action data");
+        hr = WcaReadIntegerFromCaData(&pwz, &iProtocol);
+        ExitOnFailure(hr, "failed to read protocol from custom action data");
+        hr = WcaReadStringFromCaData(&pwz, &pwzDescription);
+        ExitOnFailure(hr, "failed to read protocol from custom action data");
+
+        switch (iTarget)
+        {
+        case fetPort:
+            switch (iTodo)
+            {
+            case WCA_TODO_INSTALL:
+            case WCA_TODO_REINSTALL:
+                WcaLog(LOGMSG_STANDARD, "Installing firewall exception2 %ls on port %ls, protocol %d", pwzName, pwzPort, iProtocol);
+                hr = AddPortException(fSupportProfiles, pwzName, iProfile, pwzRemoteAddresses, fIgnoreFailures, pwzPort, iProtocol, pwzDescription);
+                ExitOnFailure(hr, "failed to add/update port exception for name '%ls' on port %ls, protocol %d", pwzName, pwzPort, iProtocol);
+                break;
+
+            case WCA_TODO_UNINSTALL:
+                WcaLog(LOGMSG_STANDARD, "Uninstalling firewall exception2 %ls on port %ls, protocol %d", pwzName, pwzPort, iProtocol);
+                hr = RemovePortException(fSupportProfiles, pwzName, pwzPort, iProtocol, fIgnoreFailures);
+                ExitOnFailure(hr, "failed to remove port exception for name '%ls' on port %ls, protocol %d", pwzName, pwzPort, iProtocol);
+                break;
+            }
+            break;
+
+        case fetApplication:
+            switch (iTodo)
+            {
+            case WCA_TODO_INSTALL:
+            case WCA_TODO_REINSTALL:
+                WcaLog(LOGMSG_STANDARD, "Installing firewall exception2 %ls (%ls)", pwzName, pwzFile);
+                hr = AddApplicationException(fSupportProfiles, pwzFile, pwzName, iProfile, pwzRemoteAddresses, fIgnoreFailures, pwzPort, iProtocol, pwzDescription);
+                ExitOnFailure(hr, "failed to add/update application exception for name '%ls', file '%ls'", pwzName, pwzFile);
+                break;
+
+            case WCA_TODO_UNINSTALL:
+                WcaLog(LOGMSG_STANDARD, "Uninstalling firewall exception2 %ls (%ls)", pwzName, pwzFile);
+                hr = RemoveApplicationException(fSupportProfiles, pwzName, pwzFile, fIgnoreFailures, pwzPort, iProtocol);
+                ExitOnFailure(hr, "failed to remove application exception for name '%ls', file '%ls'", pwzName, pwzFile);
+                break;
+            }
+            break;
+        }
+    }
+
+LExit:
+    ReleaseStr(pwzCustomActionData);
+    ReleaseStr(pwzName);
+    ReleaseStr(pwzRemoteAddresses);
+    ReleaseStr(pwzFile);
+    ReleaseStr(pwzPort);
+    ReleaseStr(pwzDescription);
+    ::CoUninitialize();
+
+    return WcaFinalize(FAILED(hr) ? ERROR_INSTALL_FAILURE : ERROR_SUCCESS);
+}
diff --git a/src/ca/fwca.def b/src/ca/fwca.def
new file mode 100644
index 00000000..d32c5379
--- /dev/null
+++ b/src/ca/fwca.def
@@ -0,0 +1,9 @@
+; Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information.
+
+
+LIBRARY      "fwca"
+
+EXPORTS
+        SchedFirewallExceptionsInstall
+        SchedFirewallExceptionsUninstall
+        ExecFirewallExceptions
diff --git a/src/ca/fwca.vcxproj b/src/ca/fwca.vcxproj
new file mode 100644
index 00000000..b6075790
--- /dev/null
+++ b/src/ca/fwca.vcxproj
@@ -0,0 +1,72 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->
+
+<Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <Import Project="..\..\packages\WixToolset.DUtil.4.0.6\build\WixToolset.DUtil.props" Condition="Exists('..\..\packages\WixToolset.DUtil.4.0.6\build\WixToolset.DUtil.props')" />
+  <Import Project="..\..\packages\WixToolset.WcaUtil.4.0.2\build\WixToolset.WcaUtil.props" Condition="Exists('..\..\packages\WixToolset.WcaUtil.4.0.2\build\WixToolset.WcaUtil.props')" />
+
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{F72D34CA-48DA-4DFD-91A9-A0C78BEF6981}</ProjectGuid>
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <TargetName>fwca</TargetName>
+    <PlatformToolset>v141</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+    <ProjectModuleDefinitionFile>fwca.def</ProjectModuleDefinitionFile>
+    <Description>WiX Toolset Firewall CustomAction</Description>
+  </PropertyGroup>
+
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+
+  <ImportGroup Label="Shared">
+    <Import Project="..\..\packages\Microsoft.VisualStudio.Setup.Configuration.Native.1.14.114\build\native\Microsoft.VisualStudio.Setup.Configuration.Native.targets" Condition="Exists('..\..\packages\Microsoft.VisualStudio.Setup.Configuration.Native.1.14.114\build\native\Microsoft.VisualStudio.Setup.Configuration.Native.targets')" />
+  </ImportGroup>
+
+  <PropertyGroup>
+    <ProjectAdditionalLinkLibraries>msi.lib</ProjectAdditionalLinkLibraries>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <ClCompile Include="dllmain.cpp">
+      <PrecompiledHeader>Create</PrecompiledHeader>
+    </ClCompile>
+    <ClCompile Include="firewall.cpp" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ClInclude Include="cost.h" />
+    <ClInclude Include="CustomMsiErrors.h" />
+    <ClInclude Include="precomp.h" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <None Include="packages.config" />
+    <None Include="fwca.def" />
+  </ItemGroup>
+
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+
+  <Target Name="EnsureNuGetPackageBuildImports" BeforeTargets="PrepareForBuild">
+    <PropertyGroup>
+      <ErrorText>This project references NuGet package(s) that are missing on this computer. Use NuGet Package Restore to download them.  For more information, see http://go.microsoft.com/fwlink/?LinkID=322105. The missing file is {0}.</ErrorText>
+    </PropertyGroup>
+    <Error Condition="!Exists('..\..\packages\Microsoft.VisualStudio.Setup.Configuration.Native.1.14.114\build\native\Microsoft.VisualStudio.Setup.Configuration.Native.targets')" Text="$([System.String]::Format('$(ErrorText)', '..\..\packages\Microsoft.VisualStudio.Setup.Configuration.Native.1.14.114\build\native\Microsoft.VisualStudio.Setup.Configuration.Native.targets'))" />
+    <Error Condition="!Exists('..\..\packages\WixToolset.DUtil.4.0.6\build\WixToolset.DUtil.props')" Text="$([System.String]::Format('$(ErrorText)', '..\..\packages\WixToolset.DUtil.4.0.6\build\WixToolset.DUtil.props'))" />
+    <Error Condition="!Exists('..\..\packages\WixToolset.WcaUtil.4.0.2\build\WixToolset.WcaUtil.props')" Text="$([System.String]::Format('$(ErrorText)', '..\..\packages\WixToolset.WcaUtil.4.0.2\build\WixToolset.WcaUtil.props'))" />
+  </Target>
+</Project>
+
diff --git a/src/ca/packages.config b/src/ca/packages.config
new file mode 100644
index 00000000..b74ff5d0
--- /dev/null
+++ b/src/ca/packages.config
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<packages>
+  <package id="Microsoft.VisualStudio.Setup.Configuration.Native" version="1.14.114" targetFramework="native" developmentDependency="true" />
+  <package id="WixToolset.DUtil" version="4.0.6" targetFramework="native" />
+  <package id="WixToolset.WcaUtil" version="4.0.2" targetFramework="native" />
+</packages>
\ No newline at end of file
diff --git a/src/ca/precomp.h b/src/ca/precomp.h
new file mode 100644
index 00000000..a84bacff
--- /dev/null
+++ b/src/ca/precomp.h
@@ -0,0 +1,17 @@
+#pragma once
+// Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information.
+
+
+#include <windows.h>
+#include <msidefs.h>
+#include <msiquery.h>
+#include <strsafe.h>
+#include <netfw.h>
+
+#include "wcautil.h"
+#include "fileutil.h"
+#include "pathutil.h"
+#include "strutil.h"
+
+#include "CustomMsiErrors.h"
+#include "cost.h"