diff --git a/lib/core/icingaagent/firewall/Disable-IcingaFirewall.psm1 b/lib/core/icingaagent/firewall/Disable-IcingaFirewall.psm1
new file mode 100644
index 0000000..749d17c
--- /dev/null
+++ b/lib/core/icingaagent/firewall/Disable-IcingaFirewall.psm1
@@ -0,0 +1,30 @@
+function Disable-IcingaFirewall()
+{
+ param(
+ [switch]$LegacyOnly
+ );
+
+ $FirewallConfig = Get-IcingaFirewallConfig -NoOutput;
+
+ if ($FirewallConfig.LegacyFirewall) {
+ $Firewall = Start-IcingaProcess -Executable 'netsh' -Arguments 'advfirewall firewall delete rule name="Icinga 2 Agent Inbound by PS-Module"';
+ if ($Firewall.ExitCode -ne 0) {
+ Write-Host ([string]::Format('Failed to remove legacy firewall: {0}{1}', $Firewall.Message, $Firewall.Error));
+ } else {
+ Write-Host 'Successfully removed legacy Firewall rule';
+ }
+ }
+
+ if ($LegacyOnly) {
+ return;
+ }
+
+ if ($FirewallConfig.IcingaFirewall) {
+ $Firewall = Start-IcingaProcess -Executable 'netsh' -Arguments 'advfirewall firewall delete rule name="Icinga Agent Inbound"';
+ if ($Firewall.ExitCode -ne 0) {
+ Write-Host ([string]::Format('Failed to remove Icinga firewall: {0}{1}', $Firewall.Message, $Firewall.Error));
+ } else {
+ Write-Host 'Successfully removed Icinga Firewall rule';
+ }
+ }
+}
diff --git a/lib/core/icingaagent/firewall/Enable-IcingaFirewall.psm1 b/lib/core/icingaagent/firewall/Enable-IcingaFirewall.psm1
new file mode 100644
index 0000000..88b353c
--- /dev/null
+++ b/lib/core/icingaagent/firewall/Enable-IcingaFirewall.psm1
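Review bot: A failed `netsh ... delete rule` in either branch of Disable-IcingaFirewall is only reported via Write-Host and the function returns nothing, so a caller such as `Enable-IcingaFirewall -Force` (which calls this to clear old rules) cannot tell that a stale rule, possibly scoped to an old binary path or port, is still open. I would track the outcome in a `$Success` flag initialised to `$TRUE`, set it to `$FALSE` in each `ExitCode -ne 0` branch, and end both the `-LegacyOnly` exit and the function with `return $Success;` so callers can stop or warn. A short comment-based help block stating that the function removes the rules named "Icinga 2 Agent Inbound by PS-Module" and "Icinga Agent Inbound" and that `-LegacyOnly` skips the second would also help.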
@@ -0,0 +1,35 @@
+function Enable-IcingaFirewall()
+{
+ param(
+ [int]$IcingaPort = 5665,
+ [switch]$Force
+ );
+
+ $FirewallConfig = Get-IcingaFirewallConfig -NoOutput;
+
+ if ($FirewallConfig.IcingaFirewall -And $Force -eq $FALSE) {
+ Write-Host 'Icinga Firewall is already enabled'
+ return;
+ }
+
+ if ($Force) {
+ Disable-IcingaFirewall;
+ }
+
+ $IcingaBinary = Get-IcingaAgentBinary;
+ [string]$FirewallRule = [string]::Format(
+ 'advfirewall firewall add rule dir=in action=allow program="{0}" name="{1}" description="{2}" enable=yes remoteip=any localip=any localport={3} protocol=tcp',
+ $IcingaBinary,
+ 'Icinga Agent Inbound',
+ 'Inbound Firewall Rule to allow Icinga 2 masters / satellites to connect to the Icinga 2 Agent installed on this system.',
+ $IcingaPort
+ );
+
+ $FirewallResult = Start-IcingaProcess -Executable 'netsh' -Arguments $FirewallRule;
+
+ if ($FirewallResult.ExitCode -ne 0) {
+ Write-Host ([string]::Format('Failed to open Icinga firewall for port "{0}": {1}[2}', $IcingaPort, $FirewallResult.Message, $FirewallResult.Error));
+ } else {
+ Write-Host ([string]::Format('Successfully enabled firewall for port "{0}"', $IcingaPort));
+ }
+}
diff --git a/lib/core/icingaagent/firewall/Get-IcingaFirewallConfig.psm1 b/lib/core/icingaagent/firewall/Get-IcingaFirewallConfig.psm1
new file mode 100644
index 0000000..6caa144
--- /dev/null
+++ b/lib/core/icingaagent/firewall/Get-IcingaFirewallConfig.psm1
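Review bot: The failure message in the `if ($FirewallResult.ExitCode -ne 0)` branch uses the composite format `'... {1}[2}'`; the unmatched `}` makes `[string]::Format` throw a FormatException, so a failed `netsh` call ends in an exception instead of the intended message and `$FirewallResult.Error` is never shown. The fix is `'Failed to open Icinga firewall for port "{0}": {1}{2}'`. Separately, the rule is created with `remoteip=any`, which exposes the agent port to every host that can reach it; since the wizard appears to collect parent endpoint addresses already, an optional `[string]$RemoteIP = 'any'` parameter substituted as `remoteip={4}` would let callers scope the rule to the masters/satellites without changing current behaviour. Note also that the `-Force` path ignores whatever `Disable-IcingaFirewall` reports, so a stale rule may remain alongside the new one, and the `Write-Host 'Icinga Firewall is already enabled'` line is the only statement in the file without a trailing `;`.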
@@ -0,0 +1,36 @@
+function Get-IcingaFirewallConfig()
+{
+ param(
+ [switch]$NoOutput
+ );
+
+ [bool]$LegacyFirewallPresent = $FALSE;
+ [bool]$IcingaFirewallPresent = $FALSE;
+
+ $LegacyFirewall = Start-IcingaProcess -Executable 'netsh' -Arguments 'advfirewall firewall show rule name="Icinga 2 Agent Inbound by PS-Module"';
+
+ if ($LegacyFirewall.ExitCode -eq 0) {
+ if ($NoOutput -eq $FALSE) {
+ Write-Host 'Legacy firewall configuration has been detected.';
+ }
+ $LegacyFirewallPresent = $TRUE;
+ }
+
+ $IcingaFirewall = Start-IcingaProcess -Executable 'netsh' -Arguments 'advfirewall firewall show rule name="Icinga Agent Inbound"';
+
+ if ($IcingaFirewall.ExitCode -eq 0) {
+ if ($NoOutput -eq $FALSE) {
+ Write-Host 'Icinga firewall is present.';
+ }
+ $IcingaFirewallPresent = $TRUE;
+ } else {
+ if ($NoOutput -eq $FALSE) {
+ Write-Host 'Icinga firewall is not present';
+ }
+ }
+
+ return @{
+ 'LegacyFirewall' = $LegacyFirewallPresent;
+ 'IcingaFirewall' = $IcingaFirewallPresent;
+ }
+}
diff --git a/lib/core/icingaagent/misc/Start-IcingaAgentInstallWizard.psm1 b/lib/core/icingaagent/misc/Start-IcingaAgentInstallWizard.psm1
index 19057d9..837fbf8 100644
--- a/lib/core/icingaagent/misc/Start-IcingaAgentInstallWizard.psm1
+++ b/lib/core/icingaagent/misc/Start-IcingaAgentInstallWizard.psm1
@@ -12,6 +12,7 @@ function Start-IcingaAgentInstallWizard()
 [string]$AgentVersion,
 $AllowVersionChanges,
 $UpdateAgent = $null,
+ $AddFirewallRule = $null,
 $AcceptConnections = $null,
 [array]$Endpoints = @(),
 [array]$EndpointConnections = @(),
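Review bot: Get-IcingaFirewallConfig decides presence from the exit code of `netsh advfirewall firewall show rule name=...` alone, so a rule that exists under the name "Icinga Agent Inbound" but was created for a different port or agent binary is reported as present, and `Enable-IcingaFirewall` without `-Force` then returns early with "already enabled" while the new port stays closed and the old one stays open. If the object returned by `Start-IcingaProcess` exposes the command's stdout (not visible here, please confirm), the `LocalPort:` and `Program:` lines of the `show rule` output could be parsed and returned next to the two booleans, e.g. `'IcingaFirewallPort' = $DetectedPort;`, so callers can compare against the requested port. As a smaller point, the legacy branch prints nothing when the legacy rule is absent while the Icinga branch prints "Icinga firewall is not present"; making the two branches symmetric keeps the non-`-NoOutput` output readable. A comment-based help block describing the returned hashtable keys `LegacyFirewall` and `IcingaFirewall` would also help.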
@@ -99,6 +100,9 @@ function Start-IcingaAgentInstallWizard() $Result = Set-IcingaWizardArgument -DirectorArgs $DirectorArgs -WizardArg 'AcceptConnections' -Value $AcceptConnections -InstallerArguments $InstallerArguments; $AcceptConnections = $Result.Value; $InstallerArguments = $Result.Args; + $Result = Set-IcingaWizardArgument -DirectorArgs $DirectorArgs -WizardArg 'AddFirewallRule' -Value $AddFirewallRule -InstallerArguments $InstallerArguments; + $AddFirewallRule = $Result.Value; + $InstallerArguments = $Result.Args; $Result = Set-IcingaWizardArgument -DirectorArgs $DirectorArgs -WizardArg 'ServiceUser' -Value $ServiceUser -InstallerArguments $InstallerArguments; $ServiceUser = $Result.Value; $InstallerArguments = $Result.Args; @@ -239,6 +243,18 @@ function Start-IcingaAgentInstallWizard() } } + if ($AcceptConnections -eq 0) { + if ($null -eq $AddFirewallRule) { + if ((Get-IcingaAgentInstallerAnswerInput -Prompt ([string]::Format('Do you want to open the Windows Firewall for incoming traffic on Port "{0}"?', $CAPort)) -Default 'y').result -eq 1) { + $InstallerArguments += "-AddFirewallRule 1"; + $AddFirewallRule = $TRUE; + } else { + $InstallerArguments += "-AddFirewallRule 0"; + $AddFirewallRule = $FALSE; + } + } + } + if ($EndpointConnections.Count -eq 0 -And $AcceptConnections -eq 1) { $NetworkDefault = ''; foreach ($Endpoint in $Endpoints) { 
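Review bot: The prompt added under `if ($AcceptConnections -eq 0)` asks only about opening the port and defaults to 'y', while the rule that Enable-IcingaFirewall creates elsewhere in this diff is `remoteip=any`, so a bare Enter exposes port `$CAPort` to every host that can reach the agent; the prompt should say so, e.g. `'Do you want to open the Windows Firewall for incoming traffic on Port "{0}" from any remote address?'`, or default to 'n'. The three nested `if`s can be a single guard, `if ($AcceptConnections -eq 0 -And $null -eq $AddFirewallRule) {`, matching the style of the `$EndpointConnections.Count` check that follows. Start-IcingaAgentInstallWizard begins and ends outside this hunk.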
@@ -428,6 +444,10 @@ function Start-IcingaAgentInstallWizard()
 Install-IcingaAgentCertificates -Hostname $Hostname -Endpoint $CAEndpoint -Port $CAPort -CACert $CAFile -Ticket $Ticket | Out-Null;
 Write-IcingaAgentApiConfig -Port $CAPort;
 Write-IcingaAgentZonesConfig -Endpoints $Endpoints -EndpointConnections $EndpointConnections -ParentZone $ParentZone -GlobalZones $GlobalZoneConfig -Hostname $Hostname;
+ if ($AddFirewallRule) {
+ # First cleanup the system by removing all old Firewalls
+ Enable-IcingaFirewall -IcingaPort $CAPort -Force;
+ }
 Test-IcingaAgent;
 Restart-IcingaService 'icingapowershell';
 Restart-IcingaService 'icinga2';
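Review bot: `if ($AddFirewallRule)` relies on PowerShell truthiness, so the rule is skipped only for `$FALSE`, `0` or `$null`; if a Director- or command-line-supplied value arrives as the string "0" (whether `Set-IcingaWizardArgument` passes strings through is not visible here), that string is truthy and the firewall is opened although the user opted out. The rest of this function compares such flags numerically (`$AcceptConnections -eq 0`), so `if ($AddFirewallRule -eq 1) {` would be both consistent and correct for `$TRUE`, `1` and "1". The comment `# First cleanup the system by removing all old Firewalls` describes the `-Force` side effect rather than the line's purpose; `# -Force drops any existing legacy/Icinga rule before adding the rule for $CAPort` is closer to what Enable-IcingaFirewall does. The enclosing function continues on both sides of this hunk.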