Solved

Verify firewall ports in logon script

Posted on 2007-03-23
8
792 Views
Last Modified: 2008-02-01
I am looking to write a bat file to use as part of a logon script to verify that users have proper port opened for SMS.  If a port isn't open, the batch file should open it.  I have already created a batchfile that will open the ports.  The enviroment has 2k3 domain controlers and file servers, along with some 2k file server.  Al workstaions are XP pro.
0
Comment
Question by:jhdjbutler
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
8 Comments
 
LVL 25

Expert Comment

by:Ron Malmstead
ID: 18782168
I believe the ports you need to open on clients is TCP, 139 and 445
http://support.microsoft.com/kb/826852

So you would use the NETSH command. (net shell)
netsh firewall set portopening TCP 139 SMS ENABLE ALL
netsh firewall set portopening TCP 445 SMB ENABLE ALL

Example of Netsh | Firewall usage:
set portopening
      [ protocol = ] TCP|UDP|ALL
      [ port = ] 1-65535
      [ [ name = ] name
        [ mode = ] ENABLE|DISABLE
        [ scope = ] ALL|SUBNET|CUSTOM
        [ addresses = ] addresses
        [ profile = ] CURRENT|DOMAIN|STANDARD|ALL
        [ interface = ] name ]

  Sets firewall port configuration.

  Parameters:

  protocol - Port protocol.
      TCP - Transmission Control Protocol (TCP).
      UDP - User Datagram Protocol (UDP).
      ALL - All protocols.

  port - Port number.

  name - Port name (optional).

  mode - Port mode (optional).
      ENABLE  - Allow through firewall (default).
      DISABLE - Do not allow through firewall.

  scope - Port scope (optional).
      ALL    - Allow all traffic through firewall (default).
      SUBNET - Allow only local network (subnet) traffic through firewall.
      CUSTOM - Allow only specified traffic through firewall.

  addresses - Custom scope addresses (optional).

  profile - Configuration profile (optional).
      CURRENT  - Current profile (default).
      DOMAIN   - Domain profile.
      STANDARD - Standard profile.
      ALL      - All profiles.

  interface - Interface name (optional).

  Remarks: 'profile' and 'interface' may not be specified together.
           'scope' and 'interface' may not be specified together.
           'scope' must be 'CUSTOM' to specify 'addresses'.

  Examples:

      set portopening TCP 80 MyWebPort

      set portopening UDP 500 IKE ENABLE ALL

      set portopening ALL 53 DNS ENABLE CUSTOM

          157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet
      set portopening protocol = TCP port = 80 name = MyWebPort

      set portopening protocol = UDP port = 500 name = IKE mode = ENABLE scope =
 ALL
      set portopening protocol = ALL port = 53 name = DNS mode = ENABLE

          scope = CUSTOM addresses =
          157.60.0.1,172.16.0.0/16,10.0.0.0/255.0.0.0,LocalSubnet
0
 

Author Comment

by:jhdjbutler
ID: 18782619
Thanks for the info but I have already created the batch file to open necessary ports.  I am looking to create a logon script that will check to see if every port is open, and if not, it will open it.  I am looking primarly for a way to verify one port at a time.
0
 
LVL 25

Expert Comment

by:Ron Malmstead
ID: 18799684
I really don't think that can be done with DOS.  VB code, or c++ is a more likely solution.

Why would you need to "check/verify" , if they are open ?? ....instead of just making sure they are always open anytime someone logs on ?

If you just want to check if they are open...why not just use a scanner against the whole subnet from a single workstation ?
0
SharePoint Admin?

Enable Your Employees To Focus On The Core With Intuitive Onscreen Guidance That is With You At The Moment of Need.

 

Author Comment

by:jhdjbutler
ID: 18800078
I have thought about using a port scanner to verify, the only problem is about 60% of my 200 users are sales engineers who can go  long periods of time with out ever connecting to the network.  I can run reports from the sms server to show who has been connecting properly, but again somtimes it is a week or two between when the users vpn in so its hard to tell who actually working properly.  The sales staff uses their laptops to do alot of sales demos so they tinker with their windows firewall frequently in order to demo certain apps (i.e. other firewalls).

When you say:

"Why would you need to "check/verify" , if they are open ?? ....instead of just making sure they are always open anytime someone logs on ?"

that is what I am looking to do, make sure that they are always open anytime somone logs in.  Corprate (the power over all 2500 users) is requiring all of our users to comply with this firewall policy.  They told me to just incorperate the port open netsh commands into the logon script.  The only problem I have with doing that is that it takes time (and sales engineers are not the most patient people I've met).  If the only answer is to open them each time, I guess I will have to live with it.  I was just hoping that there was a way to do a quick check before "wasting" their time.
0
 
LVL 25

Expert Comment

by:Ron Malmstead
ID: 18819349
I understand now....

Ok...there are only two ways I can think to do this, one would be to create your own group policy administrative template...(assuming that the firewall configuration can be modified via the registry.)  This will take a bit of research and practice on your part.  I haven't yet had to create my own gp template, but I know where the information is on how to do it.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/gp/admtgp.mspx

Two, create an .msi file which essentially would do the same thing but it is more user friendly, and it costs . ....using WINSTALL LE. < I use this to create small .msi files to modify registry settings, or install programs through group policy/logon script.
www.ondemandsoftware.com
0
 

Author Comment

by:jhdjbutler
ID: 18850899
Thanks for the info.  Unfortunately the network heads do not let lower level network admins push GPO's.  They make us responsible for enforcing policies, but the limit our ability to do so (corporate America for ya).  What I ended up doing is having the logon script create a file containing info from the "netsh.exe firewall show portopening".  Then I do a string search in the file to verify the ports are opened.  This takes about 1/4 the time it took to open the ports, so I figure it will have to do.  The script looks like this:

@ECHO OFF
IF EXIST C:\FWSTATS.TXT del c:\fwstats.txt
netsh.exe firewall show portopening > c:\fwstats.txt
findstr SMS389 c:\fwstats.txt
findstr SMS636 c:\fwstats.txt
findstr SMS3268 c:\fwstats.txt
findstr SMS2703 c:\fwstats.txt
findstr SMS2701 c:\fwstats.txt
findstr SMS2702 c:\fwstats.txt
findstr SMS2704 c:\fwstats.txt

if not %errorlevel% equ 1 goto end



ECHO. ENABLING FILE AND PRINTER PORT...

netsh.exe firewall set service type = FILEANDPRINT mode = ENABLE Profile=ALL Scope=Custom addresses=139.126.12.106,139.126.12.117,139.126.12.10,139.126.12.141,139.126.12.135,139.126.12.149,139.126.12.16

ECHO. ENABLING VARIOUS PORTS FOR THE SMS CLIENT...

netsh.exe firewall add portopening protocol=all port=389 name=SMS389=enable profile=all scope=custom addresses=139.126.12.106,139.126.12.117,139.126.12.10,139.126.12.141,139.126.12.135,139.126.12.149,139.126.12.16
netsh.exe firewall add portopening protocol=tcp port=636 name=SMS636=enable profile=all scope=custom addresses=139.126.12.106,139.126.12.117,139.126.12.10,139.126.12.141,139.126.12.135,139.126.12.149,139.126.12.16
netsh.exe firewall add portopening protocol=all port=3268 name=SMS3268=enable profile=all scope=custom addresses=139.126.12.106,139.126.12.117,139.126.12.10,139.126.12.141,139.126.12.135,139.126.12.149,139.126.12.16
netsh.exe firewall add portopening protocol=all port=2703 name=SMS2703=enable profile=all scope=custom addresses=139.126.12.106,139.126.12.117,139.126.12.10,139.126.12.141,139.126.12.135,139.126.12.149,139.126.12.16
netsh.exe firewall add portopening protocol=all port=2701 name=SMS2701=enable profile=all scope=custom addresses=139.126.12.106,139.126.12.117,139.126.12.10,139.126.12.141,139.126.12.135,139.126.12.149,139.126.12.16
netsh.exe firewall add portopening protocol=all port=2702 name=SMS2702=enable profile=all scope=custom addresses=139.126.12.106,139.126.12.117,139.126.12.10,139.126.12.141,139.126.12.135,139.126.12.149,139.126.12.16
netsh.exe firewall add portopening protocol=all port=2704 name=SMS2704=enable profile=all scope=custom addresses=139.126.12.106,139.126.12.117,139.126.12.10,139.126.12.141,139.126.12.135,139.126.12.149,139.126.12.16

ECHO. ***** FIREWALL PORTS WERE SUCCESSFULLY OPENED! *****
ECHO.
ECHO.

:end
ECHO.
ECHO.
ECHO.
ECHO. ****** SMS CLIENT FIREWALL PORTS HAVE BEEN VERIFIED. ******
del c:\fwstats.txt

It ends up workin’ pretty slick.  I still wish there was a simpler way to do this though.
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 19855623
PAQed with points refunded (500)

Computer101
EE Admin
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Issue: One Windows 2008 R2 64bit server on the network unable to connect to a buffalo Device (Linkstation) with firmware version 1.56. There are a total of four servers on the network this being one of them. Troubleshooting Steps: Connect via h…
This article summaries thoughts and ideas from two years of sustained use. It provides good reasoning to make the jump to Windows 10.
As developers, we are not limited to the functions provided by the VBA language. In addition, we can call the functions that are part of the Windows operating system. These functions are part of the Windows API (Application Programming Interface). U…
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question