mcj

Need to ping 2003 SBS member workstation

For reasons that aren't important, I need to be able to ping workstations that have been joined to a 2003 SBS Standard server with SP2 (Note, this is not an R2 installation.)

It seems that any workstation joined to the server becomes "unpingable" after it is a member, even though it was perfectly responsive to pings as a standalone workstation just before it was joined.

I suspect a group policy is forced onto the workstation that modifies the workstation's firewall settings to disregard pings. I need to re-enable pinging, and (for reasons that are too long to get into) there is simply no acceptable substitute for pinging in this situation. It has to be a ping from a command prompt to the IP of a joined workstation.

What adjustment to the group policy (or whatever) needs to be made on the server to restore a member workstation's ability to respond to pings?



iCoreKC

The default policy is in place and it is denying pings (ICMP packets).

Here is a good explanation of why:

http://www.corecom.com/external/livesecurity/xpfirewall.htm

Look under "Myths and Missed Configurations" about halfway through the article.

To edit this use Group Policy Manager.

http://technet.microsoft.com/en-us/library/bb490626.aspx

Go to step two and read through it.  It should be fairly easy for you to edit the policy and step the firewall back a few security notches.

Hope this helps!

mcj

ASKER

This seems to be "on the right track" here, but a few details elude me. The reference you provided for Group Policy Manager seems to suggest that this modification needs to be made locally on each workstation. There are two issues with that.

First, the policy for the local machine was to allow ping before being joined to the domain. So the change in policy seems to have occurred when the system was joined and a new policy was "forced down" onto the workstation. I need to make the correction on the server so that it won't keep "breaking" every workstation when it is joined, then forcing me to go manually correct it. (i.e., the problem was caused "from the server" so it should be fixable "from the server" as well.)

Second, the number of workstations involved makes it impractical to "touch" each one of them even if the "local fix" that seems to be described in the link does work. (Again, I end up needing a server-side fix...)

Jeffrey Kane - TechSoEasy

No, the whole point of group policy is that you configure it centrally and it gets deployed locally automatically.  That's why it's called Group Policy, not Local Policy.

You don't actually modify the "Local Policy" of a machine, but you DO modify the COMPUTER policy which would supersede any local policy anyhow.

If you want to be able to ping, then just enable that by modifying the Default Small Business Server Windows Firewall GPO which is the policy that controls Windows XP Firewalls.  It should already be what's applied to each workstation assuming you joined them to the domain properly (the SBS - way of http://<servername>/connectcomputer).

Jeff
TechSoEasy

TechSoEasy filled in the blanks well.

The Group Policy would be centralized and affect workstations in an OU, Site, or Domain to which the GP was applied.  Edit it from the DC.

mcj

ASKER

OK, I think I'm just about there on this. Where would those modifications be done on the server? I've only needed to make a handful of policy changes in the past, and I've done them from the Group Policy Object Editor mmc, but I can't seem to find any workstation firewall policy values in there.
 
ASKER CERTIFIED SOLUTION
iCoreKC

mcj

ASKER

That's got it! Thanks guys!