Solved

Unable to manage Windows XP Firewall using Group Policy

Posted on 2007-11-16
1,683 Views
Last Modified: 2008-06-01
I'm trying to configure the Win XP Firewall using Group Policy.
I have to open 4 ports: 137 UDP, 138 UDP, 139 TCP and 2967 TCP.
I've created a Policy named Firewall Settings:
Under Computer Config -> Admin templates -> Network -> Windows Firewall -> Domain Policy.
I've edited "Windows Firewall: Define port exceptions" and added 4 lines:
137:UDP:192.x.x.x:enabled:Symantec Endpoint 137UDP
138:UDP:192.x.x.x:enabled:Symantec Endpoint 138UDP
139:TCP:192.x.x.x:enabled:Symantec Endpoint 137TCP
2967:TCP:192.x.x.x:enabled:Symantec Endpoint 2967TCP

Apply the policy, refresh the policy on the client by running "gpupdate /force".
Reboot the client.
Then I go into the Firewall management on the client and I see only one port open using Group Policy, the 2967 TCP.

Can somebody help me?
Thanks in advance.
Question by:polarisit
15 Comments
 
LVL 2

Expert Comment

by:Haze0830
ID: 20299250
Is there a reason you're using the firewall to begin with? Most admins forgo the use of a firewall on client machines in a domain.
 

Author Comment

by:polarisit
ID: 20299274
We've got a lot of users with laptops travelling all over the world, in hotels, web cafés and other networks.
I need to secure these laptops.
 
LVL 2

Expert Comment

by:t_taylor
ID: 20299519
If you look, you will see two sets of options under firewall: Standard and Domain.  Go to domain and turn the firewall off, as this is what it uses when you login and authenticate to a dc.  If you login and fail to connect to the dc (say you are in a hotel somewhere), then the password is verified through cache and the Standard settings are used instead of Domain.  Here is where you go into the Standard section and set all of the lockdown policies for firewall that you want set, which I typically make fairly stringent.  This way, when your users login at work they have the firewall off, but when they are anywhere else, the firewall is on and allows only your specific exceptions, if any.  
 
LVL 2

Expert Comment

by:Haze0830
ID: 20299548
OK... but when they aren't attached to the domain, your domain settings won't matter.

Taylor has the answer.
 

Author Comment

by:polarisit
ID: 20299585
Already tested.
I said that I see only one of the 4 ports open using the Group Policy!
That's not logical :(
 
LVL 2

Expert Comment

by:Haze0830
ID: 20299730
Are they connected to the domain when you're seeing this? Logoff and unplug the network cable, then logon to the domain and see what settings are applied. Still see the same port open?
 
LVL 2

Expert Comment

by:t_taylor
ID: 20299823
Well, if you aren't seeing all 4 and for whatever reason you don't want to just turn off the firewall, then you can troubleshoot it some more.  Create a new GPO and add one of the 4 ports not working.  See if that works.  Run RSoP on a user and see if all 4 are listed under the applied settings.  Run gpupdate /force /y on the DC just to be sure.  Run set and verify the client is logging into the DC.  Check the DC and verify it sees the client.  Reboot the client (as it can sometimes take more than one reboot in order to get settings applied in XP if fast boot is enabled).  Create a test OU and add the user that is logging in on the laptop.  Link the GPO(s) there and see what gets applied.
 
LVL 2

Expert Comment

by:t_taylor
ID: 20299895
Also, it is probably much more likely that there is another GPO that is opening the one port and your GPO isn't getting applied at all, rather than 1 port of the GPO you wrote is getting applied and the rest are not.
 

Author Comment

by:polarisit
ID: 20311227
I did some tests again.
I deleted all GPOs related to Firewall settings.
I created a new one and opened 137 and 138 UDP -> gpupdate /force on all DCs and the client.
The Firewall policy is well applied because the firewall is enabled on the client, but I did not see 137 and 138 UDP open.
I added 2967 TCP and ran gpupdate /force again, rebooted the client and, miracle, 2967 TCP is open (Group Policy column: Yes).
Why did the Policy not work for 137 and 138 UDP? Is there any restriction on these ports?
I will do a test with a Vista right now.

Thanks for your help.
 

Author Comment

by:polarisit
ID: 20311278
I confirm that the same Policy works well on Vista: the 3 ports 137 UDP, 138 UDP and 2967 TCP are open.
That's the first time that I see something not working on XP and working on Vista :)
Does somebody have an idea why this GPO is not applied correctly on XP laptops?

PS: I tested the policy on 3 different XP machines with the same result.

Thanks in advance.
 
LVL 2

Accepted Solution

by:t_taylor (earned 250 total points)
ID: 20312865
Not entirely sure what is going on yet.  Just for the sake of testing, have you tried to use the applications that use those UDP ports to see if they work?  It is possible that they are configured but just not showing up as such for some reason.
 

Author Comment

by:polarisit
ID: 20312965
Dear T Taylor,
You're right.
I just did the test to deploy Symantec Endpoint, which uses ports 137 and 138 UDP, and that worked.
That means that the ports are opened but not visible in the XP firewall management console.
But why did I see the 2967 TCP?
Very strange, but as you know computer science is not an exact science :)

Thanks for your help
 
LVL 2

Expert Comment

by:t_taylor
ID: 20313010
To be honest, I really couldn't tell you.  My guess is just a bug in some combination of those ports, group policy, and XP.  Who knows, but I did figure it should work since the policy was enabled.  Anyway, glad you got it sorted out.
 
LVL 3

Expert Comment

by:bdibene
ID: 20446478
I'm guessing you also had 'File and Printer Sharing' checked as an exception (i.e. allowing it through the firewall ), which are the ports 137, 138, 139 you are trying to explicitly allow.  Since those ports are already included with File and Printer Sharing perhaps they weren't shown?  Just a guess.
 
LVL 3

Expert Comment

by:mreece983
ID: 20761896
Ports 137 and 138 are the ones listed for File and Print Sharing.  That is why you do not see the ports listed specifically.
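The two things this thread turns on are the syntax of the "Define port exceptions" entries in the question (port:protocol:scope:status:name) and the explanation in the last two comments that 137/UDP, 138/UDP and 139/TCP are already covered by the built-in File and Printer Sharing exception, so they never appear as separate rows in the XP console. The following Python script is an added example, not code from the original thread or from Microsoft: it validates entries the way the policy's format requires (five colon-separated fields, TCP/UDP only, a scope of `*`, `LocalSubnet`, or IPv4 addresses/subnets) and reports which entries will be folded into File and Printer Sharing. The sample entries are constructed from the question; the redacted `192.x.x.x` scope is replaced by a documentation-range address, and the set of ports attributed to File and Printer Sharing (137/UDP, 138/UDP, 139/TCP, 445/TCP) is this example's own assumption about XP SP2.

```python
"""Audit entries for the XP SP2 GPO setting
"Windows Firewall: Define port exceptions" (format port:protocol:scope:status:name).
Added example; not part of the original thread."""
import ipaddress
from dataclasses import dataclass

# Assumption: ports the built-in "File and Printer Sharing" exception already
# opens on XP SP2. Entries for these are shown under that exception in the
# console rather than as separate rows.
FILE_AND_PRINT_SHARING = {(137, "UDP"), (138, "UDP"), (139, "TCP"), (445, "TCP")}


@dataclass(frozen=True)
class PortException:
    port: int
    protocol: str
    scope: str
    enabled: bool
    name: str


def _validate_scope(scope: str) -> None:
    """Scope is '*', or a comma-separated list of 'LocalSubnet', IPv4 addresses
    and IPv4 subnets written as a.b.c.d/prefix or a.b.c.d/mask."""
    if scope == "*":
        return
    for token in scope.split(","):
        token = token.strip()
        if not token:
            raise ValueError("empty scope element")
        if token.lower() == "localsubnet":
            continue
        net = ipaddress.ip_network(token, strict=False)  # ValueError on '192.x.x.x'
        if net.version != 4:
            raise ValueError(f"XP scope accepts IPv4 only: {token}")


def parse_port_exception(entry: str) -> PortException:
    """Parse one policy line; raise ValueError on any field the policy would reject."""
    parts = entry.split(":", 4)  # the name is last and may itself contain ':'
    if len(parts) != 5:
        raise ValueError(f"expected 5 colon-separated fields: {entry!r}")
    port_s, proto, scope, status, name = (p.strip() for p in parts)
    if not port_s.isdigit() or not 1 <= int(port_s) <= 65535:
        raise ValueError(f"bad port: {port_s!r}")
    if proto.upper() not in ("TCP", "UDP"):
        raise ValueError(f"bad protocol: {proto!r}")
    if status.lower() not in ("enabled", "disabled"):
        raise ValueError(f"bad status: {status!r}")
    if not name:
        raise ValueError("empty name")
    _validate_scope(scope)
    return PortException(int(port_s), proto.upper(), scope, status.lower() == "enabled", name)


def is_valid_entry(entry: str) -> bool:
    try:
        parse_port_exception(entry)
        return True
    except ValueError:
        return False


def audit_port_exceptions(entries):
    """Split entries into invalid ones, ones hidden behind File and Printer
    Sharing, and ones that get their own row in the XP firewall console."""
    result = {"invalid": [], "masked_by_file_and_print": [], "standalone": []}
    for entry in entries:
        try:
            exc = parse_port_exception(entry)
        except ValueError as err:
            result["invalid"].append((entry, str(err)))
            continue
        if (exc.port, exc.protocol) in FILE_AND_PRINT_SHARING:
            result["masked_by_file_and_print"].append(exc)
        else:
            result["standalone"].append(exc)
    return result


# Constructed sample: the four entries from the question, with the redacted
# 192.x.x.x scope replaced by a documentation-range address (assumption).
SAMPLE_ENTRIES = [
    "137:UDP:192.0.2.10:enabled:Symantec Endpoint 137UDP",
    "138:UDP:192.0.2.10:enabled:Symantec Endpoint 138UDP",
    "139:TCP:192.0.2.10:enabled:Symantec Endpoint 139TCP",
    "2967:TCP:192.0.2.10:enabled:Symantec Endpoint 2967TCP",
]

if __name__ == "__main__":
    report = audit_port_exceptions(SAMPLE_ENTRIES)
    for entry, err in report["invalid"]:
        print("INVALID", entry, "->", err)
    for exc in report["masked_by_file_and_print"]:
        print("MASKED ", exc.port, exc.protocol, "(covered by File and Printer Sharing)")
    for exc in report["standalone"]:
        print("VISIBLE", exc.port, exc.protocol, exc.name)
```

Run against the sample, the three NetBIOS entries land in the "masked" bucket and only 2967/TCP is reported as a standalone row, which matches what the author saw in the console. The practical lesson from the thread stands either way: verify with the application (or a traffic test) rather than with the GUI's port list.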
