Solved

Unable to manage Windows XP Firewall using Group Policy

Posted on 2007-11-16
15
1,649 Views
Last Modified: 2008-06-01
I am trying to configure the Win XP Firewall using Group Policy.
I have to open 4 ports: 137 UDP, 138 UDP, 139 TCP and 2967 TCP.
I've created a Policy named Firewall Settings:
Under Computer Config -> Admin templates -> Network -> Windows Firewall -> Domain Policy.
I've edited "Windows Firewall: Define port exceptions" and added 4 lines:
137:UDP:192.x.x.x:enabled:Symantec Endpoint 137UDP
138:UDP:192.x.x.x:enabled:Symantec Endpoint 138UDP
139:TCP:192.x.x.x:enabled:Symantec Endpoint 137TCP
2967:TCP:192.x.x.x:enabled:Symantec Endpoint 2967TCP

Apply the policy, refresh the Policy on the Client by running "gpupdate /force".
Reboot the client.
Then I go into the Firewall management on the client and I see only one port open using Group Policy, the 2967 TCP.

Can somebody help me?
Thanks in advance.
0
Question by:polarisit
15 Comments
 
LVL 2

Expert Comment

by:Haze0830
ID: 20299250
Is there a reason you're using the firewall to begin with? Most admins forgo the use of a firewall on client machines in a domain.
0
 

Author Comment

by:polarisit
ID: 20299274
We've got a lot of users with Laptops travelling all over the world, in hotels, web cafes, other networks.
I need to secure these laptops.
0
 
LVL 2

Expert Comment

by:t_taylor
ID: 20299519
If you look, you will see two sets of options under firewall: Standard and Domain.  Go to domain and turn the firewall off, as this is what it uses when you login and authenticate to a dc.  If you login and fail to connect to the dc (say you are in a hotel somewhere), then the password is verified through cache and the Standard settings are used instead of Domain.  Here is where you go into the Standard section and set all of the lockdown policies for firewall that you want set, which I typically make fairly stringent.  This way, when your users login at work they have the firewall off, but when they are anywhere else, the firewall is on and allows only your specific exceptions, if any.  
0
 
LVL 2

Expert Comment

by:Haze0830
ID: 20299548
OK... but when they aren't attached to the domain, your domain settings won't matter.

Taylor has the answer.
0
 

Author Comment

by:polarisit
ID: 20299585
Already tested.
I said that I see one of the 4 ports open using the Group Policy!
That's not logical :(
0
 
LVL 2

Expert Comment

by:Haze0830
ID: 20299730
Are they connected to the domain when you're seeing this? Logoff and unplug the network cable, then logon to the domain and see what settings are applied. Still see the same port open?
0
 
LVL 2

Expert Comment

by:t_taylor
ID: 20299823
Well, if you aren't seeing all 4 and for whatever reason you don't want to just turn off the firewall, then you can troubleshoot it some more.  Create a new GPO and add one of the 4 ports not working.  See if that works.  Run RSoP on a user and see if all 4 are listed under the applied settings.  Run gpupdate /force /y on the DC just to be sure.  Run set and verify the client is logging into the DC.  Check the DC and verify it sees the client.  Reboot the client (as it can sometimes take more than one reboot in order to get settings applied in XP if fast boot is enabled).  Create a test OU and add the user that is logging in on the laptop.  Link the GPO(s) there and see what gets applied.
0

 
LVL 2

Expert Comment

by:t_taylor
ID: 20299895
Also, it is probably much more likely that there is another GPO that is opening the one port and your GPO isn't getting applied at all, rather than 1 port of the GPO you wrote is getting applied and the rest are not.
0
 

Author Comment

by:polarisit
ID: 20311227
I did some tests again.
I deleted all GPOs related to Firewall settings.
I created a new one and opened 137 and 138 UDP -> gpupdate /force on all DCs and the client.
The Firewall policy is well applied because the firewall is enabled on the client, but I did not see 137 and 138 UDP open.
I added 2967 TCP and ran gpupdate /force again, rebooted the client and, miracle, 2967 TCP is open (Group Policy Column: Yes).
Why did the Policy not work for 137 and 138 UDP? Is there any restriction on these ports?
I will do a test with a Vista right now.

Thanks for your help.
0
 

Author Comment

by:polarisit
ID: 20311278
I confirm that the same Policy works well on Vista; the 3 ports, 137 UDP, 138 UDP and 2967 TCP, are open.
That's the 1st time that I see something not working on XP and working on Vista :)
Does somebody have an idea why this GPO is not applied correctly on the XP Laptop?

PS: I tested the policy on 3 different XP machines with the same result.

Thanks in advance.
0
 
LVL 2

Accepted Solution

by:
t_taylor earned 250 total points
ID: 20312865
Not entirely sure what is going on yet.  Just for the sake of testing, have you tried to use the applications that use those UDP ports to see if they work?  It is possible that they are configured but just not showing up as such for some reason.
0
 

Author Comment

by:polarisit
ID: 20312965
Dear T Taylor,
You're right.
I just did the test to deploy Symantec Endpoint, which uses ports 137 and 138 UDP, and that worked.
That means that the ports are opened but not visible in the XP firewall management console.
But why did I see the 2967 TCP?
Very strange, but as you know computer science is not an exact science :)

Thanks for your help
0
 
LVL 2

Expert Comment

by:t_taylor
ID: 20313010
To be honest, I really couldn't tell you.  My guess is just a bug in some combination of those ports, group policy, and XP.  Who knows, but I did figure it should work since the policy was enabled.  Anyway, glad you got it sorted out.
0
 
LVL 3

Expert Comment

by:bdibene
ID: 20446478
I'm guessing you also had 'File and Printer Sharing' checked as an exception (i.e. allowing it through the firewall ), which are the ports 137, 138, 139 you are trying to explicitly allow.  Since those ports are already included with File and Printer Sharing perhaps they weren't shown?  Just a guess.
0
 
LVL 3

Expert Comment

by:mreece983
ID: 20761896
Ports 137 and 138 are the ones listed for File and Print Sharing.  That is why you do not see the ports listed specifically.
0
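Rather than trusting the XP Control Panel view, which the thread shows hides entries that overlap with the File and Printer Sharing exception, a practitioner can read what Group Policy actually wrote. The script below is an added example, not code from the original question or any of the answers. It reads the policy registry locations that "Define port exceptions" and the file-and-print exception write to (HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\<Profile>\GloballyOpenPorts\List, where each REG_SZ value holds an entry in the port:transport:scope:status:name format shown in the question, and ...\Services\FileAndPrint), for both the Domain and Standard profiles, and compares them with the four ports from the question. The desired-port list and the set of ports attributed to File and Printer Sharing (137/UDP, 138/UDP, 139/TCP, 445/TCP) are assumptions taken from the discussion; the function names are this example's own.

```powershell
# Added example (not from the original thread): list Windows Firewall port
# exceptions delivered by Group Policy by reading the policy registry keys,
# then check each wanted port against explicit exceptions and against the
# File and Printer Sharing exception. Assumed inputs are marked below.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$profiles   = 'DomainProfile', 'StandardProfile'

# Assumption: the four ports the question wanted open.
$wanted = @(
    @{ Port = 137;  Protocol = 'UDP' },
    @{ Port = 138;  Protocol = 'UDP' },
    @{ Port = 139;  Protocol = 'TCP' },
    @{ Port = 2967; Protocol = 'TCP' }
)

# Assumption: ports covered by the built-in File and Printer Sharing exception.
$fileAndPrintPorts = @('137/UDP', '138/UDP', '139/TCP', '445/TCP')

function Parse-PortException {
    # Entry format of "Define port exceptions": port:transport:scope:status:name
    # The name field may itself contain colons, so split into at most 5 parts.
    param([string]$Entry)
    $parts = $Entry.Split(':', 5)
    if ($parts.Count -lt 5) { return $null }
    New-Object PSObject -Property @{
        Port     = [int]$parts[0]
        Protocol = $parts[1].ToUpper()
        Scope    = $parts[2]
        Status   = $parts[3]
        Name     = $parts[4]
    }
}

foreach ($profile in $profiles) {
    $base = Join-Path $policyRoot $profile
    Write-Host "== $profile =="
    if (-not (Test-Path $base)) { Write-Host '  no firewall policy written for this profile'; continue }

    # Firewall on/off as set by "Windows Firewall: Protect all network connections"
    $enabled = (Get-ItemProperty -Path $base -ErrorAction SilentlyContinue).EnableFirewall
    Write-Host "  EnableFirewall : $enabled"

    # File and Printer Sharing exception written by the corresponding policy setting
    $fp   = Get-ItemProperty -Path (Join-Path $base 'Services\FileAndPrint') -ErrorAction SilentlyContinue
    $fpOn = ($fp -ne $null -and $fp.Enabled -eq 1)
    if ($fpOn) { Write-Host "  FileAndPrint   : enabled, scope $($fp.RemoteAddresses)" }
    else       { Write-Host '  FileAndPrint   : not set by policy' }

    # Explicit port exceptions: one REG_SZ per entry under GloballyOpenPorts\List
    $listKey = Join-Path $base 'GloballyOpenPorts\List'
    $applied = @()
    if (Test-Path $listKey) {
        $item = Get-Item $listKey
        foreach ($valueName in $item.GetValueNames()) {
            $parsed = Parse-PortException ($item.GetValue($valueName))
            if ($parsed) { $applied += $parsed }
        }
    }
    if ($applied.Count -gt 0) {
        $applied | Format-Table Port, Protocol, Scope, Status, Name -AutoSize | Out-String | Write-Host
    } else {
        Write-Host '  no explicit port exceptions in policy'
    }

    # Reconcile the wanted list against what policy actually delivers
    foreach ($w in $wanted) {
        $key = "$($w.Port)/$($w.Protocol)"
        $hit = $applied | Where-Object {
            $_.Port -eq $w.Port -and $_.Protocol -eq $w.Protocol -and $_.Status -eq 'enabled'
        }
        if ($hit)                                               { $state = 'open via explicit exception' }
        elseif ($fpOn -and $fileAndPrintPorts -contains $key)   { $state = 'open via File and Printer Sharing' }
        else                                                    { $state = 'NOT opened by policy' }
        Write-Host "  $key : $state"
    }
}
```

Run it elevated on the client after gpupdate /force and a reboot; the Domain profile section should show the explicit entries on the corporate LAN, and the Standard profile section is what matters for the travelling laptops. On XP itself the same information is available without PowerShell from `netsh firewall show portopening` and `gpresult /v`, which is a useful cross-check when the Control Panel list and the policy disagree.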
