Are the XP clients SP3? All of our XP SP3 clients show up.
Do they have any third party firewall software installed on them? If so, then check with the product's manufacturer to see if they have properly validated the product you are using for SBS 2008.

Philip
MPECS Inc.

Thanks for the reply Philip. Yes all of them are SP3 and patched up to day. Also the firewall is the native windows one controlled via the AD GP (the users cannot even turn it off). I also tried for lab testing to deploy this from 0 using some VMs. So now I have a brand new SBS 2008 Standard with one XP SP3 client and the outcome is the same. Everything looks fine beside the clients firewall report. I will attach a snapshot of the SBS console with this information from the production environment in order for you to understand better what I mean. If you'll look at the screenshot you will see that none of all the clients (XP+Vista) show up with the firewall enabled, but only the XP ones are reporting the firewall disabled.

Thanks again for your help.


SBS-2008-console.jpg

Are your XP SP3 boxes up to date? There are some functionality updates (GP Preferences for example) that need to be downloaded and installed.
Philip

Thanks again for the reply Philip.

Yes, all the boxes are up to date with all updates installed, even Group Policy Preference Client Side Extensions for Windows XP (KB943729).

I see Trend in the screenshot. I have been seeing threads about Trend's product causing firewall issues in the SBS Console, and hiccups in the SBS console itself without Trend.
Do you have:
http://support.microsoft.com/KB/958715
SBS 2008 Rollup 1.

Please make sure your server is backed up prior to running this update.

Philip

It's true. I worked a lot with Trend Level 3 support on some issues with the SBS Console and after 958715 the problems are gone. But the problems were not with the firewall reports but with the antivirus ones. To be more specific SBS reported no antivirus is installed on the Vista machines. After the rollup everything is fine and SBS reports that all the clients (XP+Vista) have antivirus but the firewall problem still remains. That's why I did a fresh install of SBS 2k8 + two clients (without adding Trend WFBSA) on an ESXi server in a lab environment and the firewall problems are there from the beginning. It's true that I don't have any disabled firewalls reported but both clients (XP and Vista) are reported with an unknown status of the firewall. So again I have 0 firewall enabled reported in the console. I read somewhere that Windows SBS Manager process is checking firewalls on the clients on a 30 minutes cycle so I will let it rest a bit in order to see maybe it will start reporting any of the two clients with the firewall enabled. Will keep you posted and thanks again for the help.

 
SBS2k8-screenshot-2.jpg

After waiting a couple of hours the situation is the same. In my test environment I have both clients showing up in the SBS console with "unknown status for the firewall".

Anything I should try next Philip? Thanks a lot.

Alex.

Create a TestOU under Computers.
Create and link a GPO and call it TestGPO.
 Edit the new GPO and "Not Configured" the domain based firewall settings.
 Close the GPO editor.
 Right click on the new GPO and set to Enforced.
 Move one workstation into the new OU via ADUC.
 GPUpdate /force on both SBS (first) and then the workstation.
Manually disable the firewall settings.
GPUpdate /force on the workstation. It probably will not hit the console yet.
Manually enable the firewall settings.
GPUpdate /force
Reboot the workstation.
Wait until the console picks it up.

See what happens. Perhaps there is a hook missing in there somewhere and this may reset it.

Did you use the http://connect wizard to add the systems to the SBS domain?

Philip
MPECS Inc.

Philip,

On any of your deployments did you ever saw a client firewall reported on? I mean not with unknown status but on in the SBS 2008 security console? Being reported with unknown status will get you a green check mark so you really need to look into the details to find this out. Thanks again for your great help.

Alex.

Thanks again. One more question: are you using the native Windows firewalls on the clients (controlled via GP) or does OneCare client has some firewall module also?

We do not have any third party A/V-Firewall products on the clients at all.
We pushed a domain account to all of the workstations via GP Preferences and set it in the local admin group on the machines. All default local admin accounts are disabled via GP Preference too. We rotate the password on that account as soon as the user that needed it is done.
No one can install or make changes on the domain without that password since they are all running as Standard Users.

All firewalls are Windows native and managed by GP. The Domain Security Center is also enabled via GP.

Philip

What is very puzzeling to me is that even in the test enviroment with a fresh SBS and 2 clients (XP and Vista) without any A/V installed and with windows firewall up and running via default SBS GP both clients show up with "unknown firewall status" and not enabled. I didn't do anything besides installing this 3 VMs on an ESXi to test this. I also didn't install FF or Live OneCare. Also all 3 OS (SBS + the clients) are fully updated and patched. What I will try next is to reinstall this test enviroment using FF and OneCare. Maybe this will give some light on the situation. Will keep you posted. Thanks again.

Make sure you do not take any updates during the SBS 08 install routine. Run those once everything is set up and configured on the box.

Philip
MPECS Inc.

Philip,

I did more research on this with my test deployment and I find out that if I deploy OneCare on my clients it automatically enables its firewall module and disable the native windows one. When this happens SBS reports the clients finally with firewall on. If I turn OneCare firewall off and I turn on again the windows one, SBS tells me that the firewall status is off. It seems that it's really a problem with SBS that cannot see the status of the native firewall of Vista and XP as enabled. Maybe you can confirm this also?

Thanks,
Alex.

Ok more info :)

I think I figured it out. Native windows firewall doesn't have an instance registered with WMI. You can check this both on Vista and XP using wbemtest--->SecurityCenter--->FirewallProduct class and check the instances. If you don't have another firewall installed besides the native one you will have no instance there at all. So that's why SBS reported unknown status, because he is unable to check the status via WMI. If on the other hand you install another firewall (OneCare or other one) then you will get an instance in WMI and SBS will detect it OFF or ON depending on the case. That's why MS decided to give us a green check mark even if the firewall status is unknown.

So to get back now to my initial problem. Trend WFBSA is registering an instance of the firewall on XP and turns it off so this is how SBS gets confused and reports that XPs have the firewall off. At least I think this is the case. I will do more testing tomorrow and let you know.

I'm tired and it's late. I hope what I'm saying makes sense to you also Philip.

Thanks for all the help Philip. To wrap this up the conclusion is that SBS 2008 is not reporting clients firewall ENABLED if the firewall is the native windows one (XP or Vista) and not a 3rd party one (considering OneCare a 3rd party also). This is because the native windows firewall is not registering an instance via WMI as all other firewalls do. That's why if SBS doesn't find a firewall instance listed via WMI on the clients it's giving back "firewalls status unknown" but doesn't consider this a problem and gives the Admin a green check mark. But if theres a firewall instance there and that firewall is OFF (even that the windows one is on and working) SBS is telling us that the clients have their firewalls OFF and give us a Critical Error check mark. So if you want to use windows firewall your ok but if you install a 3rd party one and turn it OFF and then use the windows one, SBS will give you critical errors in security reports (even than the clients have firewallsenabled - the windows one). So in my case Trend Micro WFBS agents install a firewall on the machines and turn if OFF because I setted it up to dont use its firewall.

Thanks again for your help Philip. I consider all your guidance very helpful and will accept as a solution one of your answers.

Best regards,
Alex.

Thank you very much for that!
Philip