Solved

How do I find out what incoming connection Windows Firewall is blocking

Posted on 2011-02-16
14
1,341 Views
Last Modified: 2012-05-11
I have a server application that client machines need to access. I have gone through and added the ports and programs that I thought were needed to the incoming allow rules, but the clients still can run the server program. How do I turn logging on for the firewall (Server 2008 R2) so that I can figure out what the firewall is blocking? Or what is the easiest way to figure out what programs need to be added to the allow list?

Thanks,
0
Question by:vbchewie
14 Comments
 
LVL 5

Expert Comment

by:jason987
ID: 34912082
Go to Start and then type in "windows firewall", and once in the dialog for that go to "monitoring" and then "firewall". This will list all of the programs and any inbound and outbound ports allowed. If your application is in there and the proper ports are allowed, go back to Start and type in "cmd", and then in that window type "netstat -a" and see if there is a line with "listening" on the port the application should be on.
0
 
LVL 1

Author Comment

by:vbchewie
ID: 34912271
The problem is I don't know what it is blocking. Is there a way for me to look and figure out what it blocked, not what it is blocking? The developer is telling me just shut off your firewall, and I would prefer not to. So I need to figure out what needs to be allowed so I can keep the firewall on.

Thanks
0
 
LVL 5

Expert Comment

by:jason987
ID: 34912344
Well turning off the firewall temporarily is a good step if you can do it because it will isolate whether the issue is the program or the firewall.

Here is the walk-through on how to turn on and view the WinFirewall log, you should only need to turn on the option for blocked connections but for debugging purposes I would do both:

http://technet.microsoft.com/en-us/library/cc947815%28WS.10%29.aspx
0
 
LVL 1

Author Comment

by:vbchewie
ID: 34912512
Here is my pfirewall file.  The Client is 192.166.125.138, does this mean I need to open ports 1072 and 1074?

pfirewall.txt
0
 
LVL 5

Expert Comment

by:jason987
ID: 34912537
No, port 86 is where they are trying to get to, 1074 is the originating port.
0
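The log reading discussed in the two posts above, as an added example that is not part of the original thread: it parses a Windows Firewall log by its `#Fields:` header and counts dropped packets from one client by protocol and destination port, ignoring the client's ephemeral source port. The log lines are constructed; only the client IP is taken from the thread, and the server address is an assumption.

```python
from collections import Counter

# Constructed sample in the pfirewall.log layout (space-separated, W3C style).
# Server address 192.166.125.10 and all timestamps/sizes are made up.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2011-02-16 09:14:02 DROP UDP 192.166.125.138 192.166.125.10 1072 86 60 - - - - - - - RECEIVE
2011-02-16 09:14:05 DROP UDP 192.166.125.138 192.166.125.10 1074 86 60 - - - - - - - RECEIVE
2011-02-16 09:14:07 ALLOW TCP 192.166.125.138 192.166.125.10 1080 57196 0 - 0 0 0 - - - RECEIVE
2011-02-16 09:14:09 DROP UDP 192.166.125.10 192.166.125.255 138 138 229 - - - - - - - SEND
"""

def parse_firewall_log(text):
    """Yield one dict per entry, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) >= len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def blocked_inbound(text, client_ip):
    """Count DROP entries sent by client_ip, grouped by (protocol, dst-port)."""
    hits = Counter()
    for entry in parse_firewall_log(text):
        if entry["action"] != "DROP" or entry["src-ip"] != client_ip:
            continue
        # Logs without a path column are treated as inbound.
        if entry.get("path", "RECEIVE") != "RECEIVE":
            continue
        # The allow rule must match both values: UDP 86 is not TCP 86.
        hits[(entry["protocol"], entry["dst-port"])] += 1
    return hits

if __name__ == "__main__":
    drops = blocked_inbound(SAMPLE_LOG, "192.166.125.138")
    for (proto, port), count in drops.most_common():
        print(f"{count:3d} dropped  {proto} -> local port {port}")
```
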
 
LVL 1

Author Comment

by:vbchewie
ID: 34912582
Opening that port did not fix the problem. Any places I can look for what's getting blocked?
0
 
LVL 5

Expert Comment

by:jason987
ID: 34913289
Honestly, dropping the firewall temporarily will move this along much faster.  9/10 times when I see issues like this it is the application/service not listening, accepting connections, or handling them properly.

What did:

"netstat -a"

...produce?  You haven't said what ports the application needs or what protocol it is, that's a huge "step one"
0
 
LVL 1

Author Comment

by:vbchewie
ID: 34918677
Should I run "netstat -a" with the firewall on or off? The problem is I don't know what ports the application needs; that's what I'm trying to figure out. The developer is saying just completely disable the firewall and I won't have the issue.
0
 
LVL 5

Expert Comment

by:jason987
ID: 34918782
You can run netstat with the firewall on or off.  The operation of the firewall simply does not allow incoming connections, the applications or services will still attempt to listen.  If you are in contact with the developer can't they tell you what ports the application listens on?

The tcpview tool will show you what applications are listening or connected which should list your application if it is indeed listening for incoming connections:

http://technet.microsoft.com/en-us/sysinternals/bb897437

Again, turning off the firewall temporarily and testing would be the best way to diagnose if this is a firewall problem and not an application issue.
0
 
LVL 1

Author Comment

by:vbchewie
ID: 34919073
I'm sorry, I already determined it was the firewall. If I turn it off the client application connects fine. I've attached the netstat -a output and highlighted the two programs in TCPView that I know are part of the application.
netstat.txt
TCPView.png
0
 
LVL 5

Accepted Solution

by:
jason987 earned 450 total points
ID: 34919186
From that:

CCITCP2.EXE is listening for *UDP* connections on port 86.
IMPCSU.EXE is listening for *TCP* connections on port 57196.

The only reason you should need to not have the firewall on is if the application uses different ports for some odd reason.  The TCP/UDP distinction is important.
0
 
LVL 1

Author Comment

by:vbchewie
ID: 34919899
How did you get the UDP port 86?  I see the TCP 57196.
0
 
LVL 5

Expert Comment

by:jason987
ID: 34920006
CCITCP2.exe is listening on local port "mfcobol" which is translated to port 86 as described in:

\Windows\System32\drivers\etc\services

It could point to a different port in services but I verified the port in the netstat log.
0
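The name-to-port translation described in the post above, as an added example that is not part of the original thread: it resolves service names in `netstat -a` output against a services file and lists each listener as protocol plus numeric port. Both inputs are constructed samples in the real layouts, and the host name SERVER01 is an assumption; `netstat -an` prints the numeric ports directly.

```python
# Constructed excerpt in the format of \Windows\System32\drivers\etc\services
SAMPLE_SERVICES = """\
# <service name>  <port number>/<protocol>  [aliases...]   [#<comment>]
kerberos           88/tcp    krb5 kerberos-sec      #Kerberos
mfcobol            86/tcp                           #Micro Focus Cobol
mfcobol            86/udp                           #Micro Focus Cobol
"""

# Constructed lines in the layout of "netstat -a" output
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:57196          SERVER01:0             LISTENING
  TCP    192.166.125.10:3389    192.166.125.138:1090   ESTABLISHED
  UDP    0.0.0.0:mfcobol        *:*
"""

def load_services(text):
    """Map (name or alias, protocol) -> port number from a services file."""
    table = {}
    for line in text.splitlines():
        cols = line.split("#", 1)[0].split()  # drop trailing comments
        if len(cols) < 2 or "/" not in cols[1]:
            continue
        port, proto = cols[1].split("/", 1)
        for name in [cols[0]] + cols[2:]:
            table[(name.lower(), proto.lower())] = int(port)
    return table

def listening_ports(netstat_text, services):
    """Return (protocol, port) for each listener; port is None if unresolved."""
    found = []
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 3 or cols[0] not in ("TCP", "UDP"):
            continue
        # UDP rows carry no State column; for TCP keep only listeners.
        if cols[0] == "TCP" and cols[-1] != "LISTENING":
            continue
        port = cols[1].rsplit(":", 1)[1]  # also works for [::]:port
        if port.isdigit():
            found.append((cols[0], int(port)))
        else:
            found.append((cols[0], services.get((port.lower(), cols[0].lower()))))
    return found

if __name__ == "__main__":
    for proto, port in listening_ports(SAMPLE_NETSTAT, load_services(SAMPLE_SERVICES)):
        print(proto, port)
```
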
 
LVL 1

Author Comment

by:vbchewie
ID: 34920063
Thank you it turned out to be just the UDP port 86. Client Program is working now.
0
