Solved

How do I find out what incoming connection Windows Firewall is blocking?

Posted on 2011-02-16
Last Modified: 2012-05-11
I have a server application that client machines need to access. I have gone through and opened the ports and programs that I thought were needed to the incoming allow rules, but the clients still can run the server program. How do I turn logging on for the firewall (Server 2008 R2) so that I can figure out what the firewall is blocking? Or what is the easiest way to figure out what programs need to be added to the allow list?

Thanks,
0
Question by:vbchewie
14 Comments

Expert Comment

by:jason987
ID: 34912082
Go to Start and then type in "windows firewall", and once in the dialog for that go to "monitoring" and then "firewall". This will list all of the programs and any inbound and outbound ports allowed. If your application is in there and the proper ports are allowed, go back to Start and type in "cmd", and then in that window type "netstat -a" and see if there is a line with "listening" on the port the application should be on.
0
 

Author Comment

by:vbchewie
ID: 34912271
The problem is I don't know what it is blocking. Is there a way for me to look and figure out what it blocked, not what it is blocking? The developer is telling me to just shut off the firewall, and I would prefer not to. So I need to figure out what needs to be allowed so I can keep the firewall on.

Thanks
0
 

Expert Comment

by:jason987
ID: 34912344
Well, turning off the firewall temporarily is a good step if you can do it, because it will isolate whether the issue is the program or the firewall.

Here is the walk-through on how to turn on and view the WinFirewall log; you should only need to turn on the option for blocked connections, but for debugging purposes I would do both:

http://technet.microsoft.com/en-us/library/cc947815%28WS.10%29.aspx
0
 

Author Comment

by:vbchewie
ID: 34912512
Here is my pfirewall file.  The Client is 192.166.125.138, does this mean I need to open ports 1072 and 1074?

pfirewall.txt
0
 

Expert Comment

by:jason987
ID: 34912537
No, port 86 is where they are trying to get to, 1074 is the originating port.
0
 

Author Comment

by:vbchewie
ID: 34912582
Opening that port did not fix the problem. Any places I can look for what's getting blocked?
0
 

Expert Comment

by:jason987
ID: 34913289
Honestly, dropping the firewall temporarily will move this along much faster.  9/10 times when I see issues like this it is the application/service not listening, accepting connections, or handling them properly.

What did:

"netstat -a"

...produce? You haven't said what ports the application needs or what protocol it is; that's a huge "step one".
0

Author Comment

by:vbchewie
ID: 34918677
Should I run "netstat -a" with the firewall on or off? The problem is I don't know what ports the application needs; that's what I'm trying to figure out. The developer is saying just completely disable the firewall and I won't have the issue.
0
 

Expert Comment

by:jason987
ID: 34918782
You can run netstat with the firewall on or off. The operation of the firewall simply does not allow incoming connections; the applications or services will still attempt to listen. If you are in contact with the developer, can't they tell you what ports the application listens on?

The tcpview tool will show you what applications are listening or connected, which should list your application if it is indeed listening for incoming connections:

http://technet.microsoft.com/en-us/sysinternals/bb897437

Again, turning off the firewall temporarily and testing would be the best way to diagnose if this is a firewall problem and not an application issue.
0
 

Author Comment

by:vbchewie
ID: 34919073
I'm sorry, I already determined it was the firewall. If I turn it off the client application connects fine. I've attached the netstat -a output and highlighted the two programs in TCPView that I know are part of the application.
netstat.txt
TCPView.png
0
 

Accepted Solution

by:jason987
ID: 34919186
From that:

CCITCP2.EXE is listening for *UDP* connections on port 86.
IMPCSU.EXE is listening for *TCP* connections on port 57196.

The only reason you should need to not have the firewall on is if the application uses different ports for some odd reason.  The TCP/UDP distinction is important.
0
 

Author Comment

by:vbchewie
ID: 34919899
How did you get the UDP port 86?  I see the TCP 57196.
0
 

Expert Comment

by:jason987
ID: 34920006
CCITCP2.exe is listening on local port "mfcobol" which is translated to port 86 as described in:

\Windows\System32\drivers\etc\services

It could point to a different port in services but I verified the port in the netstat log.
0
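An added example (not from the original thread) of the lookup described above: it resolves service names in `netstat -a` output through the services file, keeps the protocol with each port, and formats the matching `netsh advfirewall` inbound allow rule. The netstat and services excerpts, the host name SRV01, the non-client addresses and the rule name are constructed assumptions.

```python
# Constructed excerpts: the poster's netstat.txt and services file are not on
# the page. SRV01 and the addresses shown are made up for the example.
SERVICES = """\
# <service name>  <port>/<protocol>  [aliases...]  [#<comment>]
mfcobol            86/tcp
mfcobol            86/udp
"""
NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:57196          SRV01:0                LISTENING
  TCP    192.166.125.10:49200   192.166.125.20:445     ESTABLISHED
  UDP    0.0.0.0:mfcobol        *:*
"""


def load_services(text):
    """Map (name or alias, protocol) -> port number from services-file text."""
    table = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2 or "/" not in parts[1]:
            continue
        port, proto = parts[1].split("/", 1)
        for name in [parts[0]] + parts[2:]:
            table[(name.lower(), proto.lower())] = int(port)
    return table


def listeners(netstat_text, services):
    """Return sorted (protocol, port) pairs the host is listening on."""
    found = set()
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 3 or cols[0] not in ("TCP", "UDP"):
            continue
        # TCP listeners show LISTENING; UDP sockets have no state column.
        if cols[0] == "TCP" and cols[-1] != "LISTENING":
            continue
        port = cols[1].rsplit(":", 1)[1]
        if not port.isdigit():  # a name such as "mfcobol": look it up per protocol
            port = services.get((port.lower(), cols[0].lower()))
        if port is not None:
            found.add((cols[0], int(port)))
    return sorted(found)


def allow_rule(proto, port, name="server app"):
    """Format the inbound allow rule; the rule name is a placeholder."""
    return (f'netsh advfirewall firewall add rule name="{name} {proto} {port}" '
            f"dir=in action=allow protocol={proto} localport={port}")
```

Because the services file lists `mfcobol` for both TCP and UDP, the protocol has to come from the netstat line; only the listeners that belong to the application should be turned into rules.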
 

Author Comment

by:vbchewie
ID: 34920063
Thank you, it turned out to be just the UDP port 86. Client program is working now.
0
