lauck99 asked:
Windows 7 Firewall Settings

I was unable to ping, establish a UNC connection or map a drive from a Windows 2008 R2 server to a Windows 7 workstation but could establish an RDP connection.  I ended up shutting the firewall completely down with this command, "netsh advfirewall set allprofiles state off" on the Windows 7 workstation. It resolved my connection issue but seemed like I killed a fly with a hand grenade.

 I would love to know why or, preferably, get some reference help where to look/read.  


Darius Ghassem:

lauck99 (asker):

Thanks Darius.  The good news is I had previously tried solutions in each of those links.  Just shutting the firewall service off didn't help.  Apparently there is additional screening still being applied with and without that service running.  So far, only the "netsh advfirewall set allprofiles state off" command cleared the issue.  

The techtalkz link may be applicable.  Although when I was in the rules view I tried some of what I thought were the obvious choices to enable/disable but never figured it out.  From my limited perspective, I think it would be helpful to know what the differences are between the netsh command above and the stopping of the WF service.  From there maybe we could narrow down what to change.
   
Shutting down the service will not stop the firewall from actually blocking programs; this is new in Windows Server 2008 and beyond.

Ports and/or services need to be enabled to allow certain services through the firewall. What seems to be the problem is that the ports aren't opened.
Check that your LAN connection has the right profile setting.  If you are connected to a domain you should be using the DOMAIN firewall profile and not the PRIVATE or PUBLIC profile. PRIVATE is for use in "workgroups" and the PUBLIC profile is for use at the hotel or restaurant WiFi hot spot.

See also:
http://technet.microsoft.com/en-us/magazine/ee851569.aspx

Due to the prevalence of malware, trojans, viruses and worms, operating any computer without an active host-based firewall is not encouraged.
Are you receiving an "access denied" or "host unreachable"?

This command will completely turn off Windows Firewall for all user profiles, allowing WMI access.
netsh advfirewall set allprofiles state off



Entering this while the firewall is up enables remote admin RDP for the "remote administration" group.
netsh advfirewall firewall set rule group="remote administration" new enable=yes



And this one enables the service through the firewall globally.

netsh firewall set service remoteadmin enable



Since RDP works for you already, you don't need to use those two above. You will, however, need to have remote administration enabled through the firewall for WMI.

You can set the rule like this  

 netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes


Then just assign that user to this group; they should be able to use UNC through the firewall using Windows Management Instrumentation (WMI).


I forgot to add
netsh advfirewall set currentprofile settings remotemanagement enable


This one is very important.
lauck99 (asker):

alandc,
   This is a unique setup (at a corporation).  Some interesting attributes to this scenario that I left out so as not to distract from what I thought the root issue was:
- The Windows 7 station is not in an AD/Domain and is on 10.10.10.x
- My PC is in the AD/Domain and is on 10.10.10.x
- The Windows 2k8 R2 test server is in the AD/Domain and is on 10.10.11.x
- The XP and 7 nodes can ping and map back and forth
- The XP and W2k8 server can ping and map back and forth
- The Win 7 can ping and map to the W2k8 server
- The W2k8 server cannot ping or map to the Win 7 WS

Based on that perspective how should I evaluate the profiles?
lauck99 (asker):

Russell,
  I get neither of those responses from the ping.  I (used to) get a response "timed out".  I'll enable the firewall state across all profiles and mess with the last 2 commands.  Thanks.

ASKER CERTIFIED SOLUTION: Aland Coons (solution text available to members only)
Another thought..

If name resolution is also a problem you may need to add hard entries to DNS for the Windows 7 box. While troubleshooting, just use the IP address, then switch to UNC names when it starts working.  DNS on a domain by default will not allow the workstation to register because it's not an authenticated member. Lowering the DNS security level to allow it to register is an option, but not the best choice because of security.
lauck99 (asker):

FYI...I cannot ping by DNS or IP address.  

PS  I'll try the mode and exception settings today or tomorrow.
Your ping is getting blocked by the firewall somewhere.
Instead of PING use NSLOOKUP.  Is DNS working at all?  That will answer part of it.

Also try IPCONFIG /REGISTERDNS and then check your DNS server and see if there is any entry for your Windows 7 station. (You may need to add a fixed / permanent entry.)  Also, check the event log for errors (on the Win7 station).

Yes the firewall (on the Windows 7 station) is a problem. It is still blocking ICMP traffic from your LAN which should be trusted.  But there also may be a problem with the DNS registration and resolution.
lauck99 (asker):

Alan, the nslookup shows that the DNS server has the right IP address registered.  The name has worked in most cases and has in all cases since removing the firewall completely from Win 7 (note my initial question and comments throughout).  At one point for added measure I flushed the DNS cache.  ...file/print settings have been enabled (and disabled) multiple times, still need to try private mode, and at one point had enabled ICMP traffic.

Russell, the problem is definitely within the Windows 7 firewall (note my initial comment/question).  I'm trying to figure out where/why.
lauck99 (asker):

Alan is the big money winner!  With workgroup sharing on (obviously) I went into the Windows Firewall with Advanced Security settings, in the profile section, under the Private Profile tab and allowed inbound connections.  It is working as expected.  It looks like I can get even more granular but don't really have time now.

Thanks.
lauck99 (asker):

Everything was correct minus the need to enable ICMP (at least I didn't have to).  I added a step by step just in case someone else runs into the same issue.
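A worked version of the more granular fix, added here as an example; it is not code from the thread or from any of the posters. It assumes Windows PowerShell 2.0 on the Windows 7 box, run from an elevated prompt, and uses only the netsh advfirewall commands the answers above rely on (the New-NetFirewallRule cmdlets only arrived with Windows 8 / Server 2012). The server subnet 10.10.11.0/24 is taken from the thread; the "EE-" rule names are invented for the example. Two points drive the design: a workstation that is not domain-joined never lands in the Domain profile, so rules enabled only for that profile are irrelevant to it; and the predefined File and Printer Sharing rules are scoped to the local subnet in the Private and Public profiles, which fits the symptom that the 10.10.10.x XP box could reach the workstation while the 10.10.11.x server could not. Rather than switching the Private profile to allow all inbound connections, the script enables that group for local-subnet hosts and adds two rules limited to the server subnet, then checks that the default inbound action is still BlockInbound.

```powershell
# Added example, not from the original thread. Windows PowerShell 2.0 on the Windows 7
# workstation, run elevated. Only "netsh advfirewall" is used.
# Assumptions: server subnet 10.10.11.0/24 (from the thread); "EE-" rule names are invented;
# the profile detection below expects English netsh output.
$ErrorActionPreference = 'Stop'
$serverSubnet = '10.10.11.0/24'     # assumption: subnet of the W2k8 R2 test server

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal -ArgumentList $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

# Run netsh with an argument array so names containing spaces reach netsh as one
# argument, and stop on a rejected command instead of silently continuing.
function Invoke-Netsh([string[]] $NetshArgs) {
    $out = & netsh $NetshArgs
    if ($LASTEXITCODE -ne 0) { throw "netsh $($NetshArgs -join ' ') failed: $out" }
    $out
}

# Step 1: which profile is live? A workstation that is not domain-joined is always
# Private or Public, so anything enabled only for the Domain profile never applies.
$activeProfile = $null
foreach ($line in (Invoke-Netsh @('advfirewall', 'show', 'currentprofile'))) {
    if ($line -match '^(\w+) Profile Settings') { $activeProfile = $matches[1].ToLower(); break }
}
if (-not $activeProfile) { throw 'Could not determine the active firewall profile.' }
Write-Host "Active profile: $activeProfile"

# Step 2: enable the built-in File and Printer Sharing group (NetBIOS 137-139, SMB 445,
# ICMP echo). In the Private/Public profiles these predefined rules only admit the
# local subnet, which is enough for the 10.10.10.x hosts.
Invoke-Netsh @('advfirewall', 'firewall', 'set', 'rule',
               'group=File and Printer Sharing', 'new', 'enable=yes') | Out-Null

# Step 3: the server sits on another subnet, so add narrowly scoped allow rules for it:
# TCP 445 for UNC paths / mapped drives, ICMPv4 type 8 for ping. Bound to the live
# profile and to the server subnet only; the BlockInbound default stays in place.
$rules = @(
    @{ Name = 'EE-SMB-In from server subnet';      Proto = 'TCP';          Port = '445' },
    @{ Name = 'EE-ICMPv4-Echo from server subnet'; Proto = 'icmpv4:8,any'; Port = $null }
)
foreach ($rule in $rules) {
    # netsh happily creates duplicate rule names; remove any earlier copy first and
    # ignore the "No rules match" exit code that a first run produces.
    & netsh advfirewall firewall delete rule "name=$($rule.Name)" | Out-Null
    $a = @('advfirewall', 'firewall', 'add', 'rule', "name=$($rule.Name)", 'dir=in',
           'action=allow', "protocol=$($rule.Proto)", "remoteip=$serverSubnet",
           "profile=$activeProfile", 'enable=yes')
    if ($rule.Port) { $a += "localport=$($rule.Port)" }
    Invoke-Netsh $a | Out-Null
}

# Step 4: confirm the profile's default inbound action was not loosened and the
# rules exist, without ever turning the firewall off.
$policy = Invoke-Netsh @('advfirewall', 'show', "${activeProfile}profile") |
    Where-Object { $_ -match '^Firewall Policy' }
Write-Host $policy      # should still read BlockInbound,AllowOutbound
Invoke-Netsh @('advfirewall', 'firewall', 'show', 'rule', 'name=EE-SMB-In from server subnet')
```

For reference, the GUI change described above (Private Profile tab, inbound connections set to Allow) is the same as `netsh advfirewall set privateprofile firewallpolicy allowinbound,allowoutbound`; `blockinbound,allowoutbound` puts the default back, and `netsh advfirewall set allprofiles state on` undoes the original "state off". The two added rules can be rolled back with `netsh advfirewall firewall delete rule name="EE-SMB-In from server subnet"` and the matching ICMP name. If the share is reached by short NetBIOS name rather than an address or FQDN, the DNS registration point raised earlier in the thread still applies, since NetBIOS name broadcasts do not cross the subnet boundary either.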