Enabled firewall with some rule and now I cannot get to one server on the same subnet

We are working on enabling FW within our company. Our security folks enable some rules (which we cannot change) and for some reason from a win7 system with the FW enabled I cannot get to any shares on this one 2003 server; when I try to get to it by either \\ip or \\name, it will fail. But from another external site we can get to it with FW enabled. Just seems we can't connect from systems on the same subnet with FW enabled. But I can get to other servers on the same subnet, just this one server is the issue.

Now I cannot change the rules as they are locked out. Any way to troubleshoot this?
rdefinoAsked:

Tyler VerkadeCommented:
Can you reach the server by pinging it?
0
rdefinoAuthor Commented:
yes, forgot to mention that.
0
HeltonQACommented:
Can you ping the IP?
0
HeltonQACommented:
Is the server joined to the domain? Is the computer you are trying to access from joined to the domain? When you try to navigate to the share \\ip or \\name, does it ever pop up for user and password or does it just say it can't find it?
0
rdefinoAuthor Commented:
Both systems are in the same domain.

No username or password prompt, just fail to find the server.
0
Tyler VerkadeCommented:
This type of problem usually requires that you change the lanman server parameters in order to get Windows 7 working with older servers. Do these adjustments on the Windows 7 machines that need to connect to the server.

Control Panel - Administrative Tools - Local Security Policy

Local Policies - Security Options

Network security: LAN Manager authentication level
Set to Send LM & NTLM responses only

Set the Minimum session security for NTLM SSP
Disable Require 128-bit encryption

Reboot all machines after making the adjustment.
0

rdefinoAuthor Commented:
Why would this be needed only when the firewall is enabled?

If I disable the FW I can get to the server just fine.
0
HeltonQACommented:
There is a chance the firewall has UDP ports 135 through 139 or TCP ports 135 through 139 blocked.
0
HeltonQACommented:
When you disable the software firewall on the server?
0
rdefinoAuthor Commented:
Is there a way to determine if these ports (UDP ports 135 through 139 or TCP ports 135 through 139) are blocked?

No FW enabled on server.
0
HeltonQACommented:
If you have access to the server, you can open up command prompt and type in "netstat -an"  
If you do not have access to the server, you can open up command prompt from one of the computers that is having trouble reaching it and type, "telnet IP Port"
For example, telnet 10.31.1.80 135
0
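The two checks suggested above (netstat -an on the server, telnet IP port from the client) can be scripted so that the result is unambiguous. The following is an added example, not code from the thread: it parses netstat -an output (the sample below is a constructed excerpt of the listing posted later in this thread) to report which NetBIOS/SMB services the server is actually bound to, and does the client-side connect test with a timeout, so a SYN that is silently dropped by a firewall ("filtered") is distinguished from a port with nothing listening ("refused"). The host passed on the command line is the only input; the port list and service names are my own.

```python
"""Added example (not from the thread): check the SMB/NetBIOS ports from both sides.

parse_netstat_listeners() reads the output of `netstat -an` taken on the server
and reports which ports are bound; tcp_port_open() performs the same connect
test as `telnet IP port` from the client, with a timeout so a dropped SYN is
told apart from a refused connection.
"""
import re
import socket
import sys

# Ports used by Windows file sharing: RPC endpoint mapper, NetBIOS name,
# datagram and session services, and direct-hosted SMB.
SMB_PORTS = {
    ("TCP", 135): "RPC endpoint mapper",
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram service",
    ("TCP", 139): "NetBIOS session service (SMB over NetBIOS)",
    ("TCP", 445): "SMB (direct-hosted)",
}

# Constructed sample, trimmed from the `netstat -an` listing posted in the thread.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.222.135.247:139     0.0.0.0:0              LISTENING
  TCP    10.222.135.247:139     10.222.133.7:52659     ESTABLISHED
  TCP    10.222.135.247:445     10.222.92.50:64457     ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    10.222.135.247:137     *:*
  UDP    10.222.135.247:138     *:*
"""

# proto, local ip, local port, foreign address, optional state (UDP has none)
_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat_listeners(text):
    """Return {(proto, port): local_ip} for every bound socket in netstat -an output.

    TCP sockets count only in LISTENING state; UDP sockets carry no state and
    are bound as soon as they appear, so every UDP line counts.
    """
    listeners = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        proto, local_ip, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        listeners[(proto, int(port))] = local_ip
    return listeners


def missing_smb_listeners(text):
    """Names of the file-sharing services the server is NOT listening on."""
    bound = parse_netstat_listeners(text)
    return [name for key, name in SMB_PORTS.items() if key not in bound]


def tcp_port_open(host, port, timeout=2.0):
    """Client-side equivalent of `telnet host port`.

    Returns "open", "refused" (RST came back: host reachable, nothing listening),
    "filtered" (no answer before the timeout: typically a firewall dropping the
    SYN) or "unreachable" (no route / name resolution failed).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"
    finally:
        s.close()


if __name__ == "__main__":
    # Usage: python smbcheck.py <server-ip>   (defaults to localhost)
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print("server side, not bound:", missing_smb_listeners(SAMPLE_NETSTAT) or "none")
    for (proto, port), name in SMB_PORTS.items():
        if proto == "TCP":
            print(f"client side {host}:{port}/{proto} ({name}): {tcp_port_open(host, port)}")
```

Run the client-side part from the Windows 7 machine with the firewall enabled and again with it disabled: if 139 and 445 go from "filtered" to "open", the client firewall is the component dropping the traffic, and the server (which the netstat excerpt shows listening on 135, 139 and 445) can be ruled out.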
rdefinoAuthor Commented:
Netstat -an on the server:

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:111            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1061           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2144           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7937           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7938           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING
  TCP    10.222.135.247:139     0.0.0.0:0              LISTENING
  TCP    10.222.135.247:139     10.222.133.7:52659     ESTABLISHED
  TCP    10.222.135.247:445     10.222.92.50:64457     ESTABLISHED
  TCP    10.222.135.247:445     10.222.92.51:60662     ESTABLISHED
  TCP    10.222.135.247:445     10.222.133.19:50516    ESTABLISHED
  TCP    10.222.135.247:445     10.222.133.22:50575    ESTABLISHED
  TCP    10.222.135.247:445     10.222.133.122:51160   ESTABLISHED
  TCP    10.222.135.247:445     172.27.22.15:54023     ESTABLISHED
  TCP    10.222.135.247:3389    172.27.22.15:51260     ESTABLISHED
  TCP    10.222.135.247:3844    10.202.88.71:50124     ESTABLISHED
  TCP    10.222.135.247:4201    10.222.135.250:49155   ESTABLISHED
  TCP    127.0.0.1:31000        127.0.0.1:32000        ESTABLISHED
  TCP    127.0.0.1:32000        0.0.0.0:0              LISTENING
  TCP    127.0.0.1:32000        127.0.0.1:31000        ESTABLISHED
  UDP    0.0.0.0:111            *:*
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:1076           *:*
  UDP    0.0.0.0:1691           *:*
  UDP    0.0.0.0:4500           *:*
  UDP    0.0.0.0:7938           *:*
  UDP    0.0.0.0:8082           *:*
  UDP    10.222.135.247:123     *:*
  UDP    10.222.135.247:137     *:*
  UDP    10.222.135.247:138     *:*
  UDP    127.0.0.1:123          *:*
  UDP    127.0.0.1:1025         *:*
  UDP    127.0.0.1:1049         *:*
  UDP    127.0.0.1:1096         *:*
  UDP    127.0.0.1:3724         *:*
0
skullnobrainsCommented:
if i understand what is stated above, the firewall is on the client, and things work when you disable it.

if the above is correct, forget about the server, it works fine, and focus on the client. most likely the LAN has been marked as unsecure and the firewall is configured to forbid sharing of network resources (even while acting as a client). if that is the case, unless you disable the firewall or configure it properly, you won't be able to do much.

one way to bypass might be to enable sharing over ftp, or nfs, or whatever other protocol you find out is not blocked.
0
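If the client firewall is the suspect, the Windows Firewall's own drop log answers the question directly instead of guessing at port ranges. This is an added example, not part of the thread: it assumes dropped-packet logging has been switched on (netsh advfirewall set allprofiles logging droppedconnections enable) and that the log sits in its default location and W3C layout; the sample lines below are constructed in that layout and are not real traffic from the poster's network. The script lists which file-sharing ports were dropped outbound to a given server, which is exactly the symptom described in the question.

```python
"""Added example (not from the thread): find which SMB ports the Windows
Firewall on the client is dropping, from pfirewall.log.

Assumptions: dropped-connection logging is enabled and the log uses the
standard "#Fields:" header shown in the sample.
"""
from collections import Counter
from pathlib import Path

# Default log location on Windows (assumption: logging left at its default path).
DEFAULT_LOG = Path(r"C:\Windows\System32\LogFiles\Firewall\pfirewall.log")
SMB_PORTS = {135, 137, 138, 139, 445}

# Constructed sample in the pfirewall.log layout (not taken from the thread).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2013-05-01 09:12:01 DROP TCP 10.222.133.7 10.222.135.247 52659 445 52 S 1234567 0 8192 - - - SEND
2013-05-01 09:12:04 DROP TCP 10.222.133.7 10.222.135.247 52660 139 52 S 1234568 0 8192 - - - SEND
2013-05-01 09:12:05 DROP UDP 10.222.133.7 10.222.135.255 137 137 78 - - - - - - - SEND
2013-05-01 09:12:09 ALLOW TCP 10.222.133.7 10.222.133.5 52661 445 0 - 0 0 0 - - - SEND
2013-05-01 09:12:11 DROP TCP 172.27.22.15 10.222.133.7 51260 3389 52 S 1234569 0 8192 - - - RECEIVE
"""


def parse_firewall_log(text):
    """Yield one dict per data row, keyed by the column names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):  # truncated or malformed row: skip
            continue
        yield dict(zip(fields, parts))


def smb_drop_summary(text):
    """Count DROP rows on file-sharing ports, keyed by (path, dst-ip, proto, dst-port)."""
    counts = Counter()
    for row in parse_firewall_log(text):
        if row["action"] != "DROP" or not row["dst-port"].isdigit():
            continue
        port = int(row["dst-port"])
        if port in SMB_PORTS:
            counts[(row["path"], row["dst-ip"], row["protocol"], port)] += 1
    return counts


def drops_to_host(text, host):
    """Sorted (proto, port) pairs the firewall dropped *outbound* to `host`."""
    return sorted(
        {(proto, port) for (path, ip, proto, port) in smb_drop_summary(text)
         if path == "SEND" and ip == host}
    )


if __name__ == "__main__":
    text = DEFAULT_LOG.read_text(errors="replace") if DEFAULT_LOG.exists() else SAMPLE_LOG
    for (path, ip, proto, port), n in sorted(smb_drop_summary(text).items()):
        print(f"{path:8} {ip:16} {proto}/{port:<4} dropped {n} time(s)")
```

Outbound drops (path SEND) to the server's address on 139 and 445 confirm the client-side firewall policy is the cause; if the log shows nothing for that host while the connection still fails, the packets never reached the firewall's filtering stage and the problem lies elsewhere (name resolution, routing, or the server's own policy).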