
WS2019 - some network ports are blocked.

I have a problem with Windows Server 2019 being able to open some network ports.
It does not matter if the firewall is enabled or not; incoming rules are set up, but some ports do not work.
Only some of the ports work, those installed with features.
If I want to run something else like Sage 50 port 13531, WSUS 8530, SpiceWorks 9676, I can see only the SYN packet coming in and that's all.
There is no other firewall installed.
I can connect to localhost on those ports, but even if I use the external IP address of the server it does not work.
It does not work from client computers either.
It looks like the process is listening only on localhost (127.0.0.1).
The system is set up as a virtual machine in Hyper-V.
All other virtual machines do not have this problem, so I know that this is not related to the physical hardware or virtual switch.
Did anybody experience a similar problem?

Distinguished Expert 2019

Commented:
You have to configure advanced firewall incoming ports based on the scope applicable to the system, possibly all.

I have seen situations where even if the firewall is off, the ports are still filtered.
Do you have a third-party firewall?

You should not disable the firewall, just add the ports, TCP or UDP as applicable.
Olgierd Ungehojer, Senior Network Administrator

Author

Commented:
Why not disable the firewall for testing? Can you explain?
Configuring advanced rules does not change anything, as I said in the post.
I do not have any other software firewall installed.
The Windows firewall logs do not show that anything is blocked, so I think that it is not related to the firewall at all.
Distinguished Expert 2019

Commented:
The point being: a test is to resolve an issue; the firewall gets re-enabled and the results of your test are worthless.

I have seen with the Windows firewall that disabling the firewall does not open the ports.

Check the scope of the rule you created versus the network classification.
What is your environment? Confirm you do not have a hardware firewall on the segment to which you are connected that is managed by another group within your organization.

Try the following

netstat -an |find /i "listen"
Do you have the outlined ports of interest to you reflected in the resulting output?
Distinguished Expert 2019

Commented:
Are you using an external switch?
What do you mean by external address? The IP address of the host? Your outside-world address? (You can't use the former, and if the latter, you have to configure NAT forwarding.)
Olgierd Ungehojer, Senior Network Administrator

Author

Commented:
Tested it from an RDS server connected to the same virtual switch and from a physical workstation as well - no difference.

By external address I mean that if I open the local server desktop, open a browser and connect to the address http://127.0.0.1:9676 I can connect, but if I open https://10.0.0.254:9676 I get a timeout. 10.0.0.254 is an IP address statically set up on the network interface.

netstat shows
TCP    0.0.0.0:13531          0.0.0.0:0              LISTENING
Distinguished Expert 2019

Commented:
In your advanced firewall rules allow port 9676 HTTP from any to

rem Open TCP Port 9676 inbound and outbound
netsh advfirewall firewall add rule name="SpiceworksTCP Port 9676" dir=in action=allow protocol=TCP localport=9676
netsh advfirewall firewall add rule name="Spicework TCP Port 9676" dir=out action=allow protocol=TCP localport=9676


Distinguished Expert 2019

Commented:
Do you have access to the host config to see whether the connection is VLANed?

Compare the IPs of the two.

Tracert to the IP in question.

Connecting to the same virtual switch might not be a guarantee that something in the config is not what you are expecting.
Distinguished Expert 2019

Commented:
The other part: your access attempt is to 9676, yet the only line you posted is for a service on 13531.
Olgierd Ungehojer, Senior Network Administrator

Author

Commented:
I am sure that this is not related to the firewall settings at all. It does not matter if I add filter rules to allow. It looks like the packets do not touch the firewall at all. Wireshark shows only the SYN packet and the application starts a process, but then I do not see any other packets and the client times out.
Olgierd Ungehojer, Senior Network Administrator

Author

Commented:
I want to tell you that 2 other senior admins are working on it and all of us have over 20 years of experience. We are seeing this for the first time, and on Windows Server 2019.
Distinguished Expert 2019

Commented:
I've run into a similar issue, while being absolutely certain of everything, but a small errant entry ......

You are in the VM; first, check to make sure that what you are expecting is actually what is going on.
Check the settings on the host's virtual switch. Check the VM's network configuration.

Do you have an internal web server to whose logs you have access? Make a connection attempt from this VM to confirm the IP it is coming from.

If you do not see inbound traffic, including pings, your host virtual switch config needs to be checked on how this and others are connected.
Distinguished Expert 2019

Commented:
Can you connect, on the same system on which you can access HTTP://127.0.0.1:9676, to http:/10.0.0.254:9676?
Olgierd Ungehojer, Senior Network Administrator

Author

Commented:
We even put one more network card in the server and created a new virtual switch, not sharing the network card with the management system, and the result was the same. DNS works, Active Directory services work, DFSR works, but anything else has a problem.
Olgierd Ungehojer, Senior Network Administrator

Author

Commented:
No, I cannot connect via https:/10.0.0.254:9676 on the same system.
Distinguished Expert 2019

Commented:
Check the network switch to which you are connecting.
Something is missing, a slight misconfiguration; make sure you are not NATing this VM's network in the configuration.

Can you access the VM's http://10.0.0.254:9676 from the host?
Distinguished Expert 2019

Commented:
If the system cannot connect to itself, your network configuration is an issue.
Ipconfig /all

What is the application? Problem: you did not post the entire list of what netstat -an would output to reflect all services listened on.

Make sure the services in question, instead of binding to all IPs, are configured to only listen on the localhost IP.
Olgierd Ungehojer, Senior Network Administrator

Author

Commented:
It looks like all the applications are related somehow with MSSQL or MySQL.
Distinguished Expert 2019

Commented:
If you can access http://127.0.0.1:9676 and it works as expected, but you cannot access http://10.0.0.254:9676:
One explanation: binding misconfiguration.
One option: the IP you think your system has is the wrong IP, i.e. this could be a broadcast IP of the segment and is in conflict.
.....
Check from the beginning without assumptions.
Olgierd Ungehojer, Senior Network Administrator

Author

Commented:
WSUS uses WID, Sage 50 uses MySQL, Spiceworks uses SQLite.
Distinguished Expert 2019

Commented:
Its reliance on a DB does explain why the system cannot access resources running in it.
Check restrictions within the applications, if any.
Sage, Tomcat, Apache?
WSUS is running under IIS; check sites, bindings.
Is this happening in a virtualized environment or a physical environment?
Olgierd Ungehojer, Senior Network Administrator

Author

Commented:
Virtual machine.
Is it possible the ports are blocked on the host machine end?
Olgierd Ungehojer, Senior Network Administrator

Author

Commented:
It looks like the problem exists if a new domain controller was migrated from SBS2011. I have seen a similar problem like this somewhere else as well.
All ports over 6000 do not work.
Senior Network Administrator
Commented:
The problem with it is that DirectAccess is taking over ports from 6001-47000; there is no information anywhere about this.
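An added diagnostic script, not posted by anyone in the thread, that bundles the checks raised above: which local address each port is listening on (the netstat question), a loopback-versus-interface-IP connect test (the 127.0.0.1 vs 10.0.0.254 symptom), and whether the port sits inside a reserved TCP port range such as the 6001-47000 block the last comment attributes to DirectAccess. It assumes Windows Server 2019 with the NetTCPIP cmdlets, the output layout of `netsh int ipv4 show excludedportrange`, and the feature name DirectAccess-VPN; the port numbers are the ones from the thread.

```powershell
# Added diagnostic (not from the thread). Run in an elevated PowerShell on the affected server.
# Assumes NetTCPIP cmdlets (Get-NetTCPConnection, Test-NetConnection, Get-NetIPAddress)
# and the "netsh int ipv4 show excludedportrange" output layout on Windows Server 2019.
param(
    [int[]]$Ports = @(13531, 8530, 9676)   # ports named in the thread; override with -Ports
)

# 1. Is anything listening, and on which local address? 0.0.0.0 = all interfaces,
#    127.0.0.1 = loopback only (a loopback-only bind would explain the symptom by itself).
Write-Host "== Listening sockets =="
Get-NetTCPConnection -State Listen |
    Where-Object { $Ports -contains $_.LocalPort } |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Format-Table -AutoSize

# 2. Compare loopback against each IPv4 interface address from the same machine.
#    A port that answers on 127.0.0.1 but times out on the interface address points
#    at binding, routing, a reserved range or a filter rather than the application.
$ifaceIPs = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -ne '127.0.0.1' } |
    Select-Object -ExpandProperty IPAddress
Write-Host "== Connect tests (loopback vs interface IP) =="
foreach ($p in $Ports) {
    foreach ($addr in (@('127.0.0.1') + $ifaceIPs)) {
        $ok = (Test-NetConnection -ComputerName $addr -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
        Write-Host ("{0,-15} :{1,-6} {2}" -f $addr, $p, $(if ($ok) { 'open' } else { 'TIMEOUT/closed' }))
    }
}

# 3. Does the port fall into a TCP port exclusion range? The thread's last comment blames
#    DirectAccess for 6001-47000; this prints what the stack has actually reserved.
Write-Host "== Excluded TCP port ranges =="
$ranges = netsh int ipv4 show excludedportrange protocol=tcp | ForEach-Object {
    # assumption: each range line is "<start>  <end>" with optional trailing '*'
    if ($_ -match '^\s*(\d+)\s+(\d+)') {
        [pscustomobject]@{ Start = [int]$Matches[1]; End = [int]$Matches[2] }
    }
}
foreach ($p in $Ports) {
    $hit = $ranges | Where-Object { $p -ge $_.Start -and $p -le $_.End }
    if ($hit) { Write-Host "port $p is inside excluded range $($hit.Start)-$($hit.End)" }
    else      { Write-Host "port $p is not in any excluded range" }
}

# 4. Is the DirectAccess/VPN role installed at all? (feature name assumed: DirectAccess-VPN)
$da = Get-WindowsFeature -Name DirectAccess-VPN -ErrorAction SilentlyContinue
Write-Host ("DirectAccess-VPN role installed: {0}" -f [bool]($da -and $da.Installed))
```

If step 2 shows a port open on 127.0.0.1 but timing out on the interface address while step 1 shows it bound to 0.0.0.0, look at steps 3 and 4 before spending more time on firewall rules.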