Windows XP SP2 firewall port exceptions via Group Policy f..

Archived from groups: microsoft.public.win2000.group_policy

Situation: 300 computers in AD domain running Windows XP SP2. It is
necessary for us to open certain ports in the firewall in order to
accomplish some of our administrative tasks; i.e. port 1761 for
Zenworks Remote Control and port 2607 for Dell's Open Manage IT
Assistant.

Approach: We use the Group Policy Editor to create the appropriate
port exceptions in the Domain Profile and the Standard Profile.

Result: If we go to a machine which is a member of the domain and
login, we observe the following:

a) Using regedit, we find that the port exceptions specified via
Group Policy are present in the local registry in the appropriate
location

b) By issuing the command "netsh firewall show state", the port
exceptions (e.g. 1761/2607) do NOT show

c) Similarly, if we look at the Windows Firewall component of the
Security Center control panel applet, we find the port exceptions are
NOT present.

Additional information:

a) issuing the command netsh firewall add portopening tcp 1761
Zenworks does properly create the port exception. This is persistent
between reboots.

b) Application exceptions to the firewall specified via Group Policy
ARE successfully shown in netsh firewall show state and the Windows
Firewall application - it is only the PORT exceptions that are
failing.

Since it is essential to get these port exceptions functioning
properly, we are desperate for a solution.

We would be willing to install registry entries allowing the open
ports (via some method such as login script), but since registry
settings appear to be correct, this is not an option. Obviously,
netsh firewall add portopening is writing SOMETHING to the registry -
if we could find this entry, propagating via this method would be
practical.

At this point, failing to find the cause of failure, our only option
would be to login to each of the 300 machines individually and
manually add the port exceptions - something we are understandably
trying to avoid.

GPRESULT, which would presumably be helpful in troubleshooting, will
show that port exceptions are enabled, but does not enumerate the port
exceptions, making it less than effective in developing a solution.

Can anyone assist? We've pretty much exhausted resources here.

TIA

How to configure a computer to receive Remote Assistance offers in Windows XP
and Windows 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;301527&sd=tech

Here is an example of how you can configure a port exception.

For more info, you can refer to this white paper.

http://download.microsoft.com/download/6/8/a/68a81446-cd73-4a61-8665-8a67781ac4e8/wf_xpsp2.doc

br,
Denis

"Jason Hammer" wrote:

> Situation: 300 computers in AD domain running Windows XP SP2. It is
> necessary for us to open certain ports in the firewall in order to
> accomplish some of our administrative tasks; i.e. port 1761 for
> Zenworks Remote Control and port 2607 for Dell's Open Manage IT
> Assistant.
>
> Approach: We use the Group Policy Editor to create the appropriate
> port exceptions in the Domain Profile and the Standard Profile.
>
> Result: If we go to a machine which is a member of the domain and
> login, we observe the following:
>
> a) Using regedit, we find that the port exceptions specified via
> Group Policy are present in the local registry in the appropriate
> location
>
> b) By issuing the command "netsh firewall show state", the port
> exceptions (e.g. 1761/2607) do NOT show
>
> c) Similarly, if we look at the Windows Firewall component of the
> Security Center control panel applet, we find the port exceptions are
> NOT present.
>
> Additional information:
>
> a) issuing the command netsh firewall add portopening tcp 1761
> Zenworks does properly create the port exception. This is persistent
> between reboots.
>
> b) Application exceptions to the firewall specified via Group Policy
> ARE successfully shown in netsh firewall show state and the Windows
> Firewall application - it is only the PORT exceptions that are
> failing.
>
> Since it is essential to get these port exceptions functioning
> properly, we are desperate for a solution.
>
> We would be willing to install registry entries allowing the open
> ports (via some method such as login script), but since registry
> settings appear to be correct, this is not an option. Obviously,
> netsh firewall add portopening is writing SOMETHING to the registry -
> if we could find this entry, propagating via this method would be
> practical.
>
> At this point, failing to find the cause of failure, our only option
> would be to login to each of the 300 machines individually and
> manually add the port exceptions - something we are understandably
> trying to avoid.
>
> GPRESULT, which would presumably be helpful in troubleshooting, will
> show that port exceptions are enabled, but does not enumerate the port
> exceptions, making it less than effective in developing a solution.
>
> Can anyone assist? We've pretty much exhausted resources here.
>
> TIA
>

Are you sure you have the syntax of the Port Exception in the Group Policy
Object correct? The configured port exceptions will show up in the GPMC
Settings report. My experience is that this works, but if you don't have
the syntax right, you won't get any error messages or log entries, and it
won't show up in the netsh firewall show state command.

The syntax for TCP port 1761 would be (for example):

1761:TCP:*:enabled:Zenworks

or

1761:TCP:localhost:enabled:Zenworks

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.



"Jason Hammer" <jhammer@law.tulane.edu> wrote in message
news:86odu09v1n683reqes19h5ismaci1n966a@4ax.com...
> Situation: 300 computers in AD domain running Windows XP SP2. It is
> necessary for us to open certain ports in the firewall in order to
> accomplish some of our administrative tasks; i.e. port 1761 for
> Zenworks Remote Control and port 2607 for Dell's Open Manage IT
> Assistant.
>
> Approach: We use the Group Policy Editor to create the appropriate
> port exceptions in the Domain Profile and the Standard Profile.
>
> Result: If we go to a machine which is a member of the domain and
> login, we observe the following:
>
> a) Using regedit, we find that the port exceptions specified via
> Group Policy are present in the local registry in the appropriate
> location
>
> b) By issuing the command "netsh firewall show state", the port
> exceptions (e.g. 1761/2607) do NOT show
>
> c) Similarly, if we look at the Windows Firewall component of the
> Security Center control panel applet, we find the port exceptions are
> NOT present.
>
> Additional information:
>
> a) issuing the command netsh firewall add portopening tcp 1761
> Zenworks does properly create the port exception. This is persistent
> between reboots.
>
> b) Application exceptions to the firewall specified via Group Policy
> ARE successfully shown in netsh firewall show state and the Windows
> Firewall application - it is only the PORT exceptions that are
> failing.
>
> Since it is essential to get these port exceptions functioning
> properly, we are desperate for a solution.
>
> We would be willing to install registry entries allowing the open
> ports (via some method such as login script), but since registry
> settings appear to be correct, this is not an option. Obviously,
> netsh firewall add portopening is writing SOMETHING to the registry -
> if we could find this entry, propagating via this method would be
> practical.
>
> At this point, failing to find the cause of failure, our only option
> would be to login to each of the 300 machines individually and
> manually add the port exceptions - something we are understandably
> trying to avoid.
>
> GPRESULT, which would presumably be helpful in troubleshooting, will
> show that port exceptions are enabled, but does not enumerate the port
> exceptions, making it less than effective in developing a solution.
>
> Can anyone assist? We've pretty much exhausted resources here.
>
> TIA

Bruce,

You're a lifesaver.

We're idiots :)

Or at least, literalists.....

It was a syntax problem. We had specified:

1761:TCP:"*":enabled:Zenworks

instead of

1761:TCP:*:enabled:Zenworks

Since the example given in the explanation frame for this
policy option did not give an explicit example of using the wildcard
for scope, we did not read/extrapolate carefully and thought the
quotation marks were there for a reason....

It's always the little things.

Thanks again.


On Thu, 13 Jan 2005 23:26:48 -0800, "Bruce Sanderson"
<bsanders@junk.junk> wrote:

>Are you sure you have the syntax of the Port Exception in the Group Policy
>Object correct? The configured port exceptions will show up in the GPMC
>Settings report. My experience is that this works, but if you don't have
>the syntax right, you won't get any error messages or log entries, and it
>won't show up in the netsh firewall show state command.
>
>The syntax for TCP port 1761 would be (for example):
>
>1761:TCP:*:enabled:Zenworks
>
>or
>
>1761:TCP:localhost:enabled:Zenworks
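Because a malformed port-exception string fails silently (no error, no event log entry, nothing in netsh firewall show state), it pays to lint the strings before the GPO reaches 300 machines. The following Python check is an added example, not code from the thread or from Microsoft: it validates the port:protocol:scope:status:name layout Bruce gives and flags the quoted "*" scope from the follow-up post. The scope values accepted besides * (LocalSubnet and comma-separated IPv4 addresses or subnets) are an assumption, and the sample rules are constructed.

```python
import ipaddress

# One "Windows Firewall: Define port exceptions" entry: port:protocol:scope:status:name
def scope_problems(scope: str) -> list:
    """Problems with the scope field, as a list (empty means acceptable)."""
    if '"' in scope or "'" in scope:
        # The mistake from the follow-up post: the wildcard is a bare *, not "*".
        return ["scope contains quote characters; write the wildcard as a bare *"]
    if scope.lower() in ("*", "localsubnet"):
        return []
    # Assumption: anything else is a comma-separated list of IPv4 addresses/subnets.
    for entry in scope.split(","):
        try:
            ipaddress.ip_network(entry.strip(), strict=False)
        except ValueError:
            return [f"scope entry {entry!r} is not *, LocalSubnet, an address or a subnet"]
    return []

def check_port_exception(rule: str) -> list:
    """Return the problems found in one rule string (empty list means OK)."""
    parts = rule.split(":", 4)  # the name may contain colons, so split at most 4 times
    if len(parts) != 5:
        return [f"expected 5 fields port:protocol:scope:status:name, got {len(parts)}"]
    port, proto, scope, status, _name = (p.strip() for p in parts)
    problems = scope_problems(scope)
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append(f"port {port!r} is not an integer in 1-65535")
    if proto.upper() not in ("TCP", "UDP"):
        problems.append(f"protocol {proto!r} must be TCP or UDP")
    if status.lower() not in ("enabled", "disabled"):
        problems.append(f"status {status!r} must be enabled or disabled")
    return problems

def lint_rules(rules) -> dict:
    """Map each rule to its problems; push the GPO only when every list is empty."""
    return {rule: check_port_exception(rule) for rule in rules}

# Constructed samples: the thread's working rule, a port 2607 rule with an address-list
# scope, the quoted-wildcard string from the follow-up, and two malformed entries.
SAMPLE_RULES = [
    "1761:TCP:*:enabled:Zenworks",
    "2607:TCP:192.168.10.0/24,10.0.0.5:enabled:Dell OpenManage IT Assistant",
    '1761:TCP:"*":enabled:Zenworks',
    "1761:TCP:enabled:Zenworks",
    "70000:UDP:*:enabled:bad port",
]

if __name__ == "__main__":
    for rule, problems in lint_rules(SAMPLE_RULES).items():
        print(f"{rule!r}: {'; '.join(problems) or 'OK'}")
```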