Windows XP SP2 firewall port exceptions via Group Policy failing


Jason Hammer

Situation: 300 computers in AD domain running Windows XP SP2. It is
necessary for us to open certain ports in the firewall in order to
accomplish some of our administrative tasks; i.e. port 1761 for
Zenworks Remote Control and port 2607 for Dell's Open Manage IT
Assistant.

Approach: We use the Group Policy Editor to create the appropriate
port exceptions in the Domain Profile and the Standard Profile.

Result: If we go to a machine which is a member of the domain and
login, we observe the following:

a) Using regedit, we find that the port exceptions specified via
Group Policy are present in the local registry in the appropriate
location.

b) By issuing the command "netsh firewall show state", the port
exceptions (e.g. 1761/2607) do NOT show.

c) Similarly, if we look at the Windows Firewall component of the
Security Center control panel applet, we find the port exceptions are
NOT present.

Additional information:

a) Issuing the command "netsh firewall add portopening tcp 1761
Zenworks" does properly create the port exception. This is persistent
between reboots.

b) Application exceptions to the firewall specified via Group Policy
ARE successfully shown in "netsh firewall show state" and the Windows
Firewall application - it is only the PORT exceptions that are
failing.

Since it is essential to get these port exceptions functioning
properly, we are desperate for a solution.

We would be willing to install registry entries allowing the open
ports (via some method such as login script), but since registry
settings appear to be correct, this is not an option. Obviously,
netsh firewall add portopening is writing SOMETHING to the registry -
if we could find this entry, propagating via this method would be
practical.

At this point, failing to find the cause of failure, our only option
would be to login to each of the 300 machines individually and
manually add the port exceptions - something we are understandably
trying to avoid.

GPRESULT, which would presumably be helpful in troubleshooting, will
show that port exceptions are enabled, but does not enumerate the port
exceptions, making it less than effective in developing a solution.

Can anyone assist? We've pretty much exhausted resources here.

TIA
 

Bruce Sanderson

Are you sure you have the syntax of the Port Exception in the Group Policy
Object correct? The configured port exceptions will show up in the GPMC
Settings report. My experience is that this works, but if you don't have
the syntax right, you won't get any error messages or log entries, but it
won't show up in the netsh firewall show state command.

The syntax for TCP port 1761 would be (for example):

1761:TCP:*:enabled:Zenworks

or

1761:TCP:localhost:enabled:Zenworks

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.
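The following is an added example, not code posted in this thread or shipped by Microsoft. It checks a list of "Define port exceptions" strings in the port:protocol:scope:status:name form Bruce gives, reporting exactly the kind of silent mistake the policy editor does not flag (a quoted "*" in the scope field, a bad port, a missing field), and then builds the equivalent "netsh firewall add portopening" command for a login script. Assumptions: the scope field accepts a bare *, the word localsubnet, or a comma-separated list of IPv4 addresses/subnets; the netsh keyword syntax (protocol=, port=, name=, mode=, scope=ALL|SUBNET|CUSTOM, addresses=) is that of the XP SP2 "netsh firewall" context. The sample entries at the bottom are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# A Group Policy "Define port exceptions" entry looks like
#   port:protocol:scope:status:name
# e.g.  1761:TCP:*:enabled:Zenworks   (the working entry from the thread)


@dataclass
class PortException:
    port: int
    protocol: str   # "TCP" or "UDP"
    scope: str      # "*" | "localsubnet" | "addr[,addr/prefix,...]" (assumed grammar)
    enabled: bool
    name: str


def _check_scope(scope: str) -> Optional[str]:
    """Return an error message if the scope field is malformed, else None."""
    # The mistake from the thread: the wildcard wrapped in quotation marks.
    if scope in ('"*"', "'*'"):
        return 'scope is the quoted string "*"; the wildcard must be a bare *'
    if scope == "*" or scope.lower() == "localsubnet":
        return None
    # Assumed: otherwise a comma-separated list of IPv4 addresses / subnets.
    for tok in scope.split(","):
        tok = tok.strip()
        if not tok:
            return "empty address in scope list"
        if tok.lower() == "localsubnet":
            continue
        try:
            ipaddress.ip_network(tok, strict=False)
        except ValueError:
            return f"scope token {tok!r} is not *, localsubnet, an IP address or a subnet"
    return None


def parse_port_exception(entry: str) -> PortException:
    """Parse and validate one policy string; raise ValueError with a specific reason.

    The policy editor itself accepts anything and logs nothing, so this is the
    feedback you otherwise only get by noticing the port is missing on a client.
    """
    fields = entry.split(":", 4)          # the name (last field) may contain colons
    if len(fields) != 5:
        raise ValueError(f"{entry!r}: expected 5 colon-separated fields, got {len(fields)}")
    port_s, proto, scope, status, name = fields
    if not port_s.isdigit() or not 1 <= int(port_s) <= 65535:
        raise ValueError(f"{entry!r}: port {port_s!r} is not an integer in 1-65535")
    if proto.upper() not in ("TCP", "UDP"):
        raise ValueError(f"{entry!r}: protocol {proto!r} must be TCP or UDP")
    err = _check_scope(scope)
    if err:
        raise ValueError(f"{entry!r}: {err}")
    if status.lower() not in ("enabled", "disabled"):
        raise ValueError(f"{entry!r}: status {status!r} must be enabled or disabled")
    if not name.strip():
        raise ValueError(f"{entry!r}: name must not be empty")
    return PortException(int(port_s), proto.upper(), scope, status.lower() == "enabled", name.strip())


def lint(entries: List[str]) -> List[str]:
    """Validate a whole list of policy strings; return the problems found (empty if clean)."""
    problems = []
    for e in entries:
        try:
            parse_port_exception(e)
        except ValueError as exc:
            problems.append(str(exc))
    return problems


def netsh_command(pe: PortException) -> str:
    """Equivalent 'netsh firewall' command (XP SP2 context), usable from a login script."""
    parts = ["netsh firewall add portopening",
             f"protocol={pe.protocol}", f"port={pe.port}", f'name="{pe.name}"',
             f"mode={'ENABLE' if pe.enabled else 'DISABLE'}"]
    if pe.scope == "*":
        parts.append("scope=ALL")
    elif pe.scope.lower() == "localsubnet":
        parts.append("scope=SUBNET")
    else:
        parts += ["scope=CUSTOM", f"addresses={pe.scope}"]
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample: the thread's broken entry, its fix, and one for the Dell port.
    SAMPLE = [
        '1761:TCP:"*":enabled:Zenworks',
        "1761:TCP:*:enabled:Zenworks",
        "2607:TCP:localsubnet:enabled:Dell OpenManage IT Assistant",
    ]
    for problem in lint(SAMPLE):
        print("BAD:", problem)
    for entry in SAMPLE[1:]:
        print(netsh_command(parse_port_exception(entry)))
```

Run it over the exact strings you intend to paste into the policy before you apply the GPO; the quoted-wildcard entry is reported, the other two produce ready-to-use netsh lines.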
 

Jason Hammer

Bruce,

You're a lifesaver.

We're idiots :)

Or at least, literalists.....

It was a syntax problem. We had specified:

1761:TCP:"*":enabled:Zenworks

instead of

1761:TCP:*:enabled:Zenworks

Since the example given in the explanation frame for this
policy option did not give an explicit example of using the wildcard
for scope, we did not read/extrapolate carefully and thought the
quotation marks were there for a reason....

It's always the little things.

Thanks again.
 
