Windows Firewall is Blocking BES Traffic - Windows Vista / Windows 2008 / Windows 7 / Windows 2008R2 - BES Relay/Server >= 7.0

Description

Windows Firewall replaced Internet Connection Firewall starting in Windows XP SP2 and Windows 2003 SP1. The listed computers have the Windows Firewall enabled and configured to block inbound traffic on the port used by BES (BES uses port 52311 by default).

Both UDP and TCP packets are used by the BES Server and BES Relays to send information about new actions and fixlets. ICMP packets are used in relay selection. After configuring Windows Firewall to allow inbound traffic on the BES Listen Port as well as inbound ICMP packets, BES Servers and BES Relays will resume normal communication.

Note: After this action is applied, affected BES Relays will not report until they have performed their standard once-per-day gather or until the BES Relay is restarted.

Note: There are currently performance issues and functional limitations associated with the relevance of this fixlet.

Important Note: If the listed computers' firewall settings are being administered through a domain group policy, the results of this action may be overwritten by that policy. The actions below will only affect the local firewall policy, and will not affect any group firewall policy settings that may have been applied by a domain administrator. If your firewall has been configured via a domain group policy, these actions may report back as 'Failed', and the firewall must be disabled or configured through group policy instead.


Property Details

ID: 245
Title: Windows Firewall is Blocking BES Traffic - Windows Vista / Windows 2008 / Windows 7 / Windows 2008R2 - BES Relay/Server >= 7.0
Category: Support
Download Size: 0
Source: BigFix
Source ID: <Unspecified>
Source Severity: Important
Source Release Date: 3/18/2008 12:00:00 AM
Keywords: BES Firewall Relays Note policy
Added by on 10/17/2012 1:14:38 PM
Last Modified by on 10/17/2012 1:14:38 PM
Counters 6043 Views / 4 Downloads

Relevance

Used in 85 fixlets and 10 analyses * Results in a true/false
exists relay service OR exists main gather service

Used in 19 fixlets * Results in a true/false
version of client >= "7.0"

Used in 2 fixlets * Results in a true/false
(it = "WinVista" or it = "Win2008" or it = "Win7" or it = "Win2008R2") of name of operating system

Used in 2 fixlets * Results in a true/false
firewall enabled of current profile of local policy of firewall

Used in 5 fixlets * Results in a true/false
exists file "netsh.exe" of system folder

Used in 2 fixlets * Results in a true/false
NOT (inbound connections allowed of current profile of local policy of firewall OR (exist key "HKLM\Software\Policies\Microsoft\WindowsFirewall\FirewallRules" whose ((exists value whose (it as string as lowercase contains "|action=allow|" and it as string as lowercase contains "|active=true|" AND it as string as lowercase contains "|dir=in|" and NOT (it as string as lowercase contains "|protocol=") AND ((it as string as lowercase contains "|profile=" & (if (current profile type of firewall = domain firewall profile type) then "domain|" else if (current profile type of firewall = public firewall profile type) then "public|" else if (current profile type of firewall = private firewall profile type) then "private|" else "INVALID")) OR not (it as string as lowercase contains "|profile")) ) of it)) of native registry))

Used in 1 fixlet * Results in a true/false
if exists regapp "BESRelay.exe" then (if version of regapp "BESRelay.exe" >= "8.0" as version then (NOT ((exists rule whose (inbound of it and enabled of it and name of it = "BES Relay") of it) AND (exists rule whose (inbound of it and enabled of it and name of it = "BES Relay (ICMPv4)") of it) AND (exists rule whose (inbound of it and enabled of it and name of it = "BES Relay (ICMPv6)") of it)) of firewall) else true) else true
Used in 1 fixlet * Results in a true/false
NOT (((exists rule whose ((NOT exists local ports string of it OR local ports string of it contains (value "ListenPort" of key "HKLM\SOFTWARE\BigFix\EnterpriseClient\GlobalOptions" of registry as string) OR local ports string of it = "*") AND (((application name of it ends with "\BESRelay.exe") AND NOT (service name of it = "BESRelay")) OR (regex "^(\s)*$" = application name of it AND regex "^(\s)*$" = service name of it)) and enabled of it and protocol of it = udp and inbound of it and profile (current profile type of firewall) of it) of firewall) OR (exists internet connection firewall whose (enabled of it AND exists port mapping whose (enabled of it AND protocol of it = "udp" AND internal port of it as string = (value "ListenPort" of key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\GlobalOptions" of registry) as string) of it) of adapters of network) OR (exist key "HKLM\Software\Policies\Microsoft\WindowsFirewall\FirewallRules" whose ((exists value whose (it as string as lowercase contains "|action=allow|" and it as string as lowercase contains "|active=true|" AND it as string as lowercase contains "|dir=in|" and (it as string as lowercase contains "|protocol=17|" or NOT (it as string as lowercase contains "|protocol")) AND (it as string as lowercase contains "|lport=" & (value "ListenPort" of key "HKLM\SOFTWARE\BigFix\EnterpriseClient\GlobalOptions" of registry as string) & "|" OR not (it as string as lowercase contains "|lport=")) AND (not ((it as string as lowercase contains "|app=")) OR (it as string as lowercase contains "|app=" and it as string contains "\BESRelay.exe|")) AND ((it as string as lowercase contains "|profile=" & (if (current profile type of firewall = domain firewall profile type) then "domain|" else if (current profile type of firewall = public firewall profile type) then "public|" else if (current profile type of firewall = private firewall profile type) then "private|" else "INVALID")) OR not (it as string as lowercase contains "|profile"))) of it)) of native registry) OR (((exists key ("HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\" & (if (current profile type of firewall = domain firewall profile type) then "DomainProfile" else "StandardProfile") & "\GloballyOpenPorts") whose (exists value whose ((name of it as lowercase = "enabled") AND (it = 1)) of it) of it) AND (exists key ("HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\" & (if (current profile type of firewall = domain firewall profile type) then "DomainProfile" else "StandardProfile") & "\GloballyOpenPorts\List") whose (exists value whose ((name of it starts with value "ListenPort" of key "HKLM\SOFTWARE\BigFix\EnterpriseClient\GlobalOptions" of x32 registry as string & ":") AND (regex "^(\d)+:UDP:(.+)?:enabled:(.+)$" = name of it)) of it) of it)) of native registry) OR (((exists key ("HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\" & (if (current profile type of firewall = domain firewall profile type) then "DomainProfile" else "StandardProfile") & "\AuthorizedApplications") whose (exists value whose ((name of it as lowercase = "enabled") AND (it = 1)) of it) of it) AND (exists key ("HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\" & (if (current profile type of firewall = domain firewall profile type) then "DomainProfile" else "StandardProfile") & "\AuthorizedApplications\List") whose (exists value whose ((regex "^(.+)?\\BESRelay.exe:(.+)?:enabled:(.+)$" = name of it)) of it) of it)) of native registry)) AND ((exists rule whose ((NOT exists local ports string of it OR local ports string of it contains (value "ListenPort" of key "HKLM\SOFTWARE\BigFix\EnterpriseClient\GlobalOptions" of registry as string) OR local ports string of it = "*") AND (((application name of it ends with "\BESRelay.exe") AND NOT (service name of it = "BESRelay")) OR (regex "^(\s)*$" = application name of it AND regex "^(\s)*$" = service name of it)) and enabled of it and protocol of it = tcp and inbound of it and profile (current profile type of firewall) of it) of firewall) OR (exists internet connection firewall whose (enabled of it AND exists port mapping whose (enabled of it AND protocol of it = "tcp" AND internal port of it as string = (value "ListenPort" of key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\GlobalOptions" of registry) as string) of it) of adapters of network) OR (exist key "HKLM\Software\Policies\Microsoft\WindowsFirewall\FirewallRules" whose ((exists value whose (it as string as lowercase contains "|action=allow|" and it as string as lowercase contains "|active=true|" AND it as string as lowercase contains "|dir=in|" and (it as string as lowercase contains "|protocol=6|" or NOT (it as string as lowercase contains "|protocol")) AND (it as string as lowercase contains "|lport=" & (value "ListenPort" of key "HKLM\SOFTWARE\BigFix\EnterpriseClient\GlobalOptions" of registry as string) & "|" OR not (it as string as lowercase contains "|lport=")) AND (not ((it as string as lowercase contains "|app=")) OR (it as string as lowercase contains "|app=" and it as string contains "\BESRelay.exe|")) AND ((it as string as lowercase contains "|profile=" & (if (current profile type of firewall = domain firewall profile type) then "domain|" else if (current profile type of firewall = public firewall profile type) then "public|" else if (current profile type of firewall = private firewall profile type) then "private|" else "INVALID")) OR not (it as string as lowercase contains "|profile"))) of it)) of native registry) OR (((exists key ("HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\" & (if (current profile type of firewall = domain firewall profile type) then "DomainProfile" else "StandardProfile") & "\GloballyOpenPorts") whose (exists value whose ((name of it as lowercase = "enabled") AND (it = 1)) of it) of it) AND (exists key ("HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\" & (if (current profile type of firewall = domain firewall profile type) then "DomainProfile" else "StandardProfile") & "\GloballyOpenPorts\List") whose (exists value whose ((name of it starts with value "ListenPort" of key "HKLM\SOFTWARE\BigFix\EnterpriseClient\GlobalOptions" of x32 registry as string & ":") AND (regex "^(\d)+:TCP:(.+)?:enabled:(.+)$" = name of it)) of it) of it)) of native registry) OR (((exists key ("HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\" & (if (current profile type of firewall = domain firewall profile type) then "DomainProfile" else "StandardProfile") & "\AuthorizedApplications") whose (exists value whose ((name of it as lowercase = "enabled") AND (it = 1)) of it) of it) AND (exists key ("HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\" & (if (current profile type of firewall = domain firewall profile type) then "DomainProfile" else "StandardProfile") & "\AuthorizedApplications\List") whose (exists value whose ((regex "^(.+)?\\BESRelay.exe:(.+)?:enabled:(.+)$" = name of it)) of it) of it)) of native registry)) AND ((exists key ("HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\" & (if (current profile type of firewall = domain firewall profile type) then "DomainProfile" else "StandardProfile") & "\IcmpSettings") whose (exists value whose (name of it = "AllowInboundEchoRequest" and it = 1) of it) of native registry) OR (((exists rule whose ((enabled of it and (protocol of it = internet protocol 1) and inbound of it and profile (current profile type of firewall) of it and (regex "^(\s)*$" = application name of it OR application name of it ends with "\BESRelay.exe") AND regex "^(\s)*$" = service name of it)) of firewall) OR (exist key "HKLM\Software\Policies\Microsoft\WindowsFirewall\FirewallRules" whose (exists value whose (it as string as lowercase contains "|action=allow|" and it as string as lowercase contains "|active=true|" AND it as string as lowercase contains "|dir=in|" and (it as string as lowercase contains "|protocol=1|" or NOT (it as string as lowercase contains "|protocol")) AND (it as string as lowercase contains "|lport=" & (value "ListenPort" of key "HKLM\SOFTWARE\BigFix\EnterpriseClient\GlobalOptions" of registry as string) & "|" OR not (it as string as lowercase contains "|lport=")) AND (not ((it as string as lowercase contains "|app=")) OR (if (it as string as lowercase contains "|app=") then (it as string contains "\BESRelay.exe|") else true) AND ((it as string as lowercase contains "|profile=" & (if (current profile type of firewall = domain firewall profile type) then "domain|" else if (current profile type of firewall = public firewall profile type) then "public|" else if (current profile type of firewall = private firewall profile type) then "private|" else "INVALID")) OR not (it as string as lowercase contains "|profile"))) of it) of it) of native registry)) AND ((exists rule whose ((enabled of it and (protocol of it = internet protocol 58) and inbound of it and profile (current profile type of firewall) of it and (regex "^(\s)*$" = application name of it OR application name of it ends with "\BESRelay.exe") AND regex "^(\s)*$" = service name of it)) of firewall) OR (exist key "HKLM\Software\Policies\Microsoft\WindowsFirewall\FirewallRules" whose (exists value whose (it as string as lowercase contains "|action=allow|" and it as string as lowercase contains "|active=true|" AND it as string as lowercase contains "|dir=in|" and (it as string as lowercase contains "|protocol=58|" or NOT (it as string as lowercase contains "|protocol")) AND (it as string as lowercase contains "|lport=" & (value "ListenPort" of key "HKLM\SOFTWARE\BigFix\EnterpriseClient\GlobalOptions" of registry as string) & "|" OR not (it as string as lowercase contains "|lport=")) AND (not ((it as string as lowercase contains "|app=")) OR (if (it as string as lowercase contains "|app=") then (it as string contains "\BESRelay.exe|") else true) AND ((it as string as lowercase contains "|profile=" & (if (current profile type of firewall = domain firewall profile type) then "domain|" else if (current profile type of firewall = public firewall profile type) then "public|" else if (current profile type of firewall = private firewall profile type) then "private|" else "INVALID")) OR not (it as string as lowercase contains "|profile"))) of it) of it) of native registry)))))
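The group-policy branch of the relevance above, rewritten as an added Python example (not the fixlet's own code) that evaluates the same inbound-allow predicate over a few constructed FirewallRules policy values; the rule strings, the listen port 52311 and the profile names are assumptions, and it goes one step beyond the relevance by accepting a rule that carries several Profile= tokens.

```python
# Added example: Python re-implementation of the group-policy branch of the
# fixlet relevance, which inspects the pipe-delimited rule strings Windows
# Firewall keeps under HKLM\Software\Policies\Microsoft\WindowsFirewall\FirewallRules.
# The rule strings, listen port and profile used below are constructed samples.

# Protocol numbers the relevance tests: UDP 17, TCP 6, ICMPv4 1, ICMPv6 58.
REQUIRED_PROTOCOLS = {"udp": "17", "tcp": "6", "icmpv4": "1", "icmpv6": "58"}

# Constructed sample: one registry value per rule, as a domain policy would push.
SAMPLE_FIREWALL_RULES = {
    "{rule-1}": "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=52311"
                "|Profile=Domain|Name=BES UDP|",
    "{rule-2}": "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=52311"
                "|App=C:\\Program Files\\BigFix Enterprise\\BES Relay\\BESRelay.exe|",
    "{rule-3}": "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=1|Profile=Private|",
    "{rule-4}": "v2.10|Action=Block|Active=TRUE|Dir=In|Protocol=58|Name=No ICMPv6|",
}

def parse_rule(raw):
    """Split a rule string into (key, value) pairs with lowercased keys. Repeated
    keys (one Profile= token per profile the rule applies to) stay separate."""
    pairs = []
    for token in raw.split("|"):
        if "=" in token:
            key, value = token.split("=", 1)
            pairs.append((key.lower(), value))
    return pairs

def values_of(pairs, key):
    return [value for k, value in pairs if k == key]

def rule_allows_bes(pairs, proto_number, listen_port, current_profile):
    """True when one parsed rule meets the relevance's inbound-allow predicate for
    the protocol. As in the relevance, an absent token (no LPort=, App=, Profile=)
    matches anything."""
    def has(key, wanted):
        return any(v.lower() == wanted for v in values_of(pairs, key))

    if not (has("action", "allow") and has("active", "true") and has("dir", "in")):
        return False
    protocols = values_of(pairs, "protocol")
    if protocols and proto_number not in protocols:
        return False
    ports = values_of(pairs, "lport")
    if ports and str(listen_port) not in ports:
        return False
    apps = values_of(pairs, "app")
    if apps and not any(a.lower().endswith("\\besrelay.exe") for a in apps):
        return False
    profiles = [p.lower() for p in values_of(pairs, "profile")]
    return not profiles or current_profile.lower() in profiles

def missing_bes_allows(rules, listen_port, current_profile):
    """Protocols for which no policy rule allows BES inbound traffic on the current
    profile; an empty list means group policy already covers the BES port."""
    parsed = [parse_rule(raw) for raw in rules.values()]
    return [name for name, number in REQUIRED_PROTOCOLS.items()
            if not any(rule_allows_bes(p, number, listen_port, current_profile)
                       for p in parsed)]
```

With the sample rules and the domain profile, UDP and TCP on 52311 are covered but both ICMP allows are missing, which is the situation in which the fixlet's local netsh rules would still be needed.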

Actions

Action 1

Action Link: Click here for information on how to make this action a "policy" action that will automatically open the BES port on any computer that has this Fixlet message relevant.
Script Type: URL
http://support.bigfix.com/cgi-bin/kbdirect.pl?id=113
    

Action 2

Action Link: Click here to leave Windows Firewall enabled, but also allow incoming traffic on the port reserved for BES.
Script Type: BigFix Action Script
wait "{pathname of system folder}\netsh.exe" advfirewall firewall add rule name="BES - UDP" dir=in action=allow  description="BigFix Enterprise Client" enable=yes profile="{(if (current profile type of firewall = domain firewall profile type) then "domain" else (if (current profile type of firewall = public firewall profile type) then "public" else "private"))}" protocol=udp localport={value "ListenPort" of key "HKLM\SOFTWARE\BigFix\EnterpriseClient\GlobalOptions" of registry} interfacetype=any
wait "{pathname of system folder}\netsh.exe" advfirewall firewall add rule name="BES - TCP" dir=in action=allow description="BigFix Enterprise Client" enable=yes profile="{(if (current profile type of firewall = domain firewall profile type) then "domain" else (if (current profile type of firewall = public firewall profile type) then "public" else "private"))}" protocol=tcp localport={value "ListenPort" of key "HKLM\SOFTWARE\BigFix\EnterpriseClient\GlobalOptions" of registry} interfacetype=any
wait "{pathname of system folder}\netsh.exe" advfirewall firewall add rule name="BES - ICMP" dir=in action=allow description="BigFix Enterprise Client ICMPv4" enable=yes profile="{(if (current profile type of firewall = domain firewall profile type) then "domain" else (if (current profile type of firewall = public firewall profile type) then "public" else "private"))}" protocol=ICMPv4 interfacetype=any
wait "{pathname of system folder}\netsh.exe" advfirewall firewall add rule name="BES - ICMPv6" dir=in action=allow description="BigFix Enterprise Client ICMP" enable=yes profile="{(if (current profile type of firewall = domain firewall profile type) then "domain" else (if (current profile type of firewall = public firewall profile type) then "public" else "private"))}" protocol=ICMPv6 interfacetype=any
regset "{"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\" & (if (current profile type of firewall = domain firewall profile type) then "DomainProfile]" else (if (current profile type of firewall = private firewall profile type) then "StandardProfile]" else "PublicProfile]"))}" "DoNotAllowExceptions"=dword:00000000
delete restart_services.bat
appendfile @echo off
appendfile net stop "Windows Firewall"
appendfile net start "Windows Firewall"
move __appendfile restart_services.bat
wait "{pathname of client folder of site "BESSupport" & "\RunQuiet.exe"}" restart_services.bat
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.

Action 3

Action Link: Click here to disable Windows Firewall for the current network profile.
Script Type: BigFix Action Script
if {current profile type of firewall = domain firewall profile type}
regset "{"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]"}" "EnableFirewall"=dword:00000000
elseif {current profile type of firewall = private firewall profile type}
regset "{"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]"}" "EnableFirewall"=dword:00000000
else
regset "{"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]"}" "EnableFirewall"=dword:00000000
endif
delete restart_services.bat
appendfile @echo off
appendfile net stop "Windows Firewall"
appendfile net start "Windows Firewall"
move __appendfile restart_services.bat
wait "{pathname of client folder of site "BESSupport" & "\RunQuiet.exe"}" restart_services.bat
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.

Action 4

Action Link: Click here for more information about Windows Firewall for Windows Vista.
Script Type: URL
http://www.microsoft.com/windows/products/windowsvista/features/details/firewall.mspx
    

Action 5

Action Link: Click here for information on how to make this action a "policy" action that will automatically open the BES port on any computer that has this Fixlet message relevant.
Script Type: URL
http://support.bigfix.com/cgi-bin/kbdirect.pl?id=113
    
