Windows Firewall is Blocking BES Traffic - BES Client
Description
Windows Firewall replaced Internet Connection Firewall starting in Windows XP SP2 and Windows 2003 SP1. The listed computers have the Windows Firewall enabled and configured to block inbound UDP traffic on the port used by BES (BES uses port 52311 by default).

The BES Server and BES Relays send UDP packets to the BES Clients to notify them that new information is available, such as new Fixlet messages, actions, and computer refreshes. BES Clients on relevant computers will not receive UDP notification packets and therefore will not see new actions or new Fixlet messages until they gather the new actionsite, which by default happens once a day. After Windows Firewall is configured to allow inbound UDP traffic on the BES Listen Port, BES Clients will resume normal communication with the BES Server and BES Relays.

Note: After this action is applied, affected BES Clients will not report until they have performed their standard once-per-day gather or until the BES Client is restarted.

Important Note: If the listed computers' firewall settings are being administered through a domain group policy, the results of this action may be overwritten by that policy. The actions below affect only the local firewall policy and do not affect any group firewall policy settings that may have been applied by a domain administrator. If your firewall has been configured via a domain group policy, these actions may report back as 'Failed', and the firewall must be disabled or configured through group policy instead.
Property Details
542 | |
Windows Firewall is Blocking BES Traffic - BES Client | |
Support | |
0 | |
BigFix | |
<Unspecified> | |
Important | |
6/13/2005 12:00:00 AM | |
BES Firewall UDP Clients policy | |
besSupport on 10/17/2012 1:16:08 PM | |
danielheth on 10/17/2012 1:16:08 PM | |
7244 Views / 10 Downloads | |
Relevance
Used in 221 fixlets | * Results in a true/false |
(if exists property "in proxy agent context" then ( not in proxy agent context ) else true )
version of client >= "5.1"
Used in 24 fixlets | * Results in a true/false |
((if (version of client >= "8.0") then (windows of it) else (name of it starts with "Win")) AND platform id of it != 3) of operating system
Used in 2 fixlets | * Results in a true/false |
not ((exists relay service) OR (exists main gather service))
Used in 4 fixlets | * Results in a true/false |
(not exists module "inspect.dll") OR (exists module "inspect.dll" AND (version string "ProductVersion" of module "inspect.dll" as version != "4.1.8.05" as version) AND (version string "ProductVersion" of module "inspect.dll" as version != "4.1.8.04" as version))
Used in 3 fixlets | * Results in a true/false |
((name of it = "WinXP" AND (it != "" AND last 1 of it > "1") of csd version of it) OR ((name of it = "Win2003" OR name of it = "WinXP-2003") AND csd version of it != "")) of operating system
Used in 3 fixlets | * Results in a true/false |
(not exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall" of registry AND firewall enabled of current profile of local policy of firewall) OR (exists key ("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\" & (if (current profile type of firewall = domain firewall profile type) then ("DomainProfile") else ("StandardProfile"))) whose (value "EnableFirewall" of it = 1) of registry)
Used in 1 fixlet | * Results in a true/false |
exists key (if (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall" of registry) then ("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\") else ("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\") & (if (current profile type of firewall = domain firewall profile type) then ("DomainProfile") else ("StandardProfile"))) whose (value "DoNotAllowExceptions" of it = 1) of registry OR ((not exists globally open port whose (port of it as string = (value "ListenPort" of key "HKLM\SOFTWARE\BigFix\EnterpriseClient\GlobalOptions" of registry as string) AND protocol of it = udp AND enabled of it) of it AND not exists authorized application whose (process image file name of it as lowercase ends with "besclient.exe" AND enabled of it) of it) of current profile of local policy of firewall AND exists internet connection firewall whose (enabled of it AND not exists port mapping whose (enabled of it AND protocol of it = "udp" AND internal port of it as string = (value "ListenPort" of key "HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\GlobalOptions" of registry) as string) of it) of adapters of network)
Actions
Action 1 (default)
Action Link
Click here to leave Windows Firewall enabled, but also allow incoming traffic on the port reserved for BES.
Script Type
BigFix Action Script
wait "{pathname of client folder of site "BESSupport" & "\RunQuiet.exe"}" "{pathname of system folder}\netsh.exe" firewall add portopening protocol=UDP port={value "ListenPort" of key "HKLM\SOFTWARE\BigFix\EnterpriseClient\GlobalOptions" of registry} name="BES Client" mode=ENABLE profile=ALL
regset "{"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\" & (if (current profile type of firewall = domain firewall profile type) then ("DomainProfile") else ("StandardProfile")) & "]"}" "DoNotAllowExceptions"=dword:00000000
Success Criteria
This action will be considered successful when the applicability relevance evaluates to false.
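The example below is added here and is not BigFix code. It is a simplified model of the DoNotAllowExceptions and open-port checks in the relevance above, run over constructed registry snapshots, and it shows why Action 1 reports 'Failed' when the setting comes from group policy: the action writes the local FirewallPolicy key, while the relevance reads the Policies key whenever it exists. The function names, the snapshot layout and the "port:protocol:scope:state:name" entry format of GloballyOpenPorts\List are assumptions of this example; the authorized-application and Internet Connection Firewall checks are left out.

```python
# Added example (not BigFix code): model of the Fixlet's exception/port checks.
POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall"
LOCAL = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
BES = r"HKLM\SOFTWARE\BigFix\EnterpriseClient\GlobalOptions"

def udp_port_open(snapshot, profile, port):
    """True if the local policy holds an enabled UDP opening for `port`.
    Assumed entry format: 'port:protocol:scope:Enabled|Disabled:name'."""
    entries = snapshot.get(LOCAL + "\\" + profile + r"\GloballyOpenPorts\List", {})
    for data in entries.values():
        fields = data.split(":")
        if (len(fields) >= 4 and fields[0] == str(port)
                and fields[1].upper() == "UDP" and fields[3].lower() == "enabled"):
            return True
    return False

def assess(snapshot, profile="StandardProfile"):
    """Return 'gpo', 'local' or 'allowed' for the BES listen port."""
    port = snapshot[BES]["ListenPort"]
    # As in the relevance: if the Policies key exists, read the setting there.
    gpo_managed = any(k == POLICY or k.startswith(POLICY + "\\") for k in snapshot)
    root = POLICY if gpo_managed else LOCAL
    no_exceptions = snapshot.get(root + "\\" + profile, {}).get("DoNotAllowExceptions") == 1
    if no_exceptions and gpo_managed:
        return "gpo"      # local regset cannot clear it; fix in group policy
    if no_exceptions or not udp_port_open(snapshot, profile, port):
        return "local"    # Action 1 (netsh portopening + regset) applies
    return "allowed"

# Constructed sample snapshots: {key path: {value name: data}}
STD_LIST = LOCAL + r"\StandardProfile\GloballyOpenPorts\List"
DOM_LIST = LOCAL + r"\DomainProfile\GloballyOpenPorts\List"
BEFORE = {
    BES: {"ListenPort": "52311"},
    LOCAL + r"\StandardProfile": {"EnableFirewall": 1, "DoNotAllowExceptions": 0},
    STD_LIST: {"3389:TCP": "3389:TCP:*:Enabled:Remote Desktop"},
}
AFTER = dict(BEFORE)
AFTER[STD_LIST] = dict(BEFORE[STD_LIST], **{"52311:UDP": "52311:UDP:*:Enabled:BES Client"})
GPO = {
    BES: {"ListenPort": "52311"},
    POLICY + r"\DomainProfile": {"EnableFirewall": 1, "DoNotAllowExceptions": 1},
    LOCAL + r"\DomainProfile": {"EnableFirewall": 1, "DoNotAllowExceptions": 0},
    DOM_LIST: {"52311:UDP": "52311:UDP:*:Enabled:BES Client"},
}

if __name__ == "__main__":
    for name, snap, prof in (("before", BEFORE, "StandardProfile"),
                             ("after", AFTER, "StandardProfile"),
                             ("gpo", GPO, "DomainProfile")):
        print(name, "->", assess(snap, prof))
```

In the GPO snapshot the local key already has the port open and DoNotAllowExceptions cleared, yet the result is still 'gpo', which is the case the Important Note describes.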
Action 2
Action Link
Click here for information on how to make this action a "policy" action that will automatically open the BES port on any computer that has this Fixlet message relevant.
Script Type
URL
http://support.bigfix.com/cgi-bin/kbdirect.pl?id=113
Action 3
Action Link
Click here for more information about the Internet Connection Firewall from Microsoft.
Script Type
URL
http://support.microsoft.com/kb/320855
Action 4
Action Link
Click here to disable Windows Firewall.
Script Type
BigFix Action Script
regset "{"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\" & (if (current profile type of firewall = domain firewall profile type) then ("DomainProfile") else ("StandardProfile")) & "]"}" "EnableFirewall"=dword:00000000
Success Criteria
This action will be considered successful when the applicability relevance evaluates to false.
Action 5
Action Link
Click here for more information about Windows Firewall from Microsoft.
Script Type
URL
http://support.microsoft.com/kb/320855