Windows Firewall is Blocking BES Traffic - BES Relay/Server

Description

Windows Firewall replaced Internet Connection Firewall starting in Windows XP SP2 and Windows 2003 SP1. The listed computers have the Windows Firewall enabled and configured to block inbound traffic on the port used by BES (BES uses port 52311 by default).

Both UDP and TCP packets are used by the BES Server and BES Relays to send information about new actions and fixlets. After configuring Windows Firewall to allow inbound traffic on the BES Listen Port, BES Servers and BES Relays will resume normal communication.

Note: After this action is applied, affected BES Relays will not report until they have performed their standard once-per-day gather or until the BES Relay is restarted.

Important Note: If the listed computers' firewall settings are being administered through a domain group policy, the results of this action may be overwritten by that policy. The actions below will only affect the local firewall policy, and will not affect any group firewall policy settings that may have been applied by a domain administrator. If your firewall has been configured via a domain group policy, these actions may report back as 'Failed', and the firewall must be disabled or configured through group policy instead.


Property Details

ID: 558
Title: Windows Firewall is Blocking BES Traffic - BES Relay/Server
Category: Support
Download Size: 0
Source: BigFix
Source ID: <Unspecified>
Source Severity: Important
Source Release Date: 10/3/2005 12:00:00 AM
Keywords: BES Firewall Relays policy firewall
Added on: 10/17/2012 1:16:11 PM
Last Modified on: 10/17/2012 1:16:11 PM
Counters: 5571 Views / 3 Downloads

Relevance

Relevance 1 (used in 85 fixlets and 9 analyses; results in a true/false):
exists relay service OR exists main gather service

Relevance 2 (used in 5 fixlets; results in a true/false):
exists file "netsh.exe" of system folder

Relevance 3 (used in 3 fixlets; results in a true/false):
((name of it = "WinXP" AND (it != "" AND last 1 of it > "1") of csd version of it) OR ((name of it = "Win2003" OR name of it = "WinXP-2003") AND csd version of it != "")) of operating system

Relevance 4 (used in 3 fixlets; results in a true/false):
(not exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall" of registry AND firewall enabled of current profile of local policy of firewall) OR (exists key ("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\" & (if (current profile type of firewall = domain firewall profile type) then ("DomainProfile") else ("StandardProfile"))) whose (value "EnableFirewall" of it = 1) of registry)

Relevance 5 (used in 1 fixlet; results in a true/false):
version of client >= "5.1.1.50"

Relevance 6 (used in 1 fixlet; results in a true/false):
exists key (if (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall" of registry) then ("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\") else ("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\") & (if (current profile type of firewall = domain firewall profile type) then ("DomainProfile") else ("StandardProfile"))) whose (value "DoNotAllowExceptions" of it = 1) of registry OR ((not exists globally open port whose (enabled of it AND port of it as string = (value "ListenPort" of key "HKLM\SOFTWARE\BigFix\EnterpriseClient\GlobalOptions" of registry as string) AND protocol of it = tcp) of current profile of local policy of firewall) AND (exists internet connection firewall whose (enabled of it AND (not exists port mapping whose (enabled of it AND protocol of it = "tcp" AND internal port of it as string = (value "ListenPort" of key "HKLM\SOFTWARE\BigFix\EnterpriseClient\GlobalOptions" of registry as string)) of it)) of adapters of network) AND (not exists authorized application whose (enabled of it AND (it ends with "besrelay.exe" OR it ends with "filldb.exe") of (process image file name of it as lowercase)) of current profile of local policy of firewall)) OR ((not exists globally open port whose (enabled of it AND port of it as string = (value "ListenPort" of key "HKLM\SOFTWARE\BigFix\EnterpriseClient\GlobalOptions" of registry as string) AND protocol of it = udp) of current profile of local policy of firewall) AND (exists internet connection firewall whose (enabled of it AND (not exists port mapping whose (enabled of it AND protocol of it = "udp" AND internal port of it as string = (value "ListenPort" of key "HKLM\SOFTWARE\BigFix\EnterpriseClient\GlobalOptions" of registry as string)) of it)) of adapters of network) AND (not exists authorized application whose (enabled of it AND (it ends with "besclient.exe") of (process image file name of it as lowercase)) of current profile of local policy of firewall))

Actions

Action 1 (default)

Action Link: Click here to leave Windows Firewall enabled, but also allow incoming traffic on the port reserved for BES.
Script Type: BigFix Action Script
wait "{pathname of client folder of site "BESSupport" & "\RunQuiet.exe"}" "{pathname of system folder}\netsh.exe" firewall add portopening protocol=UDP port={value "ListenPort" of key "HKLM\SOFTWARE\BigFix\EnterpriseClient\GlobalOptions" of registry} name="BES Client" mode=ENABLE profile=ALL
wait "{pathname of client folder of site "BESSupport" & "\RunQuiet.exe"}" "{pathname of system folder}\netsh.exe" firewall add portopening protocol=TCP port={value "ListenPort" of key "HKLM\SOFTWARE\BigFix\EnterpriseClient\GlobalOptions" of registry} name="BES Relay" mode=ENABLE profile=ALL
regset "{"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\" & (if (current profile type of firewall = domain firewall profile type) then ("DomainProfile") else ("StandardProfile")) & "]"}" "DoNotAllowExceptions"=dword:00000000
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.
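As an added check to go with Action 1 (example code written for this page, not the Fixlet's own action script), the following PowerShell reads the BES listen port and the same local firewall registry state that the relevance above inspects, reports per profile whether inbound TCP and UDP on that port are allowed, and with -Remediate runs the same two netsh commands Action 1 runs. It assumes the Windows XP SP2 / 2003 SP1 firewall layout (the legacy "netsh firewall" context; later Windows versions replaced it with "netsh advfirewall"), and that values under GloballyOpenPorts\List have the form port:protocol:scope:state:name, which is an assumption about that format. It checks both profiles rather than detecting the current one, and clears DoNotAllowExceptions on both, where Action 1 touches only the current profile.

```powershell
# Added example, not the Fixlet's own action script: report whether the local
# Windows Firewall allows inbound BES traffic, and optionally open the port with
# the same netsh commands Action 1 runs. Run from an elevated PowerShell.
param([switch]$Remediate)

$optionsKey = 'HKLM:\SOFTWARE\BigFix\EnterpriseClient\GlobalOptions'
$listenPort = (Get-ItemProperty -Path $optionsKey -ErrorAction SilentlyContinue).ListenPort
if (-not $listenPort) { $listenPort = 52311 }   # default BES port named in the description

# The Fixlet's Important Note: a domain group policy overrides local settings.
# This is the key its relevance uses to detect that case.
$gpoManaged = Test-Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$policyRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

function Test-BesPortOpen {
    # True when the profile's globally open port list has an enabled entry for
    # $listenPort/$Protocol. Assumed value layout: "port:proto:scope:Enabled:name".
    param([string]$Profile, [string]$Protocol)
    $listKey = Join-Path $policyRoot "$Profile\GloballyOpenPorts\List"
    if (-not (Test-Path $listKey)) { return $false }
    $valueName = "${listenPort}:$Protocol"
    $entry = (Get-ItemProperty -Path $listKey -ErrorAction SilentlyContinue).$valueName
    if (-not $entry) { return $false }
    return (($entry -split ':')[3] -eq 'Enabled')
}

function Get-BesFirewallState {
    # One record per firewall profile. Blocked mirrors the Fixlet's applicability:
    # firewall on, and either exceptions disallowed or the port not open for TCP or UDP.
    # An absent EnableFirewall value is reported as disabled here; the Fixlet's
    # relevance asks the firewall API, which applies the profile's default instead.
    foreach ($profile in 'DomainProfile', 'StandardProfile') {
        $p = Get-ItemProperty -Path (Join-Path $policyRoot $profile) -ErrorAction SilentlyContinue
        $enabled  = ($p.EnableFirewall -eq 1)
        $noExcept = ($p.DoNotAllowExceptions -eq 1)
        $tcpOpen  = Test-BesPortOpen -Profile $profile -Protocol 'TCP'
        $udpOpen  = Test-BesPortOpen -Profile $profile -Protocol 'UDP'
        [pscustomobject]@{
            Profile              = $profile
            FirewallEnabled      = $enabled
            DoNotAllowExceptions = $noExcept
            TcpOpen              = $tcpOpen
            UdpOpen              = $udpOpen
            Blocked              = $enabled -and ($noExcept -or -not $tcpOpen -or -not $udpOpen)
        }
    }
}

$state = Get-BesFirewallState
$state | Format-Table -AutoSize

if ($gpoManaged) {
    Write-Warning 'Firewall is administered by group policy; local changes may be overwritten.'
}

if ($Remediate -and ($state | Where-Object { $_.Blocked })) {
    $netsh = Join-Path $env:SystemRoot 'System32\netsh.exe'
    # Same two commands as Action 1, applied to all profiles.
    & $netsh firewall add portopening protocol=UDP port=$listenPort "name=BES Client" mode=ENABLE profile=ALL
    & $netsh firewall add portopening protocol=TCP port=$listenPort "name=BES Relay" mode=ENABLE profile=ALL
    # Action 1 clears DoNotAllowExceptions for the current profile; this clears it for both.
    foreach ($profile in 'DomainProfile', 'StandardProfile') {
        $key = Join-Path $policyRoot $profile
        if (Test-Path $key) { Set-ItemProperty -Path $key -Name DoNotAllowExceptions -Value 0 -Type DWord }
    }
    Get-BesFirewallState | Format-Table -AutoSize
}
```

Running the script without -Remediate only reports; a row with Blocked = True corresponds to the condition under which this Fixlet is relevant, and the group-policy warning tells you in advance that Action 1 would likely report back as 'Failed' on that computer.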

Action 2

Action Link: Click here for information on how to make this action a "policy" action that will automatically open the BES port on any computer that has this Fixlet message relevant.
Script Type: URL
http://support.bigfix.com/cgi-bin/kbdirect.pl?id=113

Action 3

Action Link: Click here for more information about the Internet Connection Firewall from Microsoft.
Script Type: URL
http://support.microsoft.com/kb/320855

Action 4

Action Link: Click here to disable Windows Firewall.
Script Type: BigFix Action Script
regset "{"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\" & (if (current profile type of firewall = domain firewall profile type) then ("DomainProfile") else ("StandardProfile")) & "]"}" "EnableFirewall"=dword:00000000
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.
