Jason Hammer
Situation: 300 computers in AD domain running Windows XP SP2. It is
necessary for us to open certain ports in the firewall in order to
accomplish some of our administrative tasks; i.e. port 1761 for
Zenworks Remote Control and port 2607 for Dell's Open Manage IT
Assistant.
Approach: We use the Group Policy Editor to create the appropriate
port exceptions in the Domain Profile and the Standard Profile.
Result: If we go to a machine which is a member of the domain and
log in, we observe the following:
a) Using regedit, we find that the port exceptions specified via
Group Policy are present in the local registry in the appropriate
location.
b) By issuing the command "netsh firewall show state", the port
exceptions (e.g. 1761/2607) do NOT show.
c) Similarly, if we look at the Windows Firewall component of the
Security Center control panel applet, we find the port exceptions are
NOT present.
Additional information:
a) Issuing the command netsh firewall add portopening tcp 1761
Zenworks does properly create the port exception. This is persistent
between reboots.
b) Application exceptions to the firewall specified via Group Policy
ARE successfully shown in netsh firewall show state and the Windows
Firewall application - it is only the PORT exceptions that are
failing.
Since it is essential to get these port exceptions functioning
properly, we are desperate for a solution.
We would be willing to install registry entries allowing the open
ports (via some method such as login script), but since registry
settings appear to be correct, this is not an option. Obviously,
netsh firewall add portopening is writing SOMETHING to the registry -
if we could find this entry, propagating via this method would be
practical.
At this point, failing to find the cause of failure, our only option
would be to log in to each of the 300 machines individually and
manually add the port exceptions - something we are understandably
trying to avoid.
GPRESULT, which would presumably be helpful in troubleshooting, will
show that port exceptions are enabled, but does not enumerate the port
exceptions, making it less than effective in developing a solution.
Can anyone assist? We've pretty much exhausted resources here.
TIA
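
An added example, not part of the original post and not a diagnosis of it: the Group Policy "Define port exceptions" setting takes strings of the form `port:transport:scope:status:name`, and the policy editor stores them without validating them, so one check is to run the entries through a strict parser. The function names and sample strings below are constructed for illustration, and the strictness (exact-case `TCP`/`UDP`, no colon in the name) is an assumption of this example.

```python
import ipaddress

def _scope_ok(scope):
    """Scope is '*' or a comma-separated list of localsubnet, IPv4 hosts or subnets."""
    if scope == "*":
        return True
    for item in scope.split(","):
        if item.lower() == "localsubnet":
            continue
        try:
            ipaddress.IPv4Network(item, strict=False)  # accepts /24 and /255.255.255.0
        except ValueError:
            return False
    return True

def check_port_exception(entry):
    """Return a list of problems in one port exception definition string."""
    fields = entry.split(":")
    if len(fields) != 5:
        return ["expected 5 colon-separated fields, found %d" % len(fields)]
    port, transport, scope, status, name = fields
    problems = []
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append("port must be a number from 1 to 65535")
    if transport not in ("TCP", "UDP"):
        problems.append("transport must be TCP or UDP")
    if not _scope_ok(scope):
        problems.append("scope must be *, localsubnet, or IPv4 addresses/subnets")
    if status.lower() not in ("enabled", "disabled"):
        problems.append("status must be enabled or disabled")
    if not name.strip():
        problems.append("name is empty")
    return problems

def audit(entries):
    """Map each malformed entry to its problems; well-formed entries are omitted."""
    report = {e: check_port_exception(e) for e in entries}
    return {e: p for e, p in report.items() if p}

# Constructed sample entries, as they might be copied out of a GPO's exception list.
SAMPLE = [
    "1761:TCP:*:Enabled:Zenworks Remote Control",
    "2607:TCP:10.0.0.0/255.0.0.0,localsubnet:Enabled:Dell OpenManage IT Assistant",
    "1761:TCP:Enabled:Zenworks",            # scope field missing
    "2607:TCP/UDP:*:Enabled:OpenManage",    # one entry per transport is required
    "2607:TCP:*:On:OpenManage",             # status is not enabled/disabled
]

if __name__ == "__main__":
    for entry, problems in audit(SAMPLE).items():
        print(entry, "->", "; ".join(problems))
```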