Help Sorting out a Firewall Issue
-
Hey guys, hope everyone is doing well.
I'm trying to troubleshoot a firewall issue I'm having between a server and a client.
This is to due with 'Asset Discovery' which the server will perform a TCP handshake with the client, and then hop ports to a random port to collect information about that machine, or at least that's how I understand it.
I'm watching the traffic hit the client on 135, two way TCP traffic on 135, and then a swap of ports to a random port, let's say 63595 incoming to the client from the server, so I'm assuming the handshake went swimmingly. Problem is, as soon as traffic on 63595 is hitting the client from the server, the connection times out.
I'm not well-versed in firewall configurations, and would love some help on the matter.
To troubleshoot, I've taken down the domain level firewall profile on the server temporarily. I've enabled the Windows Management Instrumentation (DCOM-In) Local Port 135 TCP and Remote Port ANY on the client.
After that wasn't cutting it, I added an outbound rule for Local Port 135 and Remote Port ANY on the client, and even swapped those two values to be sure I wasn't getting it backwards.
I'm not having any luck.
I'm still trying to read more to get a "warm and fuzzy" for Firewall configs, but am finding myself struggling to grasp Inbound Local and Remote vs Outbound Local and Remote.
Also, I've triple checked the DNS records and the forward & reverse pointer is there and the IP of the client is static.
Any help would be appreciated.
-
Are you sure that the firewall is the issue? Typically you don't need to allow outbound traffic, that's open by default 99% of the time. Otherwise "nothing" works and you are having loads and loads of issues.
Often asset discovery tools don't work over the WAN, they require an open LAN.
What actual protocol and firewall are we looking at here?
-
@mr-jones said in Help Sorting out a Firewall Issue:
I'm still trying to read more to get a "warm and fuzzy" for Firewall configs, but am finding myself struggling to grasp Inbound Local and Remote vs Outbound Local and Remote.
This depends on the specific firewall, so we need to know the details. Every firewall has its own terms and way of functioning.
-
@mr-jones said in Help Sorting out a Firewall Issue:
Also, I've triple checked the DNS records and the forward & reverse pointer is there and the IP of the client is static.
You've ruled these out as issues from your testing above.
-
Sounds like Windows firewall is involved.
What software solution are you using to do this inventory?
Assuming the server is what is reaching out to the client - the client is likely where the incoming random port needs to be open - but that will be challenging since it's a random port. If there is an agent on the client machine - the agent could open the port on the fly.
-
@scottalanmiller said in Help Sorting out a Firewall Issue:
Are you sure that the firewall is the issue?
@scottalanmiller Yea, using "Windows Firewall with advanced security" on Client. Turning it off on client solves the issue, but that's not a solution I'm comfortable deploying across the entire domain.
-
@dashrender said in Help Sorting out a Firewall Issue:
Sounds like Windows firewall is involved.
What software solution are you using to do this inventory?
...SW Web Help DeskAssuming the server is what is reaching out to the client - the client is likely where the incoming random port needs to be open - but that will be challenging since it's a random port. If there is an agent on the client machine - the agent could open the port on the fly.
Yea that was my hang-up, how do you allow a random port number? I tried allowing all traffic from the server IP as a workaround to test it, but either I'm not doing it right, or it doesn't fix the issue. Probably the former.
Mini Remote agent is deployed already in most cases, I'm wondering if there isn't an avenue there.
-
@mr-jones said in Help Sorting out a Firewall Issue:
@scottalanmiller said in Help Sorting out a Firewall Issue:
Are you sure that the firewall is the issue?
@scottalanmiller Yea, using "Windows Firewall with advanced security" on Client. Turning it off on client solves the issue, but that's not a solution I'm comfortable deploying across the entire domain.
OH Okay. That helps narrow down the problem.
Have you added the APPLICATION to the firewall. Rather than a port? Windows Firewall is "meant" to be done that way, so that it monitors the application itself rather than assigning ports statically.
-
@mr-jones said in Help Sorting out a Firewall Issue:
Yea that was my hang-up, how do you allow a random port number?
You don't, that's not a thing. You either have regular TCP communications that does this with the firewall naturally (like how you do with an every day web page) which requires nothing on your end. Or you have a situation like you often get with RTP because SIP sets up the RTP externally and you have to just have all available ports left open. Those are the two options.
EIther you do nothing, or you have to open the potential range.
-
@scottalanmiller said in Help Sorting out a Firewall Issue:
@mr-jones said in Help Sorting out a Firewall Issue:
Yea that was my hang-up, how do you allow a random port number?
You don't, that's not a thing. You either have regular TCP communications that does this with the firewall naturally (like how you do with an every day web page) which requires nothing on your end. Or you have a situation like you often get with RTP because SIP sets up the RTP externally and you have to just have all available ports left open. Those are the two options.
Can you expand on that? I don't have the full port range open on my Firewall for RTP ports for my phones. I thought this is what ALG was supposed to solve (but instead often more frequently breaks). I assumed more modern firewalls were doing a deep packet inspection to see the RTP port and then setting a temporary rule to get that traffic back to the specific internal IP.
If you just left RTP completely open - how would it know which internal IP to go to?
-
Make sure you're not confusing the port on the sender and the port on the receiver.
For instance a web browser connecting to a webserver will use a random port on the client to connect to port 80 or 443 on the server.
The primary reason to allocate a random port in this case is so it can support multiple client connections at the same time.
-
@dashrender I think you are confused.
-
@mr-jones said in Help Sorting out a Firewall Issue:
This is to due with 'Asset Discovery' which the server will perform a TCP handshake with the client, and then hop ports to a random port to collect information about that machine, or at least that's how I understand it.
I'm watching the traffic hit the client on 135, two way TCP traffic on 135, and then a swap of ports to a random port, let's say 63595 incoming to the client from the server, so I'm assuming the handshake went swimmingly. Problem is, as soon as traffic on 63595 is hitting the client from the server, the connection times out.What is defined as the server and what defined as the client here?
I mean it's common to say server when you take about a physical or virtual server and client for a workstation. But when we are talking about client/server communication it's different.
Your description that the communication is hopping to a different random incoming port doesn't really make sense.
-
@dashrender said in Help Sorting out a Firewall Issue:
I don't have the full port range open on my Firewall for RTP ports for my phones.
They aren't servers, either.
-
@dashrender said in Help Sorting out a Firewall Issue:
I thought this is what ALG was supposed to solve (but instead often more frequently breaks).
ALG has no real world purpose. There is no problem to solve.
-
@dashrender said in Help Sorting out a Firewall Issue:
If you just left RTP completely open - how would it know which internal IP to go to?
You can't port map RTP for your phones like that, so as you figured out, the entire point is moot. That's an unrelated set of issues.
-
@pete-s said in Help Sorting out a Firewall Issue:
@mr-jones said in Help Sorting out a Firewall Issue:
This is to due with 'Asset Discovery' which the server will perform a TCP handshake with the client, and then hop ports to a random port to collect information about that machine, or at least that's how I understand it.
I'm watching the traffic hit the client on 135, two way TCP traffic on 135, and then a swap of ports to a random port, let's say 63595 incoming to the client from the server, so I'm assuming the handshake went swimmingly. Problem is, as soon as traffic on 63595 is hitting the client from the server, the connection times out.What is defined as the server and what defined as the client here?
I mean it's common to say server when you take about a physical or virtual server and client for a workstation. But when we are talking about client/server communication it's different.
Your description that the communication is hopping to a different random incoming port doesn't really make sense.
Agreed - from the description - it seems like the end user device becomes the "server" it's what the server is trying to connect to on a random port. Is that the case?
-
Have you added the APPLICATION to the firewall. Rather than a port? Windows Firewall is "meant" to be done that way, so that it monitors the application itself rather than assigning ports statically.
Damnit, Scott. Take my upvote.
I was able to add a custom rule to allow the Windows Management Instrumentation SERVICE, and that solved it. Now, I know you said APPLICATION, and now I'm wondering if that's basically what you meant, and if not, what the security concern is now that I've whitelisted a whole service. Got some reading to do!
-
@mr-jones said in Help Sorting out a Firewall Issue:
Have you added the APPLICATION to the firewall. Rather than a port? Windows Firewall is "meant" to be done that way, so that it monitors the application itself rather than assigning ports statically.
Damnit, Scott. Take my upvote.
I was able to add a custom rule to allow the Windows Management Instrumentation SERVICE, and that solved it. Now, I know you said APPLICATION, and now I'm wondering if that's basically what you meant, and if not, what the security concern is now that I've whitelisted a whole service. Got some reading to do!
That's the ONLY way you should be doing it if possible. Of course you want the application whitelisted, because if it uses a port, it needs to be open. If it doesn't use a port, it shouldn't be open. There are only security risks to using ports instead of applications. Whitelisting an application is the most secure option short of keeping everything closed and not allowing things to work. Application listing is the minimum necessary. Ports is "more than necessary", except, sometimes it is necessary.
-
The entire point of opening a port is to get access to an application. The problem with opening a port is that if that application crashes, is hijacked, turns off, doesn't start, etc then the port could be used by another service and the port would stay open to it. So there is a risk opening a port rather than just the application. It's a small risk, but it is real. Listing an application is the proper way and the way Microsoft intends. Using ports is a fallback for when you can't do that.
