Thread: Server 2008 with Hyper-V - domain controller - Firewall GUI's show firewall ON, but netsh reports firewall OFF

  1. #1
    Bruce Sanderson Guest

    Server 2008 with Hyper-V - domain controller - Firewall GUI's show firewall ON, but netsh reports firewall OFF

    I've worked with the Windows Firewall since it was introduced in Windows XP
    SP2 and Windows 2008 since it went to beta.

    But, now I'm confused (the system is working fine - it's just that netsh
    appears to give inconsistent results - see question at the end of this
    post).

    The server is running Windows Server 2008 64 bit with Hyper-V. In the
    "parent" VM, I have AD Domain Services and WSUS installed with the firewall
    configured via GPO (this is a small domain I have at home for testing etc.).

    If I run the Start, Administrative Tools, Windows Firewall with Advanced
    Security it tells me:
    For your security, some settings are controlled by Group Policy
    Domain Profile is Active
    Windows Firewall is on.
    Inbound connections that do not match a rule are blocked
    Outbound connections that do not match a rule are allowed

    If I run Control Panel, Windows Firewall, it tells me:
    For your security, some settings are controlled by Group Policy
    Windows Firewall is on.
    Inbound connections that do not have an exception are blocked.
    Display a notification when a program is blocked: Yes
    Network Location: Domain network

    If I click Change Settings, the Windows Firewall Settings dialog tells me:
    For your security, some settings are controlled by Group Policy
    the On radio button is selected, but grayed out
    the Exceptions tab shows several exceptions, some set by Group Policy
    and some set locally
    [I've allowed local exceptions in the Group Policy]

    If I run this command (I get the same result in a "normal" and "elevated"
    command prompt window)

    netsh firewall show state

    I get this:

    Firewall status:
    -------------------------------------------------------------------
    Profile = Domain
    Operational mode = Enable
    Exception mode = Enable
    Multicast/broadcast response mode = Enable
    Notification mode = Enable
    Group policy version = Windows Firewall
    Remote admin mode = Enable

    Ports currently open on all network interfaces:
    Port Protocol Version Program
    -------------------------------------------------------------------
    500 UDP Any (null)
    4500 UDP Any (null)
    88 UDP Any (null)
    88 TCP Any (null)
    80 TCP Any (null)
    53212 TCP Any (null)
    53211 TCP Any (null)
    53 UDP Any (null)
    53 TCP Any (null)
    389 UDP Any (null)
    389 TCP Any (null)
    3268 TCP Any (null)
    123 UDP Any (null)

    All of the above conforms to my understanding of what I have configured.

    If I run this command (I get the same result in a "normal" and "elevated"
    command prompt window)

    netsh advfirewall show currentprofile

    I get this:

    Domain Profile Settings:
    ----------------------------------------------------------------------
    State OFF
    Firewall Policy BlockInbound,AllowOutbound
    LocalFirewallRules N/A (GPO-store only)
    LocalConSecRules N/A (GPO-store only)
    InboundUserNotification Enable
    RemoteManagement Disable
    UnicastResponseToMulticast Enable

    Logging:
    LogAllowedConnections Enable
    LogDroppedConnections Enable
    FileName
    C:\Windows\system32\LogFiles\Firewall\pfirewall.log
    MaxFileSize 4096

    Ok.

    So what does "State OFF" mean when all other indications are that the
    firewall is ON?

  2. #2
    Bill Grant Guest

    Re: Server 2008 with Hyper-V - domain controller - Firewall GUI's show firewall ON, but netsh reports firewall OFF

    That definitely doesn't look right. I just ran the same command on this
    machine (Vista in a workgroup) and the output shows

    Private Profile Settings:

    State ON

    If I disable the firewall from the GUI it changes to OFF.

    It could have something to do with Hyper-V. Do you have a virtual
    network linked to the NIC? This makes pretty major changes to the way the
    NIC works. The host actually connects to the network through the virtual
    switch.

    Microsoft actually recommends that you do not run any role except
    Hyper-V in the parent partition.

  3. #3
    George Yin Guest

    RE: Server 2008 with Hyper-V - domain controller - Firewall GUI's show firewall ON, but netsh reports firewall OFF

    Hello,

    Yes, we do not recommend installing other services or applications on the
    parent partition except the Hyper-V role.

    I have a Hyper-V server running in my domain environment. I have checked
    all the firewall setting and they are working fine. The Domain Profile
    Settings State shows ON.

    This "state off" usually means that the relevant profile has been turned
    off. Would you please try manually turning on the profile to see how it
    goes? Try the following command to see if it can help:

    Netsh advfirewall set currentprofile state on

    If this does not help, I would suggest that you check the Event Viewer,
    located at the sections under "Applications and Services
    Logs\Microsoft\Windows" starting with the words "Hyper-V-", to see if any
    errors or warnings exist.

    You may also need to check the firewall settings to see if any incorrect
    configuration exists.

    If possible, I would also suggest that you try removing other services and
    applications, or try reinstalling the Hyper-V server (without any other
    applications or services) to see if the problem remains.

    Besides, if you have any questions or problems relating to Hyper-V, I would
    like to suggest that you post in our Hyper-V forum. People there have
    better knowledge on Hyper-V and they may share some useful information with
    you.

    http://social.technet.microsoft.com/...yperv/threads/

    Sincerely,
    George Yin
    Microsoft Online Support
    Microsoft Global Technical Support Center

    Get Secure! - www.microsoft.com/security
    =====================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    =====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.


  4. #4
    Bruce Sanderson Guest
    Bill, thanks for your reply.

    This physical computer has only one network adapter and there are virtual
    machines that (when they are running) communicate with each other, other LAN
    attached computers and the Internet (via a router), so yes, there is a
    virtual network linked to the NIC.

    I ran the netsh advfirewall show currentprofile on another Windows Server
    2008 Domain Controller (single DC in experimental domain) installation and
    it shows:

    Domain Profile Settings
    --------------------------------------------
    State ON

    So, looks like your supposition that Hyper-V is causing the discrepancy is
    most likely bang on.

    In a "production" installation, I wouldn't recommend using the Hyper-V parent
    partition as a Domain Controller either. In my simple home installation,
    the server is mostly to be a domain controller and WSUS server - running
    Virtual Machines is secondary, but I wanted to get some experience with
    Hyper-V, so added that role.

    I find many references in forums, articles etc. that say "Microsoft
    recommends" not running applications in the Parent vm, but I can't find any
    Microsoft document that says this (not that it/they don't exist, just I
    can't find them!). Do you know where such recommendations by Microsoft can
    be found? I'd like to have it handy for future reference.

  5. #5
    Bruce Sanderson Guest

    Re: Server 2008 with Hyper-V - domain controller - Firewall GUI's show firewall ON, but netsh reports firewall OFF

    Sorry to take so long to reply - been kind of busy and out of touch lately.

    1. Why is there no Hyper-V newsgroup? I know I am not alone in finding web
    "forums" slow and clumsy to use, including the Microsoft TechNet forums - I
    avoid using web forums whenever possible because it is too slow navigating
    around, viewing posts etc. Newsgroups are much quicker and easier to use
    via a newsgroup reader (e.g. Windows Mail or Outlook Express). Please
    suggest to whoever manages the Microsoft newsgroups (e.g.
    msnews.microsoft.com) or Hyper-V that a newsgroup for Hyper-V (e.g.
    microsoft.public.windows.server.hyper-v) would be useful.

    2. Why does netsh say the firewall is OFF when all the firewall related GUIs
    (e.g. Windows Firewall with Advanced Security) show that the firewall is ON?
    Is there a document somewhere that explains this difference? Also, all
    other evidence is that the firewall is indeed blocking unwanted traffic and
    is thus ON. For example, if I remove the check mark (in the Windows
    Firewall Control Panel applet) for Remote Service Management, attempting to
    view or manage services remotely (e.g. via Computer Management) from another
    computer fails (RPC service not available). When I add the check mark back
    again, I can again view and manage services remotely.

    3. I see no Event Log entries about any problems with the firewall
    configuration or Hyper-V (or other services) in any event logs.

    4. This is a very small installation (just the one server), so it is not
    practical for me to remove the Active Directory or other services (e.g.
    several file shares) from this server. I'll consider moving these services
    to a child partition, but then, since the only domain controller will be a
    virtual machine running on this server, it won't be practical to make the
    Hyper-V parent partition a domain member, which will be awkward.

    5. As suggested, I executed the command netsh advfirewall set currentprofile
    state on. Apart from the fact that the netsh advfirewall show
    currentprofile command now reports Status: ON, I cannot detect any change
    in behaviour of the firewall, the server or the services running on it -
    everything is still working as it was before, including Active Directory,
    WSUS, file sharing etc.
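The empirical check Bruce describes in point 2 (pull an exception, see whether the remote connection fails) can be made repeatable from a second domain member. The script below is an added example, not code from the original thread: it probes the TCP ports that "netsh firewall show state" listed as open in the first post, plus one port that has no listener and no rule, and classifies each answer. The DC host name, the control port 9999 and the timeout are assumptions chosen for illustration. The security-relevant distinction is in the third outcome: a SYN that simply times out ("filtered") is what Windows Firewall's default inbound block produces, whereas a prompt RST ("closed") means the TCP stack answered with no firewall in front of it.

```powershell
# Added example (not from the original thread). Run on a second domain member,
# not on the DC itself, so the probe actually crosses the firewall.
param(
    [string]$Target    = 'dc1.example.local',  # assumed name of the DC under test
    [int]   $TimeoutMs = 2000
)

# TCP ports from the "Ports currently open" table in the first post.
$expectedOpen = 53, 80, 88, 389, 3268
# Assumed control port: nothing listens here and no rule allows it, so with the
# firewall ON it must time out ("filtered"), never answer with a RST ("closed").
$expectedClosed = 9999

# Resolve once up front so a DNS failure is reported as such, not as "closed".
$addresses = [System.Net.Dns]::GetHostAddresses($Target)
if ($addresses.Count -eq 0) { throw "Cannot resolve $Target" }

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'filtered'   # no SYN-ACK and no RST: dropped, the firewall's default block behaviour
        }
        $client.EndConnect($async)
        return 'open'           # three-way handshake completed: a rule allows it and a service listens
    } catch [System.Net.Sockets.SocketException] {
        return 'closed'         # RST received: the host's TCP stack answered, nothing blocked the SYN
    } catch {
        return 'error'
    } finally {
        $client.Close()
    }
}

$results = foreach ($p in $expectedOpen + $expectedClosed) {
    $observed = Test-TcpPort -ComputerName $Target -Port $p -TimeoutMs $TimeoutMs
    $expected = if ($expectedOpen -contains $p) { 'open' } else { 'filtered' }
    New-Object PSObject -Property @{
        Port     = $p
        Expected = $expected
        Observed = $observed
        OK       = ($observed -eq $expected)
    }
}

$results | Sort-Object Port | Format-Table Port, Expected, Observed, OK -AutoSize
```

If the control port comes back "closed" rather than "filtered", the firewall is not in the path at all, whatever the local netsh store says; if the listed ports come back "filtered", the rules that the Group Policy is supposed to deliver have not reached the machine (compare with gpresult /r on the DC).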

  6. #6
    George Yin Guest

    Re: Server 2008 with Hyper-V - domain controller - Firewall GUI's show firewall ON, but netsh reports firewall OFF

    Hello Bruce,

    Thank you for the update.

    Regarding the question 1.
    ====================

    I can fully understand your concern.

    However, the forum is considered the next generation of communication
    platform, and all the current newsgroups will be migrated to the forum.

    I have heard from the forum product group that they are doing a lot of work
    to improve the forum. Similar tools, like the OE that can be used with
    newsgroups, are also being developed. This may take a little longer, but I
    am sure that you will enjoy it.

    I am sorry if it brings any inconvenience right now.

    Regarding the questions 2, 3 and 5.
    =========================

    Did you configure the Group Policy for Windows Firewall with Advanced
    Security like this?

    The Firewall state is set to 'On (recommended)', on the Domain Profile tab,
    of the Windows Firewall with Advanced Security.

    If you did, the Firewall state of the Windows Firewall with Advanced
    Security on the client computers is greyed out. This means that any changes
    on the client side will be overridden by the Group Policy (you can still
    add new rules), even though you can turn the profile on or off. However, that
    doesn't really affect the current settings and doesn't really turn the
    profile on or off.

    So, please check if the Group Policy is really applied to the client
    machine (including all the rules set in the Group Policy).

    If it is, you can ignore the output of the "netsh advfirewall show
    currentprofile", as it doesn't really affect the current settings.
    Actually, the Group Policy does.

    If not, you may need to check the network settings. Try "gpupdate /force"
    on the client machine to see how it goes.

    Regarding the question 4.
    ====================

    I would agree with you. That may be much better than putting Active
    Directory into a child partition.

    Sincerely,
    George Yin
    Microsoft Online Support
    Microsoft Global Technical Support Center

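George's explanation is that two stores are involved: the Group Policy store, which is what the GUIs report and what is enforced, and the local store, which "netsh advfirewall show currentprofile" reads and which "netsh advfirewall set currentprofile state on" writes. The script below is an added example, not code from the original thread or from Microsoft: run elevated on the server, it reads the EnableFirewall value for each profile from both registry locations and shows which one wins. The registry paths are the documented homes of policy-delivered and locally-set Windows Firewall settings; that the policy value takes precedence whenever present, that a missing local value means "on", and the DomainProfile/StandardProfile/PublicProfile key names for the three profiles are this example's assumptions, stated in the comments.

```powershell
# Added example (not from the original thread). Run in an elevated prompt on the
# machine whose netsh output is in question.
$profiles = @{
    Domain  = 'DomainProfile'     # assumed key names for the three profiles
    Private = 'StandardProfile'
    Public  = 'PublicProfile'
}
# Settings delivered by Group Policy land here ...
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
# ... and settings made locally (GUI, "netsh advfirewall set") land here.
$localRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

function Get-FirewallValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }   # key exists but the value is not set
    return $item.$Name
}

function Get-EffectiveFirewallState {
    param([string]$ProfileKey)
    $gpo   = Get-FirewallValue "$policyRoot\$ProfileKey" 'EnableFirewall'
    $local = Get-FirewallValue "$localRoot\$ProfileKey"  'EnableFirewall'

    # Assumption: a policy value, when present, overrides the local store;
    # with neither value set the firewall defaults to on (1).
    $effective = if ($gpo -ne $null) { $gpo } elseif ($local -ne $null) { $local } else { 1 }

    New-Object PSObject -Property @{
        Profile    = $ProfileKey
        GpoStore   = if ($gpo   -eq $null) { 'not set' } elseif ($gpo   -eq 1) { 'ON' } else { 'OFF' }
        LocalStore = if ($local -eq $null) { 'not set' } elseif ($local -eq 1) { 'ON' } else { 'OFF' }
        Effective  = if ($effective -eq 1) { 'ON' } else { 'OFF' }
        Source     = if ($gpo -ne $null) { 'Group Policy' } else { 'Local' }
    }
}

foreach ($name in $profiles.Keys) {
    $r = Get-EffectiveFirewallState $profiles[$name]
    '{0,-8} GPO store: {1,-8} Local store: {2,-8} Effective: {3,-4} (from {4})' -f `
        $name, $r.GpoStore, $r.LocalStore, $r.Effective, $r.Source
}
```

The situation in this thread would show up as "GPO store: ON, Local store: OFF, Effective: ON (from Group Policy)" for the Domain profile, which is why flipping the local value with netsh changed the report but not the behaviour. A practitioner should treat the policy store as the source of truth only after confirming the policy actually applied (gpresult /r, or a fresh gpupdate /force as George suggests); on Windows 7 / Server 2008 R2 and later, "netsh advfirewall monitor show firewall" reports the merged effective state directly, and on Server 2012 and later so does Get-NetFirewallProfile -PolicyStore ActiveStore.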


  7. #7
    George Yin Guest

    Re: Server 2008 with Hyper-V - domain controller - Firewall GUI's show firewall ON, but netsh reports firewall OFF

    Hello,

    I am just writing to see how everything is going. If you have any updates
    or need any further assistance on this issue, please feel free to let me
    know. I am glad to be of assistance.

    Sincerely,
    George Yin
    Microsoft Online Support
    Microsoft Global Technical Support Center


