Re: Group Policy - WinXp firewall
- From: "Dale" <DaleatCCSMN@xxxxxxxxxx>
- Date: Fri, 22 Apr 2005 17:28:00 -0500
I installed the patches to SBS to make Group Policy WinXPSP2 aware and that solved my problem.
Thanks
Dale
"Dale" <DaleatCCSMN@xxxxxxxxxx> wrote in message news:uVDahOWRFHA.3288@xxxxxxxxxxxxxxxxxxxxxxx
I'm not sure that the patches to make Group Policy WinXPSP2 aware are applied. I will check that. That could explain everything :o)
Dale
"Roger Heim" <nospam@xxxxxxxxxxxxx> wrote in message news:%234MDFeSRFHA.1172@xxxxxxxxxxxxxxxxxxxxxxx
Dale,
OK, I wrote a step by step for setting this (see below) when I re-read your OP. If you're saying these options are not available on the server then I'll ask you if you installed the patches to SBS to make Group Policy WinXPSP2 aware? There were a couple of patches for SBS (not offered through WU) that added ADM templates for WinXPSP2. Without these templates you won't see all the settings.
If you've got those patches, here's the step-by-step...
On the server open Group Policy Management (I prefer to open it directly from Administrative Tools but you can open it from Server Management if you want.) Expand the Forest, Domains, your domain.local, then Group Policy Objects. Right click Group Policy Objects and select New; give the new policy an appropriate name. Right click the newly created policy and select Edit; this will open the Group Policy Object Editor with the new policy open.
Drill down into Computer Configuration/Administrative Templates/Network/Network Connections/Windows Firewall/Domain Profile. Right click "Windows Firewall: Define port exceptions" and select properties. Click "Enabled", then the "Show" button. In the "Show Contents" dialog, click the Add button.
The syntax for a port exception is <Port>:<Transport>:<Scope>:<Status>:<Name> (this is shown in the setting property page). In your case I believe the correct setting should be:
"6719:TCP:localsubnet:enabled:Database Application"
without the quotes. The setting "localsubnet" determines which part of your network the port should be open for; localsubnet will open it for all computers on the same subnet.
Now drill down into Computer Configuration/Administrative Templates/System/Logon and enable "Always wait for the network at computer startup and logon"; this will make the client wait for the network to be available before trying to apply policy. Close the Group Policy Object Editor.
Now go back to Group Policy Management and right click one of the nodes under MyBusiness and select "Link an Existing GPO" and select the Group Policy Object you created above. Which node to right-click depends on what OU you want to apply the GPO to. After you've applied it to a node, expand the node you applied it to and click the linked GPO in the tree; you'll see the details on the right side of the Group Policy Management Window. At the bottom, under "WMI Filtering" change it to "PostSP2"; this will restrict the policy just to WinXPSP2 computers.
It may take a time or two for the clients to reboot and log in before it 'takes.'
Dale, I just did this myself last week on a new network and it did exactly what I wanted. If this still doesn't answer your questions then I'm sorry, I'm just not understanding your problem.
Roger
Dale wrote:
*YES!*
But, as I explained, on this server at least, the only option is either to allow a local administrator to make changes or not. I want to enforce the opening of the specific port # 6719 on all computers. That option is not available in this tree of the GP. I am asking if anyone knows the correct method of enforcing the opening of specific ports.
And that is NOT what you explained.
Dale
"Roger Heim" <nospam@xxxxxxxxxxxxx> wrote in message news:uLnJ5vgQFHA.3076@xxxxxxxxxxxxxxxxxxxxxxx
I know. That's what I explained.
Do you know how to use GPO on the server?
Roger
RoadRunner wrote:
I found the policy that allows administrators to use the Windows Firewall component in Control Panel to define local Port Exceptions.
I am looking for the one that will Define Port Exceptions through a Group Policy Setting at the server for a group (OU) of connected computers.
Dale
"Roger Heim" <nospam@xxxxxxxxxxxxx> wrote in message news:%23w8aODSQFHA.3416@xxxxxxxxxxxxxxxxxxxxxxx
Yes, the settings for GP are under "Computer Configuration/Administrative Templates/Network/Network Connections/Windows Firewall/Domain Profile/Windows Firewall: Define port exceptions"
Roger
Dale wrote:
I have a client that installed a database and client that wants to communicate over port 6719.
The DB vendor first suggested that the Xp firewall be turned off, but then settled on having TCP port 6719 open in both directions at each client PC and the server. All attempts to allow the database client program to connect to the database fail. All telnet connection attempts to port 6719 on the Xp workstations fail.
Can we open port 6719 by using a group policy?
Dale
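
The port-exception syntax given in the thread (`<Port>:<Transport>:<Scope>:<Status>:<Name>`) is easy to mistype in the "Show Contents" dialog, so the following added example, which is not part of the original posts, parses and checks an entry before it goes into a GPO. The function names are hypothetical, and the accepted scope values (`*`, `localsubnet`, IPv4 addresses and subnets, comma-separated) are an assumption based on the setting's own help text rather than anything stated in the thread.

```python
import ipaddress

def parse_port_exception(entry):
    """Parse '<Port>:<Transport>:<Scope>:<Status>:<Name>' into a dict.

    Raises ValueError on a malformed entry.
    """
    # Tolerate pasted quotes; split at most 4 times so the free-text
    # name keeps any colon it contains (assumption: names may have one).
    parts = [p.strip() for p in entry.strip().strip('"').split(":", 4)]
    if len(parts) != 5:
        raise ValueError("expected 5 colon-separated fields: %r" % entry)
    port, transport, scope, status, name = parts
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError("port must be 1-65535: %r" % port)
    if transport.upper() not in ("TCP", "UDP"):
        raise ValueError("transport must be TCP or UDP: %r" % transport)
    if status.lower() not in ("enabled", "disabled"):
        raise ValueError("status must be enabled or disabled: %r" % status)
    if not name:
        raise ValueError("name is empty")
    scopes = []
    for item in scope.split(","):
        item = item.strip()
        if item == "*" or item.lower() == "localsubnet":
            scopes.append(item.lower())
        else:
            # IPv4 address or subnet; IPv4Network raises ValueError if invalid.
            scopes.append(str(ipaddress.IPv4Network(item, strict=False)))
    return {"port": int(port), "transport": transport.upper(),
            "scope": scopes, "enabled": status.lower() == "enabled",
            "name": name}

def review(rule):
    """Return warnings for entries that are broader or weaker than intended."""
    warnings = []
    if "*" in rule["scope"]:
        warnings.append("scope '*' opens the port to any source address")
    if not rule["enabled"]:
        warnings.append("status is 'disabled', so the port is not opened")
    return warnings

if __name__ == "__main__":
    # Constructed sample entries: the thread's setting plus two variants.
    for text in ("6719:TCP:localsubnet:enabled:Database Application",
                 "6719:TCP:*:enabled:Database Application",
                 "6719:TCP:enabled:Database Application"):
        try:
            rule = parse_port_exception(text)
            print(text, "->", review(rule) or "ok")
        except ValueError as err:
            print(text, "-> rejected:", err)
```
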