RE: Workstation Firewall / Group Policy

Hello Cooper,

Thanks for posting here.

From your problem description, I understand your issue to be: you want to
configure the clients' firewall by SBS GPO to let network backup software
ARCservit can create connection properly. If I am off base, please do not
hesitate to let me know.

First, I have to expect that this issue is most related with the
third-party software, if it is narrowed down to the network backup software
side, you may need to contact the software vendor.

Please try to directly disable Windows Firewall on one XP workstation, and
then monitor this issue.

If it still can not work, that means the issue is not related with XP
firewall, please contact your software vendor for further investigation.

If it work fine, that means the issue is related with XP firewall, you can
go through the following steps.

Generally, you could try to edit the GPO '' Small Business Server Windows
Firewall'' on SBS to configure the firewall on client. However, before the
operation, you need to confirm the following things first.

After you install the Windows XP SP2 in your SBS 2k3 network, you may need
to install the Update for SBS 2k3 server first, please refer to the
following article.

872769 You cannot configure Windows Firewall settings or Security Center
http://support.microsoft.com/?id=872769

If you want to modify the Group Policy setting that is configured when you
installed the Windows Small Business Server 2003 Update for Windows XP SP2,
install the hotfix that is described in the following Microsoft Knowledge
Base article:

842933 "The following entry in the [strings] section is too long and has
been truncated" error message when you edit or view Group Policy in Windows
Server 2003, in Windows XP, or in Windows 2000
http://support.microsoft.com/default.aspx?kbid=842933

Install both the Windows Small Business Server 2003 Update for Windows XP
SP2 (872769) and the hotfix that is described in the article 842933 only if
you want to modify the Group Policy setting that is configured when you
installed the Windows Small Business Server 2003 Update for Windows XP SP2.
If you do not install the hotfix that is described in article 842933 after
you install the Windows Small Business Server 2003 Update for Windows XP
SP2, you receive the following error message when you try to manage Group
Policy settings:

The following entry in the [strings] section is too long and has been
truncated.

After installing the above 2 hotfixes, then please connect your ARCservit
vendor, ask them what ports the software connect needed, then add these
exceptions ports for clients firewall via GPO:

Please use the following steps to add exceptions ports for clients:

1. Start -> Administrative Tools -> Group Policy Management
2. Expand Domains -> Your Domain
3. Right click the Small Business Server Windows Firewall and click Edit
4. Computer configuration>Administrative templates>Network>Network
connections> Windows Firewall> Domain Profile;
5. Double click "Windows Firewall: Define port exceptions", select Enabled
6. Click Show button, then add the except ports in the box. Click OK twice
time.
7. Run Gpupdate /force on your XP2 client
8. Logon and logoff your client and test your issue again.

If add these exceptions ports do not resolve the issue, please try to
disable all clients firewall via GPO

Please use the following steps to disable client XP sp2 ICF:

1. Start -> Administrative Tools -> Group Policy Management
2. Expand Domains -> Your Domain
3. Right click the Small Business Server Windows Firewall and click Edit
4. Computer configuration>Administrative templates>Network>Network
connections> Windows Firewall> Domain Profile;
5. In "Windows Firewall: Protect all network connections" should be set to
''Disable''
6. Run Gpupdate /force on your XP2 client
7. Logon and logoff your client and test your issue again.

The following image may help you to configure it.

http://www.sbslinks.com/XPsp2.htm

==============================
This response contains a reference to a third party World Wide Web site.
Microsoft can make no representation concerning the content of these sites.
Microsoft is providing this information only as a convenience to you: this
is to inform you that Microsoft has not tested any software or information
found on these sites and therefore cannot make any representations
regarding the quality, safety, or suitability of any software or
information found there. There
==============================

Additional info:
HOW TO: Delegate Authority for Editing a Group Policy Object (GPO)
http://support.microsoft.com/?id=221577

Administering Group Policy with the GPMC
http://www.microsoft.com/windowsserver2003/gpmc/gpmcwp.mspx

Frequently Asked Questions About the Group Policy Management Console
http://www.microsoft.com/windowsserver2003/gpmc/gpmcfaq.mspx

Enterprise Management with the Group Policy Management Console
http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

Hope these steps will give you some help.

Thanks and have a nice day!

Best regards,

Terence Liu(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| Thread-Topic: Workstation Firewall / Group Policy
| thread-index: Acc7TxLRebwbuDHOTfC2/1KFANA2EQ==
| X-WBNR-Posting-Host: 74.92.4.169
| From: =?Utf-8?B?Y29vcGZhYg==?= <coopfab@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: Workstation Firewall / Group Policy
| Date: Thu, 18 Jan 2007 14:22:00 -0800
| Lines: 13
| Message-ID: <B7111DA1-D2EB-45AF-965C-9321E64F1393@xxxxxxxxxxxxx>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="Utf-8"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2757
| Newsgroups: microsoft.public.windows.server.sbs
| Path: TK2MSFTNGHUB02.phx.gbl
| Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:11290
| NNTP-Posting-Host: tk2msftsbfm01.phx.gbl 10.40.244.148
| X-Tomcat-NG: microsoft.public.windows.server.sbs
|
| Our network backup software, Arcservit, cannot connect to our XP
workstations
| with the workstation's Firewall ON. We have allowed an exception on the
| firewall Exceptions tab for the backup agent running on the workstations
and
| still cannot connect. On the server, I think I have the appropriate
settings
| disabled in the Group Policy Management area but obviously not. Would
| someone please review with me the settings that should be disabled or
direct
| me to a tech dock that will explain the Group Policy Management area.
|
| Thanks in advance for your help.
|
|
| --
| M. Cooper
|

.