Why does Windows Server 2008 Firewall "forget" exceptions?

Mark Pimperton describes an irritating flaw nobody else seems to know or care about.

Sometimes you need to tell Windows Firewall to allow traffic in on specific ports. I have two particular apps that needed this, and until I realized what was going on, the firewall's apparent ability to forget what I told it confused the heck out of me.

Yosemite Server Backup

Our backup software is installed on a server we'd picked as the "master" and on all other servers to be backed up as a "client". You can configure and use the software from the master or a client, provided the "client" servers can talk back to the master server, which they do on a specific port (3817 in this case). To make this work, we added an exception to Windows Firewall on our Windows Server 2008 "master" server, as shown in Figure A.

Figure A

The problem came after the first server maintenance session following the installation of Yosemite Server Backup. (This is where we install Windows Updates, etc. and reboot each of our servers.) That night's backups failed to run. On going into Yosemite on the master server, we found all the "client" servers and devices marked as offline, as shown in Figure B.

Figure B

Trying to start Yosemite on a "client" server gave a communications error. I went back to Windows Firewall on the master server and double-checked the port number. After some head-scratching I thought I'd try "reapplying" the firewall exception by changing data in either of the fields; in the case of Figure C it's been done by adding a space to the end of the name, but you can also do it by adding, then deleting, an extra digit on the port number. The editing makes the "OK" button active so you can reapply the exception.

Figure C

After a couple of attempts, and waiting a couple of minutes, the Yosemite clients and backup devices started to show as online again. This annoying behavior happened again after the next reboot of the master server. Same problem, same solution.

A web search drew a blank. Nobody else seemed to have encountered this. That was a couple of years ago and a more recent search still didn't give me any results. Still, once I knew the score I just added it to my maintenance routine.

APC PowerChute

This was the other app that caught me out. It too required a firewall exception (this time for port 3052) to log into the Web interface where you can check the status of your APC UPS. Instead, what I got was the depressing "Internet Explorer cannot display the webpage."

I got a couple of clues this time. For starters, I had no problem with the same interface to a Windows 2003 server. Second, if I logged in to the Windows 2008 server and browsed to the relevant page from there, no problem. I "reapplied" the port exception in Windows Firewall and could access the web interface once again.
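Both stories above come down to the same maintenance step: after a reboot, confirm that the inbound exception (3817 for Yosemite, 3052 for PowerChute) is really present and enabled, and reapply it if not. The script below is an added example, not the author's own procedure or anything shipped by Yosemite or APC. It uses the netsh advfirewall command set that Windows Server 2008 ships with, assumes TCP (the article does not state the protocol), and uses placeholder rule names and a placeholder host name ($MasterServer). Run it from an elevated PowerShell prompt on the master server; the Test-TcpPort function is meant to be run from a client server to confirm the port actually answers. Whether re-creating a rule with netsh avoids the forgetting the author saw is not something the article establishes; the script simply automates the check-and-reapply routine.

```powershell
# Added example (not from the original article). Checks that the inbound
# exceptions are present and enabled after a reboot and re-creates any that
# are missing, then prints the active firewall profile for comparison.
# Rule names, ports and host name are placeholders; TCP is an assumption.

$rules = @(
    @{ Name = 'Yosemite Server Backup (3817)'; Port = 3817 },
    @{ Name = 'APC PowerChute (3052)';         Port = 3052 }
)

function Get-FirewallRuleText {
    param([string]$Name)
    # "show rule ... verbose" lists Enabled, Profiles, Protocol and LocalPort.
    $out = & netsh advfirewall firewall show rule "name=$Name" verbose 2>&1
    return ($out | Out-String)
}

function Test-FirewallRulePresent {
    param([string]$Name)
    # netsh prints this line when no rule of that name exists.
    $text = Get-FirewallRuleText -Name $Name
    return ($text -notmatch 'No rules match the specified criteria')
}

function Add-InboundTcpRule {
    param([string]$Name, [int]$Port)
    # Equivalent of adding the exception in the Windows Firewall GUI.
    & netsh advfirewall firewall add rule "name=$Name" dir=in action=allow protocol=TCP "localport=$Port"
}

function Enable-FirewallRule {
    param([string]$Name)
    # Re-enables a rule that exists but shows "Enabled: No".
    & netsh advfirewall firewall set rule "name=$Name" new enable=yes
}

foreach ($r in $rules) {
    if (-not (Test-FirewallRulePresent -Name $r.Name)) {
        Write-Host ("Rule '{0}' missing; re-creating for TCP {1}" -f $r.Name, $r.Port)
        Add-InboundTcpRule -Name $r.Name -Port $r.Port
    } else {
        $text = Get-FirewallRuleText -Name $r.Name
        if ($text -match 'Enabled:\s+No') {
            Write-Host ("Rule '{0}' present but disabled; enabling" -f $r.Name)
            Enable-FirewallRule -Name $r.Name
        } else {
            Write-Host ("Rule '{0}' present and enabled" -f $r.Name)
        }
        # Show which profiles the rule applies to, so it can be compared
        # with the profile the server is actually running under.
        $text -split "`n" | Where-Object { $_ -match '^(Enabled|Profiles|LocalPort):' }
    }
}

# Active profile (Domain/Private/Public) for the interfaces currently up.
& netsh advfirewall show currentprofile

# From a client server: does the master actually accept the connection?
function Test-TcpPort {
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$MasterServer = 'MASTER-SERVER-PLACEHOLDER'   # replace with the master's host name
foreach ($r in $rules) {
    $ok = Test-TcpPort -Server $MasterServer -Port $r.Port
    Write-Host ("{0}:{1} reachable: {2}" -f $MasterServer, $r.Port, $ok)
}
```

The verbose rule listing is the part worth reading after each reboot: a rule that is present but reports "Enabled: No", or whose Profiles line does not include the profile shown by "show currentprofile", behaves exactly like a forgotten exception even though the GUI still lists it. Running Test-TcpPort from a client confirms the symptom from the other side, which is the same test the author did by browsing to the PowerChute page locally and remotely.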

Summary

This is a reproducible and very annoying flaw. I haven't tested it on Windows Server 2008 R2 so maybe it's been fixed but I'm amazed nobody else seems to have suffered from it. Unless you know differently...

About

Mark Pimperton BSc PhD has worked for a small UK electronics manufacturer for over 20 years in areas as diverse as engineering, technical sales, publications, and marketing. He's been involved in IT since 1999, when he project-managed implementation ...