
Why does Windows Server 2008 Firewall "forget" exceptions?

Mark Pimperton describes an irritating flaw nobody else seems to know or care about.

Sometimes you need to tell Windows Firewall to allow traffic in on specific ports. I have two particular apps that needed this and until I realized what was going on, the firewall's apparent ability to forget what I told it confused the heck out of me.

Yosemite Server Backup

Our backup software is installed on a server we'd picked as the "master" and on all other servers to be backed up as a "client". You can configure and use the software from the master or a client, provided the "client" servers can talk back to the master server - which they do on a specific port (3817 in this case). To make this work, we added an exception to Windows Firewall on our Windows Server 2008 "master" server, as shown in Figure A.

Figure A

The problem came after the first server maintenance session following the installation of Yosemite Server Backup. (This is where we install Windows Updates, etc. and reboot each of our servers.) That night's backups failed to run. On going into Yosemite on the master server, we found all the "client" servers and devices marked as offline, as shown in Figure B.

Figure B

Trying to start Yosemite on a "client" server gave a communications error. I went back to Windows Firewall on the master server and double-checked the port number. After some head-scratching I thought I'd try "reapplying" the firewall exception by changing data in either of the fields; in the case of Figure C it's been done by adding a space to the end of the name, but you can also do it by adding, then deleting, an extra digit on the port number. The editing makes the "OK" button active so you can reapply the exception.

Figure C

After a couple of attempts, and waiting a couple of minutes, the Yosemite clients and backup devices started to show as online again. This annoying behavior happened again after the next reboot of the master server. Same problem, same solution.

A web search drew a blank. Nobody else seemed to have encountered this. That was a couple of years ago and a more recent search still didn't give me any results. Still, once I knew the score I just added it to my maintenance routine.

APC PowerChute

This was the other app that caught me out. It too required a firewall exception (this time for port 3052) to log into a Web interface where you can check the status of your APC UPS. Instead, what I got was the depressing "Internet Explorer cannot display the webpage."

I got a couple of clues this time: For starters, I had no problem with the same interface to a Windows 2003 server. Second, if I logged in to the Windows 2008 server and browsed to the relevant page from there - no problem. I "reapplied" the port exception in Windows Firewall and could access the web interface once again.
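A post-maintenance check that mirrors the manual "reapply" workaround for both exceptions above (TCP 3817 for Yosemite Server Backup, TCP 3052 for the PowerChute web interface). This is an added example, not from the article; it assumes the `netsh advfirewall` syntax available on Windows Server 2008, English-language netsh output, and hypothetical rule names, and whether re-saving the rule from netsh clears the behaviour the article describes is an assumption that mirrors the GUI step.

```powershell
# Added example (not from the article): after a maintenance reboot, confirm that the
# inbound exceptions the article relies on still exist, and re-apply them the way the
# article does by hand (re-saving the rule). Rule names below are assumed.
# Run from an elevated PowerShell prompt on the Windows Server 2008 "master".

$rules = @(
    @{ Name = 'Yosemite Server Backup (TCP 3817)'; Port = 3817 },
    @{ Name = 'APC PowerChute Web (TCP 3052)';     Port = 3052 }
)

function Test-InboundRule {
    param([string]$Name)
    # 'show rule' prints the rule details, or "No rules match the specified criteria."
    # when the rule is absent. The string matches assume English netsh output.
    $out = netsh advfirewall firewall show rule name="$Name" 2>&1 | Out-String
    if ($out -match 'No rules match') { return 'missing' }
    if ($out -match 'Enabled:\s+No')  { return 'disabled' }
    return 'ok'
}

function Repair-InboundRule {
    param([string]$Name, [int]$Port)
    switch (Test-InboundRule -Name $Name) {
        'missing' {
            Write-Warning "Rule '$Name' is missing; re-adding inbound TCP $Port."
            netsh advfirewall firewall add rule name="$Name" dir=in action=allow `
                protocol=TCP localport=$Port | Out-Null
        }
        default {
            # Present (enabled or not): re-save it, the netsh equivalent of editing a
            # field in the GUI so that "OK" becomes active and the rule is reapplied.
            Write-Host "Rule '$Name' present; re-applying."
            netsh advfirewall firewall set rule name="$Name" new enable=yes | Out-Null
        }
    }
}

foreach ($r in $rules) {
    Repair-InboundRule -Name $r.Name -Port $r.Port
    # Report the final state so the maintenance log shows what was left in place.
    Write-Host ("{0}: {1}" -f $r.Name, (Test-InboundRule -Name $r.Name))
}
```

The real confirmation is the one the article uses: a client reaching the port after the script runs, since the rule can look correct locally and still not pass traffic.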

Summary

This is a reproducible and very annoying flaw. I haven't tested it on Windows Server 2008 R2 so maybe it's been fixed but I'm amazed nobody else seems to have suffered from it. Unless you know differently...

About

Mark Pimperton BSc PhD has worked for a small UK electronics manufacturer for over 20 years in areas as diverse as engineering, technical sales, publications, and marketing. He's been involved in IT since 1999, when he project-managed implementation ...

4 comments
albevier

I have noticed the problem for years and put the problem down to MS security updates resetting the firewall to its default settings. Whenever possible I got in the habit of installing my own firewall and turning off Windows firewall. Installing my own firewall is not always possible, however, and I just experienced and can recreate the problem you describe on one of my client's SBS 2008 servers. The problem came about when configuring the server for Quickbooks which needs a range of ports open. I can configure exceptions but they are "forgotten" by the firewall sometimes within minutes and sometimes within weeks. If someone finds a solution, please let me know.

HAL 9000

Try reposting this in the 'Q&A' forum. The 'Discussion' forum is for matters of general discussion, not specific problems in search of a solution. The 'Water Cooler' is for non-technical discussions. You can submit a question to 'Q&A' here: http://www.techrepublic.com/forum/questions/post?tag=mantle_skin;content There are TR members who specifically seek out problems in need of a solution. Although there is some overlap between the forums, you'll find more of those members in 'Q&A' than in 'Discussions' or 'Water Cooler'. Be sure to use the voting buttons to provide your feedback. Voting a '+' does not necessarily mean that a given response contained the complete solution to your problem, but that it served to guide you toward it. This is intended to serve as an aid to those who may in the future have a problem similar to yours. If they have a ready source of reference available, perhaps they won't need to repeat questions previously asked and answered. If a post did contain the solution to your problem, you can also close the question by marking the helpful post as "The Answer".

tech

I caught a similar behavior while beta testing Windows 7 and 2008. My experience was that manually added firewall exceptions were removed after updates were applied. I now run R2 and have not encountered it, but recently had a client with XP that had this happen and I cannot tell what caused it. I believe it was updates or installation of Microsoft Security Essentials, but I was unable to reproduce the issue and it happened on several machines across different hardware. It was odd that the firewall kept a ton of HP exceptions, Java, etc., but the ones I'd added manually (as AN administrator - not THE administrator) were all gone. I then did a gpupdate /force which applied the group policy firewall exceptions, but did not show the manual ones I'd added. I have added exceptions using the netsh command in the past, but I don't think those were affected - I could be mistaken. I noticed an old GUI issue with DNS and DHCP, etc. on Microsoft 2003 and R2 which made me lean towards doing many things by command line and I'm trying to do more by PowerShell, so in conclusion this could be a GUI-specific issue? Just one suggestion. Good luck with that. If it were me and I had to call support I'm pretty sure "re-install" would be their "best" answer - haha, but not funny! Stop laughing!

natem

I had this problem with terminal servers and just ended up turning the firewall off. Not the best option I know but I'm sure that's what most people do.