Open Ports In Windows Firewall

gustaav

Hello everyone! I'm basically new to managing Windows 2008 Server R2. I'm trying to open a port for a specific application in Windows Firewall (in domain group policies), so I created an "inbound rule" allowing traffic to the specific port. The problem is that the connection is not working. I disabled the firewall, I turned off the antivirus, and the connection is somehow blocked. When I run netstat -an and add the filter to show the "listening" ports, the port that I opened before in the inbound rules is not appearing. I tried with other ports and the results are the same.

Any idea of what could be the problem?

Thanks in advance!
 
Hi,

I think your problem is not the firewall or AV but the program itself.

If a port is blocked by the firewall, it can still "listen" but not initiate a connection. That means if you start (for example) a web server, it listens on port 80 regardless of what you've specified on your firewall. In other words, this port appears in netstat. Then, if the firewall is not configured to pass connections on that port, your server will not respond to requests.

Check your program first, then the firewall.
 
Thanks a lot for your response! If I understand well, you are saying that if I open a port by creating an inbound rule on Windows Firewall it will not appear in netstat results?

Well, to be specific, I need to connect remotely to a SQL Server Analysis Services cube. Because I'm using a named instance, I need to open TCP port 2382 and UDP port 1434 for SQL Browser. Somehow, port 2382 is in listening mode, and when I run "Advanced Port Scanner" it shows it's open. But I don't know how to open UDP port 1434; as I said, I've added this port to Windows Firewall, and nothing happens. I know this could be SSAS configuration, and that's another topic, but my question is, what if I want to "close" port 2382? Just for testing I've blocked port 2382 in Windows Firewall, and the port scanner shows it open!
 
Netstat is the tool used to show the LOCAL CONNECTIONS (active, timed out, listening, ...). I can install a web server on my PC, port 80 will be in a "LISTENING" state and I should be able to reach my web server by typing http://localhost/ (http is by default on port 80). If this works and you run netstat, you should see localhost and your IP (private IP) listening on port 80. If you have a firewall, it should block every port unless you specify other settings. In this case, port 80 CANNOT be contacted from the outside (outside your PC), but LOCALLY it must work! From netstat output you can't tell whether a port is blocked by the firewall or not.

So, first of all, answer the following questions:

1) From the server running the service "Analysis for SQL", can you test if the application is working properly? I mean, can you connect to that service?
2) When you say "remotely", do you mean "from the internet" or from another PC on another LAN? In other words, you have a firewall on that server, which is Windows Firewall, but are there other firewalls active (usually a network firewall)?
3) If you disable (temporarily) your firewall, does the application work?
 
Ok, I get it now! Thanks for your explanation. Then is there a way to validate the ports blocked by a firewall through command line?

So, answering your questions:

1) Yes, I installed Excel on the server and I could connect to an Analysis Services cube with no problems.
2) No, I'm trying to connect from a PC to the server in the same LAN; there are no other firewalls active.
3) I turned off the firewall in all profiles in Group Policy (I'm running the server in a domain), and even stopped the service and the problem remains.

I really don't know what else to do. Thanks again for your help.
 
Remember you can disable firewall for local network (LAN) and enable just for public network. But this is another story.

Anyway, try this command on the server and post the output:

netstat -anb |find /i "listening"

Just to know, here you can find a guide on how to configure windows firewall for SQL analysis service:
http://msdn.microsoft.com/en-us/library/ms174937.aspx

To manage your firewall you can use the netsh command.

To display the current state of your firewall (also ports), type the following:

netsh firewall show state

firewall seems to be deprecated... (the hell?!) on a command line type the following:

netsh
advfirewall
now just type HELP and at the end you can find the "commands in this context" section.

Let me know.
 
Ok. This is the output of the command you mentioned:

TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:88 0.0.0.0:0 LISTENING 512
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 780
TCP 0.0.0.0:389 0.0.0.0:0 LISTENING 512
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:464 0.0.0.0:0 LISTENING 512
TCP 0.0.0.0:593 0.0.0.0:0 LISTENING 780
TCP 0.0.0.0:636 0.0.0.0:0 LISTENING 512
TCP 0.0.0.0:2103 0.0.0.0:0 LISTENING 576
TCP 0.0.0.0:2105 0.0.0.0:0 LISTENING 576
TCP 0.0.0.0:2107 0.0.0.0:0 LISTENING 576
TCP 0.0.0.0:2179 0.0.0.0:0 LISTENING 3120
TCP 0.0.0.0:3268 0.0.0.0:0 LISTENING 512
TCP 0.0.0.0:3269 0.0.0.0:0 LISTENING 512
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 2512
TCP 0.0.0.0:5722 0.0.0.0:0 LISTENING 1576
TCP 0.0.0.0:9389 0.0.0.0:0 LISTENING 1484
TCP 0.0.0.0:32843 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:32844 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:35259 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 416
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 872
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 512
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING 920
TCP 0.0.0.0:49157 0.0.0.0:0 LISTENING 512
TCP 0.0.0.0:49158 0.0.0.0:0 LISTENING 512
TCP 0.0.0.0:49177 0.0.0.0:0 LISTENING 1648
TCP 0.0.0.0:49184 0.0.0.0:0 LISTENING 576
TCP 0.0.0.0:49207 0.0.0.0:0 LISTENING 504
TCP 0.0.0.0:49214 0.0.0.0:0 LISTENING 2292
TCP 0.0.0.0:54321 0.0.0.0:0 LISTENING 5648
TCP 127.0.0.1:53 0.0.0.0:0 LISTENING 1648
TCP 127.0.0.1:61374 0.0.0.0:0 LISTENING 6096
TCP 192.168.113.19:53 0.0.0.0:0 LISTENING 1648
TCP 192.168.113.19:139 0.0.0.0:0 LISTENING 4
TCP 192.168.113.19:1801 0.0.0.0:0 LISTENING 576
TCP [::]:80 [::]:0 LISTENING 4
TCP [::]:88 [::]:0 LISTENING 512
TCP [::]:135 [::]:0 LISTENING 780
TCP [::]:389 [::]:0 LISTENING 512
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:464 [::]:0 LISTENING 512
TCP [::]:593 [::]:0 LISTENING 780
TCP [::]:636 [::]:0 LISTENING 512
TCP [::]:2103 [::]:0 LISTENING 576
TCP [::]:2105 [::]:0 LISTENING 576
TCP [::]:2107 [::]:0 LISTENING 576
TCP [::]:2179 [::]:0 LISTENING 3120
TCP [::]:3268 [::]:0 LISTENING 512
TCP [::]:3269 [::]:0 LISTENING 512
TCP [::]:3389 [::]:0 LISTENING 2512
TCP [::]:5722 [::]:0 LISTENING 1576
TCP [::]:9389 [::]:0 LISTENING 1484
TCP [::]:32843 [::]:0 LISTENING 4
TCP [::]:32844 [::]:0 LISTENING 4
TCP [::]:35259 [::]:0 LISTENING 4
TCP [::]:47001 [::]:0 LISTENING 4
TCP [::]:49152 [::]:0 LISTENING 416
TCP [::]:49153 [::]:0 LISTENING 872
TCP [::]:49154 [::]:0 LISTENING 512
TCP [::]:49155 [::]:0 LISTENING 920
TCP [::]:49157 [::]:0 LISTENING 512
TCP [::]:49158 [::]:0 LISTENING 512
TCP [::]:49177 [::]:0 LISTENING 1648
TCP [::]:49184 [::]:0 LISTENING 576
TCP [::]:49207 [::]:0 LISTENING 504
TCP [::]:49214 [::]:0 LISTENING 2292
TCP [::]:54321 [::]:0 LISTENING 5648
TCP [::1]:53 [::]:0 LISTENING 1648
TCP [::1]:61374 [::]:0 LISTENING 6096
TCP [fe80::4d68:1246:315d:f90%10]:1801 [::]:0 LISTENING 576
TCP [fe80::b98b:5014:712b:5ee4%13]:1801 [::]:0 LISTENING 576


The netsh command says that the firewall is not running... so... I don't know what else to do. Everything seems to be OK.
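
An added example, not part of any post in this thread: the `find /i "listening"` filter used above drops every UDP row, because netstat prints no state for UDP sockets, so UDP 1434 can never show up in that output. The Python sketch below parses a constructed `netstat -ano` style sample (the PIDs and the 2382/1434 rows are assumptions, not the poster's data) and classifies a port by socket binding only; whether the firewall passes traffic is not visible in netstat.

```python
import re

# Constructed sample in `netstat -ano` layout; not the output posted above.
SAMPLE = """\
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:53           0.0.0.0:0              LISTENING       1648
  TCP    192.168.113.19:2382    0.0.0.0:0              LISTENING       2040
  TCP    [::]:3389              [::]:0                 LISTENING       2512
  TCP    [fe80::1%10]:1801      [::]:0                 LISTENING       576
  UDP    0.0.0.0:1434           *:*                                    2040
  UDP    127.0.0.1:53           *:*                                    1648
"""

ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(.*)$")

def parse_netstat(text):
    """Return {(proto, port): set of local addresses with a bound socket}."""
    bound = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        proto, addr, port, _remote, rest = m.groups()
        # TCP rows carry a state column; UDP rows have none.
        if proto == "TCP" and not rest.startswith("LISTENING"):
            continue
        addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and scope id
        bound.setdefault((proto, int(port)), set()).add(addr)
    return bound

def reachability(bound, proto, port):
    """Classify by socket state only; firewall rules are not visible here."""
    addrs = bound.get((proto, port))
    if not addrs:
        return "not bound"
    if addrs <= {"127.0.0.1", "::1"}:
        return "loopback only"
    return "bound on network interface"

def hidden_by_listening_filter(text):
    """Sockets that disappear when the output is piped through find /i "listening"."""
    kept = [l for l in text.splitlines() if "listening" in l.lower()]
    return sorted(set(parse_netstat(text)) - set(parse_netstat("\n".join(kept))))
```

A port reported as "not bound" points at the service itself, while "bound on network interface" with failing remote connections points at filtering or authentication further along the path.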
 
Well. After trying almost everything and the fact that I'm really urged to deploy cubes, I decided to install SQL Server on another server and now it works with no problems!

I'm assuming that the problem was installing SQL Server on the same server running Active Directory, Group Policies and DNS services, but I'm not really sure.

Thanks a lot for all your help!
 
Just found out the problem! Finally! It turns out that the PC from where I was trying to connect to the server was connected to the domain but it was still running on a "local" user Windows profile, so I logged off and logged in with an administrator domain account and then I finally could connect with no problems.

I thought that setting up "Impersonation info" to the domain administrator account was enough for that, but that wasn't.
 
Hey guys, you all can check out the solutions that have been mentioned here for opening ports in the Windows firewall. Just check it out and see if it helps!
 