Windows Firewall via GPO an Inventory Scan Failing

lee7246 · 2014-01-10T12:59:56.000Z

I cannot get the inventory scan to work on a machine that is a member of an OU with Windows Firewall enabled. I have followed the documentation to open ports TCP 135 and 445 and UDP 137. If I disable the firewall, the scan works just fine. Disabling the firewall for every machine is not an option. Are they any other ports that I am missing? Please advise. Thanks in advance!

bryandoe · 2014-01-10T13:59:20.000Z

You’ll need to also allow ICMP, WMI, and remote management. See here: http://community.spiceworks.com/help/Is_My_Firewall_Software_Getting_In_The_Way%3F

lee7246 · 2014-01-10T14:07:51.000Z

I have enabled both Windows Firewall: Allow remote administration exception and Windows Firewall: Allow ICMP exceptions but it still is not working. What an i missing? Thx

lee7246 · 2014-01-14T11:34:39.000Z

Firewall is still blocking the inventory scan. Do I have to explicitly define open ports in gpo?

Ben-B-Spiceworks · 2014-01-14T18:35:07.000Z

Hi findaway, could you try this test command (wmic) and let us know what the error message is?

http://community.spiceworks.com/help/Resolving_Unknown_Devices#Windows

lee7246 · 2014-01-15T13:43:03.000Z

Thank you for the response. I am getting the following:

ERROR:
Description = The RPC server is unavailable.

lee7246 · 2014-01-15T14:06:38.000Z

It it possible that UAC on Windows 7 is the culprit. Can that be disabled via a gpo?

Ben-B-Spiceworks · 2014-01-15T18:15:56.000Z

This error message typically means either:

the remote device is offline
the remote device firewall is blocking inbound WMI requests
DNS problems are causing the request to be routed to the wrong device on the network (hostname/IP mismatched)

Did you test with both hostname and IP address, same issue? It might sound strange, but could you test all three of these with the WMIC? For example, let’s say the device info is: [reception-pc], [192.168.1.25]

Test these values for “node”:

192.168.1.25
192.168.1.25.
reception-pc

Notice the second one has a trailing period after the IP address. If you’re curious more on that here (under the comments section).

lee7246 · 2014-01-15T19:51:07.000Z

same all 3 - rpc service unavailable

if I turn off the firewall, it will work!

I have followed the documentation and double-checked, yet still the same issue.

I have an audit software product on the same box that I am demoing and it works no problem w/ the firewall enabled

Cannot figure this one out???

Thx for your assistance!

Ben-B-Spiceworks · 2014-01-15T19:57:53.000Z

Thanks for testing that out - it sounds like the GP isn’t applying, if you can disable the firewall and the WMIC works properly.

Could you try RSoP to confirm GP is applied properly?

(start with step 10: http://community.spiceworks.com/how_to/show/22635-use-group-policy-to-enforce-windows-firewall-configuration#10)

Do you see your new firewall policy listed as Applied?

Are there any other policies that also enforce firewall rules - i.e. could there be a policy conflict?

lee7246 · 2014-01-15T20:07:24.000Z

You da man. It was a policy conflict with an old gpo that I didn’t even realize existed. Working now! Thank you very much.

Cheers!

christophergimbel2971 · 2014-02-04T13:58:08.000Z

What if I get the serial number but the workstations still won’t inventory - Firewall is disabled.

Ben-B-Spiceworks · 2014-02-04T15:47:07.000Z

Hi Christopher, be sure you’re running the latest version of Spiceworks and try rescanning. Check the Network Scan settings page to confirm your Windows credentials are stored. You might also try deleting devices that have scan errors or are not scanned properly, and then rescan the network.

If you still have problems let us take a look at your scan logs:

http://community.spiceworks.com/help/Contact_Support#Log

christophergimbel2971 · 2014-02-04T21:17:16.000Z

Took over management at a new firm… i figured it out, their reverse DNS was jacked up. Cleaned that up and the PCs were able to be inventoried.