I am going crazy with firewall rules

Hi Everyone

Let me state that I am new to Eset Remote Administrator and Smart Security 4.x

Anyway I managed to install ERAS and ERAC onto Windows 2003 SBS SP2 Server successfully.

Have configured a Smart Security Package, Default Policy for Clients, and also setup the Mirror server so that clients get their updates from the local server rather than Eset's servers.

I have pushed 9 remote installations successfully with firewall enabled.

The problem is that after that I cannot ping any pcs, no remote desktop, non vnc access.

I did edit the Client's Default Profile and created some rules under Rules Setup (config editor) to open port 3389, port 5900 and allow ICMP echo reply request for the trusted zone.

But all this does not work at all probably due to my lack of knowledge in setting up the firewall rules.
I noticed that if I click DEFAULT in rules it inserts a set of default rules, this also happens with zones.

Can someone who is an expert on this point me in the right direction in setting up some basic Firewall rules in order to VNC, PING and RDP into the client?

In the mean time I have disabled the firewall completely and re-applied the policy to the clients so that I have some access to them.

Thanks in advance.

Regards

Ipnotech

 

Any takers?

 

Could you make a screenshot of the rule(s) so we can see if its configured correctly? I don't use ESS in my networks at all but it shouldn't be too difficult to open some ports. You opened both local and remote port 5900 and 3389 ?

Can you confirm or deny that the rules are displayed in the clients configuration after you pushed them to them? (..or after they are picked up from the policy)

 

Hi Thanks for your reply.

The problem is that I am not really sure how to configure this.

I launched Policy Editor for the policy I am working on, then I went to Rules Setup under the Firewall section of the policy configuration editor and under rules I clicked add and created 2 rules for inbound and outbound for port 3389 and port 5900.

This alone does not work.

If you click the DEFAULT button under the RULES window it inserts a lot of rules which are default.

I tried to add the port exceptions but it still does not work.

I cannot find a piece of documentation from ESET that explains the configuration editor in detail. It is a bit of a deficiency of Eset's behalf.

I cannot even find some examples in their knowledge base how to do this.

I know I to configure the ports interactively from the ADVANCED SETUP of the program but not through a POLICY template.

To summarize again I need to create 2 ports exceptions for port 3389 (RDP) , port 5900 (VNC) and allow ICMP echo reply (so that I can ping the client and get a reply) .

The ports exceptions are required so that I can remotely access the clients in order to provide maintenance of applications etc.

If there is a GURU out there that can explain it to me, I would greatly appreciate this and recommend ESET products to even more people.

Thanks and regards

Ipnotech

 

So you say the rules do work when you enter them manually? Since configuring firewall rules on the client or with the configuration editor in ERA is pretty much the same thing so I assume you are configuring those rules correctly.

Then ill come back to my earlier question; Do you see the rules being displayed on the client when you have altered your policy?
If not it more likely to be a issue with policy setup then it has to do with the firewall rules setup.

 

Policy based mode firewall setup

Hi All

I have been trying for the last 2 weeks to configure a policy to allow RDP (port 3389) and VNC (port 5900) into my ESS clients but I have been unsuccessful.

I am running version 4.x of everything.

I did create 2 rules under the Rules setup of the configuration editor, 1 for rdp and 1 for vnc and setup inbound ports on both local and remote, allowed in, but for some reason the firewall still blocks the connection.

Therefore I have reconfigured the policy for the clients to have the firewall completely disabled.

This is only a temporary measure so that my clients can have some protection.

I still want to re-enable the firewall eventually with exceptions for RDP, VNC and ICMP echo reply.

The eset ERAS/C manual is atrocious in this regard as there is hardly any examples on how to do this.

The ESET knowledge base is not much better.

I am surprised that a company like ESET does not provide policy based configuration examples for their firewall rules.

Has anyone been successful on this forum to manage to setup a Policy to allow RDP at least to connect to the PC with ESS remotely?

If so can you please show how you did it?

Thanks and regards

Ipnotech

 

Re: Policy based mode firewall setup

Based on the responses (nothing) I have received so far, I can safely assume nobody on this forum has tried this yet and eset support are showing their complete indifference and silently admitting their guilt in not answering so far.

 

Re: Policy based mode firewall setup

You still have another topic running with the same question where I am trying to help but you are not answering questions.

We can keep guessing what it is though, if thats how you like it .

Trusted zones configured correctly?

 

Re: Policy based mode firewall setup

Hi Brambb

Sorry for multi posting but I am getting to the point of desperation and frustration.

I have not answered your questions yet because I am not sure myself what answers to give.

I have never had experience with Eset Remote Administrator before and this is my first install I am doing.

I am very confused about configuring firewall settings for client's policies. I am not sure where to start in order to configure a POLICY that enables me to open port 3389, port 5900 and allow ICMP echo reply so that I can ping my client.

It would be great if someone could show me a sample config for this situation.

I noticed that when I push an installation for the server or the client's in goes under "Default Parent Policy" by default.

Then I have to add manually the client or the server to the appropriate policy I want to use. I understood you can create policy rules for this to happen automatically, but I have not reached that far yet.

I noticed that for some reason even after I apply my server policy to the server (the w2k sbs server) no all settings are applied to it.

For example I do not want to use a password to protect my server, but I do for my workstation's policy. It seems that the server still gets the password setting from the workstation's policy even though I am using the server policy without the password.

Here is the image of my policy manager and please tell me if I am wrong if I structured it incorrectly.

http://img194.imageshack.us/img194/643/policymanager.jpg

Uploaded with ImageShack.us

I know what a Trusted Zone is for the firewall but I have a very vague idea how to implement this in the policy template for the firewall.

I understand it is under rules setup.

Please enlighten me, show me the way with some pratical example to achieve what I am trying to achieve.

Thanks

Cheers

Ipnotech

 

Re: Policy based mode firewall setup

And this is the snapshot of my ERAC:

http://img806.imageshack.us/img806/3387/eracconsole.jpg

Uploaded with ImageShack.us

And there is also a small collection of xml files to look at.

 

Makes sense to keep it all in one thread. The other topic is now contained in the original (this) one

 

I think the rules ain't working cause the configuration for the firewall is set to "Automatic mode".
Also the firewall in your configuration (clientpolicy.xml) is turned off and rules are not filled in - you also need to edit those first (but I think you know that)?

See this: ESET Smart Security Personal firewall behavior and user interaction (4.x)
At the bottom of the page there is a explanation of all different modes.

Automatic mode doesn't use user-defined rules, you need to have at least automatic mode with exceptions enabled. As admin your best choice would be policy based mode, but you can read and decide whats best for you above.

 

this might help you a little. i would advise you to go to the one of the clients, turn the firewall to interactive mode, use all applications - remember and allow all required rules, export setting to xml and use them on thers

 

I temporarily disabled the firewall because if it were enabled , I could not contact my clients anymore therefore it is everything of ESS minus the firewall part for the moment until I figure out how to setup the rules.

I thought it was just a matter of going into rules setup and add the two port exceptions for 3389 and 5900 only but obsviously there are more rules to setup to get it working properly.

 

Is there a real reason why you would want firewalls enabled on the PC's?

I know that if one was extreme about security it would make sense, but I think having them disabled first is the way to proceed.

Also, the other suggestion of trying one unit to connect with firewall on and then using it's policy for all units does indeed make sense, and is worth a try if you insist on having firewalls enabled. (Post 13 by nonoise: https://www.wilderssecurity.com/showpost.php?p=1708608&postcount=13)

On the other hand, I *do* agree with you that this configuration *should* be possible to do on the admin side and not have to "play around" on the clients!

 

The easiest solution if you don't know how to configure rules is to switch the firewall to learning mode in which all rules will be created automatically as necessary during the learning period.