Windows – How to tell WHY Windows Firewall is blocking a program

Tags: firewall, ibm, java, Security, windows

I have an environment that is running Windows Server 2012 R2 and runs a variety of Java-based IBM applications. There is a group policy in place that blocks local Windows Firewall rules from being created, but due to a system process the rule is added at the system level and supersedes the GPO. We have also added an explicit GPO to allow the Java JRE inbound/outbound through Windows Firewall, but the block rule is still added and impacts the applications.

I would like to know how I can determine why Windows Firewall is blocking the application.

How can I stop this from happening?

  • GPO is in place to allow Java.exe inbound and outbound.
  • GPO is in place to not allow local firewall rules.
  • GPO is in place to not allow user interaction upon blocking a program.
  • Local rule is added by a system process that is likely triggered by user action.
  • Local rule supersedes the GPO since it is added by a system authority.

Example Event Log:

Added Rule:
Rule ID: UDP Query User{8C6B2819-E805-459B-9483-821B8B51D772}D:\ibm\isa\isa5_jvm\jre\bin\javaw.exe
Rule Name: Java(TM) Platform SE binary
Origin: Local
Active: Yes
Direction: Inbound
Profiles: Domain
Action: Block
Application Path: D:\ibm\isa\isa5_jvm\jre\bin\javaw.exe
Service Name:
Protocol: UDP
Security Options: None
Edge Traversal: None
Modifying User: NT SERVICE\MpsSvc
Modifying Application: C:\Windows\System32\svchost.exe

This rule gets added despite having a program exception for both inbound/outbound for the specific JRE path.

Best Answer

If I wanted to prove that the Windows Firewall is dropping a connection, I would turn on logging. Open MMC and add the snap-in for Windows Defender Firewall on the local machine. You can right-click on the line item now and set properties for it. On the first page are the logging settings, where you can cause allowed AND denied connections to be logged and set where the log file goes. Review this.

If this doesn't get you what you want, fire up Wireshark to capture the traffic that is actually happening. If you have set your firewall rules properly, as you say, maybe the traffic isn't actually getting to the server, or there is some other failure like packet loss or fragmentation.

If all of the above checks out, check the event logs for your application for reasons why it might decide not to respond.
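The logging step from the answer, plus the rule and event-log checks that go with it, as an added PowerShell example (not from the original question or answer). It assumes an elevated prompt on Windows Server 2012 R2 with the NetSecurity module, the javaw.exe path quoted in the question, and the default pfirewall.log location; the 2004 event ID and the log's `#Fields:` header are the standard Windows Firewall ones, and javaw's ports are taken from `netstat -ano` because the firewall log records addresses and ports but not the program.

```powershell
# Added example, not part of the original Q&A. Assumptions: elevated PowerShell 4.0+
# on Server 2012 R2, the JRE path from the question, the default firewall log path.
$JavaPath = 'D:\ibm\isa\isa5_jvm\jre\bin\javaw.exe'
$LogFile  = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# 1. Log both allowed and dropped packets for the Domain profile (the profile the
#    block rule in the question applies to). Same setting as the MMC
#    Properties -> Logging page. If a GPO manages logging for this profile,
#    this local change is overridden and must be made in the GPO instead.
Set-NetFirewallProfile -Profile Domain -LogFileName $LogFile `
    -LogAllowed True -LogBlocked True -LogMaxSizeKilobytes 32767

# 2. List every effective rule that names the JRE binary, with its origin.
#    Windows Firewall evaluates Block rules before Allow rules whatever their
#    source, so a local Block on javaw.exe wins over a GPO Allow for it.
Write-Host "Rules referencing $JavaPath (ActiveStore = local + GPO):"
Get-NetFirewallApplicationFilter |
    Where-Object { $_.Program -like '*\javaw.exe' } |
    Get-NetFirewallRule |
    Select-Object DisplayName, Direction, Action, Enabled, Profile, PolicyStoreSourceType |
    Format-Table -AutoSize

# 3. Find when the block rule was created. Event 2004 in the firewall
#    operational log is "a rule has been added", the event shown in the question.
Write-Host 'Rule-added (2004) events mentioning the JRE path:'
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
    Id      = 2004
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($JavaPath) } |
    Select-Object TimeCreated, Message |
    Format-List

# 4. Which UDP ports does javaw.exe currently own? netstat -ano lines look like
#    "  UDP    0.0.0.0:5353    *:*    1234" (proto, local, foreign, PID).
$javaPids  = @(Get-Process -Name javaw -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Id)
$javaPorts = foreach ($line in (netstat -ano -p UDP)) {
    $f = $line.Trim() -split '\s+'
    if ($f.Count -ge 4 -and $f[0] -eq 'UDP' -and $javaPids -contains [int]$f[3]) {
        ($f[1] -split ':')[-1]      # local port, works for IPv4 and [::] forms
    }
}
Write-Host "javaw.exe UDP ports: $($javaPorts -join ', ')"

# 5. Pull inbound UDP DROP records for those ports out of pfirewall.log.
#    Column names come from the file's own "#Fields:" header, normally:
#    date time action protocol src-ip dst-ip src-port dst-port size tcpflags
#    tcpsyn tcpack tcpwin icmptype icmpcode info path   (path = SEND/RECEIVE)
if (Test-Path $LogFile) {
    $content = Get-Content $LogFile
    $header  = $content | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    $fields  = ($header -replace '^#Fields:\s*', '') -split '\s+'
    $content |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ConvertFrom-Csv -Delimiter ' ' -Header $fields |
        Where-Object {
            $_.action -eq 'DROP' -and $_.protocol -eq 'UDP' -and
            $_.path -eq 'RECEIVE' -and $javaPorts -contains $_.'dst-port'
        } |
        Select-Object date, time, 'src-ip', 'dst-ip', 'src-port', 'dst-port' |
        Format-Table -AutoSize
} else {
    Write-Warning "$LogFile does not exist yet; generate some traffic and re-run step 5."
}
```

Step 2 is the one that answers "why": if it prints a Block rule with PolicyStoreSourceType Local next to the GPO Allow rule, the drop is explained by rule precedence, not by a missing exception. Step 5 only confirms that packets to javaw's ports are being dropped; because the log has no program column, the port correlation is the closest it gets to naming the process, and a listener that rebinds to a new port will need the script re-run.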