Network usage blocked after installation?

Hello,

I will try to keep this as short as I can, though I am quickly getting desperate, so I am here hoping someone out there has already found (or can help me find) a solution to this issue.

We have recently installed Comodo Firewall on a number of laptops; however, during these installations we have come across a handful of users who, after installation, simply cannot connect back to the domain… primarily the issue shows itself in one of two ways.

  1. The user attempts to sign in using their domain account and it claims to be logging in, but eventually simply times out after say 15-20 minutes of hanging attempting to “acquire settings”.

  2. It allows the user to log in; however, when they launch programs they seem to get automatically blocked or severely delayed. One recent example being a copy of Outlook that took 45 minutes to connect to an Exchange server located directly below their office.

Our process is to remove the existing firewall… restart the machine and log in as a local administrator, then install Comodo, after which we disable Defense+ as well as all automatic update options and restart the machine again. Then once again we log in as a local account to accept all the prompts regarding a new network being detected etc., because if they attempt to log in using their domain account before accepting those prompts as a local user it never works, because Comodo seems to block our domain by default.

Given that it is a handful of users and not all of them, I cannot squarely blame this on the firewall, but if we remove the firewall all of these issues vanish, so any suggestions anyone might have will be greatly appreciated.

Can you post screenshots of the firewall logs and Global Rules of one of the affected machines? The logs can be found under Firewall → Common Tasks → View Firewall Events. The Global Rules are under Firewall → Advanced → Network Security Policy.

How Domain Controllers Are Located in Windows XP (http://support.microsoft.com/kb/314861)

Clearly CIS is implicated in the domain logon process somehow (since the issue goes away without CIS). I wonder if the issue with the “problem children” pertains to that of roaming profiles. If so, it needs to be established what is different in those circumstances compared to those that are working without issue.

It would seem prudent to establish zones of IP addresses for the various associated domain servers implicated in the foregoing process, e.g., DNS, LDAP, WINS, etc., and for the associated protocols, whether UDP or TCP.

I’d configure CIS on the clients to utilize “safe-mode” (alert setting: high) firewall security, and clear out all application-specific (except for System & SVCHOST) and Global Rules. Now an alert should get generated concerning any outgoing IP connection attempts (by application, and for every port). The first thing to do is to “allow” and “remember this” for any new arbitrary application. That’ll establish a Network Security rule “Allow All any any”. Now change that rule to ask & log. Add a specific rule for the particular alert that was initially generated and drag it ahead of the ask & log rule. Any time a new alert comes up for the same application, permission can be granted to allow access to that particular IP (but uncheck “remember this”) and then query the log to see what happened. That IP can then be placed into the zone that is appropriate. Then the particular application that generated that alert can have a new rule established to allow IP access to that zone (ensure that all new rules get dragged before the “ask & log” rule). After a while it becomes apparent that IP ranges or IP masks are more suitably used within a particular zone. Doing that will minimize the subsequent appearance of alerts for IPs that are considered “trusted”.

Once you get all that ironed out, you can establish application and port profiles that can appropriately be shared; it's a whole lot easier working with profiles (zones, port profiles, application groups, etc.) than specifying the same stuff over and over and over again for different apps that essentially are hitting the same IPs/ports. If you determine that a bunch of applications have the same IP, protocol & port rules, then create an application group in My Protected Files (Defense+), establish a pre-defined security policy for that application group (in advanced Firewall Tasks), and then establish Network Security rules for that application group using the predefined security “profile”.

Once you’ve gotten the Network Security shaken out, then it's time to focus on the Computer Security (by application), i.e., access rights for any arbitrary application.

Bottom line is to utilize the logs as judiciously as possible for effective diagnostic purposes; firewall logs will tell you IP-pertinent issues, and Defense+ logs will tell you specifics about particular application access attempts.
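As an added example (not from this thread or from Comodo), here is how the "ask & log, then read the log" approach above can be turned into a quick summary: exported firewall events are grouped by application and destination, each port is annotated with the domain-controller service it belongs to, and the addresses blocked on those ports are listed as candidates for a domain-servers zone. The CSV column layout, the application paths and the addresses are constructed for this example and are not Comodo's real export format.

```python
import csv
import io
from collections import Counter

# Well-known ports a domain-joined Windows client must reach on its domain
# controllers (standard Active Directory services).
AD_SERVICES = {
    ("udp", 53): "DNS", ("tcp", 53): "DNS",
    ("udp", 88): "Kerberos", ("tcp", 88): "Kerberos",
    ("tcp", 135): "RPC endpoint mapper",
    ("udp", 137): "NetBIOS name service", ("udp", 138): "NetBIOS datagram",
    ("tcp", 139): "NetBIOS session",
    ("udp", 389): "LDAP", ("tcp", 389): "LDAP",
    ("tcp", 445): "SMB (SYSVOL, Netlogon)",
    ("tcp", 3268): "Global Catalog",
}

# Constructed sample of an exported firewall event log; the column layout is an
# assumption made for this example, not the real Comodo export format.
SAMPLE_LOG = """\
application,action,protocol,source_ip,dest_ip,dest_port
C:\\Windows\\System32\\svchost.exe,Blocked,UDP,10.1.5.23,10.1.1.10,53
C:\\Windows\\System32\\svchost.exe,Blocked,UDP,10.1.5.23,10.1.1.10,88
C:\\Windows\\System32\\lsass.exe,Blocked,TCP,10.1.5.23,10.1.1.10,389
System,Blocked,TCP,10.1.5.23,10.1.1.11,445
C:\\Program Files\\Outlook\\outlook.exe,Blocked,TCP,10.1.5.23,10.1.2.40,135
C:\\Program Files\\Browser\\browser.exe,Allowed,TCP,10.1.5.23,93.184.216.34,443
"""

def parse_events(text):
    """Parse the CSV export; normalise protocol to lowercase and port to int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["protocol"] = r["protocol"].lower()
        r["dest_port"] = int(r["dest_port"])
    return rows

def blocked_by_app(events):
    """Count blocked (application, dest IP, protocol, port, service) tuples.
    The service is None when the port is not a known domain-controller port."""
    counts = Counter()
    for e in events:
        if e["action"] == "Blocked":
            key = (e["protocol"], e["dest_port"])
            counts[(e["application"], e["dest_ip"], e["protocol"],
                    e["dest_port"], AD_SERVICES.get(key))] += 1
    return counts

def zone_candidates(events):
    """Destination IPs blocked on a domain-controller port: the addresses to
    review and collect into a 'domain servers' network zone."""
    return sorted({e["dest_ip"] for e in events if e["action"] == "Blocked"
                   and (e["protocol"], e["dest_port"]) in AD_SERVICES})
```

Each candidate address still needs to be checked against the server's actual role (in the sample the Outlook destination is an Exchange server, not a domain controller) before it is placed in a zone.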

FWIW (hope this may shed more light on the issue):

How to configure a firewall for domains and trusts (Configure firewall for AD domain and trusts - Windows Server | Microsoft Learn)

How to configure Windows Server 2003 SP1 firewall for a Domain Controller (http://support.microsoft.com/kb/555381)

Active Directory Replication over Firewalls (Active Directory Replication over Firewalls | Microsoft Learn)