RDP Problems [Closed - Resolved]

I’m having some problems getting RDP through Comodo. I may have overlooked something obvious. Here’s the setup I have.

OS: WinXP SP3
Comodo: 3.10.102363.531

Network Zones:
[Trusted]

  • IP in range 192.168.100.10 - 192.168.100.20

Global Rules:

  1. Allow IP In from In [Trusted] to IP Any Where Protocol is Any
  2. Allow IP Out from IP Any to In [Trusted] Where Protocol is Any
  3-7. (Default Comodo rules blocking various ICMP types)

Application Rules:
[c:\windows\system32\svchost.exe]

  1. Allow IP In from In [Trusted] to IP Any Where Protocol is Any
  2. Allow IP Out from IP Any to IP Any Where Protocol is Any

In the Firewall event viewer, however, I’m still seeing the firewall blocking the inbound connection attempt. I can’t figure out what rule is blocking it. The log entries read:

c:\windows\system32\svchost.exe Blocked TCP 192.168.100.11 55091 192.168.100.10 3389 9/8/2009 11:04:23
c:\windows\system32\svchost.exe Blocked TCP 192.168.100.11 55090 192.168.100.10 3389 9/8/2009 11:03:58
c:\windows\system32\svchost.exe Blocked TCP 192.168.100.11 55089 192.168.100.10 3389 9/8/2009 11:03:21

I’ve even tried the following:

  • Replace rule 1 in Global Rules with “Allow IP In/Out from IP Any to IP Any where Protocol is Any”
  • Replace rule 1 in Application Rules for svchost.exe with “Allow IP In/Out from IP Any to IP Any where Protocol is Any”
  • Uninstall/reinstall Comodo
  • Set Firewall Behavior Settings to “Disable” (this actually does allow RDP to connect, which leads me to believe there is some rule somewhere blocking the connection attempt)

Any ideas? Thanks.

From what I can see, CIS should not be blocking those ports.
Have you tried a reboot?

Is this a new install of CIS?
I have seen something similar once on my system with an install, and it was fixed with an uninstall/reinstall.
Latest version of CIS is 3.11.108364.552

I’ve tried rebooting after changing the firewall rules and uninstall/reinstall (which requires a reboot anyways).

Are there any other applications or other Comodo-related services (antivirus, Defense+, etc.) that could be blocking things? Are there perhaps other executables or processes that are related to RDP that must also be allowed through? Currently, the applications I have in my Network Security Policy and their corresponding policy are (in the order they appear):

  • System - Trusted Application
  • svchost.exe - Custom (see rules above)
  • Comodo Internet Security - Outgoing Only
  • Windows Updater Applications - Outgoing Only
  • wgatray.exe - Outgoing Only

Right now, I pretty much have a clean install of Comodo with just the rules mentioned above. The firewall is in “Safe” mode, but I’ve also tried “Training” to no avail. With firewall alerting set to “very high”, I still don’t get any detailed alerting or logging other than the one-liners mentioned above. The AV is in “stateful” mode with recent definitions, and Defense+ is in “Clean PC” mode. The machine itself is also pretty close to a clean install of WinXP (OS from CD followed by Windows Updates).

Remote Desktop Protocol: this is what you are referring to by RDP, I hope.

From Microsoft - Frequently Asked Questions About Remote Desktop
I don’t see anything about the ports you are recording as blocked.

Q. What port does Remote Desktop use? Does everything go over port 3389?
A. Port 3389 is the only port you need to open. Windows will attempt to stream sound through User Datagram Protocol (UDP) first. If no port is available for UDP, sound will stream through a virtual channel in Remote Desktop Protocol, which uses port 3389.

Can you export your logs and send them to me by PM?

I will ask the other mods to look at your posts and see if they have any ideas.

Maybe if it is not solved soon I will set up a test network with VMs and see if I can duplicate your problem. If not, possibly one of the other mods or users can; I know some have live test networks.

X

You can also download a config reporting script from
Comodo Firewall Pro/CIS Configuration Reporting Script [Latest Version is 0.723]
Not exactly sure how well it works with 3.11, but it should. Save the results as a text file and PM them if you would like. There might be private info you would rather not post, so I suggest you do not publicly post logs or config.

Can you try to see if it works if you put the Firewall Security Level to disabled?

Can you use the “View Active Connections” and see if it’s listening for traffic on 3389?

It works fine if the firewall security level is set to disabled (and with Comodo uninstalled as well). The active connections in Comodo does show svchost listening on 3389 (confirmed by netstat as well).

And yes, by RDP, I was referring to Remote Desktop Protocol. I was pretty sure it only needed TCP 3389. I’ve been able to get it working through on other hardware (port forwarding on NAT boxes) and software firewalls (iptables, ipfw, etc), as well as other installations of Comodo on different machines. This is the first time I’ve actually run into this problem though, which is why I am stumped.

Usually I have Defense+ de-activated (and I’ve tried that as well this time to no avail), so I was wondering if svchost or whatever it calls to spawn the RDP session might be getting blocked. That’s why I was asking about other processes or apps that may be related.

Is there something in Comodo that will tell you what rule/policy generated each log event? If not, perhaps it would be a useful feature request, as it would point out where exactly the packet is being blocked.

Providing you are allowing TCP inbound to 3389 in Global rules, you should be ok. However, there is one thing to try:

Open Firewall/Advanced/Attack Detection Settings/Miscellaneous/

Untick ‘Block Fragmented IP Datagrams’

Try to connect again.

Good suggestion, Quill.

I reviewed your config and log. All looks good except:
Date/Time, Application, Action, Source IP, Source Port, Destination IP, Destination Port, Protocol,
9/8/2009 10:52:59 AM, C:\WINDOWS\system32\svchost.exe, Blocked, 192.168.100.12, 39330, 192.168.100.10, 3389, TCP
9/8/2009 10:53:02 AM, C:\WINDOWS\system32\svchost.exe Blocked, 192.168.100.12, 39330, 192.168.100.10, 3389, TCP
9/8/2009 10:53:07 AM, C:\WINDOWS\system32\svchost.exe, Blocked, 192.168.100.12, 39331, 192.168.100.10, 3389, TCP

This should be allowed with the rules you have in the internet security config.
Is this what you use as the active config???

The config log says you have four configs, which is what I would expect, but it shows details for only
Configuration ID: 0 Name: COMODO - Internet Security

I did find one time when my problem was my config; I don’t know why. Just changing configs fixed it. I’d have to go back and review all my posts to find out exactly what had happened, but I remember my rules were not working correctly and changing configs fixed it. Try this below.

If that does not work, try this: export any one of your configurations other than your current active one (misc > Manage my configurations > Export). Name it test.cfg, but you can name it anything with any extension, or none if you like. Remember what you call it and where it is saved.

Reimport the config and, when asked to name it, call it test.

Delete all the rules: Global, Network and D+ rules.

Example
Firewall to “training mode”
D+ settings to “training mode”
Check your Monitor Settings just to know what they are. You can play with them later if you like; they should not affect it, but it’s good to know what you’ve got.

This will be almost like a clean install.

Have you been importing configs when you do major upgrades?

If that fails, uninstall with something like Revo Uninstaller
and upgrade to the latest version of 3.11. You can export your current config from 3.10, but get it working and export your working 3.11 config before you import your old 3.10 config.

Deleting the configs and re-creating them seems to have fixed the problem. I did as you suggested for the application and global rules and simply disabled the AV and D+ components to rule them out entirely. I deleted and re-created the following:

  • Port Sets
  • Network Zones
  • Predefined Firewall Policies
  • Global Rules
  • Application Rules

Now, it works… It’s a bit strange, since uninstalling and re-installing should have effectively started me off with a clean slate, but at least it’s working now. I suppose it could also have been a bug with the particular version I’m running that’s since been fixed.

My thanks to everyone for your help.

In the past when you deleted and reinstalled did you import your old configs?

If not, it must have been leaving a bit in the registry, or by some fluke Windows or CIS would recreate the corrupt configs.

thanks X

On this particular machine, this was a new install. I created all the rules manually. During my uninstall and re-install attempts, I did not export/import the configs. They were done manually. I did not, however, check the registry to see if running the uninstall had cleared out all Comodo-related items. When Comodo re-installed, though, it did start me off with a blank set of rules, so I assume it cleared out the old configs. ???

Thanks

As you said, it is strange that reinstall did not fix it.
Oh well, I will try to remember that trick. It has worked twice now that I know of, once for me and once for you.

X
