Win XP Clients Hang During Login for "Roaming Profile" Users

Howdy, new to COMODO and dumping ZA (Hate the nags). At home I have recently switched from a Workgroup type setup to a true Server (Intranet Domain) environment for me, my wife and 8 kids. During the process (web research) I came upon COMODO. I started from scratch with fresh copies of XP on each client so there are no old ZA files on anything in my network. I am still learning, but with home networks becoming more prevalent I figured others will run into this same problem eventually.

System hangs at login screen when a user of “Roaming Profiles” with “Redirected Folders” attempts to log in.

The symptoms are the same whether the user has an established “Roaming Profile” on the server or is establishing one for the first time at initial login.

For example, I’ve tried this on several clients; during the login for a new “Roaming Profile” each client appears to be trying to process something because I see the login animation still moving, but that’s it. 5 minutes into this, the login window disappears and I am left with just a blank blue Windows screen (not BSOD). I’ve waited up to 20 more minutes just to see what may happen, but nothing.

I then have to force a powered re-boot. I’ll go in as local admin, and find that no aspect of the new profile has been started. I then change CPF to “Allow All” and attempt the new user login again which then gets set up just fine on any client. All aspects of each users’ profile functions flawlessly thereafter on every client machine. But any time the firewall is set back to “Custom” again, users are no longer able to login. When testing the same CPF settings logged in using a local profile as “admin” or “user” on any client, COMODO works fine (Internet/Server access good). It just won’t allow network “Roaming Profiles” to login or become established.

I’m certain it’s my lack of knowledge configuring the firewall to allow the necessary communications/packets needed between my local server and each client for “Roaming Profiles".

So I ask that someone please provide a step-by-step guide for this particular setup when networking using “Roaming Profiles” with “Redirected Folders”. No, I have not extensively tested different COMODO settings as I don’t want to ■■■■■ anything up. Yes, I have read many other posts on configuring filter rules, but have not found any topics specifically regarding servers using “Roaming Profiles” in a local server/networked environment. Any help is appreciated.

My network details…

Server: Win 2000 Server SP4 (Latest Security Updates)
Using Active Directory configured as the only Domain Controller, DNS and DHCP.

Clients: Win XP Pro SP2 (Latest Security Updates)

COMODO Firewall version running on each XP client.

COMODO is configured at each client to the “Set it and leave it” instructions from this forum. COMODO is not installed on the server.

Anti-Virus: Norton AV Corp (All clients managed/pushed from server).

Each XP user profile is set from the server to use server stored “Roaming Profiles” with “Redirected Folders”. I currently have a very simple security setup on the network shares and will tighten it up later after I get COMODO figured out…

Each user’s roaming profile points to a network share as:


The root share on the server for roaming profile permissions are:
“Everyone” (Full), “System” (Full), and “Administrator” (Full).
NTFS Security on the share is the same.

Each user’s redirected folders are on a network share as:

\server\data$%username%\Application Data
\server\data$%username%\My Documents
\server\data$%username%\Start Menu

The root share on the server for redirected folders permissions are:
“Everyone” (Full), “System” (Full), and “Administrator” (Full).
NTFS Security on the share is the same.


Primary Router: Vonage (Motorola) wired Router w/Basic default config. Acts as Internet Gateway for all clients and internal network traffic. Internet access for each client is not controlled by the server other than passing on Internet DNS queries to the WAN through this router.

Secondary Internal Router: Linksys Wireless Router-Basic default config. Used only for wireless connections on 2 laptop clients within the network.

3 Trendnet switches extends the wired network throughout our home to all other clients.

WAN:COX Broadband Modem (12MB Service).

All routers, servers, clients and NICs are properly configured within the same subnet running at 100Mbps. Routers and Servers configured with static IPs. All clients configured for DHCP IPs assigned through AD from the server.

I have 2 other boxes in this network running WinXP Pro, but they are not used as clients but rather as a stand-alone print server and a file server. I do not think they have anything to do with this problem and function fine with CPF.

Note: I have set new user profiles to be created from a pre-configured default profile located on the server from the standard SYSVOL…/scripts/Default User. Profiles are set through GPO to be deleted from the client each time a user logs off. None of the accounts/profiles are ever established/created on the local machines, they all come from the server. I want them all to remain purely roaming because I never know which of my kids will need to be on which computer at any given time.

And finally… Go easy on me. No, I am not a Sys Admin. I learned all this from the Internet and fix/build PCs as a hobby.

Again, any help is greatly appreciated.

Have you tried logging in to the computer as Domain Admin first to see if it is a permissions based problem or not?

If you can’t get in as Domain Admin then it could be that the firewall doesn’t like the hidden shares possibly. You might try writing a rule using the share path under Host to point it to the exact share where it needs to start looking.

Just some suggestions to try.


Final Answer!!!

Thanks for the input Jasper. It appears to not be a permissions or hidden share problem at all.

The answer was actually one check box:

Click “Security” then click “Advanced”. Within “Advanced Attack Detection and Prevention” click the “Configure” button. Select the “Miscellaneous” Tab and un-check “Do protocol analysis”.

All “Roaming Profile” users can now login with CPF on, and appear to function normally.

The description of this function when enabled is:

“Analyzes all incoming and outgoing packets to verify that they have the correct parameters according to the specific protocol’s standards and stop them if found suspicious.”

The question now is, how detrimental is it to over-all security by un-checking this on all the clients? I really have no choice if I want my network (which is completely “Roaming Profile” based) to work. Can someone please elaborate?

Unchecking that box takes away the firewalls ability to find any bad packets. It would turn the firewall into a basic packet filter which will make you much more dependent on other security software on the pc’s to keep you protected.


Well, I don’t see an alternative. I really want to stick with COMODO and this seems to be the only solution to get it to work with my type of network. I can only hope that the Devs pick up on this post and find a better solution for users with “Roaming Profiles”. Again, thanks for your help.

You might try setting up CFP3 beta on one of the pcs to see if it will let the profiles load correctly. That way when it is out of beta you could switch over to it.

Have a good one.


Do not worry about this. “Do protocol analysis” give a lot of problems with remote desktop login, wifi, gprs, umts connections and with filesharing apps. It is ok if you disable it, especially when you are behind a router. :wink:

OK. I am still in the process of fine tuning my new network. As soon as I reach a point where I feel the network is stable, I will test CFP3 beta on one of my clients to see if I can re-enable the “Do protocol analysis” checkbox. And conduct further testing.

Yes, my network is indeed behind a router with built in NAT and other firewall features so I feel comfortable leaving the “Do protocol analysis” disabled for now. In the mean time I’m quite pleased that I found a solution that allows me to continue using COMODO as I really like it, and this company’s philosophy along with the rapid forum responses to the problem. I hope this post will serve to help others with similar problems. Thanks guys/gals.