Reflex Magnetics - Security Software Experts, UK Data Security Software Since 1985
www.reflex-magnetics.co.uk

Reflex Disknet Pro and Windows XP Service Pack 2


Using Reflex Disknet Pro 4.x with Microsoft Windows XP Professional Service Pack 2

After Microsoft Windows XP Professional Service Pack 2 has been installed, the enhanced Windows Firewall is turned on by default.

This document outlines the configuration changes needed to ensure that Reflex Disknet Pro retains its full functionality after the installation of Microsoft Windows XP Professional Service Pack 2.

Reflex Magnetics Ltd
March 2005

1. Windows Firewall settings on a Reflex Disknet Pro client computer

1.1 Reflex Disknet Pro client-to-server communications

TCP port 9738 is the default port used by a Reflex Disknet Pro client computer when communicating with a remote Reflex Disknet Pro Server. Apart from some Internet Control Message Protocol (ICMP) messages, the Windows Firewall does not drop outgoing traffic, so any communication initiated by the local Reflex Disknet Pro client computer to the remote Reflex Disknet Pro Server will not be blocked.

Hence, all Reflex Disknet Pro client-to-server events will continue to occur without requiring any configuration of the Windows Firewall:
  1. the downloading of a user's Reflex Disknet Pro profile from the Reflex Disknet Pro Server when the user logs onto a Reflex Disknet Pro client computer;
  2. a forced Reflex Disknet Pro profile update by the logged-on user (using the Reflex Disknet Pro system tray);
  3. the synchronisation of the local Reflex Disknet Pro logfile with the Reflex Disknet Pro Server.

Note: if you chose to use a port number different from the default 9738 when installing the Reflex Disknet Pro Server, any traffic initiated by the local client computer to the Reflex Disknet Pro Server will still be unimpeded by the Windows Firewall's default settings.

1.2 Reflex Disknet Pro server-to-client communications

The default port used by the Reflex Disknet Pro Server when it initiates communication with a remote Reflex Disknet Pro client computer is UDP 9738.

A Reflex Disknet Pro Server initiates a connection with a remote Reflex Disknet Pro client computer when an Administrator attempts to use the Reflex Disknet Pro Management Console on the Reflex Disknet Pro Server to do the following:
  1. disable or enable a Reflex Disknet Pro service (e.g. PSG) on a remote Reflex Disknet Pro client computer;
  2. reload a user's Reflex Disknet Pro profile on a remote Reflex Disknet Pro client computer.
As the Reflex Disknet Pro client computer does not initiate the communications outlined above, the Windows Firewall's default setting on the client computer will be to block the incoming, unsolicited traffic from the Reflex Disknet Pro Server. Therefore, it is not possible to perform any remote administration of Reflex Disknet Pro from a Reflex Disknet Pro Server when the Windows Firewall on a Reflex Disknet Pro client computer is running with its default settings.

To rectify this, you will need to configure the Windows Firewall on the client computer to accept incoming traffic on UDP port 9738 (or for your custom port number if you chose not to use the default port when installing the Reflex Disknet Pro Server). For additional security, you should limit the Scope of the exemption to include only the IP addresses of your Reflex Disknet Pro Server(s). This can be done either manually on each Windows XP client computer with Service Pack 2 (see Appendix A) or centrally via group policies if the Windows XP client computers are members of a Windows 2000/2003 Active Directory domain (see Appendix B).

2. Windows Firewall settings on a Reflex Disknet Pro Server

2.1 Reflex Disknet Pro client-to-server communications

If you have installed the Reflex Disknet Pro Server on a computer running Microsoft Windows XP Pro Service Pack 2 which has the Windows Firewall active, then it will be necessary to create a Windows Firewall exemption to restore client-to-server communications.

Reflex Disknet Pro client computers communicate with the Reflex Disknet Pro Server on TCP port 9738. As noted in section 1.1, Reflex Disknet Pro client computers will initiate a connection to the Reflex Disknet Pro Server on this port to download a user's Reflex Disknet Pro profile or to upload the Reflex Disknet Pro client logfile. As this traffic is initiated by the remote Reflex Disknet Pro client computer, it will be blocked by default by the Windows Firewall on the Reflex Disknet Pro Server.

To restore the client-to-server communication, you will need to add a Windows Firewall exemption on the Reflex Disknet Pro Server for TCP port 9738 (or for your custom port number if you chose not to use the default port when installing the Reflex Disknet Pro Server). See Appendix A for details.

2.2 Reflex Disknet Pro server-to-client communications

As noted in section 1.1, the Windows Firewall does not affect outbound traffic initiated by the local computer. Hence, for the administration of remote Reflex Disknet Pro client computers, no Windows Firewall exemption is needed on the Reflex Disknet Pro Server, as all the remote administration connections (UDP 9738) are initiated locally by the Reflex Disknet Pro Server.

2.3 Reflex Disknet Pro remote management console communications

The Reflex Disknet Pro Management console can be used to connect to, and administer, remote Reflex Disknet Pro Servers. Like Reflex Disknet Pro client computers, the Reflex Disknet Pro Management console will initiate a connection to a remote Reflex Disknet Pro Server on TCP port 9738 (or for your custom port number if you chose not to use the default port when installing the Reflex Disknet Pro Server). Therefore, if you envisage the need to remotely administer your Reflex Disknet Pro Server using a Reflex Disknet Pro Management console on a remote computer, then you will need to ensure the Reflex Disknet Pro Server has a Windows Firewall exemption for TCP port 9738.

Note: if you chose to use a port number different from the default 9738 when installing the Reflex Disknet Pro Server, then the Reflex Disknet Pro Management console must be configured to use your custom port number. Likewise, the Windows Firewall exemption on the Reflex Disknet Pro Server must be configured with your custom port number.

2.4 Reflex Disknet Pro Server communications with a remote MySQL database

The Reflex Disknet Pro Server stores all user profiles and settings in a MySQL database. The MySQL database can be installed on the same computer as the Reflex Disknet Pro Server, or on a separate computer.

If installed on a separate computer, the Reflex Disknet Pro Server will initiate connections to the MySQL database computer on TCP port 3306. The MySQL database will never initiate connections to the Reflex Disknet Pro Server computer.

As such, if the MySQL database is installed on a separate computer running Windows XP Professional and the Windows Firewall is active on that computer, then the Windows Firewall on the MySQL database computer will, by default, block the incoming unsolicited connections from the remote Reflex Disknet Pro Server.

To restore access to the MySQL database, you will need to create a Windows Firewall exemption for TCP port 3306 on the MySQL database computer. For additional security, you should set the Scope to limit access to this port to only those IP addresses of your Reflex Disknet Pro Servers. See Appendix A for more details.

Note: if the MySQL database and the Reflex Disknet Pro Server are both installed on the same computer, no Windows Firewall exemptions are needed.

Appendix A

Summary of the Windows Firewall exemptions needed by computers running the various components of Reflex Disknet Pro:

Local computer                                  | Windows Firewall Exemption(s) | Notes
------------------------------------------------|-------------------------------|------------------------------------------------------------
Reflex Disknet Pro client computer              | UDP 9738                      | Allows a remote Administrator to dynamically control the Reflex Disknet Pro components on the local computer
Reflex Disknet Pro Server                       | TCP 9738                      | Allows remote Reflex Disknet Pro client computers to download Reflex Disknet Pro user profiles and to upload logfiles; also allows administrators to administer the Reflex Disknet Pro Server from a remote computer running the Reflex Disknet Pro MMC
MySQL database (when installed on a computer    | TCP 3306                      | Allows a remote Reflex Disknet Pro Server to connect to the MySQL database
separate from the Reflex Disknet Pro Server)    |                               |
Manually configuring the Windows Firewall on a Windows XP Professional computer

To manually configure the Windows Firewall settings on a Windows XP Professional computer to restore Reflex Disknet Pro communications:
  1. log onto the Windows XP computer with an account which has administrative rights;
  2. open Control Panel -> Windows Firewall to bring up the Windows Firewall settings;
  3. click on the Exceptions tab;
  4. click Add Port… From here you configure the Windows Firewall to accept incoming Reflex Disknet Pro traffic:
    1. Port number: 9738 (the Reflex Disknet Pro default port; if you configured your Reflex Disknet Pro Server(s) to use a different port number when you installed them, enter your chosen port number instead) or 3306 (the default port used by the Reflex Disknet Server service to connect to a remote MySQL database);
    2. Port type: UDP (used for server-to-client connections) or TCP (used for client-to-server connections; also for Reflex Disknet Pro Management consoles to connect to remote Reflex Disknet Pro Servers, and for Reflex Disknet Pro Servers to connect to remote MySQL database computers);
    3. Name: enter a descriptive name, e.g. Reflex Disknet Pro Server;
    4. Scope: this enables you to limit the IP addresses which are permitted to connect to the port. When configuring client computers, the Scope should be limited to the individual IP addresses of your Reflex Disknet Pro Server(s). When configuring Reflex Disknet Pro Server(s), the Scope should be limited to those subnets containing client computers;
  5. click OK until all the dialogue windows are closed.

For further information on manually configuring the Windows Firewall, read:
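The same exemptions can be applied from the command line with the netsh firewall context that ships with Windows XP SP2, which is useful when scripting the configuration across several computers that are not members of a domain. The following batch script is an added example (it is not Reflex Magnetics' own script) covering the three roles from the table above and sections 1.2, 2.1, 2.3 and 2.4; the server IP addresses and client subnets it contains are constructed placeholders that must be replaced with your own values, and the port is assumed to be the default 9738.

```batch
@echo off
REM Added example, not a Reflex Magnetics script: applies the Appendix A
REM Windows Firewall exemptions with netsh on Windows XP SP2.
REM Run as an administrator: disknet-fw.cmd client | server | mysql

set ROLE=%1
if "%ROLE%"=="" goto usage

REM Constructed placeholder values (assumptions, not taken from the document).
REM DISKNET_PORT: change if a custom port was chosen when installing the Server.
REM DISKNET_SERVERS: IP addresses of your Reflex Disknet Pro Server(s).
REM CLIENT_SUBNETS: subnets containing Reflex Disknet Pro client computers.
set DISKNET_PORT=9738
set DISKNET_SERVERS=192.0.2.10,192.0.2.11
set CLIENT_SUBNETS=192.0.2.0/255.255.255.0,198.51.100.0/255.255.255.0

if /i "%ROLE%"=="client" goto client
if /i "%ROLE%"=="server" goto server
if /i "%ROLE%"=="mysql" goto mysql
goto usage

:client
REM Section 1.2: accept the server-initiated UDP traffic used for remote
REM administration, with the scope limited to the Server IP addresses only.
netsh firewall add portopening protocol=UDP port=%DISKNET_PORT% name="Reflex Disknet Pro Server (UDP)" mode=ENABLE scope=CUSTOM addresses=%DISKNET_SERVERS% profile=ALL
goto verify

:server
REM Sections 2.1 and 2.3: accept client profile/logfile connections and
REM remote Management console connections on TCP, limited to client subnets.
netsh firewall add portopening protocol=TCP port=%DISKNET_PORT% name="Reflex Disknet Pro Server (TCP)" mode=ENABLE scope=CUSTOM addresses=%CLIENT_SUBNETS% profile=ALL
goto verify

:mysql
REM Section 2.4: on a separate MySQL computer, accept TCP 3306 only from
REM the Reflex Disknet Pro Server(s).
netsh firewall add portopening protocol=TCP port=3306 name="MySQL for Reflex Disknet Pro" mode=ENABLE scope=CUSTOM addresses=%DISKNET_SERVERS% profile=ALL
goto verify

:verify
REM Show the resulting exemptions and their scope so the change can be
REM checked before the administrative session is closed.
netsh firewall show portopening
netsh firewall show state verbose=ENABLE
goto :eof

:usage
echo Usage: %~nx0 client ^| server ^| mysql
exit /b 1
```

The scope=CUSTOM and addresses= arguments are what implement the "limit the Scope" advice in step 4 above; without them the port is opened to any source address. profile=ALL applies the exemption to both the Domain and Standard firewall profiles, so the setting still holds when a laptop is away from the domain network. The two show commands at the end give a quick way to confirm that only the intended ports and source addresses have been opened.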

Appendix B

Configuring the Windows Firewall via Group Policies
If your Windows XP client computers are centrally managed via group policies in a Windows 2000/2003 domain, you can configure the Windows Firewall settings via your domain group policy objects. Windows XP Service Pack 2 contains 609 additional Administrative Template policy settings, which include settings for managing the Windows Firewall.

To install the new Administrative Template policy settings to your group policy objects:
  1. log on to a Windows XP computer with Service Pack 2 installed;
  2. open the Group Policy Management Console and click the domain that contains the GPOs you want to upgrade;
  3. click the Group Policy Objects container. This contains all the GPOs in the domain;
  4. right-click the GPO you want to upgrade and select Edit. The GPO opens in the Group Policy Object Editor. This upgrades the GPO with the latest .adm files from your local Windows XP computer. These .adm files are then automatically replicated to domain controllers throughout your environment;
  5. open each GPO that you want to upgrade.
For further information about updating your group policy objects, download the detailed Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2 document from Microsoft:

NB. Once you have updated the GPOs, the following operating systems will need a hotfix in order for the group policy settings to appear correctly in their Group Policy Object Editor:
  1. Windows 2000
  2. Windows XP
  3. Windows XP with Service Pack 1
  4. Windows 2003
For further information, including how to obtain the hotfixes, read:

Once updated, open the relevant GPO within the Group Policy Management Console. To enable the incoming Reflex Disknet Pro Server traffic to be unblocked by the Windows Firewall, you will need to define a port exception:
  1. Navigate to: Computer Configuration -> Administrative Templates -> Network -> Network Connections -> Windows Firewall -> Domain Profile
  2. enable the group policy setting Windows Firewall: Define Port Exceptions*. On the Setting tab, scroll down and click the Show button. From here, you can define a port which the Windows Firewall will unblock;
  3. click Add… and enter the relevant information. The format is in the form of: port:protocol:scope:status:name
     For example: 9738:UDP:localsubnet:enabled:Reflex Disknet Pro Server
     If you have configured your Reflex Disknet Pro Server to use a different port number during its installation, then enter your chosen port number instead of the default 9738.
* This particular group policy setting can only be accessed from a client running Windows XP Professional SP2. As noted in :

"You can use Group Policy Object Editor version 5 in Windows XP SP2 to prevent the display of some settings and to separate the Windows XP SP2 version of Group Policy Object Editor from earlier versions. Therefore, any setting with a version of 5 or a later version will not be displayed when you view Group Policy settings from a client computer where Group Policy Object Editor cannot interpret this version. In particular, Windows 2000 clients cannot view settings with Group Policy Object Editor version 5 or a later version."

For more information about all the new group policy settings, you can download a document from Microsoft titled Group Policy Setting Reference for .adm files included with Windows XP Professional Service Pack 2.

© Reflex Magnetics 2002-2006. All rights reserved