Windows Firewall Problems
When reading the Knowledge Base articles, be aware that Internet Connection Firewall (ICF) refers to the firewall in XP prior to Service Pack 2. In Service Pack 2 the firewall was renamed to Windows Firewall.

This article describes the Windows Firewall feature in Microsoft Windows XP Service Pack 2 (SP2). Windows Firewall is the updated software firewall in Windows XP SP2 that replaces the Internet Connection Firewall (ICF) feature.

Microsoft Windows XP Service Pack 2 (SP2) introduces a new firewall that helps make your system less vulnerable to attack by malicious users or by malicious software, such as virus software. We recommend that you always run with a firewall. Without a firewall, you may be more prone to security issues. We do not recommend that you turn off Windows Firewall, but an option exists to do this. This article describes how to disable the Windows Firewall. If you turn off Windows Firewall, take appropriate additional steps to help protect your system. We recommend that you turn off Windows Firewall only when you really have to and only after you have explored all options to make your system more secure.

Despite the word 'settings' being the only difference between the names of the next two articles, they are not the same document.

Microsoft Windows XP Service Pack 2 (SP2) includes Microsoft Windows Firewall, the updated firewall software that replaces Internet Connection Firewall (ICF). If Microsoft Windows Firewall is blocking a port that is used by a service or by a program, you can configure the Windows Firewall to create an exception. Windows Firewall may be blocking a program or a service if the following conditions are true: Programs do not respond to a client's request. Client programs do not receive data from the server.

Troubleshooting Windows Firewall in Microsoft Windows XP Service Pack 2
The Windows Firewall feature of Microsoft® Windows® XP Service Pack 2 (SP2), a replacement for the Internet Connection Firewall (ICF) in previous versions of Windows XP, is a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighbouring network devices on a private network. This article describes how Windows Firewall works, the common problems with using Windows Firewall, and the set of tools used to troubleshoot Windows Firewall issues. This article is intended for network administrators and advanced users who are familiar with Windows XP and Transmission Control Protocol/Internet Protocol (TCP/IP).

You are using a Microsoft Windows XP Service Pack 2 (SP2)-based computer that has more than one network adapter. On this computer, Windows Firewall may drop Internet Control Message Protocol (ICMP) packets when ICMP is enabled in the firewall configuration. In this scenario, Windows Firewall drops the ICMP reply message. Additionally, information that is similar to the following appears in the firewall log:
DateTime DROP ICMP 169.168.25.1 10.10.1.1 - - 60 - - - - 0 0 - SEND

When you use a Netmeeting client to connect to a remote Netmeeting client on a Windows XP-based computer that is running Internet Connection Firewall (ICF), the connection may seem slow and it does not appear to disconnect when the Netmeeting client disconnects.

The Windows Firewall feature in Microsoft Windows XP Service Pack 2 (SP2) accepts a three-second unicast response from any source address. This response is not subject to any filtering.

If you configure your computer that is running Microsoft Windows XP Professional Service Pack 2 (SP2) as the endpoint of a Tunnel mode Internet Protocol security (IPSec) connection, packets are dropped. This symptom occurs if you turn on the Windows Firewall feature. Additionally, packets are dropped even though you have configured the Windows Firewall feature to allow ICMP packets.

When you install the Media Center Extender for Microsoft Windows XP Media Center Edition 2005, and then you configure a firewall on your system, the Extender may not work.

This article describes how Windows Firewall affects the Microsoft Windows UPnP framework in Microsoft Windows XP Service Pack 2 (SP2). This article also describes the changes that have been made in Windows XP SP2 to minimize these effects.

You cannot ping a computer that is running Microsoft Windows XP Service Pack 2 (SP2), Microsoft Windows XP Professional x64 Edition, Microsoft Windows Server 2003 Service Pack 1 (SP1), or an x64-based version of Microsoft Windows Server 2003. If you view the Windows Firewall service in the Services snap-in, the Windows Firewall/Internet Connection Sharing service has not started. This symptom occurs even if the startup type is set to automatic. If the Windows Firewall service cannot start, all incoming connections are refused until the Windows Firewall service starts successfully. Additionally, the status of the Network Connections service and the COM+ Event System service may be in a pending state.

After you install Microsoft Windows XP Service Pack 2 (SP2), you cannot start the Windows Firewall service. You may experience one or more of the following symptoms: When you click Windows Firewall in Control Panel, you may receive the following error message: Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the Windows Firewall/Internet Connection Sharing (ICS) service? If you click Yes, you receive the following error message: Windows cannot start the Windows Firewall/Internet Connection Sharing (ICS) service. If you try to manually start the Windows Firewall service by using Services, you may receive the following error message: Could not start the Windows Firewall/Internet Connection Sharing (ICS) service on Local Computer. Error 0x80004015: The class is configured to run as a security id different from the caller. The following events may appear in the system event log:
Event ID: 7036 Event Source: Service Control Manager Event Type: Information Event Category: None Description: The Windows Firewall/Internet Connection Sharing (ICS) service entered the stopped state.
Event ID: 7023 Source: Service Control Manager Type: Error Description: The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: The class is configured to run as a security id different from the caller

Describes some programs that require you to manually open ports so that the programs can work correctly.

When an expert attempts to connect to a novice's computer, the expert may receive the following error message: A Remote Assistance connection could not be established.

When you start or shut down your Windows XP-based computer, the Internet Connection Firewall (ICF) does not filter or provide firewall services. During the startup or shutdown process, users can connect to your computer or to any program or service that may be available. Note that other than these two times, ICF works correctly.

Explains how to turn on or turn off the firewall feature in Windows XP.

Explains that turning on a firewall may keep you from searching or sharing files with other computers on a home network.

Describes an issue where the default configuration of the Windows Firewall program in Windows XP SP2 blocks incoming traffic on port 445.

Describes how to manually open ports in Internet Connection Firewall (ICF) in Windows XP to make sure that the programs work correctly when ICF is in use on the local computer or on the gateway computer.

If you create an exception by modifying the registry on a computer that is running Microsoft Windows XP Service Pack 2 (SP2) or Microsoft Windows Server 2003 Service Pack 1 (SP1), the exception may not show up in the Windows Firewall graphical user interface.

Consider the following scenario. The following conditions are true:

On a computer that is running Microsoft Windows XP Service Pack 2 (SP2) and America Online (AOL) software, you may not be able to perform either of the following tasks:

After you install Microsoft Windows XP Service Pack 2 (SP2) on a client computer, you may experience the following symptoms when you log on to the network:

On a Microsoft Windows XP Professional Service Pack 2 (SP2)-based computer, you use Group Policy to configure Windows Firewall settings. You use the Windows Firewall component that is available in the system administrative template to define firewall program exceptions. However, firewall program exceptions that are more than 260 characters cannot be configured by using Group Policy. Note: You can define firewall program exceptions that are more than 260 characters by using the Windows Firewall program interface.

With Microsoft Windows XP Service Pack 2 (SP2), the Windows Firewall has been updated so that you can enable it on network bridge connections. This article describes how to enable, disable, and configure the Windows Firewall on network bridge connections.

This article describes how to play Windows-based Internet games through a network firewall or proxy server. These games include Internet Backgammon, Internet Checkers, Internet Hearts, Internet Reversi, and Internet Spades.

After you install Microsoft Windows XP Service Pack 2 (SP2), you cannot start the Windows Firewall service. Specifically, you experience one or more of the following symptoms:

This article describes the firewall ports that you must open for an Xbox 360 console to work correctly with a computer that is running Microsoft Windows XP Media Center Edition.

After you install Windows XP Service Pack 2 (SP2), some programs may seem not to work. By default, Windows Firewall is enabled and blocks unsolicited connections to your computer. This article discusses how to make an exception and enable a program to run by adding it to the list of exceptions. This procedure enables the program to work as it did before the service pack was installed.

You cannot turn on or turn off the Windows Firewall setting on a Microsoft Windows XP Service Pack 2 (SP2)-based computer.

If you turn on Windows Firewall and then select Allow this computer to use a network scanner in the Scanner and Camera window in Control Panel, you cannot use the Scanner and Camera Wizard to access a network scanner.

After you add exceptions to Windows Firewall by using Remote Assistance while you are logged in to Microsoft Windows Messenger or Microsoft MSN Messenger, you notice that the exceptions have not taken effect.

When you try to save a file in a Microsoft Office 2007 or Microsoft Office 2003 program to an FTP server, you receive the following Microsoft Windows Security Alert:
Windows Security Alert
To help protect your computer, the Windows Firewall has blocked some features of this program. Do you want to keep blocking this program?
Name: program name
Publisher: publisher name
Windows Firewall has blocked this program from accepting connections from the Internet or network. If you recognize the program or trust the publisher, you can unblock it.

When you use a multiple-homed Windows XP-based computer with the Personal Firewall feature enabled, remote users may not be able to connect to the computer in response to a Remote Assistance request. Also, if you are using a Windows XP-based computer with one network adapter and a modem with the Personal Firewall feature enabled, Remote Assistance does not open the firewall port on the modem connection.

When you use the Windows XP Help and Support "Offer Remote Assistance" feature to offer assistance to a novice using a computer running Windows XP Service Pack 2, the Remote Assistance connection cannot be created.

Microsoft Windows XP Service Pack 2 (SP2) includes Windows Firewall. Windows Firewall is an enhanced version of Internet Connection Firewall (ICF). By default, Windows Firewall is enabled on computers that are running Windows XP Service Pack 2. Windows Firewall will block some network connections that use TCP/IP, that use Named Pipes, or that use Multiprotocol Remote Procedure Call (RPC). This blocking can affect Microsoft Data Engine (MSDE), Microsoft SQL Server 2000, and Microsoft SQL Server 2005. If you have an application that requires SQL Server or MSDE to have access to the network by using Named Pipes, by using TCP/IP, or by using RPC, you can use the scripts that are provided in the "More Information" section to open the required ports programmatically instead of using Windows Firewall. Two scripts are included in this article. The first script programmatically configures Windows Firewall to allow SQL Server to listen on the network on all protocols. The second script programmatically configures Windows Firewall to allow SQL Server to listen on TCP/IP only.

When you try to start Windows Messenger after you install Microsoft Windows XP Service Pack 2 (SP2), Windows Messenger does not start, and you receive the following warning message:
Security Alert
To help protect your computer, Windows Firewall has blocked this program from receiving unsolicited information from the Internet or a network.
Name: Windows Messenger
Publisher: Microsoft Corporation

When you disable the Windows Firewall service on your Microsoft Windows XP Service Pack 2 (SP2)-based computer, the Computer Browser service stops after five minutes and the following event is logged in the Event Viewer System log:
Event Type: Error Event Source: Service Control Manager Event Category: None Event ID: 7023 Date: <Date> Time: <Time> User: N/A Computer: <Computer Name> Description: The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.

Consider this scenario: You send a Remote Assistance invitation to a Windows XP-based Internet Connection Sharing host computer from a Windows XP-based Internet Connection Sharing client computer. The client computer has the Internet Connection Firewall (ICF) feature enabled. You receive an error message that is similar to the following: Remote Assistance failed. Please try again.

When you host a Web site on a computer that is running Microsoft Internet Information Services (IIS) version 5.1, and you apply Microsoft Windows XP Professional Service Pack 2 to the computer, you may receive the following error message when you access the site: The page cannot be displayed. Can't find server or DNS error. If you use the local browser, you can display the page.

When you run the ipconfig /renew command at a command prompt, you may receive the following error message: An error occurred while renewing interface local area connection: The system cannot find the file specified.

This article describes how to determine if SQL Server is using a static or a dynamic port, and how to manually enable TCP/IP on Microsoft Windows XP Service Pack 2 for Microsoft SQL Server 2000. By default, Windows Firewall is enabled on computers that are running Windows XP Service Pack 2. Windows Firewall closes ports such as 445 that are used for file and printer sharing to prevent Internet computers from connecting to file and print shares on your computer or to other resources. When SQL Server is configured to listen for incoming client connections by using named pipes over a NetBIOS session, SQL Server communicates over TCP ports and these ports must be open. SQL Server clients that are trying to connect to SQL Server will not be able to connect until SQL Server is set as an exception in Windows Firewall. To configure Windows Firewall in Windows XP Service Pack 2 to allow SQL Server 2000 to listen for TCP/IP traffic on a static port, use the steps that are listed in the "More Information" section.

If your Microsoft Windows XP-based computer is running Routing Information Protocol (RIP) Listener, RIP Listener may not update the route table with new route information. This issue may occur if a firewall is preventing RIP Listener from receiving route information that is sent by routers that are using RIP version 1. When you install Windows XP Service Pack 2 (SP2), Windows Firewall is turned on. If your computer has Windows Firewall or another firewall turned on, incoming UDP port 520 may be blocked.

After you install Microsoft Windows XP Service Pack 2 (SP2), you no longer receive Print status notification messages when you print to a network printer. This problem occurs even though all the following conditions are true:

On a client computer that is running Microsoft Windows XP with Service Pack 2 (SP2), Windows Firewall may drop the connection request when the host computer tries to connect to the client computer. This problem occurs if the following conditions are true:

After you install Windows XP Service Pack 2 (SP2), you cannot start the Windows Firewall service. You may experience one or more of the following symptoms: When you click Windows Firewall in Control Panel, you may receive the following error message: Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the Windows Firewall/Internet Connection Sharing (ICS) service? If you click Yes, you receive the following error message: Windows cannot start the Windows Firewall/Internet Connection Sharing (ICS) service. If you try to manually start the Windows Firewall service by using Services, you may receive the following error message: Could not start the Windows Firewall/Internet Connection Sharing (ICS) service on Local Computer. Error 0x80004015: The class is configured to run as a security id different from the caller