Re: Remote Desktop access issues

From: Allison Henry <akhenry_at_berkeley.edu>
Date: Fri Feb 24 2006 - 16:39:26 PST

It shouldn't make a difference if there is a program rule and a general
rule -- Symantec Firewall goes through the rulesets (Zone, General,
Program, pRules) and applies the rule for the first match. But when
there is no logged in user, it skips the Program and pRules.

If you want to see where the traffic is being blocked or allowed, turn
on logging for your Remote Desktop rules and examine the logs. When
traffic is blocked because no user is logged in and Program rules aren't
being processed, you will see this in the logs.

-- 
Allison Henry
Communication and Network Services
University of California, Berkeley
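As an added illustration (not code from the thread or from Symantec), here is a small Python model of the first-match evaluation Allison describes: Zone, General, Program, pRules, with Program and pRules skipped when no user is logged in, and with logging that shows where a packet was decided. The rule and packet structures, the default-deny fallback and the log line format are assumptions made for the model.

```python
from dataclasses import dataclass
from typing import List, Optional

# Rule sets are consulted in this order; the first matching rule wins.
ORDER = ("Zone", "General", "Program", "pRules")
# Per the thread, these two sets are skipped while no user is logged in.
USER_SCOPED = {"Program", "pRules"}

@dataclass
class Rule:
    ruleset: str                   # one of ORDER
    action: str                    # "allow" or "block"
    port: Optional[int] = None     # packet-filter match (Zone/General)
    program: Optional[str] = None  # program match (Program/pRules)
    log: bool = False              # write a log line when matched

@dataclass
class Packet:
    dst_port: int
    program: Optional[str]         # process the connection is attributed to

def evaluate(rules: List[Rule], pkt: Packet, user_logged_in: bool, log: List[str]) -> str:
    """Walk the rule sets in ORDER and return the first matching action,
    appending lines to `log` that show where the packet was decided."""
    for ruleset in ORDER:
        if ruleset in USER_SCOPED and not user_logged_in:
            log.append(f"skip {ruleset}: no logged in user")
            continue
        for r in (r for r in rules if r.ruleset == ruleset):
            port_ok = r.port is None or r.port == pkt.dst_port
            prog_ok = r.program is None or r.program == pkt.program
            if port_ok and prog_ok:
                if r.log:
                    log.append(f"{ruleset}: {r.action} tcp/{pkt.dst_port} ({pkt.program})")
                return r.action
    log.append("no rule matched: default block")  # assumed default-deny
    return "block"

# Constructed scenarios from the thread: a Program rule for the Remote Desktop
# program (name as given in the thread) versus a General rule for TCP 3389.
RDP = Packet(dst_port=3389, program="mstsc.exe")
PROGRAM_ONLY = [Rule("Program", "allow", program="mstsc.exe", log=True)]
GENERAL_ONLY = [Rule("General", "allow", port=3389, log=True)]
BOTH = GENERAL_ONLY + PROGRAM_ONLY

def scenario(rules: List[Rule], user_logged_in: bool):
    """Return (action, log lines) for an inbound RDP connection attempt."""
    log: List[str] = []
    return evaluate(rules, RDP, user_logged_in, log), log
```

With only the Program rule the connection is blocked while nobody is logged in, and the log records that the Program set was skipped; a General rule for port 3389 allows it in both states.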
Steven Longenbohn wrote:
> So in this case, on one machine I have (but not available for testing),
> we have both the port set for 3389 in the general section
> and
> a program rule for mstsc.exe and inituser.exe
> 
> Are you saying that having both is bad and it should only be configured in
> the General Section?
> I did try that on my test computer, and we were not able to connect.
> We're adding the two program rules after lunch and will test again.
> 
> 
> 
> At 10:46 AM 2/24/2006, Allison Henry wrote:
> 
>> If you define a Program rule in Symantec Firewall, allowing access to
>> the Remote Desktop application, the rule will not apply when there is no
>> logged in user and the traffic will be denied. This caused us big
>> headaches with the Tivoli scheduler service until we figured it out. If
>> you define the rule under the General section, as a packet filter rule
>> allowing connections to port 3389, it will work when there is no logged
>> in user.
>>
>> -- 
>> Allison Henry
>> Communication and Network Services
>> University of California, Berkeley
>>
>> David Lee wrote:
>> > We are having the same problem and I have isolated it down to the
>> > firewall.  We use Symantec Security Client.  One of the built-in
>> > defaults, which I have not figured out how to modify, is when there is
>> > no logged-in user, everything is denied.  And I also need a way around
>> > this, as more and more of my users are remoting in.
>> >
>> > At 10:07 AM 2/24/2006, you wrote:
>> >
>> >> Hi Steve,
>> >>
>> >> What firewall software are you using?
>> >>
>> >> I am using SCS 3, and have not run into the problem you describe.
>> >>
>> >> To be clear, is this what you have set up right now?
>> >>
>> >> 1. Users are connecting to XP Pro desktops from remote locations.
>> >> 2. Users are either local admins or have been entered into the "allow
>> >> remote control" group
>> >> 3. Firewall is allowing either all IP addresses to connect to TCP 3389
>> >> OR
>> >> 3b. Firewall is only allowing the campus VPN address range to
>> >> connect to 3389
>> >>
>> >> Is that accurate so far?
>> >>
>> >> Sounds like there might be some service that is not starting on system
>> >> startup, but is starting after a user logs into that machine.
>> >>
>> >> ~R
>> >>
>> >>
>> >> On 2/24/06 10:01 AM, "Steven Longenbohn" <drsteve@berkeley.edu> wrote:
>> >>
>> >> > Greetings,
>> >> >
>> >> > in our department we have a large percentage of the staff who access
>> >> > their work computer from home using Remote Desktop in Windows XP Pro.
>> >> >
>> >> > The Windows Automatic Updates often require a reboot at 3am.
>> >> > After the reboot, remote desktop will not reconnect.
>> >> > The message is that the machine is not available or receptive for
>> >> > connections.
>> >> >
>> >> > Currently someone (at the office) has to go to the computer at work,
>> >> > logon, call the user at home, have them use Remote Desktop and bump
>> >> > off the person at work. Then they can logon and logoff and logon as
>> >> > many times as they want ... until the next windows update and
>> >> > reboot.  Then we start all over again.
>> >> >
>> >> > Please please please does anyone know if there is some adjustment
>> >> > that can be made to the computer settings that will make this problem
>> >> > go away and enable Remote Desktop to connect after a reboot without
>> >> > the need for a second staff person to logon to re-enable Remote
>> >> > Desktop????
>> >> >
>> >> > Thanks !
>> >> >
>> >> > ****************************************************************************************
>> >> > * Steve "DrSteve" Longenbohn               IS&T:  Administrative Systems Dept
>> >> > *
>> >> > *  CalNet Deputy                System Administrator
>> >> > *  CalAgenda Admin              PC Doctor & Troubleshooter
>> >> > *
>> >> > * Office: 510-643-9777     Cell:   510-812-0256
>> >> > * 2111 Bancroft Way, Room 409D (Banway Bldg)
>> >> > ****************************************************************************************
>> >> >
>> >> > ------------------------------------------------------------------------
>> >> > The following was automatically added to this message by the list server:
>> >> >
>> >> > For information about Micronet, including subscribing to
>> >> > or unsubscribing from its mailing list and finding out
>> >> > about upcoming meetings, please visit the Micronet Web site:
>> >> > <http://micronet.berkeley.edu/>.
>> >>
>> >> *******************************************************************
>> >> Robert Hiramoto
>> >> IT Manager
>> >> Institute of Industrial Relations
>> >> University of California, Berkeley
>> >> 2521 Channing Way
>> >> Berkeley, CA 94720-5555
>> >>
>> >>
>> >> Phone:  (510) 643-3903
>> >> Fax:  (510) 642-6432
>> >>
>> >>
>> >> Office Hours:
>> >> Monday - Friday:  8:00 am to 4:00 pm
>> >
>> > David D. Lee
>> > Computer Resource Specialist II
>> > Office of Undergraduate Admissions
>> > ouarshlp@uclink4.berkeley.edu
>> > 2-6417
>> >
>>
> 
Received on Fri Feb 24 16:42:49 2006

This archive was generated by hypermail 2.1.8 : Fri Feb 24 2006 - 16:42:50 PST