Known Issues for Managing Firewall Rules

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Review the following known issues before you manage Windows Firewall exceptions.

  • Do not use the My network (subnet) only scope setting unless you understand how it restricts an exception: the exception then admits traffic only from computers on the same subnet as the local computer, so hosts on other subnets (including management workstations behind a router) are blocked. For more information, see Configuring Scope Settings.

  • Verify that you are configuring exceptions in the correct profile. The domain profile and the standard profile keep separate exception lists, and only the profile that is currently active is enforced, so an exception added to the wrong profile has no effect.

  • You might have to enable Internet Control Message Protocol (ICMP) settings if you want to use the ping command. By default, Windows Firewall blocks incoming ICMP traffic, including the echo requests that ping sends, so the computer does not answer pings until you enable the Allow incoming echo request setting. For more information about enabling the ping command, see The Ping Command Times Out.

  • Windows Firewall does not display a Windows Security Alert dialog box (notification) when a system service attempts to listen for unsolicited incoming traffic. You must use the Security event log to identify system services that attempt to listen for unsolicited incoming traffic; Windows Firewall records these attempts as Windows Firewall audit events (for example, event ID 861), which are written only when auditing of policy change events is enabled.

  • If a computer is running Windows Server 2003 and the preconfigured Remote Desktop exception is enabled on a per-connection basis, the Remote Desktop exception will be enabled globally (for all connections) after you apply Service Pack 1 (SP1). If you had limited Remote Desktop to one connection, review the exception after you apply SP1.

  • You can use program exceptions to allow unsolicited incoming traffic through Windows Firewall only if the program uses Windows Sockets (Winsock) to create port assignments. If a program does not use Winsock to assign ports, a program exception does not open anything; you must determine which ports the program uses and add those ports to the exceptions list as port exceptions.

  • You cannot use the Custom list scope setting to specify Internet Protocol version 6 (IPv6) addresses; the custom list accepts IPv4 addresses, ranges, and subnets only. To change the scope of an exception that receives IPv6 traffic, you must use the Any computer (including those on the Internet) or My network (subnet) only setting.

  • When you upgrade from Windows 2000 Server to Windows Server 2003, two shared fax folders, Faxclient$ and Fxssrvcp$, are created. The presence of these shared folders causes Windows Firewall to enable the File and Printer Sharing exception and the Allow incoming echo request setting. If the server does not need to share fax folders, remove the shares and disable these exceptions after the upgrade.

  • Some remote administration tools require you to configure exceptions both on the server that is being managed and on the client that is used to manage the server. For more information, see article ID 840634 on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=45342), which describes why Windows Firewall might prevent you from remotely managing a computer and how to configure Windows Firewall to overcome this problem.

  • Some programs might stop working properly when you use Windows Firewall. For more information about the exceptions that popular programs require, see article ID 842242 on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=45343), which describes why some programs might not work properly with Windows Firewall and how to configure Windows Firewall to overcome the problem.

  • If you create an exception by modifying the registry, the exception might not show up in the Windows Firewall graphical user interface. In addition, the exception takes effect only after you stop and then start the Windows Firewall/Internet Connection Sharing (ICS) service (service name SharedAccess).

  • If you modify the registry to create an exception and do not provide a name for the exception, the exception might not show up in the Windows Firewall graphical user interface. To see all exceptions, including ones the graphical user interface does not display, use the netsh firewall show state verbose=enable command. For more information, see article ID 897663 on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=47734), which describes why an exception might not show up in the graphical user interface and how to configure the registry to overcome the problem.
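The following batch script is an added example, not part of the original page, that works through the known issues above from the command line using the netsh firewall context, netstat, and tasklist available on Windows Server 2003 SP1: enabling ping, finding out which service is actually listening (the firewall shows no notification for services), choosing a port exception instead of a program exception for a program that does not use Winsock, restricting scope without an IPv6 custom list, and confirming the result with the verbose state listing. The program path (C:\Program Files\Contoso\agent.exe), port 8530, and the addresses are placeholders. Run it in an elevated cmd.exe.

```batch
@echo off
rem Added example (not from the original page). Placeholders: agent.exe path,
rem port 8530, the management subnet and host address.

rem 1. Ping times out by default: allow inbound ICMP echo request (type 8).
netsh firewall set icmpsetting type=8 mode=enable

rem 2. No Security Alert is shown for services, so find the listener yourself:
rem    netstat -o prints the owning PID, tasklist /svc maps PIDs to service names.
netstat -ano -p tcp | findstr LISTENING
tasklist /svc

rem    Windows Firewall also writes "application listening for incoming traffic"
rem    events (ID 861) to the Security log when Policy Change auditing is on.
cscript //nologo %SystemRoot%\system32\eventquery.vbs /L Security /FI "ID eq 861"

rem 3a. Program exception: only effective if agent.exe assigns its ports via Winsock.
netsh firewall add allowedprogram program="C:\Program Files\Contoso\agent.exe" name="Contoso Agent" mode=enable scope=subnet

rem 3b. If it does not use Winsock (or it is a service), open the port it listens on
rem     instead; the port number comes from the netstat output in step 2.
netsh firewall add portopening protocol=TCP port=8530 name="Contoso Agent (TCP 8530)" mode=enable scope=subnet

rem 4. Custom scope: IPv4 addresses, ranges and subnets only. An IPv6 address in
rem    this list is rejected; for IPv6 traffic use scope=all or scope=subnet.
netsh firewall add portopening protocol=TCP port=3389 name="Remote Desktop (management hosts)" mode=enable scope=custom addresses=10.1.2.0/255.255.255.0,192.168.50.10

rem 5. Verify in the active profile. The verbose state listing shows every
rem    exception, including ones the Windows Firewall GUI does not display.
netsh firewall show state verbose=enable
netsh firewall show icmpsetting
```

Steps 3a and 3b are alternatives: add only the one that matches how the program binds its ports. Both use scope=subnet, which is the same restriction as My network (subnet) only in the GUI, so confirm that the hosts that must reach the service are on the local subnet before you rely on it.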
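The last two known issues concern exceptions written directly to the registry. The batch script below is an added example, not part of the original page or of article 897663, that creates a port exception under the SharedAccess firewall policy key, shows the malformed entry (no name) beside the correct one, restarts the service so the change is applied, and checks the result with netsh. The port 8530 and the exception name are placeholders; it targets the standard profile (replace StandardProfile with DomainProfile for the domain profile). Run it in an elevated cmd.exe.

```batch
@echo off
rem Added example (not from the original page). Port 8530 and the name are placeholders.

rem Port exceptions for the standard profile live under GloballyOpenPorts\List.
set KEY=HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List

rem Value name:  <port>:<protocol>
rem Value data:  <port>:<protocol>:<scope>:<Enabled|Disabled>:<name>
rem Scope is * (any computer), LocalSubNet, or a comma-separated IPv4 list.

rem Malformed entry: the trailing name is missing, so the GUI may not show it
rem (the known issue above). Shown commented out; do not create it this way.
rem reg add "%KEY%" /v 8530:TCP /t REG_SZ /d "8530:TCP:LocalSubNet:Enabled" /f

rem Correct entry: every field present, including the name.
reg add "%KEY%" /v 8530:TCP /t REG_SZ /d "8530:TCP:LocalSubNet:Enabled:Contoso Agent (TCP 8530)" /f

rem A registry-created exception is applied only after the Windows Firewall/
rem Internet Connection Sharing (ICS) service, SharedAccess, is stopped and started.
net stop SharedAccess
net start SharedAccess

rem Confirm from the firewall's own view rather than the GUI: the verbose
rem state listing includes exceptions the GUI does not display.
netsh firewall show state verbose=enable | findstr /I "8530"
netsh firewall show portopening
```

Prefer netsh firewall add portopening for routine changes; the registry route is useful for scripted deployments and for understanding entries that appear in netsh output but not in the GUI.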