re-push (update changed policy) to clients fails.

Hi.

FSPMC 11.x on Windows 2012 R2 domain with mix of Win7X/Win8X clients.

When originally set up, first push of policy to clients was successful - no issues. Policy has been changed and needs to be re-pushed to clients (update clients with new policy) but fails with error 53. It turns out the F-Secure firewall on the clients is blocking the push. This is proven by turning off the F-Secure firewall on the clients, then pushing out the policy which is then successful. Can anyone tell me what I need to open on the F-Secure firewall (modify the firewall policy settings) in order to have push be successful without having to turn the F-Secure firewall off.

Thanks!

Chris.

Find more posts tagged with

Comments

Mercury

Hello Roberto.

Sorry for my delayed response - had a couple of weeks off!

OK, so Windows firewall is turned off when F-Secure is on - I checked this.

Machines can communicate to PMS (http://<server_name>:79) and I get the F-Secure message.

Some machines fail the policy update still and I think I know why: I inherited the system and F-Secure is new to me. All new PC's have had the policy server URL entered during the initial push that I did to them, so know where to check for policy updates - and they all show they have the latest policy on the Summary tab in the console so policy updates must be working for them.

Machines that were set up by previous IT did not have the correct URL for PMS and also it was not set at all on the Cetralized Management tab, hence there was no way for them to get policy updates. The only way I can see forward is to go to each failed machine, turn off the F-Secure firewall and then push a new install with the correct PMS URL set. This way, they should then be able to correctly poll the PMS for subsequent updates.

I will mark yours as the answer since you put me in the right direction. Thanks Roberto!

KR, Chris.

Chu

Hi,

Sorry about the wrong answer, I undertood you want push install.

To verify your distribute policy issue, my suggestion is:

1. Check if your Policy Manager is configured to disable Windows firewall

2. Verify in the machines if they can communicate with Policy Manager without any problem (just go to the machine and open the browser. In the browser put http://<IP of the Policy Manager>:<Port configured to comunication Host-PMS>

The browser must show F-Secure message!

3. Check the alerts, if dont have any alert

4. Cancel any policy distribute (because if you change the policy and another administrator change in the same tima, the Policy Manager dont know what Policy to use, and because of this, the Policy Manager cant distribute correctly the policy). To do this action, go to Files -> Discard policy change. So AFTER discarted the policy, you can create a new policy and distribute him (Ctrl+D)

5. Check the Policy Manager (Firewall module) if dont have a rule blocking the port where is used to communicate between host and Policy Manager.

Ah! Almost forget:

Its important you check your proxy (if you uusing a proxy cache). This can block correct communication between Host and Policy Manager (Proxy Cache usually intercept communication to PolicyManager).

Att,

Roberto Chu

Vad

Hello Mercury,

Using "Distribute Policies" button is a correct way to provide changed policies to clients.

For this scenario you don't need to tune F-Secure firewall.

Polling intervals can be configured on "Centralized management" tab in Policy Manager Console, Anti-Virus mode.

Best regards,

Vad

Chu

Hi,

You need:

Rights to install in the machine (administrator rights);
Service of Remote registry activated in the machine;
Try access $admin to check access
Verify the ports open in firewall:
RPC (TCP 135)
NwtBIOS (137-139)
SMB (TCP 445)

Att,

Roberto Chu

Mercury

....Maybe I don't need to re-push; found on advanced view, a "Distribute Policies" button. Clients will "collect" policies on ther next poll interval (when ever that is - how do I find out?).

Thanks!

Chris.