Allowing Windows clients to communicate through Aerohive Firewall

  • 1
  • Question
  • Updated 3 years ago
  • (Edited)

I’m having trouble allowing Windows 7 clients to function normally while on WiFi. They currently have login delays, and mapped drives are not automatically getting reconnected. I can reconnect if I click on a drive and re-enter my credentials.

I’m setting up a new wireless network with AP121 and 141 access points. To allow Windows clients to work through the firewall I’ve been opening ports using the firewall policy in HiveManager.  Because RPC uses dynamic port allocation, I used the instructions in this article https://support.microsoft.com/en-us/kb/224196 to statically assign the ports as 49912 for NTDS and 59912 for Netlogon.  I’ve set up rules for other AD related ports such as 135, 389, 1025-1026, 53, and 445.

I can confirm 49912 is working with netstat.  Other Windows functions like group policies process correctly on the clients.  The problem seems to focus around NetLogon.  When trying to connect to a mapped drive, for example, there will be a message from Windows about detecting possible security problems thus forcing me to re-enter my domain credentials prior to me accessing the drive.  There is also a noticeable delay when logging into the machine initially.

I’d appreciate any advice one might have with supporting full Windows 7 clients through the basic HiveManager firewall.  Thanks!


Nathan Tefft

  • 3 Posts
  • 0 Reply Likes
  • Exhausted

Posted 3 years ago

  • 1

J. Goodnough, Champ

  • 266 Posts
  • 32 Reply Likes
Netlogon also uses UDP 137 and 138.

J. Goodnough, Champ

  • 266 Posts
  • 32 Reply Likes
What you also may find useful is enabling logging on your deny rule, and looking for any traffic from the endpoint back to the DCs that is getting blocked.

Nathan Tefft

  • 3 Posts
  • 0 Reply Likes
I'll look into enabling logging for clues. UDP 137 and 138 are used for NetBIOS, which I have disabled.

thewifigeek, Champ

  • 86 Posts
  • 12 Reply Likes
Hi Nathan,
Good suggestion from J. Goodnough. Can you also grab us your 'sh run' and advise which WiFi network you are connecting to?

I have had UDP 137-139 allowed in the past and had no issues with Win7 login scripts, etc.
(Edited)

Nathan Tefft

  • 3 Posts
  • 0 Reply Likes
Hello all. I discovered that the predefined LDAP service (389) was only for TCP; however, Windows requires 389 UDP as well. Adding a service and rule for that did the trick.
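The thread resolves two things a defender would want to automate: checking an allow-list of AD ports for the kind of gap found here (a service defined for TCP only when the client also needs UDP), and mining the deny-rule log that J. Goodnough suggested enabling for client-to-DC flows that are being dropped. The script below is an added example written for this page; it is not code from the thread, from Aerohive, or from HiveManager. The deny-log line format, the DC addresses, the client address and the log lines themselves are all constructed for the example, and the allow-rule set extends the ports named in the question with Kerberos (88) and NTP (123), which the question's "such as" list does not enumerate.

```python
"""Find AD-related client->DC traffic that a WiFi firewall policy would drop.

Added example for this thread. The log format, addresses and sample lines are
constructed; they are not Aerohive's real syslog format.
"""
import re
from collections import Counter

# Allow rules as configured in HiveManager. Ports 88 and 123 are assumed to be
# present as well (the question lists its rules with "such as").
# Note the predefined LDAP service covers TCP only: the thread's root cause.
ALLOW_RULES = {
    ("tcp", 53), ("udp", 53),          # DNS
    ("tcp", 88), ("udp", 88),          # Kerberos (assumed configured)
    ("udp", 123),                      # NTP (assumed configured)
    ("tcp", 135),                      # RPC endpoint mapper
    ("tcp", 389),                      # LDAP, TCP only
    ("tcp", 445),                      # SMB
    ("tcp", 1025), ("tcp", 1026),
    ("tcp", 49912),                    # static NTDS RPC port (KB224196)
    ("tcp", 59912),                    # static Netlogon RPC port (KB224196)
}

# What a domain-joined client needs to reach on a DC, with NetBIOS (137-139)
# left out because the poster has it disabled.
REQUIRED = {
    ("tcp", 53): "DNS", ("udp", 53): "DNS",
    ("tcp", 88): "Kerberos", ("udp", 88): "Kerberos",
    ("udp", 123): "NTP (Kerberos clock skew)",
    ("tcp", 135): "RPC endpoint mapper",
    ("tcp", 389): "LDAP", ("udp", 389): "CLDAP / LDAP ping (DC locator)",
    ("tcp", 445): "SMB",
    ("tcp", 49912): "NTDS static RPC", ("tcp", 59912): "Netlogon static RPC",
}

# Constructed addresses for the example.
DC_ADDRESSES = {"10.1.1.10", "10.1.1.11"}

# Constructed deny-log format: "deny src=A:p dst=B:q proto=tcp|udp".
LOG_RE = re.compile(
    r"deny src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>tcp|udp)"
)

# Constructed sample of what an enabled deny rule might log for one client.
SAMPLE_DENY_LOG = [
    "2016-03-01T08:02:11 ap121-lab firewall: deny src=10.1.20.55:51234 dst=10.1.1.10:389 proto=udp",
    "2016-03-01T08:02:12 ap121-lab firewall: deny src=10.1.20.55:51235 dst=10.1.1.10:389 proto=udp",
    "2016-03-01T08:02:14 ap121-lab firewall: deny src=10.1.20.55:51236 dst=10.1.1.11:389 proto=udp",
    "2016-03-01T08:02:20 ap121-lab firewall: deny src=10.1.20.55:51240 dst=8.8.8.8:53 proto=udp",
    "2016-03-01T08:03:01 ap121-lab firewall: deny src=10.1.20.55:51241 dst=10.1.1.10:5985 proto=tcp",
]


def missing_rules(required=REQUIRED, allowed=ALLOW_RULES):
    """Return the required (proto, port) pairs that have no allow rule."""
    return {key: name for key, name in required.items() if key not in allowed}


def parse_deny_log(lines, dc_addresses=DC_ADDRESSES):
    """Count denied flows to a DC, keyed by (proto, dst port)."""
    counts = Counter()
    for line in lines:
        match = LOG_RE.search(line)
        if match and match.group("dst") in dc_addresses:
            counts[(match.group("proto"), int(match.group("dport")))] += 1
    return counts


def explain_denies(counts, required=REQUIRED):
    """Pair each denied (proto, port) with the AD service it belongs to."""
    return [
        (proto, port, required.get((proto, port), "not in AD list"), n)
        for (proto, port), n in sorted(counts.items())
    ]


if __name__ == "__main__":
    for key, name in missing_rules().items():
        print(f"no allow rule for {key[0]}/{key[1]} ({name})")
    for proto, port, name, n in explain_denies(parse_deny_log(SAMPLE_DENY_LOG)):
        print(f"denied {n}x {proto}/{port}: {name}")
```

Run as-is, the policy check reports the single gap the thread ended on (UDP 389 for the DC locator's LDAP ping), and the log pass shows the same port being dropped three times on the way to the DCs while ignoring the denied flow to a non-DC address; the TCP 5985 entry is reported as outside the AD list so it can be judged separately rather than silently allowed.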