How Do I Turn Off Windows Defender Firewall after I deploy SEP 11.05

Created: 19 Apr 2010 | 18 comments

So I deployed SEP 11.05 in my network and everything seemed to go fine.  I activated the complete SEP package on all my Windows 7 clients (Anti Virus and Firewall).  After having this running for a month, I noticed that I would intermittently have problems with the client computers communicating with my network scanner.   When I investigated I found that both the SEP Firewall (Network Threat Protection) and Windows Firewall were running at the same time when I had the problems.  I thought that SEP took control of the computers and forced Windows Defender Firewall to turn off.   However, what I am finding is that randomly the client computers boot with both the Windows Firewall and Network Threat Protection running. 

Does anyone know how I get this sorted out so that Windows Firewall stays off on the clients?

My setup is SBS2008r2 server, Windows 7 clients (13 computers in all), and one XP client that also runs the SEPM.

TJBlues's picture

Sorry Pete.  What I meant was Windows Firewall intermittently turns on at power up.  I mistakenly called it Windows Defender Firewall.  My mistake.

Mick2009's picture

Hi TJBlues,

You are correct that SEP will turn off the Windows Firewall during install.  It is best practice that only one software firewall should be run on a computer.  Two firewalls that run on one computer at the same time can drain resources, and the firewalls might have rules that conflict with each other.  Enabling more than one firewall program is likely to result in conflicts and poor performance.  To prevent this situation, SEP's installer automatically detects and disables Windows firewalls that are enabled.

If there is a GPO in your AD domain policies, however, that turns the Windows Firewall back on, it will come back.  SEP does not constantly search for and disable Windows Firewalls, just on install.

Here are a couple of articles which should help:

About Windows Firewall and Symantec Endpoint Protection's NTP

Windows Firewall is still enabled after installing Symantec Endpoint Protection 11 (http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009011613172148).

Some final notes:

I expect that you'll always have intermittent communications problems if the SEPM is installed on an XP computer.  Windows XP has a maximum of 10 concurrent connections... it can't communicate with all the other computers in the network at the same time.   

Also: SEP 11 RU6 is now available. I recommend that all SEP clients and SEPMs be upgraded to this new release!

Thanks and best regards,

Mick

With thanks and best regards,

Mick

TJBlues's picture

Thanks for the quick response Mick.  

I agree that there should be only one Firewall running at one time and I would really like to have it that way but as I stated, the computers intermittently boot with both turned on and I have no control at all on this and can't turn off Windows Firewall (sorry I called it Windows Defender Firewall before).

So I followed the instructions in the links you provided.  The problem is that it turns off Windows Firewall on my Server.  Remember I am running SBS2008 and the recommendation is not to run SEP Network Protection on the Server.  So how do I get this to work with just turning off the Windows Firewall in the Clients?

Mick2009's picture

You should actually be fine running SEP 11's NTP component on your Windows 2008 SBS.

Here's a KB that can help you disable the Windows Firewall throughout the AD domain:

How to disable the Windows Firewall from the GPO

Final plug: RU6 is now available.  There's a Small Business Server Best Practices guide in RU's documentation folder on the DVD.

Hope this helps!

Mick

TJBlues's picture

Mick:

There is no link in your message.  If you mean the link:  (http://service1.symantec.com/SUPPORT/ent-security....) then I have implemented it and found it does not work.  Can you please post the link you are thinking of?

TJBlues's picture

Mick:

I read several posts that recommend not to implement NTP on the 2008 64bit server.  This is a quote from Vikram Kumar:    "The issues with Server 2008 32/64 bit is almost resolved in Mr4Mp2 (11.0.4202.xx). You do not have to install SEPM on server 2008 for sep client to work.
However  It is recommend that you install only Antivirus and Antispyware on Server 2008 64 ( PTP is not supported on server/64 bits systems so no use) NTP ( Firewall cause more problems than solution many times .) is also not recommended without testing it first on your environment."

That is extracted from the postings at: https://www-secure.symantec.com/connect/forums/sep-support-windows-small-business-server-2008

Have you actually tested this combination to be valid or was this just a limitation for MR4?  

Does anyone know?

Mick2009's picture

Hi TJ,

Here's the link to that article: How to disable the Windows Firewall from the GPO  http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010011315282048 

This is advice on how to use Microsoft's powerful GPO tools.... I'm sure there are also KBs on Microsoft's site that describe how to accomplish what you're looking for.

Another article to see: Best Practices for Installing Symantec Endpoint Protection on Windows Servers http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009021811070448

It's completely supported (and recommended!) to use NTP (firewall) on servers.  AV protection alone is not enough, anymore.  IPS and firewall protection is very much necessary IMHO.

Thanks and best regards,

Mick 

Rafeeq's picture

When you install SEP it will turn off the firewall till reboot.
Once rebooted, the Windows Firewall will be back on.
You can turn off the Windows Firewall using GPO or else create a port exception in Windows Firewall for 8014.
That should take care.

TJBlues's picture

Thanks Rafeeq.  The exception at 8014 does not guarantee that Windows Firewall stays off.  I set the GPO as instructed in Document ID: 2010011315282048  http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010011315282048  However, when I follow it completely it also shuts off Windows Firewall on the server (and with SEP11.0.5 and SBS2008r2 you need to have Windows Firewall running on the server as you can't run SEP Network Threat Protection).  So what I did was go back and set the "Windows Firewall: Protect all network connections" on the Domain Profile Tab back to "Not Configured".  This re-enabled Windows Firewall on the Server.  When I look at the Windows 7 computers and reboot them several times they consistently come up with Windows Firewall disabled (exactly what I want so I will monitor this over several days to ensure this is fixed).  However, my XP computer still has Windows Firewall enabled, and I can't get that disabled.

TJBlues's picture

As I had posted, I made the changes to the GPO as instructed in Document ID: 2010011315282048 http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010011315282048  I have let this run for a couple of days now and Windows Firewall is still intermittently turning on at power-up.  The notes in the Document reference Windows 2003 server and XP clients.  I am running SBS2008r2 server and Windows 7.  Has anyone tested that solution against that combination?

Frey's picture

Here's another link in disabling firewall through GPO. Hope it will help

http://technet.microsoft.com/en-us/library/bb490626.aspx

Cheers,
Ef

TJBlues's picture

However this is identical to the instructions in Document ID: 2010011315282048 http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010011315282048   that I have already implemented.  The only difference is that you are using an XP computer to get in and make the modifications to the group policies rather than logging into the server.  Keep in mind I am not running XP and Windows 2003 I am running Windows 7 and SBS2008r2.

Frey's picture

Sorry 'bout that. I just noticed a while ago that you're not running in an XP environment. I'll check if I can get more solutions to this. Thanks for reminding.

TJBlues's picture

After weeks of trying all of these suggestions and more to get Windows Firewall to turn off I am at a loss.  My Windows 7 computers still intermittently have both NTP and Windows Firewall running and this is driving me crazy.  Does anyone out there have a clue as to what might be happening?

TJBlues's picture

I finally resolved the problem of not being able to reliably turn off the Windows Firewall on all client computers by placing a GPO on the server in the SBSComputers OU under group policy management . Here is what I did:

On the SBS2008r2 Server:


  1. Click Start > Run and type in gpmc.msc  then click OK
  2. Go to the SBSComputers OU (Organizational Unit) : Forest > Domains > mydomain.local > MyBusiness > Computers > SBSComputers
  3. Right click on SBSComputers and click on “Create a GPO in this domain, and Link it here…”.  Name the GPO (in this case I named it “Disable Windows Firewall”).  Leave Source Starter GPO blank.
  4. Click OK
  5. Highlight the GPO and right click and select Edit….   A new window will pop up
  6. Click (expand): Computer Configuration > Administrative Templates: Policy definitions….. > Network Connections > Windows Firewall > Standard Profile
  7. In the right hand window double click on “Windows  Firewall: Protect all network connections Properties” and set it to Disable. 
  8. Click OK
  9. Click (expand): Computer Configuration > Administrative Templates: Policy definitions….. > Network Connections > Windows Firewall > Domain Profile
  10. In the right hand window double click on “Windows  Firewall: Protect all network connections Properties” and set it to Disable. 
  11. Click OK
  12. Close Group Policy Management Editor  and Group Policy Management windows
  13. Click Start > Run and type in gpupdate /force
  14. NOTE: this procedure can also be done through  ‘Server Manager’ > Features > Group Policy Management

On the Client that was giving me the most problem (which had both firewalls on at the time of performing the above action on the server):


  1. Click Start > Run and type in gpupdate /force and then check to see if the Windows Firewall is off
  2. Reboot the client computer and verify the windows firewall is off.

This has successfully and reliably turned off Windows Firewall on all my Windows 7 client computers.  This has been running for close to a week now without a single report of Dual Firewalls.

*Note:  I updated this on June 11, 2010 as I noticed I forgot to include the changes to the Domain Profile
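
A read-only check for the client-side verification step in the post above, added here as an example and not part of the original post: it shows whether each profile's on/off state comes from Group Policy or from the local setting, which is the thing to look at when the firewall comes back after a reboot. The default service name `SmcService` for the SEP 11 client is an assumption; confirm it with `Get-Service` on your build.

```powershell
# Added example: report where the Windows Firewall on/off state comes from.
# Read-only; written for PowerShell 2.0 (Windows 7). Run on a client after gpupdate /force.
param(
    # Assumption: service name of the SEP 11 client; confirm with Get-Service.
    [string]$SepService = 'SmcService'
)

# Values written by the "Protect all network connections" GPO setting
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
# Values set locally (Control Panel, netsh, or an installer)
$localRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

function Get-EnableFirewall([string]$Path) {
    # Returns 0 or 1, or $null when the value is absent ("Not Configured").
    $item = Get-ItemProperty -Path $Path -Name EnableFirewall -ErrorAction SilentlyContinue
    if ($item) { return $item.EnableFirewall }
    return $null
}

# Simplification: each profile is compared with the policy key of the same name.
$report = foreach ($name in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    $policy = Get-EnableFirewall "$policyRoot\$name"
    $local  = Get-EnableFirewall "$localRoot\$name"
    # A value delivered by Group Policy takes precedence over the local one.
    if ($null -ne $policy) { $effective = $policy; $source = 'GPO' }
    else                   { $effective = $local;  $source = 'Local' }
    New-Object PSObject -Property @{
        Profile = $name; PolicyValue = $policy; LocalValue = $local
        Effective = $effective; Source = $source
    }
}
$report | Select-Object Profile, PolicyValue, LocalValue, Effective, Source |
    Format-Table -AutoSize

# Flag the dual-firewall condition described in this thread.
$svc        = Get-Service -Name $SepService -ErrorAction SilentlyContinue
$sepRunning = ($svc -and $svc.Status -eq 'Running')
$stillOn    = @($report | Where-Object { $_.Effective -eq 1 })
if ($sepRunning -and $stillOn.Count -gt 0) {
    $names = ($stillOn | ForEach-Object { $_.Profile }) -join ', '
    Write-Warning "SEP client service is running and Windows Firewall is enabled for: $names"
}

# Runtime state as the firewall service itself reports it
netsh advfirewall show allprofiles state
```

A profile whose Source is `Local` with Effective `1` means no GPO value reached that client for that profile, so the first things to check are the GPO link and the OU the computer account sits in.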

Mick2009's picture

Hi T.J.,

Cheers for adding your solution to this forum thread.  With luck, admins facing similar circumstances will be able to find your solution with an internet search and swiftly benefit.

Please do use the forum community again if you have any future questions or concerns about SEP!

Thanks and best regards,

Mick

TJBlues's picture

As of June 17 I am still having this issue.  I have no idea what is causing it or how to fix it.  I went so far as to engage Microsoft to help me work through why the two firewalls appear to be running at the same time which resulted in the GPO above as well as a startup script and so far nothing has worked.  I can not find an answer that will resolve this issue.

I am now in the process of uninstalling SEP from my client computers and will look for another solution.