
Wireless Printing Being Blocked by Network Threat Protection

Created: 14 Mar 2013 | 14 comments

I've Googled this one quite a bit and came across a lot of garbled responses. Hopefully this will get some decent answers.

Now, I have a firewall policy that's applied for any client that goes off of the network. When in unmanaged mode I want the client basically locked down.

The only problem with that is all users lost wireless printing functionality.

How can I allow wireless printing without opening up too many ports, services, or IP's? How can it be locked down to ONLY allow wireless printing?

Is there a set number of ports and services to allow this traffic?

Here are some logs to help out.

Note: This user is on their home wireless network trying to print to a wireless printer.

14018 3/12/2013 9:50 Blocked 15 Outgoing UDP 10.0.1.11 84-4B-F5-07-E5-20 427 10.0.1.38 10-0B-A9-BA-1F-BC 1596 C:\HP_SI_CC38C23C-7824-4DBB-AC73-997CD0BBFEC7\7zS68BB\Installer\hpbcsiInstaller.exe Block all other traffic
14019 3/12/2013 9:50 Blocked 15 Outgoing UDP 10.0.1.11 84-4B-F5-07-E5-20 3702 10.0.1.38 10-0B-A9-BA-1F-BC 1597 C:\HP_SI_CC38C23C-7824-4DBB-AC73-997CD0BBFEC7\7zS68BB\Installer\hpbcsiInstaller.exe Block all other traffic
14022 3/12/2013 9:50 Blocked 15 Outgoing UDP 10.0.1.11 84-4B-F5-07-E5-20 427 10.0.1.38 10-0B-A9-BA-1F-BC 1606 C:\HP_SI_CC38C23C-7824-4DBB-AC73-997CD0BBFEC7\7zS68BB\Installer\hpbcsiInstaller.exe Block all other traffic
14023 3/12/2013 9:50 Blocked 15 Outgoing UDP 10.0.1.11 84-4B-F5-07-E5-20 3702 10.0.1.38 10-0B-A9-BA-1F-BC 1607 C:\HP_SI_CC38C23C-7824-4DBB-AC73-997CD0BBFEC7\7zS68BB\Installer\hpbcsiInstaller.exe Block all other traffic
14028 3/12/2013 9:54 Blocked 15 Incoming ETHERNET [type=0x806] 10.0.1.11 84-4B-F5-07-E5-20 0 10.0.1.38 10-0B-A9-BA-1F-BC 2054   Block all other traffic


.Brian:

Is the wireless NIC being blocked on their machine or is just the printer being blocked?

Looking at the above which IP address is the printer and which is the client?

You can create a rule based on this KB article

How to create a firewall rule to allow wireless connections on unmanaged client

Article:TECH141066  |  Created: 2010-10-01  |  Updated: 2010-10-23  |  Article URL http://www.symantec.com/docs/TECH141066

It is for unmanaged clients, but you can still create the rule in the SEPM for Ethernet type 0x888E.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

.Brian:

Have you tried adding a rule to allow traffic to/from only the printer IP?


mcmillions:

It's just the wireless printer being blocked. I can certainly open up just the ports and tie it to UDP, but I'm not sure if that's the only wireless printer. Since this is for end users with their own wireless printers who's to say another manufacturer doesn't use another port?

.Brian:

Ahhh so there are multiple printers?


mcmillions:

Yes, but that's a band-aid approach. I need something long term for all wireless printers. Not just the one sitting at that IP address. Mind you this policy applies to about 200+ users.

Mithun Sanghavi:

Hello,

Check these Articles:

How to enable file and printer sharing with Symantec Endpoint Protection installed

http://www.symantec.com/docs/TECH90999

Manually enabling network file and printer browsing for unmanaged Symantec Endpoint Protection 11.0 clients.

http://www.symantec.com/docs/TECH102586

Firewall Policies on Unmanaged Clients

http://www.symantec.com/docs/TECH105725

How to create a firewall rule to allow wireless connections on unmanaged client

http://www.symantec.com/docs/TECH141066

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

SebastianZ:

Is this an HP Officejet printer? I see in your screenshot two repeated ports referenced, 427 and 3702; try setting firewall allow rules for these ports for UDP traffic.

Besides that, could you check in your printer documentation whether the manufacturer provides any information about which ports need to be allowed for communication with the printer?

Here is something similar for one of the HP printers (it lists port 427 among the ports as well):

http://h30434.www3.hp.com/t5/Printer-Networking-an...

Here is other documentation from HP:

http://h20000.www2.hp.com/bizsupport/TechSupport/D...

427 UDP I SLP Listen: HP Jetdirect-connected devices use Service Location Protocol (SLP) to advertise their existence. When the passive SLP discovery feature is enabled on HP Web Jetadmin, devices send multicast packets to this port on the HP Web Jetadmin server.
3702 UDP O WS Discovery: HP Web Jetadmin uses this port to perform a Web Services discovery on newer HP devices.

mcmillions:

Are there a lot of lazy readers on this site?

SebastianZ, Yes but that would fix only the HP printer. What about other printers? Should I create a rule for every printer manufacturer? That's just not a good solution.

mcmillions:

Maybe I'm over complicating things.

What I'm beginning to gather is that multiple rules have to be set up for each wireless printer? I'm assuming all wireless printers do not communicate over the same ports?

Considering NTP requires fewer than 40 rules in their policies, this isn't a great solution for unmanaged users. Plus, having too many open ports isn't exactly "locked down" for unmanaged 'Remote' users off the corporate network.

SebastianZ:

Well, if these are from different manufacturers the ports will definitely be different as well. Maybe you can somehow limit the NTP rules by grouping the users by the type of printers they use; not sure if this is possible in your case, or if each user has access to many different printers.

mcmillions:

It's basically giving them the capability to use their home wireless printers. Since our unmanaged "remote" policy completely locks down the system they cannot print. Personally, I would like to keep it that way and not have to open up UDP ports for every single printer manufacturer out there. I was hoping there was maybe a one-size-fits-all solution, but I don't think there is.

SebastianZ:

I am afraid there won't be any other "one for all" solution than to create a single firewall rule and set a number of UDP remote ports (as per manufacturer specifications) to be allowed with it.
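
The thread boils down to two questions: which flows the "Block all other traffic" rule is actually dropping (the five log lines in the original post), and how narrow a single allow rule can be while still covering them (SebastianZ's suggestion of one rule with the manufacturer's UDP remote ports, and .Brian's suggestion of pinning it to the printer's IP). The script below is an added example, not code from the thread or from Symantec: it parses the posted log lines, summarizes the blocked flows by direction, protocol, remote host and remote port, and checks both candidate rules against them with a simplified first-match model. The column layout is an assumption taken from the lines themselves (the end carrying the well-known port 427/3702 is treated as the remote host, the end with the ephemeral port 1596 and so on as the local host), and the first-match evaluator is a model, not SEP's own rule engine.

```python
"""Parse the NTP traffic-log lines quoted in the thread and test candidate allow rules.

Added example. The log column layout and the first-match rule model are assumptions,
not a description of SEP's own engine.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Assumed column order, inferred from the posted lines: the host paired with the
# well-known port (427/3702) is treated as remote, the host paired with an
# ephemeral port (1596, 1597, ...) as local. The ETHERNET line has no application.
LOG_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<action>\S+)\s+(?P<severity>\d+)\s+"
    r"(?P<direction>\S+)\s+(?P<proto>ETHERNET \[type=0x[0-9A-Fa-f]+\]|\S+)\s+"
    r"(?P<rhost>\S+)\s+(?P<rmac>\S+)\s+(?P<rport>\d+)\s+"
    r"(?P<lhost>\S+)\s+(?P<lmac>\S+)\s+(?P<lport>\d+)\s+"
    r"(?P<app>[A-Za-z]:\\\S*)?\s*(?P<rule>.*?)\s*$"
)

# The five lines from the original post, copied verbatim.
SAMPLE_LOG = r"""
14018 3/12/2013 9:50 Blocked 15 Outgoing UDP 10.0.1.11 84-4B-F5-07-E5-20 427 10.0.1.38 10-0B-A9-BA-1F-BC 1596 C:\HP_SI_CC38C23C-7824-4DBB-AC73-997CD0BBFEC7\7zS68BB\Installer\hpbcsiInstaller.exe Block all other traffic
14019 3/12/2013 9:50 Blocked 15 Outgoing UDP 10.0.1.11 84-4B-F5-07-E5-20 3702 10.0.1.38 10-0B-A9-BA-1F-BC 1597 C:\HP_SI_CC38C23C-7824-4DBB-AC73-997CD0BBFEC7\7zS68BB\Installer\hpbcsiInstaller.exe Block all other traffic
14022 3/12/2013 9:50 Blocked 15 Outgoing UDP 10.0.1.11 84-4B-F5-07-E5-20 427 10.0.1.38 10-0B-A9-BA-1F-BC 1606 C:\HP_SI_CC38C23C-7824-4DBB-AC73-997CD0BBFEC7\7zS68BB\Installer\hpbcsiInstaller.exe Block all other traffic
14023 3/12/2013 9:50 Blocked 15 Outgoing UDP 10.0.1.11 84-4B-F5-07-E5-20 3702 10.0.1.38 10-0B-A9-BA-1F-BC 1607 C:\HP_SI_CC38C23C-7824-4DBB-AC73-997CD0BBFEC7\7zS68BB\Installer\hpbcsiInstaller.exe Block all other traffic
14028 3/12/2013 9:54 Blocked 15 Incoming ETHERNET [type=0x806] 10.0.1.11 84-4B-F5-07-E5-20 0 10.0.1.38 10-0B-A9-BA-1F-BC 2054   Block all other traffic
"""


def parse_line(line: str) -> Optional[dict]:
    """Return one record as a dict, or None for a line that does not fit the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rport"] = int(rec["rport"])
    rec["lport"] = int(rec["lport"])
    return rec


def parse_log(text: str) -> list:
    return [r for r in map(parse_line, text.splitlines()) if r]


def blocked_flows(records: list) -> Counter:
    """Count blocked flows by (direction, protocol, remote host, remote port).

    This is the view needed to scope an allow rule as narrowly as possible.
    """
    c = Counter()
    for r in records:
        if r["action"] == "Blocked":
            c[(r["direction"], r["proto"], r["rhost"], r["rport"])] += 1
    return c


@dataclass(frozen=True)
class AllowRule:
    name: str
    proto: str                                  # e.g. "UDP"
    directions: frozenset = frozenset({"Outgoing", "Incoming"})
    remote_ports: Optional[frozenset] = None    # None = any remote port
    remote_hosts: Optional[frozenset] = None    # None = any remote host

    def matches(self, rec: dict) -> bool:
        return (rec["proto"] == self.proto
                and rec["direction"] in self.directions
                and (self.remote_ports is None or rec["rport"] in self.remote_ports)
                and (self.remote_hosts is None or rec["rhost"] in self.remote_hosts))


BLOCK_ALL = "Block all other traffic"   # the catch-all rule named in the log


def evaluate(records: list, rules: list) -> dict:
    """Map each record id to the first allow rule that matches it, else the catch-all."""
    return {r["id"]: next((rule.name for rule in rules if rule.matches(r)), BLOCK_ALL)
            for r in records}


# SebastianZ's suggestion: one rule listing the manufacturer-documented UDP ports.
PRINTER_DISCOVERY = AllowRule("Allow SLP/WS-Discovery to any host", "UDP",
                              frozenset({"Outgoing"}), frozenset({427, 3702}))
# .Brian's suggestion: the same, but pinned to the one printer IP (the band-aid).
SINGLE_PRINTER = AllowRule("Allow SLP/WS-Discovery to 10.0.1.11 only", "UDP",
                           frozenset({"Outgoing"}), frozenset({427, 3702}),
                           frozenset({"10.0.1.11"}))

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for flow, n in sorted(blocked_flows(recs).items()):
        print(f"{n}x blocked: {flow}")
    for rid, outcome in evaluate(recs, [PRINTER_DISCOVERY]).items():
        print(rid, "->", outcome)
```

Two things the output makes visible that the raw log does not: the four UDP lines collapse to just two flows (remote port 427 and 3702 on one host), so a single rule with two remote ports covers everything the HP installer tried; and the fifth line is an Ethernet frame of type 0x806 (ARP), which no UDP-port rule can ever match, so if it matters it has to be handled by whatever the policy does for Ethernet types, not by widening the printer rule. The posted lines are also only the discovery traffic from the installer; the ports a print job itself uses are not in this log, so `remote_ports` would be extended from the manufacturer's documentation rather than from these five lines alone.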

SameerU:

Hi

What is the version of the SEP client installed?

Regards