Swyx Knowledgebase

HOWTO: SwyxIt! and Windows XP Service Pack 2 - Firewall settings (kb2891)

The information in this article applies to:

SwyxIt! all versions

Summary

Microsoft notably tightens security with Windows XP Service Pack 2. SwyxWare might be affected by the Windows Firewall, which is on by default. Additionally SP 2 tightens DCOM security settings, which might affect SwyxWare in certain scenarios, too. This article describes in detail how to correctly configure the firewall settings in Windows XP Service Pack 2, while the DCOM settings are described in the following article:

SwyxIt! and Windows XP Service Pack 2 - DCOM settings (kb2890)

If you install SwyxIt! v4.31 after Windows XP Service Pack 2, SwyxIt! setup adds the necessary settings to allow working with SwyxIt! on a LAN in a windows domain.
If you install Windows XP Service Pack 2 after SwyxIt! v4.31 or if you using an older SwyxIt! oder of you use SwyxIt! via a VPN connection read this article.
In case of logon problems, please proceed according to this article first - If afterwards you still get the error message "SwyxIt! could not be accessed by the SwyxServer", please configure the DCOM settings according to the above mentionend article kb2890.

Information

Firewall

The Firewall in Windows XP Service Pack 2 blocks incoming traffic to the system. Each system component or application which listens for such traffic has to be added to the firewall exception list to be able to receive any network packets. Windows Firewall does not block any outgoing traffic.

Note: It is not recommend switching off Windows Firewall completely.

Note: SwyxIt! v4.31 setup configures the firewall automatically when detecting Windows XP Service Pack 2 or newer. You have to do nothing in that case. If you want to use an older SwyxIt version for whatever reason, you may apply the required changes manually by following instructions below.

Note: If you install Windows XP Service Pack 2 after SwyxIt! v4.31 you can manually apply the required firewall settings as described below or you can use the Repair-Feature of the SwyxIt! installation.

Step 1: Add firewall exception for clmgr.exe

SwyxIt needs to send and receive packets via the network to communicate with SwyxServer and other Swyx Clients. Therefore the firewall has to be configured to allow such traffic. SwyxIt mainly consists of two executables, swyxit.exe and clmgr.exe. SwyxIt.exe is the user interface. Clmgr.exe handles the call control, audio data and communicates with SwyxServer. The firewall has to be configured so that clmgr.exe can receive network packet. To configure the firewall, do the following:

Add clmgr.exe as exception to the firewall. To do so, go to Windows Control Panel, click on the “Windows Firewall” Icon. The following dialog is shown:
Windows Firewall Configuration
Ensure that checkbox “Don’t allow exceptions” is unchecked.
Select the “Exceptions” property page.
Windows Firewall Exceptions
Click button “Add Program”. The “Add a Program” dialog is shown.
Click button “Browse” and select clmgr.exe in your SwyxIt installation folder. The default location is “c:\program files\swyxit!”, but it may vary depending on your installation
Don’t close the “Add a Program” dialog yet, but click button “Change Scope” instead. The following dialog is shown:
Windows Firewall Change Scope Dialog
Select “My network (subnet) only”.
Note: If you’re running SwyxIt on a remote system connected via VPN it might be necessary to choose another scope. You might need to specify the IP-address ranges of your network in the custom list. Using “Any computer” is not recommend, even if it will probably work.
Close the dialog with OK.
Close the “Add a Program” dialog by clicking OK. Clmgr.exe is now displayed in the “Programs and Services” list on the Exceptions property page.
Ensure that the checkbox next to clmgr.exe is checked (see Figure "Windows Firewall Configuration" above).

Step 2: Allow incoming RPC traffic

SwyxWare uses Microsoft Distributed Component Object Model (DCOM) for communication between SwyxIt! and SwyxServer. DCOM is based on the Remote Procedure Call protocol. Windows XP Service Pack 2 restricts incoming RPC network traffic. Per default no such traffic is allowed. You have to allow such traffic by opening port TCP 135 in the Windows Firewall.

Go to Windows Control Panel, click on the “Windows Firewall” Icon. The "Windows Firewall" dialog is shown (see above).
Select Property page “Exceptions” (see dialog "Windows Firewall Exceptions" above)
Click Button “Add Port”. The following dialog is shown:
Windows Firewall Add Port Dialog
Enter a Name, e.g. “RPC Endpoint Mapper” in field “Name”
Enter “135” in field “Port number”.
Make sure that radio button “TCP” is selected
Click button “Change Scope”. The "Change Scope" dialog in is shown (see above)
Select “My network (subnet) only and close the dialog by clicking OK.
Note: SwyxIt v4.31 uses this setting. If you configure the firewall manually it is recommended to choose “Custom List” and enter your SwyxServer’s IP-address. Don’t use “Any Computer”. This will open the RPC port completely and counteracts the Windows XP Service Pack 2 intentions.
Close the “Add a port” dialog by clicking OK.

Step 3: Allow application sharing

SwyxIt! uses Microsoft Netmeeting for application sharing. If you’re using application sharing you have to add Netmeeting to the firewall exception list. To do so, follow the instructions for adding the clmgr.exe exception (see above), but select “c:\program files\Netmeeting\conf.exe” instead of clmgr.exe. If you don’t use application sharing you can omit adding this firewall exception.

Now SwyxIt is able to run on Windows Service Pack 2. In some rare cases you have to change the default DCOM security settings. Read the following section to determine if that is necessary in your installation.

Preventing automatic firewall configuration

It is possible to let SwyxIt! setup omit the firewall configuration if you prefer to do this by yourself, e.g. via a group policy. Set property FIREWALLCONFIG to 0, e.g. call

Setup.exe /param=”FIREWALLCONFIG=0”

Alternatively you can use a Windows Installer Transformation (mst) to customize SwyxIt’s msi file.

Manual Firewall Configuration Via Command Line

It’s possible to use Windows XP Service Pack 2’s “netsh firewall” command to configure the above mentioned firewall exceptions manually. The following command adds clmgr.exe to the exception list (the command has to be entered as one line):

netsh firewall add allowedprogram program = ”c:\program files\swyxit!\clmgr.exe” name = “clmgr.exe” scope = subnet

Note that you have to change the above used path if you’ve installed SwyxIt! to another location. The following command adds TCP port 135 to the exception list

netsh firewall add portopening protocol = TCP port = 135 name = “RPC Port” scope = subnet

The following command adds Microsoft Netmeeting to the exception list (used for Application Sharing)

netsh firewall add allowedprogram program = ”c:\program files\Netmeeting\conf.exe” name = “Windows Netmeeting” scope = subnet

Consult the Windows XP Service Pack 2 online help for details about the netsh command.

Manual Firewall Configuration Via Setupfirewall.exe

Alternatively to netsh firewall you can add the firewall settings with the command line program setupfirewall.exe which will be installed with SwyxIt! v4.31 and located in SwyxIt's program folder (default location: c:\program files\swyxIt!). It can also be downloaded at the end of this article.

Add SwyxIt! firewall exceptions: setupfirewall -a Remove SwyxIt! firewall exceptions: setupfirewall -r Display command line option help setupfirewall -h

Windows Firewall Profiles

To support different sets of firewall settings for different environments, Windows Firewall has two separate profiles, a domain profile and a standard profile. When your Windows XP Service Pack 2 computer is currently connected to a domain, the domain profile is used. When you’re connected to another network the standard profile is used. This is useful for laptop users which can have less restrictive firewall settings when working inside the domain. When connected to the internet, e.g. while traveling, the standard profile is used which usually uses more limited settings.

SwyxIt! v4.31 setup adds the above described firewall exceptions in the currently active profile only. You can check the currently used profile by typing

netsh firewall show currentprofile

in a command prompt window.

Further information

For detailed information about Windows XP Service Pack 2 have a look at the Microsoft TechNet Website at http://www.microsoft.com/technet/winxpsp2
All firewall settings can be distributed via Group Policy in a Windows network instead of configuring it manually. See this document http://www.microsoft.com/downloads/details.aspx?FamilyID=4454e0e1-61fa-447a-bdcd-499f73a637d1&DisplayLang=en for details.
A useful article about manually configuring the Windows Firewall can be found here: http://www.microsoft.com/technet/community/ columns/cableguy/cg0204.mspx
This article http://www.microsoft.com/technet/community/ columns/cableguy/cg0504.mspx contains information about how Windows decides if it is attached to a domain or not. This determines if the firewall’s domain or standard profile is used.

Links

Setup XP Firewall
Commandline tool to configure the XP firewall automatically. Is part of SwyxIt! v4.31. See article kb2762 for usage instructions.
kb2890_SetupFirewall.zip

The third-party contact information included in this article is provided to help you find the technical support you need. This contact information is subject to change without notice. Swyx in no way guarantees the accuracy of this third-party contact information nor is responsible for it's content.

Updates

Created: 03.02.2005, Last Modified: 07.02.2005

07.02.2005: Taken from article kb2762