SergeM
Level 9

HIPS 7 vs. ActiveSync (PDA)

Hi,

Several of my users report synchronisation problems with their HTC SmartPhones. When we disable HIPS the problems disappear, so I'm pretty sure of the relation to HIPS.
HTC uses Windows Mobile and syncs through ActiveSync.

I went and studied a bit "How to allow ActiveSync ports in McAfee Personal Firewall" (which is not HIPS) and "ActiveSync is unable to synchronize with PDAs or Smartphones running on Windows 2000 protected by Ho..." (close but not quite).

Users are using Windows XP SP3 (mostly) with HIPS 7 and VSE 8.5i through ePO.

I've set firewall rules for WCESMgr.exe, wcescomm.exe, rapimgr.exe and CEAPPMGR.exe giving "allow/log in/out all IP any/any".

It still doesn't work.

Does anyone have an idea?

Serge

PS : I've read something about setting the port for ActiveSync
Incoming TCP/IP ports = 26675
Outgoing TCP/IP ports = 26675
I'm not sure it'd help since I've allowed all ports in/out, and I'm not sure how I'd do this anyway.
0 Kudos
6 Replies
SergeM
Level 9

RE: HIPS 7 vs. ActiveSync (PDA)

Any ideas anyone ?
:confused:
0 Kudos
roychoy
Level 9

RE: HIPS 7 vs. ActiveSync (PDA)

We had a problem with ActiveSync after the MHIPS deployment.

We created firewall rules based on the Microsoft recommendation.

http://www.microsoft.com/windowsmobile/en-us/help/synchronize/activesync-usb.mspx
0 Kudos
SergeM
Level 9

RE: HIPS 7 vs. ActiveSync (PDA)

As I mentioned in my original post, I did create said rules according to MSFT... (just check the links I provided)...

It did not work.

HIPS still blocks some connection. I know it's HIPS because synchronisation works when I deactivate the FW. What's more, it blocks something, but doesn't log it (what, why) although I told it to log everything :(

Serge
0 Kudos
roychoy
Level 9

RE: HIPS 7 vs. ActiveSync (PDA)

Do you have the connection-aware firewall rule enabled?

Try this.

Allow Outgoing DNS (UDP Port 53)
Allow In/Out BootP (UDP Port 67-68)
Allow In/Out NTP (UDP 123)
Allow NetBios rule group (only from known IP addresses)
Allow Incoming LDAP (UDP 389)

Create ActiveSync rule group and allow the following:
Allow rapimgr.exe, WCESMgr.exe, wcescomm.exe
Allow Incoming TCP Port 990
Allow Incoming TCP Port 999
Allow Incoming TCP Port 5678
Allow Incoming TCP Port 5721
Allow Incoming TCP Port 26675
Allow Outgoing UDP Port 5679
0 Kudos
SergeM
Level 9

RE: HIPS 7 vs. ActiveSync (PDA)

Hi,

Thanks for the answer.

I had put the 4 rules (RAPIMGR.EXE, WCESMGR.EXE, WCESCOMM.EXE and CEAPPMGR.EXE) in a group (for readability) but not in a "connection aware group" (!). Is this important?
Right now, I've just taken the 4 rules out of any group so they are "always active", I expect. (I'm not yet too comfortable with HIPS settings.)

You mention incoming/outgoing rules for "specific ports" for the ActiveSync programs. I presently have allowed all ports outgoing & incoming for those 4 programs. (I know it is less secure; this is while I'm trying to get the sync to work correctly.)

I'd expect that if I allow "more than necessary" (i.e. all ports instead of just the 6 specific ports) it should work, don't you agree?

Yet, with "more open than needed" it doesn't work.

(My other problem is that I don't have such a smartphone to test here, so I set up rules and ask the users to give me test results :( )

Serge
0 Kudos
jawuk
Level 7

ActiveSync Problems

Issue resolved now... details to follow

Here is the working configuration I used, using a CAG based on the IP address given to the ActiveSync USB connection.

CAG (Connection Aware Group) Settings

Activesync firewall rules

*Note: the NetBIOS port rules specified, which run off the screenshot, are:

epmap (135), netbios_ns (137), netbios_dgm (138), netbios_ssn (139)


When specifying the process to tie the rule to, make sure you choose this setting:

regards

J
0 Kudos
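To make the difference between Serge's "allow everything for the four ActiveSync executables" approach and the rule list roychoy posted (with the NetBIOS ports jawuk listed) concrete, here is an added example: a small first-match rule evaluator in Python that is not from the thread and not McAfee HIPS code. Rule, Event, the default-deny behaviour, the link subnet (TEST-NET-1 stands in for the ActiveSync USB address range, which the thread does not give) and every connection event below are my own simplified, constructed model. The point it shows is that process-scoped allow rules never match traffic the OS itself or a service host generates on the USB link (NetBIOS name queries, DNS), so "all ports for four programs" can still leave the sync blocked.

```python
# Added example, not from the thread and not McAfee HIPS code: a toy
# first-match firewall evaluator that compares the two rule sets discussed
# above. All rule fields, subnets and events are constructed assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    direction: Optional[str] = None          # "in", "out", or None for either
    proto: Optional[str] = None              # "tcp", "udp", or None for either
    ports: Optional[Tuple[int, int]] = None  # inclusive (low, high); None = any port
    process: Optional[str] = None            # executable name; None = any process
    peers: Optional[Tuple[str, ...]] = None  # CIDRs the remote side must be in; None = any

    def matches(self, ev: "Event") -> bool:
        if self.direction and ev.direction != self.direction:
            return False
        if self.proto and ev.proto != self.proto:
            return False
        if self.ports and not (self.ports[0] <= ev.port <= self.ports[1]):
            return False
        if self.process and ev.process.lower() != self.process.lower():
            return False
        if self.peers and not any(ip_address(ev.peer) in ip_network(c) for c in self.peers):
            return False
        return True


@dataclass(frozen=True)
class Event:
    process: str    # local executable that owns the socket
    direction: str  # "in" or "out"
    proto: str      # "tcp" or "udp"
    port: int       # the port the rule is written against
    peer: str       # remote IP address


def evaluate(rules, ev: Event) -> str:
    """First matching allow rule wins; no match means blocked (assumed default deny)."""
    for r in rules:
        if r.matches(ev):
            return "allow:" + r.name
    return "blocked"


# Serge's attempt: the four ActiveSync executables, any port, in and out.
SERGE_RULES = tuple(
    Rule(f"{exe} any/any", process=exe)
    for exe in ("WCESMgr.exe", "wcescomm.exe", "rapimgr.exe", "CEAPPMGR.exe")
)

# Placeholder for the subnet of the ActiveSync USB link (assumption: the thread
# does not give it, so TEST-NET-1 stands in). roychoy's "only from known IP
# addresses" and jawuk's IP-based CAG are modelled with this peer constraint.
USB_LINK = ("192.0.2.0/24",)

# roychoy's list, with jawuk's NetBIOS port numbers filling in the NetBIOS group.
ROYCHOY_RULES = (
    Rule("DNS out", "out", "udp", (53, 53)),
    Rule("BootP", None, "udp", (67, 68)),
    Rule("NTP", None, "udp", (123, 123)),
    Rule("NetBIOS epmap", None, None, (135, 135), peers=USB_LINK),
    Rule("NetBIOS ns/dgm/ssn", None, None, (137, 139), peers=USB_LINK),
    Rule("LDAP in", "in", "udp", (389, 389)),
    Rule("rapimgr.exe", process="rapimgr.exe"),
    Rule("WCESMgr.exe", process="WCESMgr.exe"),
    Rule("wcescomm.exe", process="wcescomm.exe"),
    Rule("ActiveSync TCP in", "in", "tcp", (990, 990)),
    Rule("ActiveSync TCP in", "in", "tcp", (999, 999)),
    Rule("ActiveSync TCP in", "in", "tcp", (5678, 5678)),
    Rule("ActiveSync TCP in", "in", "tcp", (5721, 5721)),
    Rule("ActiveSync TCP in", "in", "tcp", (26675, 26675)),
    Rule("ActiveSync UDP out", "out", "udp", (5679, 5679)),
)

# Constructed events: what a desktop might see during a USB sync (assumed).
EVENTS = (
    Event("wcescomm.exe", "out", "udp", 5679, "192.0.2.2"),  # sync app talking to the device
    Event("rapimgr.exe", "in", "tcp", 990, "192.0.2.2"),     # device connecting back
    Event("System", "in", "udp", 137, "192.0.2.2"),          # NetBIOS name query over the USB link
    Event("System", "in", "udp", 137, "10.0.0.9"),           # same query from an unknown host
    Event("svchost.exe", "out", "udp", 53, "10.0.0.53"),     # DNS from a service host, not an ActiveSync exe
)


def compare(events=EVENTS):
    """Map each event to (result under Serge's rules, result under roychoy's rules)."""
    return {ev: (evaluate(SERGE_RULES, ev), evaluate(ROYCHOY_RULES, ev)) for ev in events}


if __name__ == "__main__":
    for ev, (serge, roychoy) in compare().items():
        print(f"{ev.process:<13} {ev.direction:<3} {ev.proto} {ev.port:<5} from {ev.peer:<11} "
              f"Serge={serge:<28} roychoy={roychoy}")
```

Running it prints one line per event; the two NetBIOS and DNS events are the ones that stay "blocked" under the process-only rule set and pass under roychoy's, which is consistent with Serge seeing a block that no process-scoped rule logs. The peer constraint on the NetBIOS rules is what keeps the same port closed to hosts outside the USB link.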