2 Replies Latest reply on Apr 28, 2017 2:34 PM by gph12

    HIP Firewall Blocks VMware vCenter Server

    gph12

      Hello,

       

I'm hoping someone can help with this ongoing issue. We have a problem with McAfee Host Intrusion Prevention 8.0.0 Patch 8 Build 3828 blocking the VMware vCenter Server service from starting up on a Windows 2008 R2 server. When I turn off the firewall but leave on IPS and Network IPS, vCenter starts up.

       

      When I put the firewall in learn mode, vCenter starts up without a problem because all applications and ports are allowed.

       

      When I put it in Adaptive mode, vCenter does not start up.

       

      The two applications\ports that are getting blocked are:

      • Microsoft.Active.Directory.WebServices (Microsoft.ActiveDirectory.WebServices.exe) \ LDAP 389. Source and destination are both 127.0.0.1, the IPv4 loopback address.
      • Active Directory Lightweight Directory Services (dsamain.exe) \ Port 55966 on source, port 389 on destination. Source and destination are both 0000:0000:0000:0000:0000:0000:0001, the IPv6 loopback address. IPv6 is disabled on the system.

       

      The strange thing is that both of the applications are trusted and should be allowed by the firewall.

       

      I did check the threats to the system. None showing. I've completely removed HIPS and re-installed it.

       

      I'd appreciate any suggestions. Thanks.

       

      Greg

        • 1. Re: HIP Firewall Blocks VMware vCenter Server
          Kary Tankink

          When I put the firewall in learn mode, vCenter starts up without a problem because all applications and ports are allowed.

           

          FYI, HIPS Learn mode does not allow all traffic.  It works exactly the same as Adaptive mode, except that Learn mode displays user prompts to ALLOW/BLOCK traffic, whereas Adaptive mode makes an automatic ALLOW choice.

           

           

          The two applications\ports that are getting blocked are:

          • Microsoft.Active.Directory.WebServices (Microsoft.ActiveDirectory.WebServices.exe) \ LDAP 389. Source and destination are both 127.0.0.1, the IPv4 loopback address.
          • Active Directory Lightweight Directory Services (dsamain.exe) \ Port 55966 on source, port 389 on destination. Source and destination are both 0000:0000:0000:0000:0000:0000:0001, the IPv6 loopback address. IPv6 is disabled on the system.

           

          You should have a firewall rule that always allows loopback traffic through the Firewall; this applies to IPv4 127.0.0.1 (and possibly 127.0.0.0/8) traffic, and possibly IPv6 loopback traffic to the ::1 address.  See McAfee Corporate KB - Host Intrusion Prevention 8.0 Loopback traffic blocked when firewall is enabled, KB71230.

           

           

          The strange thing is that both of the applications are trusted and should be allowed by the firewall.

           

          FYI, HIPS Trusted Application rules only allow Outbound traffic, though; they do not apply to Inbound traffic (create a separate rule to allow Inbound traffic).

           

           

           

          I did check the threats to the system. None showing. I've completely removed HIPs and re-installed it.

           

          FYI, HIPS does not generate "Threat" events for Firewall activity (Blocked/Allow traffic).  Monitor the HIPS Activity log for ALLOWED/BLOCKED traffic (enable the LOG ALL ALLOWED/BLOCKED TRAFFIC filter options as needed).

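The reply above boils down to two checks on every BLOCKED entry in the activity log: are both endpoints loopback (then the fix is the KB71230 loopback allow rule), and if not, is the blocked flow inbound (then a Trusted Application entry will not help and an explicit inbound rule is needed). The script below is an added example, not code from the original thread or from McAfee, that runs those checks over an exported log. The line shape it parses is a constructed stand-in for whatever export you pull from the HIPS Activity log, not the product's real format, and the sample lines are made up to mirror the two flows in the post; the `parse_line` regex is the only part you would need to adapt. The IPv6 address string quoted in the post has seven groups instead of eight, so the script also shows what happens to a malformed address: it is reported as unparseable rather than silently counted as non-loopback.

```python
"""Triage BLOCKED entries from a host-firewall activity log export.

Added example. The line shape below is a constructed stand-in, not the real
McAfee HIPS Activity log format; adapt LINE_RE to your own export.
"""
import ipaddress
import re

# Constructed sample lines (not captured from a real system).
# The last line carries a seven-group IPv6 string, as quoted in the post.
SAMPLE_LOG = """\
IN  TCP 127.0.0.1:49211 -> 127.0.0.1:389 Microsoft.ActiveDirectory.WebServices.exe BLOCKED
IN  TCP [::1]:55966 -> [::1]:389 dsamain.exe BLOCKED
OUT TCP 127.0.0.1:49211 -> 127.0.0.1:389 Microsoft.ActiveDirectory.WebServices.exe ALLOWED
OUT TCP 10.0.0.5:50123 -> 10.0.0.10:443 vpxd.exe ALLOWED
IN  TCP 10.0.0.7:60001 -> 10.0.0.5:443 vpxd.exe BLOCKED
IN  UDP [0000:0000:0000:0000:0000:0000:0001]:5353 -> [::1]:53 dns.exe BLOCKED
"""

# direction proto src -> dst process action   (hypothetical export layout)
LINE_RE = re.compile(
    r"^(?P<dir>IN|OUT)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
    r"\s+(?P<proc>\S+)\s+(?P<action>ALLOWED|BLOCKED)$"
)


def parse_endpoint(text):
    """Split 'host:port' or '[v6host]:port' into (host, port)."""
    if text.startswith("["):
        host, port = text[1:].split("]:", 1)
    else:
        host, port = text.rsplit(":", 1)
    return host, int(port)


def is_loopback(host):
    """True for 127.0.0.0/8 or ::1, False for any other address, None if unparseable."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return None


def classify(direction, src_host, dst_host, action):
    """Map one log entry to the firewall change it calls for."""
    if action == "ALLOWED":
        return "none"
    src_lo, dst_lo = is_loopback(src_host), is_loopback(dst_host)
    if src_lo is None or dst_lo is None:
        return "unparseable-address"      # inspect by hand; do not assume non-loopback
    if src_lo and dst_lo:
        return "loopback-allow"           # KB71230: rule allowing loopback traffic
    if direction == "IN":
        return "inbound-rule"             # Trusted Application covers outbound only
    return "review-outbound"              # outbound yet blocked: check the app rule


def triage(log_text):
    """Parse every recognised line and attach the needed action to each."""
    results = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        src_host, src_port = parse_endpoint(m["src"])
        dst_host, dst_port = parse_endpoint(m["dst"])
        results.append({
            "process": m["proc"],
            "direction": m["dir"],
            "src": f"{src_host}:{src_port}",
            "dst": f"{dst_host}:{dst_port}",
            "needs": classify(m["dir"], src_host, dst_host, m["action"]),
        })
    return results


def summarize(results):
    """Count entries per needed action."""
    counts = {}
    for r in results:
        counts[r["needs"]] = counts.get(r["needs"], 0) + 1
    return counts


if __name__ == "__main__":
    rows = triage(SAMPLE_LOG)
    for r in rows:
        print(f'{r["needs"]:<20} {r["direction"]:<3} {r["process"]:<45} {r["src"]} -> {r["dst"]}')
    print(summarize(rows))
```

Both flows from the post land in the `loopback-allow` bucket, which is exactly the single rule that fixed them; `ipaddress.is_loopback` covers the whole 127.0.0.0/8 range and the fully expanded form of ::1, so a rule scoped only to 127.0.0.1 would still leave some of these entries blocked.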
          • 2. Re: HIP Firewall Blocks VMware vCenter Server
            gph12

            That was it: Allow Loopback.

             

            That solved my problem. Thank you very much. We've been searching for an answer for that for a long time. We also had the same issue with DNS.

             

            Thanks again,

             

            Greg