6 Replies Latest reply on May 15, 2009 4:48 AM by jawuk

    HIPS 7 vs. ActiveSync (PDA)


      Several of my users report synchronisation problems with their HTC SmartPhones. When we disable HIPS the problems disappear, so I'm pretty sure of the relation to HIPS.
      HTC uses Windows Mobile and syncs through ActiveSync.

      I went and studied a bit "How to allow ActiveSync ports in McAfee Personal Firewall" (is not HIPS), ActiveSync is unable to synchronize with PDAs or Smartphones running on Windows 2000 protected by Host IPS 6.0 or Desktop Firewall 8.5 (close but not quite.

      Users are using Windows XP SP3 (mostly) with HIPS 7 and VSE 8.5i through ePO.

      I've set firewall rules for WCESMgr.exe, wcescomm.exe, rapimgr.exe and CEAPPMGR.exe giving "allow/log in/out all IP any/any".

      It still doesn't work.

      Anyone has an idea ?


      PS : I've read something about setting the port for ActiveSync
      Incoming TCP/IP ports = 26675
      Outgoing TCP/IP ports = 26675
      I'm not sure it'd help since I've allowed all ports in/out, and I'm not sure how I'd do this anyway.
        • 1. RE: HIPS 7 vs. ActiveSync (PDA)
          Any ideas anyone ?
          • 2. RE: HIPS 7 vs. ActiveSync (PDA)
            We had problem with ActiveSync after MHIPS deployment.

            We created a Firewall rules based on Microsoft recommendation.

            http://www.microsoft.com/windowsmobile/en-us/help/synchronize/activesync-usb.msp x
            • 3. RE: HIPS 7 vs. ActiveSync (PDA)

              As I mentionned in my original post, I did create said rules according to MSFT... (just check the links I provided)...

              It did not work.

              HIPS still blocks some connection. I know it's HIPS because synchronisation works when I deactivate the FW. What's more, it blocks something, but doesn't log it (what, why) although I told it to log everything :(

              • 4. RE: HIPS 7 vs. ActiveSync (PDA)
                Do you have connection aware firewall rule enable?

                Try this.

                Allow Outgoing DNS (UDP Port 53)
                Allow In/Out BootP (UDP Port 67-68)
                Allow In/Out NTP (UDP 123)
                Allow NetBios rule group (only from known IP addresses)
                Allow Incoming LDAP (UDP 389)

                Create ActiveSync rule group and allow the following:
                Allow rapimgr.exe, WCESMgr.exe, wcescomm.exe
                Allow Incoming TCP Port 990
                Allow Incoming TCP Port 999
                Allow Incoming TCP Port 5678
                Allow Incoming TCP Port 5721
                Allow Incoming TCP Port 26675
                Allow Outgoing UDP Port 5679
                • 5. RE: HIPS 7 vs. ActiveSync (PDA)

                  Thanks for the answer.

                  I had put the 4 rules (RAPIMGR.EXE, WCESMGR.EXE, WCESCOMM.EXE and CEAPPMGR.EXE) in a group (for readability) but not in a "connection aware group" (!) is this important ?
                  Right now, I've just taken the 4 rules out of any group so they are "always active" I expect. (I'm not yet too comfortable with HIPs settings.)

                  You mention incoming/outgoing rules for "specific ports" for the activesync programs. I presently have allowed all ports outgoing & incoming for those 4 programs. (I know it is less secure, this is while I'm trying to get the syn to work correctly).

                  I'd expect that if I allow "more than necessary" (i.e. all ports instead of just the 6 specific ports) it should work, don't you agree ?

                  Yet, with "more open than needed" it doesn't work.

                  [SIZE="1"](My other problem is that I don't have such a smartphone to test here, so I set-up rules and ask the users to give me test-results sad )[/SIZE]

                  • 6. ActiveSync Problems
                    Issue resolved now . . . . details to follow

                    Here is the working configuration i used. Using CAG based on IP address given to ActiveSync USB Connection

                    CAG (Connection Aware Group) Settings

                    Activesync firewall rules

                    *note the netbios port rules specificed, which runs off the screen shot are:-

                    epmap (135), netbios_ns (137), netbios_dgm (138), netbios_ssn (139)

                    When specifying process to tie rule to make sure u choose this setting: -