4 Replies Latest reply on Oct 22, 2014 8:27 PM by fitchsoccer342

    Had to disable HIPS on DC for clients to join

    numin8r

      I have a Windows server 2012 R2 that is my DC and I'm running McAfee agent on it (HIPS and VSE).  I was trying to add a file share server on the DC but I was getting an error.  I checked the HIPS logs on the DC and it said DNS and netbios were getting blocked.  I went on EPO and changed the HIPS FW policy to allow both and it still it was getting blocked.  Then I disabled HIPS to I could add the file share server.  I'm trying to figure out why the traffic was getting blocked.

       

      The DC and file share are on the same network.

       

      Network settings for the DC:

      Private IP, and for primary DNS setting I have it pointing to 127.0.0.1.

       

      For the file share server I have it's DNS pointing to the DCs IP address.

       

      Are both of these setup properly?

       

      Thanks

        • 1. Re: Had to disable HIPS on DC for clients to join
          fitchsoccer342

          Have you tried setting up a Connection Aware Group within your firewall? Try creating a new policy with a CAG defined. A CAG is basically a rule within the firewall that says if a DNSname/default gateway/DCHP/etc. matches one of the specified listed within the CAG, then it will allow any/any for internal traffic.

           

          Here is a high level McAfee overview about CAG's:

          https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/ 20000/PD20747/en_US/18-na-cor-hipfc-001-0908s.pdf

           

          Otherwise you will have to do what you are doing, and create specific rules in the FW table for traffic that is internal.

          • 2. Re: Had to disable HIPS on DC for clients to join
            numin8r

            Thanks for the response!

             

            I'm pretty sure I created a CAG.  Under HIPS, I am running 'typical corporate fw policy' (FW rule).  I have allowed DNS in either direction as well as allow incoming NetBIOS.  When I try to do a nslookup from the File share server it doesn't resolve.  I then check the HIPS logs on the DC and I see that DNS is getting blocked.  I'm not sure why.  The block rule that it's hitting is 'Block All Traffic'.  Does anyone know where this is?  I only have 3 policies for HIPS (FW options, FW rules, DNS block which is by default). 

             

            I know that HIPS is blocking DNS, NetBIOS because I can see it in the logs... im not sure if I need to allow it anywhere else.

            • 3. Re: Had to disable HIPS on DC for clients to join
              drliv1980

              Try setting the FW rules for any direction (for ports 137/138) and see if that works for NetBIOS. The HIPS firewall doesn't always work as expected.

              • 4. Re: Had to disable HIPS on DC for clients to join
                fitchsoccer342

                If you did have a CAG or it was setup correctly, it would not be blocking this.

                 

                The "Block All Traffic" is a default rule in the firewall table that you will not see unless except on the end client when it is being hit; basically if it cannot match a rule within the table, it will default to the built in Block All Traffic - which leads be to believe if you do have a CAG setup, it is not being done correctly.

                 

                You can do what drliv1980 is saying and start creating single single rules, but that will leave you with creating all types of rules every time something is tripped. It is much more efficient and easy to setup a CAG for internal traffic.