Reflection Windows-Based Products and the Microsoft Windows Firewall (Included in XP Service Pack 2)

  • 7021929
  • 12-Aug-2004
  • 01-Apr-2018

Environment

Reflection for IBM 2008
Reflection for UNIX and OpenVMS 2008
Reflection Standard Suite 2008
Reflection for UNIX and OpenVMS
Reflection for HP
Reflection for IBM
Reflection for the Multi-Host Enterprise Professional Edition
Reflection for the Multi-Host Enterprise Standard Edition
Reflection TCP/IP utilities
Reflection X
Reflection Suite for X

Situation

Windows XP Service Pack 2 (SP2) includes a new Windows Firewall. In prior releases, this feature was known as the Internet Connection Firewall (ICF) and was disabled by default. Starting with the SP2 release, during installation the firewall is automatically enabled on all network connections and is configured to block all unsolicited incoming traffic. This note describes how the Windows Firewall interacts with Reflection Windows-based products, components, and options.

Resolution

About the Windows Firewall

The Windows Firewall is a stateful host firewall that runs in Windows XP and blocks all unsolicited incoming traffic, unless configured to allow the traffic. Outgoing traffic is not blocked by the firewall.

When the firewall detects unsolicited inbound application traffic, a Windows Security Alert is displayed. The Alert window enables users to decide whether to block the incoming traffic (Keep Blocking), add the connection to the Windows Firewall Exceptions list and always allow it (Unblock), or allow only this specific instance of the connection (Ask Me Later).

Figure 1 - Windows Security Alert
Figure 1 - Windows Security Alert

Reflection and the Windows Firewall

Attachmate has tested the current Reflection Windows-based products, components, and options with the Microsoft Windows Firewall. (For information about the current version of Reflection, see the Attachmate Product Support Lifecycle at https://support.microfocus.com/programs/lifecycle/.)

In most cases, Reflection is able to pass through the firewall with no additional firewall configuration because all communication with the host is initiated (solicited) by Reflection; however, if you are using the following Reflection products, components, or options, you must specifically configure the firewall to permit these connections.

  • Reflection X
  • Reflection X Font Retrieval utility
  • Reflection FTP Client, active connections (default connection type)
  • The Fast File Transfer options of the WRQ/Reflection Protocol within Reflection for UNIX and OpenVMS 2008, Reflection Standard Suite 2008, Reflection for UNIX and OpenVMS, and Reflection for HP.
  • Reflection LPD (Line Printer Daemon)

These applications either open listening ports or communicate with the host on multiple ports. For more information about ports used by Reflection, see KB 7021759.

Additional Notes:

  • You must be a member of the Window's Local Administrative group to configure the firewall.
  • The firewall can be configured using Group Policies or scripting. For more information about these deployment options, see Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2 on the Microsoft web site at

Reflection X, Reflection FTP Client, and Fast File Transfer

The first time you run Reflection X, Reflection FTP Client, or Fast File Transfer, the Windows Security Alert dialog box opens. To allow these applications through the firewall, click Unblock (to allow always) or Ask Me Later (to allow only this once).

Selecting Unblock adds the application to Windows Firewall Exceptions list and enables the exception. Selecting Ask Me Later allows the current connection, but does not add the application to the Exceptions list (you will be prompted with the Windows Security Alert again the next time you try to access this product or component).

Warning: If you select Keep Blocking, the product or component will not work through the firewall.

If you select Keep Blocking and later want to change this setting, see Manually Adding Applications to the Exceptions List.

Reflection LPD

When enabled, the Reflection LPD server listens on port 515 for incoming print requests. If LPD is installed on a Windows XP SP2-based machine, by default, the Windows firewall blocks the incoming print requests.

Users who attempt to use Reflection LPD printing before port 515 has been opened will see the printjob waiting in the local printer queue. No error will appear, but the printjob will not be processed. There will also be no error displayed on the machine running Reflection LPD, however, if Windows Firewall logging is enabled, the blocked connection is recorded in the log.

To allow Reflection LPD printing, follow the steps in Manually Adding Applications to the Exceptions List, and add the executable Lpdserv.exe to the Windows Firewall Exceptions list.

Manually Adding Applications to the Exceptions List

To manually add these applications to the Exceptions list, follow these steps:

  1. From the Control Panel, click Security Center > Windows Firewall.
  2. On the Exceptions tab, click Add Program.
  3. Browse to and select the Reflection executable; click Open > OK > OK.
Figure 2 - The Windows Firewall Exceptions List (Default)
Figure 2 - The Windows Firewall Exceptions List (Default)

For further information about manually adding application or port exceptions to the Windows Firewall, see Manually Configuring Windows Firewall in Windows XP Service Pack 2 on the Microsoft web site at

http://www.microsoft.com/technet/community/columns/cableguy/cg0204.mspx

Troubleshooting the Microsoft Firewall

For information about troubleshooting the Microsoft Firewall, see Troubleshooting Windows Firewall in Microsoft Windows XP Service Pack 2 on Microsoft's web site at

http://www.microsoft.com/downloads/details.aspx?familyid=a7628646-131d-4617-bf68-f0532d8db131&displaylang=en

Using Reflection Ping

When using Reflection Ping for troubleshooting, you will be able to ping out through the local Windows Firewall; however, the firewall blocks incoming ping (ICMP) connections by default. Therefore, if the workstation you are pinging has the Windows Firewall enabled, you may need to temporarily allow ICMP connections on that workstation before you attempt to ping it. Details about enabling and disabling ping can be found in the article noted above, under the heading "Nobody Can Ping My Computer."

Additional Information

Legacy KB ID

This document was originally published as Attachmate Technical Note 1784.