Windows XP Service Pack 2 (SP2) includes a new Windows Firewall. In prior releases, this feature was known as the Internet Connection Firewall (ICF) and was disabled by default. Starting with the SP2 release, during installation the firewall is automatically enabled on all network connections and is configured to block all unsolicited incoming traffic. This note describes how the Windows Firewall interacts with Reflection Windows-based products, components, and options.
Note: For information about Attachmate products and Microsoft Windows XP SP2, see Technical Note 1981.
The Windows Firewall is a stateful host firewall that runs in Windows XP and blocks all unsolicited incoming traffic, unless configured to allow the traffic. Outgoing traffic is not blocked by the firewall.
When the firewall detects unsolicited inbound application traffic, a Windows Security Alert is displayed. The Alert window enables users to decide whether to block the incoming traffic (Keep Blocking), add the connection to the Windows Firewall Exceptions list and always allow it (Unblock), or allow only this specific instance of the connection (Ask Me Later).
Figure 1 - Windows Security Alert
Attachmate has tested the current Reflection Windows-based products, components, and options with the Microsoft Windows Firewall. (For information about the current version of Reflection, see the Attachmate Product Support Lifecycle at http://support.attachmate.com/programs/lifecycle/.)
In most cases, Reflection is able to pass through the firewall with no additional firewall configuration because all communication with the host is initiated (solicited) by Reflection; however, if you are using the following Reflection products, components, or options, you must specifically configure the firewall to permit these connections.
These applications either open listening ports or communicate with the host on multiple ports. For more information about ports used by Reflection, see Technical Note 1787.
For information about configuring Reflection X 2008, see Technical Note 2240.
The first time you run Reflection X, Reflection FTP Client, or Fast File Transfer, the Windows Security Alert dialog box opens. To allow these applications through the firewall, click Unblock (to allow always) or Ask Me Later (to allow only this once).
Selecting Unblock adds the application to the Windows Firewall Exceptions list and enables the exception. Selecting Ask Me Later allows the current connection, but does not add the application to the Exceptions list (you will be prompted with the Windows Security Alert again the next time you try to access this product or component).
Warning: If you select Keep Blocking, the product or component will not work through the firewall.
If you select Keep Blocking and later want to change this setting, see Manually Adding Applications to the Exceptions List.
When enabled, the Reflection LPD server listens on port 515 for incoming print requests. If LPD is installed on a Windows XP SP2-based machine, by default, the Windows Firewall blocks the incoming print requests.
Users who attempt to use Reflection LPD printing before port 515 has been opened will see the print job waiting in the local printer queue. No error will appear, but the print job will not be processed. No error is displayed on the machine running Reflection LPD either; however, if Windows Firewall logging is enabled, the blocked connection is recorded in the log.
To allow Reflection LPD printing, follow the steps in Manually Adding Applications to the Exceptions List, and add the executable Lpdserv.exe to the Windows Firewall Exceptions list.
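Because a blocked LPD request produces no error on either machine, the firewall log is the only place the failure shows up. The following script is an added example, not part of the original note or of any Attachmate product: it scans a Windows Firewall text log for dropped TCP connections to port 515 and groups them by sending host. The sample log lines are constructed, the function name is hypothetical, and the column layout is read from the log's own #Fields header.

```python
# Added example: find inbound connections to the LPD port that Windows Firewall dropped.
# Column names come from the log's "#Fields:" header instead of being hard-coded.

LPD_PORT = 515  # port the note says the Reflection LPD server listens on

# Constructed sample in the Windows Firewall text log layout
# (addresses are from the reserved documentation ranges).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2005-03-14 09:12:01 DROP TCP 192.0.2.10 192.0.2.50 1023 515 48 S 1884921 0 65535 - - -
2005-03-14 09:12:04 DROP TCP 192.0.2.10 192.0.2.50 1023 515 48 S 1884921 0 65535 - - -
2005-03-14 09:12:09 OPEN TCP 192.0.2.50 198.51.100.7 1045 23 - - - - - - - -
2005-03-14 09:13:30 DROP UDP 192.0.2.22 192.0.2.255 137 137 78 - - - - - - -
2005-03-14 09:15:42 DROP TCP 192.0.2.31 192.0.2.50 722 515 48 S 99120 0 65535 - - -
2005-03-14 09:16:00 DROP ICMP 192.0.2.31 192.0.2.50 - - 60 - - - - 8 0 -
"""


def dropped_lpd_connections(log_text, port=LPD_PORT):
    """Return {source IP: [timestamps]} for dropped TCP packets sent to `port`."""
    fields, hits = [], {}
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        # Skip blank lines, other header lines, and data seen before a header.
        if not line or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        if (rec.get("action") == "DROP" and rec.get("protocol") == "TCP"
                and rec.get("dst-port") == str(port)):
            stamp = f'{rec.get("date", "?")} {rec.get("time", "?")}'
            hits.setdefault(rec.get("src-ip", "?"), []).append(stamp)
    return hits


if __name__ == "__main__":
    for src, times in dropped_lpd_connections(SAMPLE_LOG).items():
        print(f"{src}: {len(times)} dropped connection(s) to port {LPD_PORT}, "
              f"first at {times[0]}")
```

Each source address it reports is a host whose print jobs are sitting unprocessed in its local queue.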
To manually add these applications to the Exceptions list, follow these steps:
Figure 2 - The Windows Firewall Exceptions List (Default)
For further information about manually adding application or port exceptions to the Windows Firewall, see Manually Configuring Windows Firewall in Windows XP Service Pack 2 on the Microsoft web site at
http://www.microsoft.com/technet/community/columns/cableguy/cg0204.mspx
For information about troubleshooting the Microsoft Firewall, see Troubleshooting Windows Firewall in Microsoft Windows XP Service Pack 2 on Microsoft's web site at
When using Reflection Ping for troubleshooting, you will be able to ping out through the local Windows Firewall; however, the firewall blocks incoming ping (ICMP) connections by default. Therefore, if the workstation you are pinging has the Windows Firewall enabled, you may need to temporarily allow ICMP connections on that workstation before you attempt to ping it. Details about enabling and disabling ping can be found in the article noted above, under the heading "Nobody Can Ping My Computer."