UPS Worldship remote workstation cannot connect to DB

Status
Not open for further replies.

jkupski

We're in the middle of migrating from XP to Win7, and just updated the PCs in our shipping office, which, among other things, run UPS Worldship. The Worldship admin workstation is working fine, but the remote workstation is unable to connect to the database. After troubleshooting with UPS support, we established that the problem seems to be the Windows firewall--disabling it allows the remote workstation to connect.

We have written rules to allow every TCP and UDP port involved, have allowed every process used by worldship and sql server express, I even wrote a rule to accept all TCP and UDP traffic from the remote workstation, and the problem still persists. UPS has basically washed their hands at this point and said it's an environmental issue (i.e. firewall) on our end.

Anyone have any idea on this one?
 
To follow up, firewall logging is turned on, and there is nothing logged when the remote workstation tries to connect.
 
Have you tried the normal stuff?
1. Can you ping the administrative workstation by name and IP address from the remote workstation?

2. Try to totally disable the firewall on the remote workstation as follows from a CMD prompt:
netsh firewall set opmode disable
Try ping again as above in 1.

If you haven't already done so:
3. I would remove worldship from the remote computer (remove it in PROGRAMS, reboot and delete the folder where it lived)

4. Run the install from the Administrative Workstation shared folder (with firewall disabled)
\UPS\WSTD\Remote\Install\Disk1

Try enabling firewall if successful in 4.

I have found that if you talk to different people at worldship support, some are better than others. I don't know if they can just dump you unless you were running Windows 95 on some virus-laden piece 'o junk computer.
 
Your network type is not defined as PUBLIC in Win 7 is it??? I'm assuming NOT, but just verify.

 
Network is defined as "domain," administrative workstation is pingable by remote workstation, DNS queries return correct IP, etc. No file/printer sharing issues, as remote can connect to file share on admin, connect to label printers, etc.

Remote has been re-installed (suggestion from UPS support). Remote workstation DOES work when firewall is disabled on admin workstation, so we're confident this is the problem, we have just not been able to find any combination of rules to make the issue go away. Further, as noted, firewall logs do not show any rejected/dropped packets.

My next step is going to be to spin up a test VM and see if the problem is unrelated to the individual machine in question. If I still have a failure, I expect that a few hours with wireshark are in my future.
 
Test VM fails in the same way, so issue is definitely related to admin workstation.
 
"so issue is definitely related to admin workstation"
No, I think that means that the problem is UNrelated to a specific PC and IS related to the Win 7 firewall in general. Right???? Or am I misinterpreting what you tried?
 
Correct... by admin workstation, I meant the box, and not the UPS software role.

Testing with wireshark is indicating that the win7 firewall (presumably) is blocking connections to the sql server express instance running on the admin workstation... I see SYNs but no ACKs. I'll need to figure out why, since incoming connections are allowed on the port, and even the executable has an allow rule.
 
Firewall log is now showing that the admin workstation is dropping tcp 1434.... which is odd, because there is a rule allowing it.
 
SOLVED.

For anyone having the same problem:

Digging into netsh, I noticed the following:

Code:
netsh advfirewall>show currentprofile

Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
LocalFirewallRules                    N/A (GPO-store only)
LocalConSecRules                      N/A (GPO-store only)
InboundUserNotification               Enable
RemoteManagement                      Disable
UnicastResponseToMulticast            Enable

Logging:
LogAllowedConnections                 Disable
LogDroppedConnections                 Disable
FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
MaxFileSize                           4096

The bit about LocalFirewallRules being "N/A (GPO-store only)" got me thinking, and I defined rules for TCP and UDP 1434 in a group policy, and applied it to the machine. Worldship immediately started on my test VM.

I was not aware that where a GPO was applied for firewall rules, local exceptions are ignored. Can anyone confirm this behavior, and maybe offer a workaround? "Allow local port exceptions" is explicitly enabled in the controlling GPO, so I'm fairly confused here.
 
I know this is probably a dumb question... but how did you apply the group policy?
I am having this exact problem.
 
Just got off the phone with UPS AGAIN!!! They are telling me now that it is because my Win 7 machines are trying to use IPv6. It must be IPv4.
 
Please start your own thread with all relevant information about the PC and what you've done so far.
 