You are browsing the site archives for 2017.

Windows 2003 Firewall Rules Allow UNC Access To Shared Folders

A couple of weeks ago I wrote a post about setting up Windows Firewall on a Windows 2003 Server running Oracle JD Edwards EnterpriseOne.

Well, it looks like I wrote that article a little too quickly, because although Oracle JD Edwards EnterpriseOne ran perfectly, the users were not able to access the exported files on the shared folders. Actually, neither was I. In fact, I couldn’t get to any of the shared folders using a basic UNC path (i.e. \\servername\foldername\file.name).

I thought this would be easily resolved by checking the File and Printer Sharing box on the Windows Firewall Exceptions tab. I was wrong: although it seemed like it should work, it didn’t.

Then I did some checking and found that I could access the shared folders from the servers on the same segment as the Windows 2003 Server, but not from my laptop. Since I’ve been out of the Windows networking arena for a while and had no idea what the Infrastructure Team might have set up, I decided to submit a Service Request to our Support Desk and hope for the best. Unfortunately, because Windows Server 2003 reached its End-of-Life in 2009, because the Windows Firewall of that era had extremely limited options, and because of the number of different things that had been tried to segregate these servers from the rest of the network, my support options were pretty limited. Our Infrastructure Team worked with me for a while on the issue until we both gave up.

Defeated, I let it sit for a day or so.

Since I was getting tired of seeing that Service Request sitting in my queue, I took a look at it again. I did some research into the exact ports that needed to be opened up on any firewall to allow Windows Shared Folders to be used. Those ports are listed here:

  • udp 137: NetBIOS Name Service (nbname)
  • udp 138: NetBIOS Datagram Service (nbdatagram)
  • tcp 139: NetBIOS Session Service (nbsession)
  • tcp 445: SMB Over TCP

I tried to insert exceptions for those ports but kept getting errors notifying me that “An entry for the same port ‘TCP 445 (SMB over TCP)’ already exists”, and I couldn’t add another one. So, that made me want to see the raw settings in the registry rather than through the GUI. I did some searching and finally figured out that what I wanted could be found at the following registry key:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

I found the entries that allow Windows Shared Folders and noticed that they were different from the entries I had added manually: their scope was “LocalSubNet” rather than “*”. No wonder I could only get to the shared folders from servers that were on the same network segment.

I replaced “LocalSubNet” with “*” and everything worked!

You can use a .reg file like the following to make the changes:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
; Value format: port:protocol:scope:state:description
; scope "*" = any remote address (the default file-sharing entries use LocalSubNet);
; the @xpsp2res.dll,-NNNNN descriptions are references to Windows resource strings
"137:UDP"="137:UDP:*:Enabled:@xpsp2res.dll,-22001"
"139:TCP"="139:TCP:*:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:*:Enabled:@xpsp2res.dll,-22005"
"138:UDP"="138:UDP:*:Enabled:@xpsp2res.dll,-22002"

That was fun! I think…
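Because the scope field is the whole story here, it helps to be able to see it for every exception at once rather than one GUI dialog at a time. The script below is an added example, not a tool from this post or from E1Tips: it parses a .reg export of the GloballyOpenPorts\List key into structured rules, flags any file-sharing port whose scope is “*”, and re-emits the rules with a narrower scope. The registry value format (port:protocol:scope:state:description) is the one shown above; the sample export and the 10.1.2.0/255.255.255.0 subnet are constructed, and the network/mask syntax for a custom scope is an assumption on my part (the page only shows “*” and “LocalSubNet”). The generated file uses CurrentControlSet, which is the link to whichever ControlSet00N Windows is actually running.

```python
r"""Audit the scope of Windows Firewall (XP SP2 / Server 2003 era) port exceptions.

Each value under ...\FirewallPolicy\<Profile>\GloballyOpenPorts\List looks like
    "<port>:<proto>"="<port>:<proto>:<scope>:<Enabled|Disabled>:<description>"
where <scope> is "*" (any remote address), "LocalSubNet", or (assumed here) a
comma-separated list of addresses or <network>/<mask> pairs.
"""
import re
from dataclasses import dataclass, replace

# The four Windows file-and-print-sharing ports from the post.
FILE_SHARING_PORTS = {(137, "UDP"), (138, "UDP"), (139, "TCP"), (445, "TCP")}

# Constructed sample export: three sharing ports still scoped to LocalSubNet,
# TCP 445 already widened to "*", plus an Oracle listener port limited to one subnet.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"137:UDP"="137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001"
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:*:Enabled:@xpsp2res.dll,-22005"
"138:UDP"="138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002"
"1521:TCP"="1521:TCP:10.1.2.0/255.255.255.0:Enabled:Oracle_Database_Port"
'''


@dataclass(frozen=True)
class PortRule:
    profile: str      # DomainProfile or StandardProfile
    port: int
    proto: str        # "TCP" or "UDP"
    scope: str        # "*", "LocalSubNet" or an address list (assumed syntax)
    enabled: bool
    description: str

    def to_reg_line(self) -> str:
        state = "Enabled" if self.enabled else "Disabled"
        return (f'"{self.port}:{self.proto}"='
                f'"{self.port}:{self.proto}:{self.scope}:{state}:{self.description}"')


KEY_RE = re.compile(r'^\[.*\\FirewallPolicy\\(\w+)\\GloballyOpenPorts\\List\]$', re.I)
VALUE_RE = re.compile(
    r'^"\d+:(?:TCP|UDP)"="(\d+):(TCP|UDP):([^:]*):(Enabled|Disabled):(.*)"$', re.I)


def parse_reg(text: str) -> list:
    """Return the PortRule entries found under any GloballyOpenPorts\\List key."""
    rules, profile = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                                  # blank line or .reg comment
        if line.startswith("["):
            key = KEY_RE.match(line)
            profile = key.group(1) if key else None  # values of unrelated keys are ignored
            continue
        val = VALUE_RE.match(line)
        if val and profile:
            port, proto, scope, state, desc = val.groups()
            rules.append(PortRule(profile, int(port), proto.upper(), scope,
                                  state.lower() == "enabled", desc))
    return rules


def wide_open_file_sharing(rules):
    """File-sharing exceptions that accept connections from any remote address."""
    return [r for r in rules
            if r.enabled and r.scope == "*" and (r.port, r.proto) in FILE_SHARING_PORTS]


def narrow_scope(rules, new_scope: str):
    """Copy of rules with every wide-open file-sharing exception limited to new_scope."""
    flagged = set(wide_open_file_sharing(rules))
    return [replace(r, scope=new_scope) if r in flagged else r for r in rules]


def render_reg(rules) -> str:
    """Emit a .reg file that reapplies the rules under the active control set."""
    by_profile = {}
    for r in rules:
        by_profile.setdefault(r.profile, []).append(r)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for profile, prules in by_profile.items():
        lines.append("[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess"
                     "\\Parameters\\FirewallPolicy\\%s\\GloballyOpenPorts\\List]" % profile)
        lines.extend(r.to_reg_line() for r in prules)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    rules = parse_reg(SAMPLE_REG)
    for r in wide_open_file_sharing(rules):
        print(f"{r.profile}: {r.proto} {r.port} is open to any remote address")
    print(render_reg(narrow_scope(rules, "10.1.2.0/255.255.255.0")))
```

Run it against a real export (regedit, File > Export on the List key) instead of SAMPLE_REG to get the same report for a server; the scope you pass to narrow_scope is the one to verify in the GUI afterwards, since the Exceptions dialog is still the source of truth for how the firewall read the value.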


Results: Where Does The CNC Function Reside In Your IT Department?

Where do you put CNC?

That was the question I asked in my first survey attempt. Needless to say, the CNC community is a quiet group. I only got 7 responses. I know there are many people that read this blog but rarely do I get comments, suggestions or flat out criticisms. Maybe that’s due to me staying pretty factual (translate “geeky”). For those that actually know me, I don’t seem to hold back when it comes to my opinions.

Anyway, here are the results:

Survey chart: where the CNC function resides in the IT department

So, are you surprised?

How To Set Your Linux Command Shell


One of the best things about the Linux command line is the ability to recall the last used command by hitting the up arrow ↑. Yes, I realize that Windows command line has done that for a long time, but where do you think they got the idea for that?

I’m fairly new to this whole Linux thing and I had an issue where I used SSH to get to a Linux server but when I ran a command and then hit the up arrow ↑, I got back a couple unreadable characters instead of the previous command. I found out that I was using the wrong command shell for what I was wanting to do.

There are a few shells that seem to be fairly common:

  • bash – Bourne again shell
  • ksh – Korn shell
  • csh – C Shell
  • dash – Debian Almquist shell

I’m not sure which shell I was using that day, but I figured out that I needed the bash shell. Below are a few commands that will help you when working with your command shell:

  • To find all of the available shells in your system, type the following command:
    cat /etc/shells
  • To find out your current shell, type any of the following commands:
    echo $SHELL
    ps $$
    ps -p $$
  • To change your shell to the bash shell, type the following command:
    chsh -s /bin/bash

Anything else you want to add to the discussion about shells?


Survey: Where Does The CNC Function Reside In Your IT Department?

I’ve worked at four very different IT organizations. I guess you would call 2 of them large and 2 of them small/medium-sized organizations. That’s it. I’ve only received a W2 from four different IT organizations. I think that’s pretty good for a 20 year career in Information Technology, especially having gone through the Y2K Crisis and the Dot-com Bubble.

My first IT experience came at a quasi-state agency. It was “quasi” because we were kind of segregated from the rest of the state agencies. Anyway, I hadn’t gotten into JDE yet, so it isn’t really relevant to my thoughts on this post.

The other three organizations were a Fortune 500 company, a large privately held company and now another Fortune 500 company. Although these three organizations are vastly different, there was one thing that seemed to be consistent between them:

Where do we put CNC?
Where does the CNC function reside in your IT Department?

  • Infrastructure (43%, 3 Votes)
  • Applications (29%, 2 Votes)
  • CNC is the IT Department (14%, 1 Votes)
  • Contractor (14%, 1 Votes)
  • Middleware (0%, 0 Votes)
  • Support (0%, 0 Votes)
  • What IT Department? (0%, 0 Votes)
  • Other (0%, 0 Votes)

Total Voters: 7


Securing Oracle JD Edwards EnterpriseOne with Windows Firewall


On one of the Oracle JD Edwards EnterpriseOne installations that I manage, we have a few Windows 2003 Servers. Yeah, I know, it’s no longer supported, but the Tools Release is 8.98.4.7 and there are a couple of third-party applications that cannot be upgraded. It’s crazy how messy real-life situations cannot be duplicated in the squeaky-clean confines of the Oracle lab.

Since Windows 2003 Server is no longer supported by Microsoft, our IT Security Team has tried locking down these servers using several different methods. One of them has been to try and implement a software firewall on the server itself. Unfortunately, any third-party solution that we tried had such a negative impact on the performance of EnterpriseOne that we had to remove it. So, they asked that we turn on the Windows Firewall. While not as robust as they would have liked, it would provide another layer of security.

The good thing about the Windows Firewall, other than how simple it is, is that it blocks all unsolicited inbound communication and only allows what you specify. That means that for EnterpriseOne to function, you need to make sure that all of its applications and ports are allowed through the firewall. There were a few different documents that I used to come up with the correct recipe for successfully securing Oracle JD Edwards EnterpriseOne with Windows Firewall:

The easiest way to access the Windows Firewall settings is to go to [Start] -> Run -> firewall.cpl. I created a shortcut to firewall.cpl on the desktop to make it easier.

The following is a breakdown of what I came up with, but since everyone’s CNC (Configurable Network Computing) configuration is different, your mileage may vary.

  • Made the following change to the jde.ini of the affected Windows Server:
    enablePredefinedPorts=1
  • Specified the following applications:
    • E:\JDE_HOME\jdk\jre\bin\java.exe – Used by the JDE Server Manager
    • E:\JDEdwards\E900\DDP\system\bin32\jdenet_k.exe – Part of JDE Services
    • E:\JDEdwards\E900\DDP\system\bin32\jdenet_n.exe – Part of JDE Services
    • E:\JDE_HOME\bin\scfagent_64.exe – Used by the JDE Server Manager
    • E:\JDEdwards\E900\DDP\system\bin32\jdesnet.exe – Part of JDE Services
  • Specified the following ports:
    • Oracle_Database_Port – Oracle DB communication port 1521
    • Server_Manager_Port – Oracle JDE Server Manager port 14501
    • Server_Manager_Port – Oracle JDE Server Manager port 14502
    • Server_Manager_Port – Oracle JDE Server Manager port 14503
  • Specified the following ports, which correspond to the enablePredefinedPorts setting above:
    • Oracle_E1_Port_6015 – 6015
    • Oracle_E1_Port_6016 – 6016
    • Oracle_E1_Port_6017 – 6017
    • Oracle_E1_Port_6018 – 6018
  • Allowed PING (ICMP echo request) for monitoring server availability by using the [Advanced] tab

There were a few more settings that I added to allow for our third-party applications but those are not related to EnterpriseOne.

Do you have any other tips or tricks to get Oracle JD Edwards EnterpriseOne to work with Windows Firewall?
