Windows, printers, and firewalls

Posted on 11 April 2012 by jose

As a Linux geek, I don't usually wrestle with Windows problems (but when I do, I prefer Windows 7); this week, I did a little bit of system administration and troubleshooting at work, since I could physically manage the machines in question. There's no doubt I need to improve my phone support abilities, but since I was available in person, I took advantage.

First, I needed to get a Windows 7 machine to print to a networked printer. Not too difficult, right? Except Windows wanted a driver for the HP printer, and it expected to detect the printer via a local USB connection to install the downloaded driver, frustrating me to no end. Luckily, we had the disk containing the printer's drivers in the office; setting it up as a local printer on a TCP port and then installing the drivers from the disk solved the problem. I note in passing that my Linux laptop had no trouble seeing and printing to the networked printer.

Next, and far more difficult given my light usage of Windows 7, was getting a laptop to connect to and map a shared directory on a remote machine. Complicating matters was that the desktop was inside our office network, but the laptop by necessity had to connect via a wireless connection, and then a VPN. I had the name (and IP) of the target computer, but no matter what I tried on the laptop, it could not find a path to the target machine.

After several intensive Internet searches, I reluctantly decided to upgrade the laptop to Windows 7 Professional (from Home Premium). To my enormous annoyance, this did not take care of the problem. Further troubleshooting confirmed that it wasn't the laptop that was being troublesome: it was the target machine, and specifically, its firewall.

If I took down the target machine's firewall, the laptop could map the shared folder and access it normally. So the task then became to determine which firewall component was preventing access, and how to get around it securely. After some inspection, I discovered the SMB-in firewall rule, and after some fiddling, I verified that it was indeed the culprit.

So here's what you do: take note of the private subnet your source machine's VPN IP address resides on. Ideally, it is a close neighbor of all IP addresses attempting to connect to the target machine, but as long as the network is private, it is trivial to deal with a large range of IPs.

In the target machine's Windows firewall's advanced settings, locate the SMB-in rule in the Incoming connections list. If the rule does not exist, you can create it from the presets available.

Now, the important part: edit the rule's scope. By default, it restricts incoming SMB requests to machines on the local subnet; if you're having trouble, it's likely because your VPN source machine is on a slightly different subnet than the target machine. Windows lets you add a CIDR block to the scope, and there are other useful options to get your list of IPs into the rule's scope; make sure whatever you use encompasses the range of VPN IPs that will attempt to connect to the network. Save, and barring any other issues, you should be able to connect to the target machine and map its shared directories at will even from Windows 7 Home Premium (no restart of the target required, which is a nice bonus).
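The same scope change done from the command line, as an added example that is not part of the original post: it records the rule's current remote-address scope, then adds the VPN client pool alongside LocalSubnet rather than opening the rule to any address. It assumes the VPN hands out addresses from 10.8.0.0/24 (a constructed value) and that the rule carries its default display name; run it in an elevated prompt on the target machine.

```powershell
# Added example (not from the post): scope the inbound SMB rule to the local subnet
# plus the VPN client pool, instead of taking the firewall down. Assumptions: the VPN
# assigns addresses from 10.8.0.0/24 (constructed; substitute your own pool) and the
# rule still has its default display name. netsh is used because Windows 7 lacks the
# NetSecurity cmdlets (Get-/Set-NetFirewallRule) that Windows 8 and later provide.

$RuleName = "File and Printer Sharing (SMB-In)"   # default display name; verified below
$VpnPool  = "10.8.0.0/24"                          # constructed: your VPN client subnet

# 1. Confirm the rule exists and record its current scope (RemoteIP) before changing it.
$before = netsh advfirewall firewall show rule name="$RuleName" verbose
if ($LASTEXITCODE -ne 0 -or ($before -match "No rules match")) {
    throw "Rule '$RuleName' not found; create it from the File and Printer Sharing preset first."
}
$before | Select-String -Pattern "Rule Name|Profiles|Enabled|RemoteIP"

# 2. Widen the scope only as far as needed: keep LocalSubnet and add the VPN pool.
#    Do not use remoteip=any; that exposes TCP/445 to every address the host can reach.
#    A name match updates every profile's copy of the rule (Domain, Private, Public).
netsh advfirewall firewall set rule name="$RuleName" new remoteip="LocalSubnet,$VpnPool" enable=yes
if ($LASTEXITCODE -ne 0) { throw "netsh could not update the scope of '$RuleName'." }

# 3. Show the resulting scope so the change can be checked (or reverted with the
#    RemoteIP value captured in step 1).
netsh advfirewall firewall show rule name="$RuleName" verbose |
    Select-String -Pattern "Rule Name|Profiles|RemoteIP"
```

From the source machine the quick confirmation is that TCP port 445 on the target now answers over the VPN; no reboot of the target is needed, as the post notes.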

Given the additional complexity of adding a connection via a VPN tunnel to the mix, in hindsight, it's easy to think I should have thought of the firewall earlier; I blame a long-standing belief that Windows firewalls were not to be taken seriously (in other words, Linux snobbery). Then again, I haven't had to troubleshoot machines on a network since switching to Linux full time, so I was rusty when I tried to solve this.

In short, on your source machine, ignore NTLM and LM compatibility modes. Don't worry about NetBIOS settings; they're probably fine. No need to mess around with gateways and routes on the source machine. And definitely try this before you upgrade the source machine to Professional. You may still have to, but if tweaking the target machine's firewall gets you in, it'll save you a bit of cash.
