5159 events on Exchange servers

  • Question

  • We have our Exchange 2007 mailbox server set up on a Windows 2008 x64 machine. The Hub Transport and Client Access roles (both on the same machine) are on another machine running Windows 2008 x64.

    Although everything seems to be working correctly, these error messages appear continuously in the event viewer of both Exchange 2007 servers:

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          19/05/2009 16:35:37
    Event ID:      5159
    Task Category: Filtering Platform Connection
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      excMBX.dominio.com
    Description:
    The Windows Filtering Platform has blocked a bind to a local port.

    Application Information:
     Process ID:  2216
     Application Name: \device\harddiskvolume1\program files\microsoft\exchange server\bin\store.exe

    Network Information:
     Source Address:  0.0.0.0
     Source Port:  52636
     Protocol:  17

    Filter Information:
     Filter Run-Time ID: 0
     Layer Name:  Resource Assignment
     Layer Run-Time ID: 36
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
        <EventID>5159</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12810</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2009-05-19T14:35:37.051Z" />
        <EventRecordID>3685166</EventRecordID>
        <Correlation />
        <Execution ProcessID="4" ThreadID="88" />
        <Channel>Security</Channel>
        <Computer>excMBX.dominio.com</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="ProcessId">2216</Data>
        <Data Name="Application">\device\harddiskvolume1\program files\microsoft\exchange server\bin\store.exe</Data>
        <Data Name="SourceAddress">0.0.0.0</Data>
        <Data Name="SourcePort">52636</Data>
        <Data Name="Protocol">17</Data>
        <Data Name="FilterRTID">0</Data>
        <Data Name="LayerName">%%14608</Data>
        <Data Name="LayerRTID">36</Data>
      </EventData>
    </Event>

    It looks as if the Windows Filtering Platform were blocking UDP connections (protocol 17), but I don't know where to allow this protocol. Does anyone else have this same problem?

    Thanks and regards to all.

    Tuesday, 19 May 2009 14:49

Answers

  • Hello

    Check the content of this blog

    http://blogs.technet.com/instan/archive/2009/01/08/the-windows-filtering-platform-has-blocked-a-bind-to-a-local-port.aspx
    The Windows Filtering Platform has blocked a bind to a local port

    You may notice event 5159 being logged on your Windows 2008 Server(s) indicating a connection has been blocked/dropped, etc.
    The Process ID will indicate which application was blocked (tasklist /SVC can be used to get details on running PIDs) and which protocol was involved.

    The actual enforcement of the firewall rules is done by WFP through traffic filters derived from the firewall policy.
    To further troubleshoot this you can enable WFP auditing and monitor the event viewer to see what is happening in WFP while you reproduce the problem that you want to troubleshoot.

    One common event we have observed is where the initial attempt is made using UDP (protocol 17), which is blocked, and then a second attempt is made using TCP, which is allowed; this is typical of Kerberos traffic, which first tries UDP and then attempts TCP if UDP fails.

    By default the drop is not logged, so you should really only see this event if one of the Audit subcategories (Filtering Platform Packet Drop) has been turned on.

    To enable WFP auditing:
    auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable
    auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable
    auditpol /set /subcategory:"IPsec Driver" /success:enable /failure:enable
    auditpol /set /subcategory:"IPsec Main Mode" /success:enable /failure:enable
    auditpol /set /subcategory:"IPsec Quick Mode" /success:enable /failure:enable
    auditpol /set /subcategory:"IPsec Extended Mode" /success:enable /failure:enable

    ...Repro the failure, go to the Security event log and monitor for the events.

    To disable WFP auditing:
    auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
    auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
    auditpol /set /subcategory:"IPsec Driver" /success:disable /failure:disable
    auditpol /set /subcategory:"IPsec Main Mode" /success:disable /failure:disable
    auditpol /set /subcategory:"IPsec Quick Mode" /success:disable /failure:disable
    auditpol /set /subcategory:"IPsec Extended Mode" /success:disable /failure:disable

    • Marked as answer by Uriel Almendra Monday, 13 May 2013 19:51
    Wednesday, 20 May 2009 19:51
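
An added example, not part of the original thread or the quoted blog: Python that parses event 5159 XML in the form posted in the question and counts blocked binds per process, protocol and port class, so that repeated UDP blocks from one process such as store.exe stand out from anything else. The sample events are constructed (the first mirrors the posted event; example.exe, the `<Events>` wrapper and the use of the Windows Server 2008 default dynamic port range as a triage hint are assumptions).

```python
import xml.etree.ElementTree as ET
from collections import Counter
from ntpath import basename

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PROTOCOLS = {"1": "ICMP", "6": "TCP", "17": "UDP"}  # IANA protocol numbers
DYNAMIC_PORTS = range(49152, 65536)  # default dynamic range, Windows Server 2008

def parse_5159(xml_text):
    """Return one dict per event 5159 in a single Event or an <Events> wrapper."""
    rows = []
    for ev in ET.fromstring(xml_text).iter("{%s}Event" % NS["e"]):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "5159":
            continue  # some other Filtering Platform event
        data = {d.get("Name"): (d.text or "")
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        port = int(data.get("SourcePort") or 0)
        proto = data.get("Protocol", "")
        rows.append({
            "process": basename(data.get("Application", "")).lower(),
            "pid": data.get("ProcessId", ""),
            "protocol": PROTOCOLS.get(proto, proto),
            "port": port,
            "dynamic_port": port in DYNAMIC_PORTS,
        })
    return rows

def summarize(rows):
    """Count blocked binds per (process, protocol, port-in-dynamic-range)."""
    return Counter((r["process"], r["protocol"], r["dynamic_port"]) for r in rows)

# Constructed sample: the first event mirrors the one posted in the question;
# the others (including example.exe and the <Events> wrapper) are made up.
EVENT_TEMPLATE = (
    '<Event xmlns="' + NS["e"] + '"><System><EventID>{eid}</EventID></System>'
    '<EventData><Data Name="ProcessId">{pid}</Data>'
    '<Data Name="Application">{app}</Data>'
    '<Data Name="SourcePort">{port}</Data>'
    '<Data Name="Protocol">{proto}</Data></EventData></Event>')
STORE = r"\device\harddiskvolume1\program files\microsoft\exchange server\bin\store.exe"
SAMPLE = "<Events>" + "".join(
    EVENT_TEMPLATE.format(eid=e, pid=p, app=a, port=po, proto=pr)
    for e, p, a, po, pr in [
        (5159, 2216, STORE, 52636, 17),
        (5159, 2216, STORE, 52641, 17),
        (5159, 3100, r"\device\harddiskvolume1\tools\example.exe", 5000, 17),
        (5156, 2216, STORE, 52650, 6),  # different event ID, ignored
    ]) + "</Events>"

if __name__ == "__main__":
    for key, count in summarize(parse_5159(SAMPLE)).most_common():
        print(count, *key)
```

A blocked bind on a port outside the dynamic range is the row to look at first, since it is more likely a service trying to listen than an outbound client socket.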