Windows file and printer sharing only works if firewall turned off?

I've narrowed down a problem that bugs me at regular intervals when setting up new test systems here at work, and I'd like to know if anyone else has seen this, and if they know how to solve this?

- Install the Windows Vista or Windows 7 operating system fresh, on a new PC or a new virtual machine. (The "target" machine.)

- Network type is "Work Network", i.e., it is a private network.

- Go into "Network and Sharing Center"

- Enable the following things in Network and Sharing center's advanced features that are normally turned off by default: "Network Discovery", "File and Printer Sharing".

- Note, by looking at the Windows Firewall settings, that the firewall has automatically added the exceptions for these two features in Windows Firewall. (There are now exceptions for "Network Discovery" and "File and Printer Sharing" activated in Windows Firewall.)

- From a different PC, note that I can ping the target computer (ping computername) successfully and that the DNS IP address that comes up in the ping results is correct. So Network Discovery is working.

- Attempt to connect to one of the computers' file shares by doing Start, Run, "\\computername" from a different PC.

- The attempt to connect to the file share fails with an unknown error. There is an extremely long pause before the failure box appears, at least 60-90 seconds.

- Turn off firewall completely on the target machine (instead of just relying on the firewall exceptions mentioned above) and try again.

- The attempt to connect to the file share succeeds, and does so instantly.


Why is it that, when I've gone into the correct Windows setting screen to enable file sharing, and the results are clearly visible in the Firewall screen, that it fails like that? What's going wrong here? What little secret setting have I not enabled on the target machine?

Also tried going into "Windows Firewall with Advanced Security" and, under both "Inbound Rules" and "Outbound Rules", enabled all rules starting with the name "File and Printer Sharing" to be "Allow". Many of them were already enabled, but for things like Private Networks they were disabled. So I just enabled everything that starts with "File and Printer Sharing".

Still no joy.

Found it.

Have to "add port" for TCP port 139 into firewall exceptions.

After adding TCP 139, can instantly connect to file shares on that computer.

Why is port 139 not already included in the existing pre-defined exception for "File and Printer Sharing"?

Complete details for all the OS's I'm worried about:

- (XP) Open a folder. Tools, Folder Options. "View" tab. Advanced Settings. Scroll to bottom. Deactivate "Use Simple File Sharing".
- (XP) FIREWALL.CPL: enable the exception for File and Printer Sharing.
- (XP) FIREWALL.CPL: Edit the exception for File and Printer sharing and CHANGE SCOPE for each of the ports to be "any computer".
- (Vista+) Network and Sharing Center: Enable Network Discovery and File Sharing
- (Vista) FIREWALL.CPL: ADD PORT for port 139 TCP.
- (Win7) WF.MSC: add an INBOUND RULE to allow port 139 TCP.

Because Windows is crap.

I wonder if it has to do with the machine name being resolved by broadcast. Have you tried connecting to the share directly by IP Address just for fun? e.g. \\192.168.1.1\c$

Officially I think resolving by broadcast is considered kind of deprecated you are suppoed to use either FQDN or IP addresses to do file sharing now.

I was going to post something about failing on the first task by installing Windows, but you kind of beat me to it.

You Da Man!

I was struggling with this just an hour ago.

Thanks a lot for this 'complete details' post Tony! I've been struggling with this in the past as well!

Isn't there an option when joining a network for the first time whether its setup as a public network i.e. no file sharing or your home/work network which does allow file sharing?

I dealt with something similar to this problem a few years ago. By default, Windows turns on the firewall. The firewall prevents any sort of remote administration, even when joined to a domain. I finally put in a domain policy to disable the firewall when connected directly to the domain, but, really, Windows? I knew you were supposed to be "zero administration", but I didn't realize that that was an enforced policy.

All that prompt does is define whether or not the network is private or public. It doesn't actively go in and add file sharing on private networks. You still have to do that separately. At least in my experience.

... AND it still needs me to add port 139 to the firewall or it doesn't work. Again, at least in my experience.

I've also updated my list above to include the thing on XP where you have to turn off simple file sharing before you can go browsing \\computername\c$ via its administrator password.

This!

You should always assume it will want some or all of the following:

135 RPC
137 NetBIOS
138 NetBIOS
139 NetBIOS
445 SMB

As well as various others - see http://support.microsoft.com/kb/832017