VPN client Group Policy - allowing SMB 445 from server to client

SimonReach
Building a reputation
Hopefully someone will be able to assist with this.

I have a client Group Policy rule that only allows specific traffic from a VPN client to a server. The server in question has an IP of 10.0.17.1 and the client is 10.0.100.174.

Now there are rules that allow client access to the server on TCP ports 3389, 443, and 445. These work absolutely fine, so the client machine can UNC to the server and also RDP to the server without issue. I also need to allow a UNC connection from the server back to the client, so I thought, simple: allow port 445 to the VPN subnet... doesn't work. Allow all traffic to the VPN subnet, doesn't work. I needed to allow all traffic to the server before it would work.

I captured packet logs from when the server is trying to get a UNC to the client and shoved the data into ChatGPT, but it moans that it's too much data or just tells me the settings I have should work fine and that I don't need anything more than port 445, which is already unblocked.

So my question is: if the server on 10.0.17.1 is trying to UNC to a client that uses a group policy, what specific traffic could potentially be getting blocked that needs unblocking, apart from 3389, 443 and 445?

3 Replies
alemabrahao
Kind of a big deal

Have you tried disabling the machine's local firewall?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.
SimonReach
Building a reputation

Thank you for the great response.

So:
Test-NetConnection -ComputerName 10.0.17.1 -Port 445, when run from the client on 10.0.100.174, works fine and connects straight away.
Test-NetConnection -ComputerName 10.0.100.174 -Port 445, when run from the server on 10.0.17.1, fails to connect.

Wireshark running over the VPN connection on the client, while the Test-NetConnection is being done from the server to the client, confirms that the client sees the request but that it's blocked on the way back.

416 31.096235 10.0.17.1 10.0.100.174 TCP 66 [TCP Port numbers reused] 52323 → 445 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM

SimonReach
Building a reputation

Just to clarify, I've sorted it by doing a Group Policy unblock for the VPN clients of ports 49152-65535 into the server address; this works.
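The behaviour reported across the thread (445 to the server works, server to client fails, 445 or even "all traffic" to the VPN subnet does not help, but 49152-65535 to the server does) is what you get when a client-side policy is applied per packet to traffic leaving the VPN client, with no connection tracking: the SYN from the server arrives, but the client's SYN/ACK back to the server's ephemeral port is matched against the same "client to server, dst port 3389/443/445" rules and dropped. The model below is an added example, not code from the thread or from Meraki. It assumes those policy semantics (inferred from the outcome, not documented here), assumes 10.0.100.0/24 as the VPN client pool prefix, and uses the addresses and the posted Wireshark line from the thread; everything else is constructed.

```python
"""Model of a one-way VPN-client policy blocking a server-initiated SMB connection.

Added example. Assumptions (not from the thread): the policy is consulted only
for packets leaving the VPN client, each packet on its own (no connection
tracking), default deny; and the VPN client pool is 10.0.100.0/24.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SERVER = "10.0.17.1"        # from the thread
CLIENT = "10.0.100.174"     # from the thread
VPN_SUBNET = "10.0.100.0/24"  # assumed prefix for "the VPN subnet"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


@dataclass(frozen=True)
class Rule:
    """Allow rule: traffic from the VPN client to `dst` on dst ports lo..hi."""
    dst: str          # host ("10.0.17.1") or CIDR ("10.0.100.0/24")
    lo: int = 0
    hi: int = 65535

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.dst) in ip_network(self.dst, strict=False)
                and self.lo <= pkt.dport <= self.hi)


def client_egress_allowed(pkt: Packet, rules: list[Rule]) -> bool:
    """Only packets leaving the VPN client are checked; default deny."""
    if pkt.src != CLIENT:
        return True
    return any(r.matches(pkt) for r in rules)


def smb_handshake(initiator: str, responder: str, ephemeral: int) -> list[Packet]:
    """The three TCP handshake packets for a connection to port 445."""
    return [
        Packet(initiator, ephemeral, responder, 445, "SYN"),
        Packet(responder, 445, initiator, ephemeral, "SYN/ACK"),
        Packet(initiator, ephemeral, responder, 445, "ACK"),
    ]


def first_blocked(packets: list[Packet], rules: list[Rule]) -> Packet | None:
    """Return the first packet the policy drops, or None if the handshake completes."""
    for p in packets:
        if not client_egress_allowed(p, rules):
            return p
    return None


# Matches a Wireshark packet-list line of the form posted in the thread.
WIRESHARK_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+TCP\s+\d+\s+.*?"
    r"(\d+)\s+(?:→|->)\s+(\d+)\s+\[([^\]]+)\]"
)


def parse_wireshark_line(line: str) -> Packet:
    """Pull src, dst, ports and flags out of a Wireshark packet-list line."""
    m = WIRESHARK_RE.search(line)
    if not m:
        raise ValueError("unrecognised line: " + line)
    src, dst, sport, dport, flags = m.groups()
    return Packet(src, int(sport), dst, int(dport), flags)


# The capture line from the thread (server SYN seen on the client).
CAPTURED = ("416 31.096235 10.0.17.1 10.0.100.174 TCP 66 [TCP Port numbers reused] "
            "52323 → 445 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM")

BASE = [Rule(SERVER, 3389, 3389), Rule(SERVER, 443, 443), Rule(SERVER, 445, 445)]
RULESETS = {
    "base (3389/443/445 to server)": BASE,
    "+ 445 to VPN subnet": BASE + [Rule(VPN_SUBNET, 445, 445)],
    "+ all traffic to VPN subnet": BASE + [Rule(VPN_SUBNET)],
    "+ 49152-65535 to server": BASE + [Rule(SERVER, 49152, 65535)],
}


def evaluate(rulesets: dict[str, list[Rule]] = RULESETS) -> dict[str, str | None]:
    """For each rule set, the flags of the first dropped handshake packet (None = works)."""
    syn = parse_wireshark_line(CAPTURED)
    flows = smb_handshake(syn.src, syn.dst, syn.sport)
    results: dict[str, str | None] = {}
    for name, rules in rulesets.items():
        blocked = first_blocked(flows, rules)
        results[name] = blocked.flags if blocked else None
    return results


if __name__ == "__main__":
    print("client -> server 445:", first_blocked(smb_handshake(CLIENT, SERVER, 52000), BASE))
    for name, outcome in evaluate().items():
        print(f"{name:32s} {'works' if outcome is None else 'drops ' + outcome}")
```

Run as-is, the model reproduces all three observations from the thread: the client-initiated connection passes under the base rules, the server-initiated one loses its SYN/ACK under the base rules and under both "to the VPN subnet" variants (that packet is addressed to the server, not to the VPN subnet), and only a rule covering the server's ephemeral source port lets it through. 49152-65535 is the default dynamic port range on current Windows, which is why that range was the one that worked. The caveat is that such a rule also lets the VPN client initiate connections to anything listening on the server in that range, so if the policy engine offers any form of established/return-traffic matching, prefer that over a broad port range.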