Affected versions: Windows Server 2022


Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Critical app endpoints time out even though services are running, due to blocked inbound or outbound ports.

Environment & Reproduction

Typically occurs after baseline policy updates or profile changes.

# Which profiles (Domain/Private/Public) are enabled and what their default actions are
Get-NetFirewallProfile
# Sample of enabled rules; use Select-Object rather than the Select alias in scripts
Get-NetFirewallRule -Enabled True | Select-Object -First 20
# Loopback check: confirms the listener itself is up before blaming the firewall
Test-NetConnection localhost -Port 443

Root Cause Analysis

Rule precedence, profile mismatch, or GPO-enforced denies can override local allow rules.

Quick Triage

Check active profiles and recent block logs.

Get-NetFirewallProfile | Select-Object Name,Enabled,DefaultInboundAction,LogBlocked,LogFileName
# WFP block events (5152 = packet dropped, 5157 = connection blocked); these only appear if Filtering Platform auditing is enabled
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5152,5157} -MaxEvents 30
# ActiveStore = the effective merged policy (local + GPO), not just what is stored locally
Get-NetFirewallRule -PolicyStore ActiveStore | Select-Object -First 20

Step-by-Step Diagnosis

Map listener ports to effective firewall policy.

# What is actually listening, and which process owns each port
Get-NetTCPConnection -State Listen | Select-Object LocalAddress,LocalPort,OwningProcess
# Port filters of the enabled rules in the effective policy (InstanceID ties each filter back to its rule)
Get-NetFirewallRule -PolicyStore ActiveStore -Enabled True | Get-NetFirewallPortFilter | Select-Object -First 40
Get-NetFirewallRule -DisplayName '*app*'
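The commands above list listeners and port filters separately; the mapping the heading asks for still has to be done by eye. The script below is an added example (not from the original article) that joins each listening TCP port to the enabled inbound rules in the ActiveStore whose port filter covers it, and reports the allow and block rules per port. Cmdlets are the standard NetSecurity and NetTCPIP ones; the helper name Test-PortInFilter is a constructed one.

```powershell
# Added example: map listening TCP ports to the effective inbound firewall rules that cover them.

# Collect enabled inbound rules from the effective (ActiveStore) policy together with their port filters.
# Piping each rule through Get-NetFirewallPortFilter is slow on hosts with many rules but always correct.
$rules = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Enabled True |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name      = $_.DisplayName
            Action    = [string]$_.Action      # Allow / Block; block rules win over allow rules
            Profile   = [string]$_.Profile     # rule only applies if this includes the interface's active profile
            Protocol  = [string]$pf.Protocol   # 'TCP', 'UDP', 'Any', or a protocol number
            LocalPort = $pf.LocalPort          # 'Any', '443', '1000-2000', or an array of those
        }
    }

function Test-PortInFilter {
    # Constructed helper: does a rule's LocalPort specification cover a concrete port?
    param([int]$Port, $LocalPort)
    foreach ($spec in @($LocalPort)) {
        if ($spec -eq 'Any') { return $true }
        if ($spec -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($spec -match '^\d+$' -and [int]$spec -eq $Port) {
            return $true
        }
        # Keyword ports such as 'RPC' or 'IPHTTPSIn' are not resolved here and count as no match.
    }
    return $false
}

$listeners = Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess -Unique

$report = foreach ($l in $listeners) {
    $proc = (Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    $matching = $rules | Where-Object {
        ($_.Protocol -eq 'TCP' -or $_.Protocol -eq 'Any') -and
        (Test-PortInFilter -Port $l.LocalPort -LocalPort $_.LocalPort)
    }
    [pscustomobject]@{
        LocalAddress = $l.LocalAddress
        LocalPort    = $l.LocalPort
        Process      = $proc
        AllowRules   = (($matching | Where-Object Action -eq 'Allow').Name) -join '; '
        BlockRules   = (($matching | Where-Object Action -eq 'Block').Name) -join '; '
    }
}

# Listeners with an empty AllowRules column are the ones the default inbound action decides.
$report | Sort-Object LocalPort | Format-Table -AutoSize
```

Read the output together with `Get-NetConnectionProfile`: a rule whose Profile column does not include the network category of the interface in use (Domain, Private or Public) does not apply, which is the "profile mismatch" case from the root-cause section. Any port that shows a BlockRules entry is blocked regardless of how many allow rules also match.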

Solution – Primary Fix

Create explicit allow rules with correct profile scope.


# Inbound: scope to the Domain profile so the rule is not active on Public networks
New-NetFirewallRule -DisplayName 'LOB App 443 Inbound' -Direction Inbound -Action Allow -Protocol TCP -LocalPort 443 -Profile Domain
# Outbound: the port of interest is the remote side, hence -RemotePort
New-NetFirewallRule -DisplayName 'LOB App 443 Outbound' -Direction Outbound -Action Allow -Protocol TCP -RemotePort 443 -Profile Domain

Solution – Alternative Approaches

Apply the rule set through a centralized GPO when Group Policy is authoritative and local rules are not merged into the effective policy.

gpupdate /force
Get-NetFirewallRule -PolicyStore ActiveStore | Where-Object DisplayName -like '*LOB*'

Verification & Acceptance Criteria

Application traffic succeeds and no matching deny events recur.

Test-NetConnection app01.corp.local -Port 443
Get-NetFirewallRule -DisplayName '*LOB App*'
# Expect no new WFP block events (5152/5157) for the application port after the fix
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5152,5157} -MaxEvents 10

Rollback Plan

Remove newly created rules if unintended exposure is detected.

Remove-NetFirewallRule -DisplayName 'LOB App 443 Inbound'
Remove-NetFirewallRule -DisplayName 'LOB App 443 Outbound'

Prevention & Hardening

Track rule drift and keep application-port matrices under change control.

Get-NetFirewallRule | Export-Csv firewall-rules.csv -NoTypeInformation
Get-NetFirewallProfile
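A one-off CSV export only helps if something later compares it against the current state. The following added example (not from the original article) snapshots the effective rule set, keeps a baseline, and prints the rows that differ, so drift shows up as a reviewable change rather than a surprise outage. Cmdlets are the standard NetSecurity ones; the file paths and the function name Get-FirewallRuleSnapshot are placeholders chosen for illustration.

```powershell
# Added example: detect firewall rule drift against a saved baseline.
$Baseline = 'C:\Baselines\firewall-rules-baseline.csv'                     # placeholder path
$Current  = "C:\Baselines\firewall-rules-$(Get-Date -Format yyyyMMdd).csv" # placeholder path

function Get-FirewallRuleSnapshot {
    # Constructed helper: flatten rule + port filter into one string-typed row per rule
    # so the CSV round-trips through Import-Csv and compares cleanly.
    Get-NetFirewallRule -PolicyStore ActiveStore | ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name              = $_.Name
            DisplayName       = $_.DisplayName
            Enabled           = [string]$_.Enabled
            Direction         = [string]$_.Direction
            Action            = [string]$_.Action
            Profile           = [string]$_.Profile
            Protocol          = [string]$pf.Protocol
            LocalPort         = (@($pf.LocalPort)  -join ',')
            RemotePort        = (@($pf.RemotePort) -join ',')
            PolicyStoreSource = $_.PolicyStoreSource   # GPO name or PersistentStore: who owns the rule
        }
    }
}

$snapshot = Get-FirewallRuleSnapshot
$snapshot | Export-Csv $Current -NoTypeInformation

if (-not (Test-Path $Baseline)) {
    # First run: the current, reviewed state becomes the baseline.
    $snapshot | Export-Csv $Baseline -NoTypeInformation
    Write-Output "Baseline created at $Baseline"
} else {
    $base  = Import-Csv $Baseline
    $props = 'Name','Enabled','Direction','Action','Profile','Protocol','LocalPort','RemotePort','PolicyStoreSource'
    # '=>' rows exist only in the current snapshot (added or changed), '<=' only in the baseline (removed or changed).
    $drift = Compare-Object -ReferenceObject $base -DifferenceObject $snapshot -Property $props -PassThru
    if ($drift) {
        $drift | Select-Object SideIndicator, DisplayName, Direction, Action, Profile, LocalPort, PolicyStoreSource |
            Format-Table -AutoSize
    } else {
        Write-Output 'No firewall rule drift against baseline.'
    }
}
```

Run it from a scheduled task and route the non-empty output to the same change-control queue as the application-port matrix; the PolicyStoreSource column tells you immediately whether a drifted rule came from a GPO or from a local change.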

Related Errors & Cross-Refs

Often misdiagnosed as DNS or service failures when network policy is the true blocker.


References & Further Reading

Microsoft Learn: Windows Defender Firewall with Advanced Security and policy processing order.
