SureshCh-7185 asked Scottoliver-5997 answered

Event ID: 4957. Reason: Remote Addresses resolved to an empty set - Windows 2016

Good Day All,

We have a "work group" server running "Windows 2016 Standard" edition in the "DMZ Zone". The application team is remotely trying to discover this server into their application console using two discovery methods, one being "WMI" and the other "winrm". In both cases, the server is not discoverable, and we can see the security audit failure below in the security log.

The Symantec antivirus client is running on the server and hence the local firewall is in a stopped state at the OS level, but the "windows firewall service" is in a running state. I have also stopped the "Symantec Endpoint service" and asked the app team to discover it again, but no luck; still the same error.

1) The user ID configured for communication between the app and the server has local admin rights on the server.
2) We can see a successful audit log for the user ID during discovery.
3) Tried restarting the WMI service, but no luck. Also rebuilt wbem and tried.
4) Port 5985 responds to telnet from the application server.

Please find the event details below and help me fix the issue. Thank you!

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 8/27/2021 5:12:01 PM
Event ID: 4957
Task Category: MPSSVC Rule-Level Policy Change
Level: Information
Keywords: Audit Failure
User: N/A
Computer: xxxxxxxxxxxxxxxx
Description:
Windows Firewall did not apply the following rule:

Rule Information:
ID: PrivateNetwork Inbound Default Rule
Name: PrivateNetwork Inbound Default Rule

Error Information:
Reason: Remote Addresses resolved to an empty set.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4957</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13571</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2021-08-27T07:12:01.119209900Z" />
<EventRecordID>39566259</EventRecordID>
<Correlation ActivityID="{981E48DA-918B-0002-0649-1E988B91D701}" />
<Execution ProcessID="660" ThreadID="12528" />
<Channel>Security</Channel>
<Computer>xxxxxxxxxxxxxxx</Computer>
<Security />
</System>
<EventData>
<Data Name="RuleId">PrivateNetwork Inbound Default Rule</Data>
<Data Name="RuleName">PrivateNetwork Inbound Default Rule</Data>
<Data Name="RuleAttr">Remote Addresses</Data>
</EventData>
</Event>

windows-server-2016
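
The event in the question carries its useful detail in the named EventData fields (RuleId, RuleName, RuleAttr). The following is an added example, not part of the original posts, that summarizes every Event ID 4957 record on a server by rule and failing attribute; it assumes an elevated PowerShell session on the affected server, and the 500-event cap is an arbitrary choice.

```powershell
# Added example (not from the thread): summarize Event ID 4957 records to show
# which firewall rules failed to apply and which rule attribute was at fault.
# Assumption: elevated session; reading the Security log requires it.

$maxEvents = 500   # assumption: arbitrary cap to keep the query fast
$filter    = @{ LogName = 'Security'; Id = 4957 }

$records = Get-WinEvent -FilterHashtable $filter -MaxEvents $maxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The named <Data> fields are only in the event XML, as in the
        # "Event Xml" dump posted in the question.
        $xml    = [xml]$_.ToXml()
        $fields = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            $fields[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            RuleId      = $fields['RuleId']
            RuleName    = $fields['RuleName']
            RuleAttr    = $fields['RuleAttr']
        }
    }

if (-not $records) {
    Write-Output 'No Event ID 4957 records found in the Security log.'
}
else {
    # One row per (rule, attribute) pair, most frequent first.
    $records |
        Group-Object -Property RuleName, RuleAttr |
        ForEach-Object {
            $times = $_.Group.TimeCreated | Sort-Object
            [pscustomobject]@{
                RuleName  = $_.Group[0].RuleName
                RuleAttr  = $_.Group[0].RuleAttr
                Count     = $_.Count
                FirstSeen = $times | Select-Object -First 1
                LastSeen  = $times | Select-Object -Last 1
            }
        } |
        Sort-Object -Property Count -Descending |
        Format-Table -AutoSize
}
```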

1 Answer

Scottoliver-5997 answered

I am having this same problem. It is related to the network isolation feature of the Windows Filtering Platform. I am trying to fix this. Were you ever able to get it working?
