
Resolving Inter-VLAN Access Issues to Management VLAN Admin Share – Guidance for Standard Windows SMB

Article ID: KB-Resolving-Inter-VLAN-Access-Issues-001

Overview

Customers with strict VLAN segmentation (for example, an Office VLAN that has no access to the Management VLAN) may see backup jobs fail after the backup storage destination is moved to a share in the Management VLAN. The backup application reaches network shares over standard Windows SMB (UNC paths and the Windows file-copy API); it does not use a proprietary transport.

The issue arises because each backup job opens the connection from the Office VLAN (client machine) to the Management VLAN (backup server/share). In a segmented network that direction is typically denied by the inter-VLAN firewall rules or ACLs. Permitting the reverse direction (Management to Office) does not help: the firewall tracks connection state, so a Management-to-Office allow rule only matches connections initiated from the Management side.

Key Details

  • The backup client application runs on Office VLAN machines.
  • It connects to a standard Windows SMB share (including admin shares such as \\server\C$ and \\server\ADMIN$) hosted on a Windows Server in the Management VLAN.
  • No custom application listens on TCP port 445 on the server side.
  • The standard Windows SMB server (the Server service, LanmanServer) handles inbound connections on port 445.
  • The SMB listener is hosted by the System process (PID 4); the Server service itself runs in an svchost.exe instance.
  • Program-specific firewall rules (which require a full path to a user-mode .exe) therefore cannot be used. The server-side rule must match on the port (TCP 445) or on the Server service, which is exactly what the built-in File and Printer Sharing rules do.

The primary blockers remain:

  1. Inter-VLAN ACL/firewall rules blocking Office VLAN → Management VLAN on TCP 445.
  2. Windows Defender Firewall on the backup server potentially restricting inbound SMB from non-local subnets.

Root Cause Recap

  • SMB traffic uses TCP port 445 (primary; legacy NetBIOS session on TCP 139 is rarely needed).
  • Connections are initiated from Office VLAN clients to the Management VLAN server, so the inter-VLAN rules must allow that direction.
  • On the server, the built-in File and Printer Sharing (SMB-In) rule(s) control inbound access. Windows ships a copy of this rule per profile set; the copy for the Private/Public profiles is typically scoped to "Local subnet", and whether the Domain copy is enabled and how it is scoped varies with OS version and server role. In either case a rule scoped to the local subnet drops connections arriving from another VLAN, so check the actual scope rather than assuming it.

Resolution Steps

1. Inter-VLAN Firewall/ACL (Required – Network Device Side)

Add an allow rule (as previously detailed):

  • Source: Office VLAN subnet (e.g., 192.168.10.0/24)
  • Destination: Backup server IP in Management VLAN
  • Protocol/Port: TCP 445
  • Action: Allow

Limit the rule to this single port and the backup server's IP (tighter still: list the specific backup client addresses instead of the whole Office subnet if they are known and static).
Optional: add TCP 139 only if legacy NetBIOS clients are involved (rare).

2. Windows Defender Firewall on the Backup Server (Management VLAN)

Since no custom program is involved, use the built-in SMB rules and adjust their scope to allow traffic from the Office VLAN subnet.

Recommended Method: Modify Existing Built-in Rules

  1. On the backup server, open Windows Defender Firewall with Advanced Security (wf.msc).
  2. Go to Inbound Rules.
  3. Locate the following rules (enable them if disabled):
    • File and Printer Sharing (SMB-In) (TCP 445 – main rule for modern SMB)
    • File and Printer Sharing (NB-Session-In) (TCP 139 – legacy, optional)
  4. For each relevant rule:
    • Right-click → Properties.
    • Go to the Scope tab.
    • Under Remote IP address:
      • Change from "Local subnet" (or "Any") to These IP addresses.
      • Click Add → enter the Office VLAN subnet (e.g., 192.168.10.0/24 or specific ranges/IPs).
    • Ensure the rule is enabled and applies to the correct profile(s) (typically Domain and/or Private).
  5. Click OK / Apply.

This restricts inbound SMB on the server to the addresses you listed, following least-privilege principles. Note that "These IP addresses" replaces the previous scope rather than adding to it: if hosts on the Management VLAN itself also need SMB access to this server, add the Management subnet (or the keyword Local subnet) to the list as well, or they lose access.

Alternative: Create a Custom Inbound Rule (if you prefer not to modify built-ins)

  1. Right-click Inbound Rules → New Rule...
  2. Rule Type: Port → Next
  3. Protocol: TCP → Specific local ports: 445 → Next
  4. Action: Allow the connection → Next
  5. Profile: Domain and/or Private → Next
  6. Scope:
    • Local IP addresses: Any (or server IP)
    • Remote IP addresses: These IP addresses → Add → Office VLAN subnet
  7. Name: "DATASTOR Backup – Allow SMB Inbound from Office VLAN (Port 445)"
  8. Finish.

After changes, test connectivity (see below).
Note: If the server is domain-joined and the network profile is correctly set to Domain, the built-in rules should activate automatically once file sharing is enabled—but the scope adjustment is key for cross-subnet/VLAN access.
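The same changes as Resolution Step 2 can be scripted with the NetSecurity cmdlets instead of wf.msc, which is easier to review and repeat. The script below is an added example, not part of the original article or the backup product. It assumes the Office VLAN is 192.168.10.0/24 (substitute your own subnet) and that the firewall rules are managed locally; a GPO-sourced rule overrides local changes. Run it in an elevated PowerShell session on the backup server.

```powershell
# Added example, not from the original article: apply the Resolution Step 2 firewall
# changes on the backup server with the NetSecurity cmdlets. Run elevated.
# Assumptions (replace with your values): Office VLAN is 192.168.10.0/24 and the
# rules are locally managed, not enforced by GPO.

$OfficeVlan  = '192.168.10.0/24'
$DisplayName = 'File and Printer Sharing (SMB-In)'   # built-in TCP 445 rule

# Report name, profile, state and remote scope of every copy of a rule. Windows
# ships one copy of the SMB-In rule per profile set, so expect several objects;
# the Private/Public copy is normally scoped to LocalSubnet.
function Show-RuleScope {
    param([string[]]$Names)
    Get-NetFirewallRule -DisplayName $Names -ErrorAction SilentlyContinue | ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name          = $_.Name
            Profile       = $_.Profile
            Enabled       = $_.Enabled
            RemoteAddress = ($addr.RemoteAddress -join ', ')
        }
    } | Format-Table -AutoSize
}

Write-Host 'Before:'
Show-RuleScope -Names $DisplayName

# Recommended method: keep the built-in rule, but set its remote scope to the
# Office VLAN plus the server's own subnet, so Management VLAN hosts keep access
# (-RemoteAddress replaces the scope, it does not add to it).
Get-NetFirewallRule -DisplayName $DisplayName |
    Set-NetFirewallRule -RemoteAddress @($OfficeVlan, 'LocalSubnet')

# Enable only the copies that apply to the Domain/Private profiles.
Get-NetFirewallRule -DisplayName $DisplayName |
    Where-Object { "$($_.Profile)" -match 'Domain|Private|Any' } |
    Enable-NetFirewallRule

# Alternative: a dedicated rule instead of touching the built-ins. Guarded so that
# re-running the script does not create a duplicate rule.
$CustomName = 'DATASTOR Backup - Allow SMB Inbound from Office VLAN (Port 445)'
if (-not (Get-NetFirewallRule -DisplayName $CustomName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $CustomName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -RemoteAddress $OfficeVlan -Action Allow -Profile Domain, Private
}

Write-Host 'After:'
Show-RuleScope -Names $DisplayName, $CustomName
```

Use one of the two methods, not both; the custom rule is shown so the script can serve either preference. If the "After" listing still shows LocalSubnet or Any on the copy you expected to change, check the rule's PolicyStoreSource property: a rule delivered by Group Policy has to be changed in the GPO.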

3. Ensure SMB/Admin Shares Are Accessible

  • Admin shares (C$, ADMIN$, etc.) are created automatically on Windows Server unless disabled by policy or by setting AutoShareServer to 0 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters.
  • Admin shares can only be opened by members of the server's local Administrators group, and their share permissions cannot be edited. If the backup account is not (and should not be) an administrator on the server, create a dedicated share for the backup destination and grant that account read/write at both the share and NTFS level. This is also the safer choice, since it avoids exposing C$ on a Management VLAN host to the Office VLAN.
  • If the backup account is a local (non-domain) account other than the built-in Administrator, remote UAC token filtering blocks its access to admin shares unless LocalAccountTokenFilterPolicy is set on the server; prefer a domain account.
  • Test with \\server\C$ (or the dedicated share) from an Office VLAN machine after the firewall changes.

Verification Steps

From an Office VLAN client machine (PowerShell):

Test-NetConnection -ComputerName <backup-server-IP> -Port 445
  • Should return TcpTestSucceeded : True.

Manually access the UNC path:

  • Explorer: \\<backup-server-IP>\C$ (or your configured share)
  • Or: net use Z: \\<backup-server-IP>\C$ /user:domain\user * (the trailing * prompts for the password instead of leaving it in the command history). Remove the mapping afterwards with net use Z: /delete.

Run a small test backup job.

Check Event Viewer on the server (Windows Logs → System/Security) for related errors. Note that dropped inbound packets are not logged by default: enable "Log dropped packets" on the relevant firewall profile (written to %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log) or enable auditing of Filtering Platform Packet Drop (Security event ID 5152) before reproducing the failure.
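The verification steps above can be run as one script from an Office VLAN client, which also checks something the manual steps do not show: which SMB dialect the session negotiated and whether signing and encryption are in effect. This is an added example, not part of the original article or the backup product. It assumes the backup server is 192.168.20.10 and the destination is a dedicated share named Backups (substitute your own values; use C$ only if the backup account is an administrator on the server). Credentials are prompted for, so the password never appears on the command line.

```powershell
# Added example, not from the original article: scripted verification from an
# Office VLAN client. Assumptions (replace with your values): backup server
# 192.168.20.10 in the Management VLAN, share 'Backups'.

$Server = '192.168.20.10'
$Share  = 'Backups'

# 1. Transport: can this client complete a TCP handshake on 445? A failure here is
#    an ACL or firewall-scope problem, not a permissions problem, so stop and fix that.
$tnc = Test-NetConnection -ComputerName $Server -Port 445 -WarningAction SilentlyContinue
if (-not $tnc.TcpTestSucceeded) {
    Write-Warning ("TCP 445 to {0} failed from {1}. Check the inter-VLAN rule and the server firewall scope." `
        -f $Server, $tnc.SourceAddress.IPAddress)
    return
}

# 2. Authentication plus share/NTFS permissions: map the share with an explicit
#    account, then round-trip a probe file to prove both read and write work.
$cred = Get-Credential -Message 'Backup service account (DOMAIN\user)'
New-PSDrive -Name SMBTEST -PSProvider FileSystem -Root "\\$Server\$Share" `
    -Credential $cred -ErrorAction Stop | Out-Null
try {
    $probe = "SMBTEST:\smb-probe-$env:COMPUTERNAME-$(Get-Date -Format yyyyMMddHHmmss).txt"
    Set-Content -Path $probe -Value 'probe'
    if ((Get-Content -Path $probe) -ne 'probe') { throw "Read-back mismatch on $probe" }
    Remove-Item -Path $probe
    Write-Host "Read/write to \\$Server\$Share OK as $($cred.UserName)"

    # 3. What the session actually negotiated. Cross-VLAN traffic to a management
    #    host should at least be signed; Dialect 3.x is expected on supported OSes.
    Get-SmbConnection -ServerName $Server |
        Select-Object ServerName, ShareName, UserName, Dialect, Signed, Encrypted
}
finally {
    Remove-PSDrive -Name SMBTEST
}
```

If step 1 passes but step 2 fails, the network path is fine and the problem is on the server: account privileges (admin shares require Administrators membership), share or NTFS permissions, or the share not existing.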

Troubleshooting Tips

  • If the port 445 test fails after the changes: verify the inter-VLAN rule first. tracert only shows the path (ICMP), not whether TCP 445 is allowed; a packet capture on the server, or the server firewall's dropped-packet log, tells you whether the SYN arrives and is dropped locally or never arrives at all (which points at the network device).
  • Profile mismatch: Ensure the network interface on the server is classified as Domain/Private (not Public).
  • GPO overrides: If Group Policy manages firewall rules, changes may need to be applied via GPO.
  • Provide: Exact error from backup, Windows Server version, firewall profile status (Get-NetFirewallProfile), or rule screenshots for further help.
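The three server-side checks above (profile classification, GPO overrides, and evidence of dropped packets) can be gathered in one script. This is an added example, not part of the original article. It assumes the Office VLAN is 192.168.10.0/24; the log lines embedded in the script are constructed samples in the pfirewall.log format so the parser can be exercised before a real log exists. Run it elevated on the backup server.

```powershell
# Added example, not from the original article: server-side troubleshooting for the
# three causes listed in Troubleshooting Tips. Run elevated on the backup server.
# Assumption (replace with your value): Office VLAN is 192.168.10.0/24.

$OfficeVlanPrefix = '192.168.10.'

# a) Profile mismatch: a NIC classified as Public ignores Domain/Private rules.
Write-Host 'Network profile per interface:'
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory | Format-Table -AutoSize

# b) GPO overrides: a rule whose PolicyStoreSourceType is GroupPolicy cannot be
#    changed locally; edit the GPO instead.
Write-Host 'SMB-In rule sources:'
Get-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' |
    Select-Object Name, Enabled, Profile, PolicyStoreSourceType, PolicyStoreSource |
    Format-Table -AutoSize

# c) Dropped packets are not logged by default. Enable logging for the profiles in
#    use, reproduce the failure, then look for DROP lines to port 445 from the
#    Office VLAN. A DROP here means the packet reached the server and the local
#    firewall refused it (scope problem); no line at all means it never arrived.
Set-NetFirewallProfile -Profile Domain, Private -LogBlocked True
$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# Parse pfirewall.log's space-separated format:
# date time action protocol src-ip dst-ip src-port dst-port size tcpflags ... path
function Get-SmbDrops {
    param([string[]]$Lines, [string]$SourcePrefix)
    $Lines | Where-Object { $_ -and $_ -notmatch '^#' } | ForEach-Object {
        $f = $_ -split ' '
        if ($f.Count -ge 8 -and $f[2] -eq 'DROP' -and $f[3] -eq 'TCP' -and
            $f[7] -eq '445' -and $f[4].StartsWith($SourcePrefix)) {
            [pscustomobject]@{
                Time    = "$($f[0]) $($f[1])"
                Source  = $f[4]
                SrcPort = $f[6]
                Dest    = $f[5]
                Path    = $f[-1]     # RECEIVE = inbound, SEND = outbound
            }
        }
    }
}

# Constructed sample lines (not a real log) in the pfirewall.log format.
$Sample = @(
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path',
    '2024-05-01 10:15:22 DROP TCP 192.168.10.25 192.168.20.10 52344 445 52 S 1234567 0 64240 - - - RECEIVE',
    '2024-05-01 10:15:23 ALLOW TCP 192.168.20.5 192.168.20.10 49200 445 52 S 7654321 0 64240 - - - RECEIVE',
    '2024-05-01 10:15:25 DROP TCP 192.168.10.25 192.168.20.10 52345 445 52 S 1234568 0 64240 - - - RECEIVE'
)
Write-Host 'Parser check against constructed sample (expect two DROP rows from 192.168.10.25):'
Get-SmbDrops -Lines $Sample -SourcePrefix $OfficeVlanPrefix | Format-Table -AutoSize

# Same parser against the live log, once it exists.
if (Test-Path $LogPath) {
    Write-Host "Recent SMB drops from the Office VLAN in $LogPath :"
    Get-SmbDrops -Lines (Get-Content -Path $LogPath -Tail 5000) -SourcePrefix $OfficeVlanPrefix |
        Format-Table -AutoSize
}
```

Turn dropped-packet logging back off (Set-NetFirewallProfile -LogBlocked False) once the problem is resolved if the server is not normally logging, since the file grows quickly on a busy host.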

This configuration keeps exposure narrow: only the Office VLAN (or the specific backup clients you listed) can reach TCP 445 on the backup server, and nothing else on the Management VLAN is opened. Because the Office VLAN can now reach an SMB share on a management host, keep the backup account's privileges to the minimum the share needs and consider requiring SMB signing on the server.

Contact support with additional details (e.g., server OS version, exact share type, or new errors) for assistance.

Related Articles

  • Microsoft: Manage SMB Firewall Rules (learn.microsoft.com)

End of Article