Cannot see Renderer

gorblimey
Posts: 8
Joined: Mon Jan 02, 2017 3:19 am

Cannot see Renderer

Post by gorblimey »

Ummm... We've had UMS 6.5.1 for some years now. It's on the Desktop, Win7 HPx64 SP1 (...1.4), ethernet to a PS3 (...1.8). The subnet has several members, most of which are normally switched off until needed or simply not present in the house. The daughter's lappy (...1.2) is normally switched on, but hibernates when not needed. Security on the Desktop is VoodooShield 4.20 (anti-exe) and Windows Firewall with Windows Firewall Control 5.3.0.0. There is no realtime AV. All traffic inbound to the desktop is permitted, and outbound is strictly regulated to essential (apps or the OS need it to work) traffic only. WFC was installed about 3 weeks ago, and WF was switched in at that time. I have attached the current ruleset as well as the TRACE log. The WFC ruleset (Full policy 23.4.2018.wfw) says it is binary, but contains mostly clear text.

I do not use UPnP, all IP addresses are manually assigned in the router and UPnP services are disabled as far as possible in the desktop. As noted above, this system has worked well so far. DHCP is enabled in the router, but is bypassed by manually assigning IPs to MAC addresses. We know the PS3 has access to the internet, as Netflix is used a lot, thus the ethernet cable is plugged in.

Our problem was seen tonight, after several weeks of not using UMS. UMS fails completely to see the PS3, even though it is pointed straight at it. The post-startup logs show many entries denying access to the desktop and at least one entry denying access to the lappy. There are lots of "Sending ALIVE..." entries. The start-up part of the log does actually recognise that it should be looking at ...1.8.

I am very sure the solution to our woes is some completely ridiculous misconfiguration in the firewall, but I just. can't. see. it.
Attachments:
Full policy 6.5.2018.zip (Firewall ruleset, 20.8 KiB)
ums_dbg.zip (TRACE log, 30.31 KiB)
Nadahar
Posts: 1990
Joined: Tue Jun 09, 2015 5:57 pm

Re: Cannot see Renderer

Post by Nadahar »

I have no knowledge of the "security" programs you use or why you use them, but I'm pretty sure they cause problems. Looking in your log I can see that there's no communication with the PS3 at all, which means that something is blocking the traffic. I can also see that things which normally work (like running "tasklist") are blocked, so I assume this is caused by VoodooShield.

I can't tell you what to do or not, but UMS can't work if it's not allowed to do what it needs to. You should disable the firewall and see if that solves your problems, although I suspect that you'd have to disable VoodooShield as well for things to work properly. Without knowing anything about this, I can just say generally that a lot of, if not most, "security" software available doesn't do much to improve security and often just causes problems. Their main goal is often to find a way to get some money out of people that aren't knowledgeable, selling them a false sense of security.

Your firewall configuration sounds just the opposite of what's normal. The normal configuration is to allow any outgoing traffic and block all incoming traffic. That doesn't work for UMS though, as it needs two-way communication with the renderers. UMS uses UPnP for discovery and HTTP for transfers, so these things must flow freely. UPnP also depends on multicast being available in both directions.

By default, Windows will open UPnP traffic in the firewall rules when you "enable UPnP" in Windows and vice versa. Since you use a third-party program to control the firewall rules, this is probably overridden anyway though.

It seems like you might not be aware of what UPnP is. It is a protocol and isn't dangerous in itself. Enabling UPnP in routers will allow software to open the router for incoming access from the internet without user intervention, which I personally think is a very bad idea - but it will allow incoming access to programs that need it to function for users that aren't capable of doing it manually. As such, I think disabling UPnP in your router is a very good idea, but blocking UPnP on your local network is a very bad idea if you want to use UPnP/DLNA. DLNA is simply an "extension" of UPnP. Without UPnP neither UMS nor any other UPnP/DLNA media server will work.

The reason you get access denied for the desktop itself is that you have configured UMS with an IP filter. This shouldn't keep it from working though.

You're running a very old version of UMS, so the logs leave a lot to be desired. Newer versions have much more information in the log. There are still some issues with the 7.x versions, so I would upgrade to 6.8.0 if I were you.
gorblimey
Posts: 8
Joined: Mon Jan 02, 2017 3:19 am

Re: Cannot see Renderer

Post by gorblimey »

Hi Nadahar - Thank you for responding.

OK. I have downloaded and clean installed 6.8.0. I should have mentioned the PS3 is running firmware 4.80, and one of the little gifts is "Search for Media Servers". I'm guessing that this simply scans for any attempts to connect with the PS3. The Sony help file is not informative, so I don't know if that app must be running to see UMS trying to connect. Whatever, it seems to not make a difference.

I cannot see anything like "tasklist" in VoodooShield's logs, and in any case it would produce a pop-up. HOWEVER, I have locked down %appdata/temp% and \Program Data, so no executable can ever be run from there. VoodooShield is a white-listing app, and both UMS and Java are allowed (except in %Temp% and \Program Data :D ).

I have not worried about what comes into the box through the router, it must always pass through NAT which functions as a passable inbound filter. NAT won't matter for the LAN, so communication should be fairly free.

I do understand your concern with my treatment of UPnP. UMS has always worked well in the past with this approach. But my next move is to take your advice and switch off the firewall.

One question: does UMS need Windows Media Network Sharing Service? Or in fact, any part of WMP?
gorblimey
Posts: 8
Joined: Mon Jan 02, 2017 3:19 am

Re: Cannot see Renderer

Post by gorblimey »

OK, the problem is in Windows Firewall. I just disabled that, and UMS showed up instantly in the PS3. Then I played part of a movie. TRACE log attached.

FWIW, UMS can still not execute "tasklist", which seems to be a Java thing.

So. The way WFC is set up, and we note that WFC is only a GUI front-end for WF, is that rules are either Enabled or Disabled. Further, Enabled Outbound Allow rules are whitelisted, while Block rules are Notified with a pop-up, giving users the chance to Allow if necessary. Disabled rules count as Blocks. My problem is I do not see any Notifications when I run UMS, and nor do I see anything in the logs that can be identified as UMS.

However, as asked above, "does UMS need Windows Media Network Sharing Service? Or in fact, any part of WMP?"
Attachments:
ums_dbg.zip (292.52 KiB)
Nadahar
Posts: 1990
Joined: Tue Jun 09, 2015 5:57 pm

Re: Cannot see Renderer

Post by Nadahar »

"tasklist" isn't a Java thing, it's a standard Windows command used to list active processes. The fact that UMS isn't allowed to run it won't cause many problems though, it's just used to make sure that UMS isn't running more than one time (which will thus fail for you). I just picked that as an example, I saw that there were other things that were blocked as well.

As most people run UMS from an account with administrative privileges, this might be caused by you running it as a non-administrative user. UMS shouldn't need administrative privileges for the "important tasks", so that might not be a problem. I simply picked up on how the VoodooShield works, trying to "learn" what is normally run and then blocking everything else. It's a strategy that can cause a lot of problems, as UMS calls a lot of different external programs/commands to do what it needs and I doubt VoodooShield will "learn" to accept all these. You'll just have to check the log when something doesn't work and see if there's something UMS is prevented from doing, and then decide if you should let it or not I guess.

Since UMS is a Java program, the WF doesn't see UMS as the "application", but your Java installation. Java runs a Java Virtual Machine (JVM) that actually runs all Java code. Seen from Windows' POV, the JVM is the process that needs the access. Also, outgoing connections will be spawned on random ports (as is normal for many programs), so there's no way to "whitelist" the outgoing ports. The JVM simply needs "any" outgoing UDP and TCP access for UMS to work properly.

UMS doesn't need or have anything to do with the Windows Media Network Sharing Service or WMP. The only "correlation" is that by default, SSDP is only allowed in the WF when this is enabled. Since SSDP is the discovery used by UPnP, UMS needs that this is allowed in both directions in the firewall.
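
Added example (not from the thread, its attachments or the UMS project): as the replies above explain, the firewall sees the Java process rather than UMS, and UMS needs SSDP multicast plus HTTP in both directions. The Windows Firewall pfirewall.log has no process-name field, so dropped media-server traffic has to be recognised by address and port. This sketch classifies DROP lines from a constructed log; the 10.0.0.x addresses, TCP port 5001 and all function names are assumptions, and it presumes logging of dropped packets is enabled.

```python
import ipaddress

# Constructed sample in the pfirewall.log layout (not from the thread's attachments).
# 10.0.0.4 = server PC, 10.0.0.8 = renderer, TCP 5001 = assumed media-server HTTP port.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2018-05-06 20:01:10 DROP UDP 10.0.0.4 239.255.255.250 52011 1900 129 - - - - - - - SEND
2018-05-06 20:01:12 DROP UDP 10.0.0.8 239.255.255.250 1900 1900 310 - - - - - - - RECEIVE
2018-05-06 20:01:13 DROP TCP 10.0.0.8 10.0.0.4 49233 5001 60 S 1234567 0 8192 - - - RECEIVE
2018-05-06 20:01:15 ALLOW TCP 10.0.0.4 203.0.113.20 50122 443 0 - 0 0 0 - - - SEND
"""
SSDP_GROUP, SSDP_PORT = "239.255.255.250", "1900"  # SSDP multicast group, UDP port

def parse_log(text):
    """Yield one dict per log entry, keyed by the names in the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def classify(entry, lan, http_port):
    """Name the media-server flow a dropped LAN packet belongs to, else None."""
    if entry.get("action") != "DROP":
        return None
    try:
        src = ipaddress.ip_address(entry["src-ip"])
        dst = ipaddress.ip_address(entry["dst-ip"])
    except (KeyError, ValueError):
        return None  # malformed or truncated line
    if src not in lan:
        return None  # sender is not on the local subnet
    direction = "out" if entry.get("path") == "SEND" else "in"
    if entry.get("protocol") == "UDP" and entry.get("dst-port") == SSDP_PORT:
        scope = "multicast" if str(dst) == SSDP_GROUP else "unicast"
        return f"ssdp-{scope}-{direction}"
    if (entry.get("protocol") == "TCP" and direction == "in" and dst in lan
            and entry.get("dst-port") == str(http_port)):
        return "http-in"
    return None

def blocked_flows(text, lan="10.0.0.0/24", http_port=5001):
    """Count dropped packets per flow type for the given subnet and HTTP port."""
    counts = {}
    for entry in parse_log(text):
        kind = classify(entry, ipaddress.ip_network(lan), http_port)
        if kind:
            counts[kind] = counts.get(kind, 0) + 1
    return counts
```

A non-empty result from `blocked_flows` names the direction that still lacks an Allow rule; an `http-in` or `ssdp-multicast-in` count corresponds to a missing inbound rule for the Java process.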
gorblimey
Posts: 8
Joined: Mon Jan 02, 2017 3:19 am

Re: Cannot see Renderer [SOLVED]

Post by gorblimey »

Hi Nadahar - Thank you. UMS now works through the Firewall. I was looking for the JVM, but Win 7 was only showing javaw.exe. And all that needed was (and I still don't understand why) an explicit inbound Allow. I've also Allowed a few things that WF and WFC had left Disabled, to do with SSDP.

I cannot understand why so many people run Win NT in Admin in preference to LUA. It really is asking for trouble. As you wrote, UMS should not need Admin privileges--and it works brilliantly in a LUA. Oh well.

FWIW, the reason I'm locking down the outbound is that malware more and more needs to phone home to locate the next part of their payloads. The general thinking is that while you may not be able to catch every malware, if you can stop them phoning home you've pretty well mitigated the catastrophe.

As I say, thank you. I've learnt a lot in the last couple of days, and with any luck others can refer to this conversation. Have a good one, cob :)
Nadahar
Posts: 1990
Joined: Tue Jun 09, 2015 5:57 pm

Re: Cannot see Renderer

Post by Nadahar »

Good to hear. I'm not sure what your reference to LUA means, but running as admin is simply laziness I guess. There are so many extra "challenges" when you run without administrator privileges that most users prefer not to have to deal with that.

When it comes down to locking down outbound access, I see your point - although I prefer not to install/run the malware in the first place ;) UMS doesn't need outbound access to the internet (although some things won't work like live subtitles, auto update or cover downloads), but it needs unrestricted outbound access to your local subnet (192.168.1.0/24). That shouldn't pose any risk for malware unless some of the malware have their "home" in your local network :D