Security Basics mailing list archives

MBSA incomplete scans


From: Hari Sekhon <hpsekhon () googlemail com>
Date: Tue, 16 Jan 2007 11:19:36 +0000

I'm using MBSA, which I have used for quite a long time previously. However, I'm having a spot of trouble with it in my latest network audit. I'm using the latest version against XP SP2 clients with firewalls enabled. I get:

"Incomplete Scan (Could not complete one or more requested checks)"

I know this is because MBSA cannot contact the agent on the target machines, and this is because of the firewalls, but I have defined port exceptions at the domain level via group policy for file and printer sharing, which opens up UDP ports 137, 138 and TCP 139 and 445. I have also made an explicit rule to open up TCP port 135 for my workstation, as well as defining a remote administration exception in the firewall for my workstation. This should be all 5 ports needed to get the scan done properly, but it is not working.

I can see the exceptions in the client's firewall and I can scan the client using a port scanner and verify that all 5 ports are open. If I take the firewall down completely then it works, but I can't really leave all the machines like this or do this every time I want to do another scan. I don't understand why I'm having trouble with something that should be so straightforward.

I've been through the FAQs for MBSA and verified that I have the ports open, but it still doesn't work. I'm convinced this is a firewall problem since it works when the firewall is down.

Any ideas?

--
Hari Sekhon

