S
Sat Mar 08 20:35:02 CST 2008
Yes, that's the DC side.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
* http://sl.mvps.org * http://msmvps.com/blogs/sp *
"study" <study@discussions.microsoft.com> wrote in message
news:C3A54387-2A80-4402-B651-B9C1F7A6E310@microsoft.com...
> Thanks for the reply.
> So the high TCP ports need to be opened on the client side as well, even
> though the client is initiating the connection and the outbound traffic
> is not blocked?
> I was hoping that we just needed to open the ports on the DC side.
>
> "S. Pidgorny <MVP>" wrote:
>
>> "We won't modify the registry to use a static port for RPC for some
>> reason." - is that a legitimate reason? Your other options are opening a
>> range of ports between the hosts, allowing all traffic between the client
>> and the DC, and decommissioning the hardware firewall. I would start with
>> fixing the port.
>>
>>
>> --
>> Svyatoslav Pidgorny, MS MVP - Security, MCSE
>> -= F1 is the key =-
>>
>> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>>
>> "study" <study@discussions.microsoft.com> wrote in message
>> news:45687FA1-EA85-45C6-8B6C-492B8CC2D9B9@microsoft.com...
>> > We unfortunately have a firewall (hardware-based, not host-based)
>> > between this one client (only one, the others are on our LAN) and our
>> > domain controller.
>> > Outgoing traffic is not blocked on either side.
>> >
>> > We won't modify the registry to use a static port for RPC for some
>> > reason.
>> > And we can't use the VPN.
>> > So on the hardware firewall that's protecting the domain controller (no
>> > host-based firewall) side, we're going to allow all traffic from that
>> > one client to the domain controller.
>> >
>> > On the client side (on the hardware firewall, there's no host-based
>> > firewall on the client) the usual MS ports are open, e.g. 135, 137 U,
>> > 138 U, 139, 445.
>> > Do we need to open the dynamic ports 1024:65535 on the firewall that's
>> > protecting the client side, or will just opening all traffic on the
>> > domain controller side, as I mentioned above, take care of the traffic?
>> >
>> > Thanks
>>
>>
>>
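
The question in this thread, modelled as an added example that is not part of any poster's message: two firewalls sit between the client and the DC, and the client first contacts the RPC endpoint mapper on 135, then a dynamic port. The model assumes both hardware firewalls are stateful (the thread does not say so); the host labels, source ports and the dynamic port 50123 are constructed.

```python
from dataclasses import dataclass, field

CLIENT, DC = "client", "dc"     # constructed host labels
EPM_PORT = 135                  # RPC endpoint mapper
DYNAMIC_PORT = 50123            # constructed: port the endpoint mapper hands back

@dataclass
class StatefulFirewall:
    # Rules apply to NEW connections only: (src, dst, low_port, high_port).
    allow_new: list
    state: set = field(default_factory=set)

    def new_connection(self, src, sport, dst, dport):
        for r_src, r_dst, lo, hi in self.allow_new:
            if r_src in (src, "any") and r_dst in (dst, "any") and lo <= dport <= hi:
                self.state.add((src, sport, dst, dport))   # remember the flow
                return True
        return False

    def reply(self, src, sport, dst, dport):
        # A reply passes only if it reverses a flow this firewall is tracking.
        return (dst, dport, src, sport) in self.state

def connect(path, sport, dport):
    """Client opens a TCP connection to the DC through every firewall in path."""
    for fw in path:
        if not fw.new_connection(CLIENT, sport, DC, dport):
            return False
    return all(fw.reply(DC, dport, CLIENT, sport) for fw in reversed(path))

def rpc_session(path):
    """Return (endpoint mapper reachable, dynamic RPC port reachable)."""
    return connect(path, 40001, EPM_PORT), connect(path, 40002, DYNAMIC_PORT)

def client_side():
    # Outbound from the client is unrestricted; inbound only the usual MS ports.
    inbound = [("any", CLIENT, p, p) for p in (135, 137, 138, 139, 445)]
    return StatefulFirewall([(CLIENT, "any", 1, 65535)] + inbound)

def dc_side(open_all_from_client):
    if open_all_from_client:
        return StatefulFirewall([(CLIENT, DC, 1, 65535)])
    return StatefulFirewall([(CLIENT, DC, p, p) for p in (135, 139, 445)])

if __name__ == "__main__":
    print(rpc_session([client_side(), dc_side(True)]))    # (True, True)
    print(rpc_session([client_side(), dc_side(False)]))   # (True, False)
```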