Solved

Port 135 Blocked---Trying to connect to MS Exchange via VPN

Posted on 2003-11-17 | 680 Views | Last Modified: 2010-04-11
Since the Blaster worm became a nuisance, some ISPs have blocked access to port 135.  I have a user that has BellSouth Fast Access for their ISP.  They are wanting to connect to our company Exchange Server via VPN.   The type of VPN software is Netscreen 8.1, but I believe it to be the same as Secure Remote.   The user is also using a Linksys BEFSR41 router.  However, this user is having difficulty connecting to Exchange.  Every time he tries to log on, he receives the message "Network problems are preventing connection to the Exchange Server Computer."  I've tried adjusting the MTU to lower values, but I was still unsuccessful.

Is there any way to solve this issue?  Or do I have to wait until they unblock port 135?

thanks.
Question by: Joe_27
28 Comments
 

Expert Comment by: cunnij

The user can get authenticated with VPN but cannot access Exchange once connected to the internal network; correct? Do the Netscreen logs show any traffic from the user's IP to the Exchange server?
 

Author Comment by: Joe_27

The user can ping the servers on our network.  The strange thing is, Outlook can open but as soon as you try to read a message the network error message appears.
 
Expert Comment by: qwaletee (LVL 31)

That's not an ISP port block, because the ISP does not see the "internal" port numbers being accessed via VPN.  It only sees the traffic going to the VPN server over the IPsec port.

What happens if the user drops the router and connects directly?
 

Author Comment by: Joe_27

We haven't tried that scenario, since it required installing software on the laptop.  However, I have other users that have a router, and they're able to get in just fine.  Are certain ports required to be open on the router, other than 500 UDP?
 

Expert Comment by: cunnij

That is what I was getting at, qwa. :)  Once the user is authenticated the traffic should be internal. Add to that the fact that Outlook opens at all. That message usually indicates a traffic problem rather than an access problem. Can the user connect 'offline' and then press the 'send and receive' button to get new messages?
 

Author Comment by: Joe_27

But to connect offline, the user would have to disconnect his DSL connection first?  New messages come in fine, but if he tries to synchronize for offline access, it has errors.
 

Expert Comment by: cunnij

No, configure Outlook to choose the connection type. I was only referring to connecting to Exchange offline.
 

Author Comment by: Joe_27

I just found out that the user is having difficulty accessing information that is stored on other servers.  He can access our intranet, and other information via shared drives.  But when it comes to Exchange or our other data retrieval programs, it doesn't work.
 
Expert Comment by: qwaletee (LVL 31)

How far down did you go with MTU?

Don't forget that MTU settings are PER NIC, and the VPN may have its own virtual NIC.
 

Author Comment by: Joe_27

The MTU on the router was set to 1000.  I even started at 500 and worked my way up.
 

Author Comment by: Joe_27

I even tried using a D-Link DI-604 router as well.  Even that didn't work.
 

Expert Comment by: cunnij

Sounds like a Netscreen firewall problem then... any indication in the Netscreen logs that his IP is moving to the 'problem' areas, something like his IP and the target IP but with no data?
 
Expert Comment by: qwaletee (LVL 31)

And you made sure to change MTU on *all* adapters?
 
Expert Comment by: qwaletee (LVL 31)

(You need to set MTU on the PC, not the router.)
 

Author Comment by: Joe_27

How would I change the MTU on the NIC?  Also, does the MTU setting on the NIC need to match that of the router?
 
Accepted Solution by: stevenlewis (LVL 41, earned 200 total points)

Great tool to change MTU settings:
http://www.dslreports.com/front/drtcp.html
 
Expert Comment by: stevenlewis (LVL 41)

Have them do a port scan and see if port 135 is open or blocked.
 
Assisted Solution by: qwaletee (LVL 31, earned 200 total points)

MTU on the workstation must be smaller than or equal to MTU on any routers the packet passes through.
 
Expert Comment by: Bing CISM / CISSP (LVL 37)

Listening... hmm... why only focus on MTU?
 
Expert Comment by: qwaletee (LVL 31)

bbao,
Some of the most common VPN problems, where sometimes traffic goes through and sometimes not, are MTU-related.  When packets fragment, it is much easier for the IP stack at the other end to get confused about piecing together content, or even if not, at least to kill performance.
 
Expert Comment by: Bing CISM / CISSP (LVL 37)

Oh, if so, what will a wrong MTU cause? Unstable communication or traffic? Or can the connection not be established at all? Thanks in advance, bbao
 
Assisted Solution by: qwaletee (LVL 31, earned 200 total points)

If a packet passes through two devices, first A then B, and A has a "big MTU," while B has a smaller one...

Any packets smaller than B's MTU will be OK.  If A supports a larger MTU, and a packet is smaller than A's MTU but bigger than B's, then A will have to fragment the packet before sending it to B.

VPNs encode "internal" network traffic inside regular IP traffic.  That means extra overhead on each packet.  That means the VPN client and server have to fragment the bundled packets, because a maximum-size packet headed for the VPN will be of maximum size + overhead once done. Because the "receiving side" will have to piece these things back together, any issues such as MTU size that make it harder mean the VPN is less likely to work well.
 
Expert Comment by: Bing CISM / CISSP (LVL 37)

So, can I say, any MTU-related issue means the VPN MAY work but NOT work well, NOT stably? Or hmm, just lower performance? Thanks in advance. bbao
 
Expert Comment by: qwaletee (LVL 31)

When MTU issues affect a VPN, the most common result is that the most basic of services work, but nothing else.  That's because less complex traffic tends to use smaller bits of data, which don't fill the packet anyway.  So, you might be able to ping, but not connect to any services.  Or, you might be able to connect to services, but any significant data transfers time out.
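The two comments above (the "size + overhead" fragmentation argument, and the "ping works, bulk data times out" symptom) can be made concrete with a small model. The Python below is an added example written for this page; it is not code from the thread, from NetScreen or from Microsoft. It uses the generic ESP tunnel-mode and NAT-T header sizes; the cipher block size (3DES, 8 bytes) and the 12-byte ICV are assumptions standing in for whatever the NetScreen client actually negotiates, and the sample packet sizes are constructed. It shows that a 60-byte ping survives encapsulation whole while a full 1500-byte segment from a PC whose NIC still has MTU 1500 always fragments, and it computes the largest inner packet that fits, which is the value a tool such as DRTCP would be used to set on the PC's adapter.

```python
# Added example (not from the original thread): model how IPsec ESP tunnel
# overhead decides which inner packets fragment. Header sizes are the generic
# RFC 4303 / RFC 3948 values; the cipher block size and ICV length are
# assumptions, not facts taken from the thread or the NetScreen client.
from dataclasses import dataclass

IP_HDR = 20       # outer IPv4 header added by tunnel mode
UDP_HDR = 8       # NAT-T (UDP/4500) wrapper, present when the client sits behind a NAT router
ESP_HDR = 8       # ESP SPI + sequence number
ESP_TRAILER = 2   # pad length + next header
ICV = 12          # HMAC-SHA1-96 / HMAC-MD5-96 truncated authenticator (assumed)


@dataclass(frozen=True)
class TunnelProfile:
    name: str
    block: int      # cipher block size in bytes: IV length and padding alignment
    nat_t: bool     # UDP encapsulation on or off


def esp_overhead(profile: TunnelProfile, inner_len: int) -> int:
    """Bytes ESP tunnel mode adds around an inner IP packet of inner_len bytes."""
    to_encrypt = inner_len + ESP_TRAILER
    padding = (-to_encrypt) % profile.block          # align encrypted region to the cipher block
    outer_len = (IP_HDR + (UDP_HDR if profile.nat_t else 0)
                 + ESP_HDR + profile.block            # IV is one block long
                 + to_encrypt + padding + ICV)
    return outer_len - inner_len


def classify(profile: TunnelProfile, inner_len: int, outer_mtu: int = 1500) -> str:
    """'fits' if the encapsulated packet leaves the physical NIC whole, else 'fragments'."""
    return "fits" if inner_len + esp_overhead(profile, inner_len) <= outer_mtu else "fragments"


def max_inner_packet(profile: TunnelProfile, outer_mtu: int = 1500) -> int:
    """Largest inner IP packet that never fragments: the MTU to set on the PC / virtual adapter."""
    # Overhead varies with padding, so scan downward instead of solving a closed form.
    for inner in range(outer_mtu, 0, -1):
        if classify(profile, inner, outer_mtu) == "fits":
            return inner
    return 0


# Constructed sample traffic; values are inner IP packet lengths in bytes.
SAMPLE_PACKETS = {
    "ping, 32-byte payload": 20 + 8 + 32,   # what a default Windows ping sends
    "full-size TCP segment": 1500,          # Outlook/RPC bulk data from a host with MTU 1500
    "TCP segment, host MTU 1400": 1400,     # the same data after lowering the PC's MTU
}

THREE_DES_NAT_T = TunnelProfile("3DES, NAT-T", block=8, nat_t=True)


def report(profile: TunnelProfile = THREE_DES_NAT_T, outer_mtu: int = 1500) -> dict:
    """Map each sample packet to 'fits' / 'fragments' for the given tunnel."""
    return {name: classify(profile, size, outer_mtu) for name, size in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:28s} {verdict}")
    print("largest non-fragmenting inner packet:", max_inner_packet(THREE_DES_NAT_T))
```

Run as-is it shows the pattern qwaletee describes: the ping fits, the 1500-byte segment fragments, and the 1400-byte segment fits again. `max_inner_packet()` is the number to put on the PC's adapter; pass `outer_mtu=1492` to model a PPPoE DSL link, and turn `nat_t` off or change `block` to see how much the answer moves with the tunnel's actual parameters.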
 

Author Comment by: Joe_27

So it appears the MTU is the factor to check for.  Port 135 is not blocked on our end, but it is blocked on the ISP's end.  Could anything else be affecting communication, other than MTU?
 
Expert Comment by: qwaletee (LVL 31)

The ISP's blocking of port 135 would be irrelevant, because it never sees 135 traffic.  It only sees VPN traffic.  The VPN server unbundles the 135 traffic from the VPN traffic, and retransmits it.
 
Assisted Solution by: Bing CISM / CISSP (LVL 37, earned 100 total points)

Agree with qwaletee.  IMO, even if the ISP blocks the 135 traffic, which sounds so curious, the two ends can still talk with each other on another port. The ISP cannot see the port number encapsulated in the VPN channel.
 

Expert Comment by: ceba

From the Cox Cable web site, and implemented by others:

Port 135 Block Implementation
Recently, the US Department of Homeland Security issued an advisory to Internet Service Providers, including Cox Communications. It warns of a potential network disruption due to a security loophole in the Windows 2000, XP, NT, and 2003 operating systems. This loophole may allow hackers unauthorized access to computers on our Cox High Speed Internet network and the Internet at large, using computer viruses or worms.

The government has called for the filtering of three ports (ports 135, 137 and 445) to prevent hackers from exploiting the security loopholes. A port is basically a point of connection for a specific type of program. For example, whenever a request is sent to display a web page like www.cox.net, it is sent to port 80. Cox currently filters (in both directions) two of the ports identified in the advisory -- ports 137 and 445. This prevents computers on the Internet from talking to your computer on these ports.

In the last week, the Cox Abuse department has seen a significant increase in the number of computers on our customer network that have been infected with viruses and worms; we are therefore complying with the Department of Homeland Security Advisory. The spread of infection is due to a high number of users operating exploitable versions of Microsoft Windows, primarily XP and 2000 (i.e. unpatched machines). Cox recommends that customers visit the Microsoft Windows Update website frequently to ensure they are updating and protecting themselves from newly discovered exploits.

Cox anticipates the filter of port 135 will be implemented in all markets by August 10th, 2003.

Customers who use Microsoft Outlook to connect directly to a Microsoft Exchange server may no longer be able to connect when this port filter is applied. We recommend the use of a Virtual Private Network (VPN) to the company or group who operates the Exchange server. Please contact the network administrator or helpdesk for that company or group for additional details.

This does not affect customers who use Cox.net e-mail, Webmail, or connect to their Cox.net e-mail with Microsoft Outlook.

Cox makes every effort to avoid implementing port filters. In this case, we believe that the benefits of protecting the network and continuing to provide customers with the best performing service possible outweigh the possible impact to those customers connecting to Exchange servers.
