Solved

Port 135 Blocked---Trying to connect to MS Exchange via VPN

Posted on 2003-11-17
Last Modified: 2010-04-11
Since the Blaster worm became a nuisance, some ISPs have blocked access to port 135.  I have a user that has BellSouth Fast Access for their ISP.  They are wanting to connect to our company Exchange Server via VPN.  The type of VPN software is Netscreen 8.1, but I believe it to be the same as Secure Remote.  The user is also using a Linksys BEFSR41 router.  However, this user is having difficulty connecting to Exchange.  Every time he tries to log on, he receives the message "Network problems are preventing connection the Exchange Server Computer."  I've tried adjusting the MTU to lower values, but I was still unsuccessful.

Is there any way to solve this issue?  Or do I have to wait until they unblock port 135?

thanks.
Question by:Joe_27
28 Comments
 

Expert Comment

by:cunnij
ID: 9763906
The user can get authenticated with VPN but cannot access Exchange once connected to the internal network; correct? Do the Netscreen logs show any traffic from the user's IP to the Exchange server?
0
 

Author Comment

by:Joe_27
ID: 9763969
The user can ping the servers on our network.  The strange thing is, Outlook can open but as soon as you try to read a message the network error message appears.
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 9764065
That's not an ISP port block, because the ISP does not see the "internal" port numbers being accessed via VPN.  It only sees the traffic going to the VPN server over the IPsec port.

What happens if the user drops the router and connects directly?
0
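To make qwaletee's point concrete, here is an added example (not from the thread, and not Netscreen or Microsoft code) that builds the two cases side by side: an Outlook TCP SYN to port 135 sent directly, and the same packet wrapped in tunnel-mode ESP to a VPN gateway, then runs both through a minimal "ISP port filter" that can only read the outer IP header. Addresses, the SPI, the key and the keystream stand-in for the ESP cipher are all constructed for the demo; real ESP uses the cipher and integrity check negotiated by IKE, and with NAT traversal (RFC 3948) the outer header is UDP port 4500 rather than protocol 50, which changes nothing about the filter's view.

```python
import hashlib
import socket
import struct

# Protocol numbers from the IPv4 header; the ISP filter below keys on these.
PROTO_TCP = 6
PROTO_UDP = 17
PROTO_ESP = 50          # IPsec ESP (RFC 4303)
BLOCKED_PORT = 135      # RPC endpoint mapper, the port ISPs filtered after Blaster


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, so the IPv4 header is well-formed."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options), checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                      0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def tcp_syn(sport: int, dport: int) -> bytes:
    """Bare 20-byte TCP SYN header; checksum left zero, it is not needed here."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


def esp_encapsulate(inner_packet: bytes, spi: int, seq: int, key: bytes,
                    outer_src: str, outer_dst: str) -> bytes:
    """Tunnel-mode ESP: the whole inner IP packet becomes the encrypted payload.
    The cipher is a SHA-256 keystream stand-in (an assumption for the demo), not a
    real IPsec transform; the SPI + sequence header layout follows RFC 4303."""
    blocks = len(inner_packet) // 32 + 1
    keystream = b"".join(
        hashlib.sha256(key + struct.pack("!III", spi, seq, i)).digest()
        for i in range(blocks))
    ciphertext = bytes(a ^ b for a, b in zip(inner_packet, keystream))
    esp = struct.pack("!II", spi, seq) + ciphertext
    return ipv4_header(outer_src, outer_dst, PROTO_ESP, len(esp)) + esp


def isp_view(packet: bytes) -> dict:
    """What a port filter at the ISP can read: the outer IP header, plus ports
    only when the outer protocol actually is TCP or UDP."""
    ihl = (packet[0] & 0x0F) * 4
    view = {"proto": packet[9],
            "src": socket.inet_ntoa(packet[12:16]),
            "dst": socket.inet_ntoa(packet[16:20]),
            "sport": None, "dport": None}
    if view["proto"] in (PROTO_TCP, PROTO_UDP):
        view["sport"], view["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    return view


def isp_blocks(packet: bytes) -> bool:
    """The 2003-era filter: drop TCP to or from port 135, pass everything else."""
    v = isp_view(packet)
    return v["proto"] == PROTO_TCP and BLOCKED_PORT in (v["sport"], v["dport"])


# Constructed sample traffic using RFC 5737 documentation addresses.
# Outlook talking to Exchange directly: TCP 135 is in the clear for the ISP.
DIRECT = (ipv4_header("192.0.2.10", "198.51.100.25", PROTO_TCP, 20)
          + tcp_syn(49152, BLOCKED_PORT))
# The same inner packet inside an ESP tunnel to the VPN gateway: the ISP sees
# protocol 50 between the client and the gateway, and no port numbers at all.
TUNNELED = esp_encapsulate(DIRECT, spi=0x1001, seq=1, key=b"demo-shared-secret",
                           outer_src="192.0.2.10", outer_dst="203.0.113.1")

if __name__ == "__main__":
    for name, pkt in (("direct", DIRECT), ("tunneled", TUNNELED)):
        print(name, isp_view(pkt), "blocked" if isp_blocks(pkt) else "passes")
```

The only thing the tunneled packet has in common with the direct one, from the ISP's position, is the client's source address; the port 135 header is inside the encrypted payload and is reassembled by the VPN gateway on the company side. So a port 135 filter at BellSouth can explain Outlook failing without a VPN, but not a failure inside an established tunnel.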
 

Author Comment

by:Joe_27
ID: 9764104
We haven't tried that scenario, since it required installing software on the laptop.  However, I have other users that have a router, and they're able to get in just fine.  Are certain ports required to be open on the router, other than 500 UDP?
0
 

Expert Comment

by:cunnij
ID: 9764123
That is what I was getting to, qwa. :) Once the user is authenticated the traffic should be internal. Add to that the fact that Outlook opens at all. That message usually indicates a traffic problem rather than an access problem. Can the user connect 'offline' and then press the 'send and receive' button to get new messages?
0
 

Author Comment

by:Joe_27
ID: 9764146
But to connect offline, the user would have to disconnect his DSL connection first?  New messages come in fine, but if he tries to synchronize for offline access, it has errors.
0
 

Expert Comment

by:cunnij
ID: 9764189
No, configure Outlook to choose the connection type. I was only referring to connecting to Exchange offline.
0
 

Author Comment

by:Joe_27
ID: 9764784
I just found out that the user is having difficulty accessing information that is stored on other servers.  He can access our intranet, and other information via shared drives.  But when it comes to the Exchange or our other data retrieval programs, it doesn't work.
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 9764833
How far down did you go with MTU?

Don't forget that MTU settings are PER NIC, and the VPN may have its own virtual NIC.
0
 

Author Comment

by:Joe_27
ID: 9764857
The MTU on the router was set to 1000.  I even started at 500 and worked my way up.
0
 

Author Comment

by:Joe_27
ID: 9764867
I even tried using a D-Link DI-604 router as well.  Even that didn't work.
0
 

Expert Comment

by:cunnij
ID: 9764906
sounds like a netscreen firewall problem then...any indication in the netscreen logs that his ip is moving to the 'problem' areas, something like his ip and the target ip but with no data?
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 9764907
And you made sure to change MTU on *all* adapters?
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 9764913
(You need to set MTU on the PC not the router.)
0
 

Author Comment

by:Joe_27
ID: 9765125
How would I change the MTU on the NIC?  Also, does the MTU setting on the NIC need to match that of the router?
0
 
LVL 41

Accepted Solution

by:stevenlewis
stevenlewis earned 200 total points
ID: 9767928
great tool to change MTU settings
http://www.dslreports.com/front/drtcp.html
0
 
LVL 41

Expert Comment

by:stevenlewis
ID: 9767968
have them do a port scan and see if port 135 is open or blocked
0
 
LVL 31

Assisted Solution

by:qwaletee
qwaletee earned 200 total points
ID: 9768017
MTU on the workstation must be smaller than or equal to MTU on any routers the packet passes through.
0
 
LVL 37

Expert Comment

by:bbao
ID: 9814849
listening... hmm... why only focus on MTU?
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 9815616
bbao,
Some of the most common VPN problems, where sometimes traffic goes through and sometimes not, are MTU-related.  When packets fragment, it is much easier for the IP stack at the other end to get confused about piecing the content back together, or even if not, at least to kill performance.
0
 
LVL 37

Expert Comment

by:bbao
ID: 9815725
oh, if so, wrong MTU will cause what? a not stable communication or traffic? or the connection can not be established at all? thanks in advance, bbao
0
 
LVL 31

Assisted Solution

by:qwaletee
qwaletee earned 200 total points
ID: 9815801
If a packet passes through two devices, first A then B, and A has a "big MTU," while B has a smaller one...

Any packets smaller than B's MTU will be OK.  If A supports a larger MTU, and a packet is smaller than A's MTU but bigger than B's, then A will have to fragment the packet before sending it to B.

VPNs encode "internal" network traffic inside regular IP traffic.  That means extra overhead on each packet.  That means the VPN client and server have to fragment the bundled packets, because a maximum-size packet headed for the VPN will be of maximum size + overhead once done. Because the "receiving side" will have to piece these things back together, any issues such as MTU size that make it harder mean the VPN is less likely to work well.
0
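The arithmetic behind qwaletee's explanation, as an added example that is not part of the thread and not code from Netscreen or DrTCP: it computes the on-the-wire size of an inner packet after ESP tunnel-mode encapsulation, derives the largest host MTU that still fits a given path MTU, and binary-searches the path MTU the way you would by hand with a don't-fragment ping. The transform parameters (8-byte IV and block, 12-byte ICV, UDP 4500 NAT traversal because the user sits behind a Linksys NAT router) and the 1492-byte PPPoE hop are assumptions chosen for illustration, not facts about this user's setup.

```python
# Constructed tunnel parameters (assumptions, not the Netscreen client's actual
# transform): ESP tunnel mode, 8-byte IV and 8-byte cipher block, 12-byte
# HMAC-SHA1-96 ICV, carried over UDP 4500 (NAT-T) because of the NAT router.
OUTER_IP = 20      # new outer IPv4 header added in tunnel mode
UDP_NAT_T = 8      # UDP header used for NAT traversal
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header, encrypted with the payload


def outer_size(inner_len: int, nat_t: bool = True, iv_len: int = 8,
               block: int = 8, icv_len: int = 12) -> int:
    """Bytes on the wire for one inner IP packet of inner_len bytes after
    ESP tunnel-mode encapsulation (payload padded up to the cipher block)."""
    body = inner_len + ESP_TRAILER
    padded = (body + block - 1) // block * block
    return OUTER_IP + (UDP_NAT_T if nat_t else 0) + ESP_HDR + iv_len + padded + icv_len


def max_inner_size(path_mtu: int, **transform) -> int:
    """Largest inner packet whose encapsulation still fits path_mtu unfragmented.
    This is the MTU to set on the workstation's NIC (or the VPN virtual adapter)."""
    inner = path_mtu
    while inner > 0 and outer_size(inner, **transform) > path_mtu:
        inner -= 1
    return inner


def probe_path_mtu(send_df, lo: int = 576, hi: int = 1500):
    """Binary-search the largest don't-fragment IP packet the path accepts, which is
    what `ping -f -l <n>` on Windows or `ping -M do -s <n>` on Linux does by hand
    (those tools take the ICMP payload size, i.e. packet size minus 28).
    send_df(size) -> bool reports whether a packet of that total size got through.
    Returns None when even lo is dropped."""
    if not send_df(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if send_df(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def make_path(*link_mtus: int):
    """Simulated path: a DF packet gets through only if every hop's MTU allows it."""
    bottleneck = min(link_mtus)
    return lambda size: size <= bottleneck


def diagnose(host_mtu: int, path_mtu: int, **transform) -> dict:
    """Will a full-size packet from a host with host_mtu fragment after encapsulation?"""
    wire = outer_size(host_mtu, **transform)
    return {"wire_bytes": wire,
            "fragments": wire > path_mtu,
            "recommended_host_mtu": max_inner_size(path_mtu, **transform)}


if __name__ == "__main__":
    # Constructed path: 1500-byte Ethernet hops around a 1492-byte PPPoE DSL hop.
    path = make_path(1500, 1492, 1500)
    pmtu = probe_path_mtu(path)
    print("path MTU:", pmtu)                      # 1492
    print("host at 1500:", diagnose(1500, pmtu))  # fragments, recommends 1430
    print("host at 1430:", diagnose(1430, pmtu))  # fits
```

This is the quantitative form of the rule that the workstation MTU must be at or below every router on the path: it actually has to be at or below the path MTU minus the tunnel overhead, which is why a 1500-byte host behind a 1492-byte DSL link breaks even though every router individually "supports" 1492. The MTU is set per interface on the client, so check both the physical NIC and the VPN client's virtual adapter; on Windows 2000/XP the per-adapter value is the MTU DWORD under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<adapter GUID>, which is what DrTCP writes for you.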
 
LVL 37

Expert Comment

by:bbao
ID: 9815895
so, can i say, any MTU related issues means, the vpn MAY work but NOT work well, NOT stable? or hmm, just make LOWER performance? thanks in advance. bbao
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 9818342
When MTU issues affect a VPN, the most common result is that the most basic of  services work, but nothing else.  That's because less complex traffic tends to use smaller bits of data, which don't fill the packet anyway.  So, you might be able to ping, but not connect to any services.  Or, you might be able to connect to services, but any significant data transfers time out.
0
 

Author Comment

by:Joe_27
ID: 9821087
So it appears the MTU is the factor to check for.  Port 135 is not blocked on our end, but it is blocked on the ISP's end.  Could anything else be affecting communication, other than MTU?  
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 9826022
The ISP's blocking of port 135 would be irrelevant, because it never sees 135 traffic.  It only sees VPN traffic.  The VPN server unbundles the 135 traffic from the VPN traffic, and retransmits it.
0
 
LVL 37

Assisted Solution

by:bbao
bbao earned 100 total points
ID: 9829047
agree with qwaletee.  IMO, even the ISP blocks the 135 traffic, which sounds so curious, the two ends still can talk with each other on another port. ISP can not see the port number encapsulated in VPN channel.
0
 

Expert Comment

by:ceba
ID: 10600880
From Cox Cable Web Site and Implemented by others

Port 135 Block Implementation
Recently, the US Department of Homeland Security issued an advisory to Internet Service Providers, including Cox Communications. It warns of a potential network disruption due to a security loophole in the Windows 2000, XP, NT, and 2003 operating systems. This loophole may allow hackers unauthorized access to computers on our Cox High Speed Internet network and the Internet at large, using computer viruses or worms.

The government has called for the filtering of three ports (ports 135, 137 and 445) to prevent hackers from exploiting the security loopholes. A port is basically a point of connection for a specific type of program. For example, whenever a request is sent to display a web page like www.cox.net, it is sent to port 80. Cox currently filters (in both directions) two of the ports identified in the advisory -- ports 137 and 445. This prevents computers on the Internet from talking to your computer on these ports.

In the last week, the Cox Abuse department has seen a significant increase in the number of computers on our customer network that have been infected with viruses and worms; we are therefore complying with the Department of Homeland Security Advisory. The spread of infection is due to a high number of users operating exploitable versions of Microsoft Windows, primarily XP and 2000 (i.e. unpatched machines). Cox recommends that customers visit the Microsoft Windows Update website frequently to insure they are updating and protecting themselves from newly discovered exploits.

Cox anticipates the filter of port 135 will be implemented in all markets by August 10th, 2003.

Customers who use Microsoft Outlook to connect directly to a Microsoft Exchange server may no longer be able to connect when this port filter is applied. We recommend the use of a Virtual Private Network (VPN) to the company or group who operates the Exchange server. Please contact the network administrator or helpdesk for that company or group for additional details.

This does not affect customers who use Cox.net e-mail, Webmail, or connect to their Cox.net e-mail with Microsoft Outlook.

Cox makes every effort to avoid implementing port filters. In this case, we believe that the benefits of protecting the network and continuing to provide customers with the best performing service possible outweigh the possible impact to those customers connecting to Exchange servers.

0
