Solved

Port 135 Blocked---Trying to connect to MS Exchange via VPN

Posted on 2003-11-17
28
Medium Priority
692 Views
Last Modified: 2010-04-11
Since the Blaster Worm became a nuisance, some ISPs have blocked access to port 135.  I have a user that has BellSouth Fast Access for their ISP.  They are wanting to connect to our company Exchange Server via VPN.  The type of VPN software is Netscreen 8.1, but I believe it to be the same as Secure Remote.  The user is also using a Linksys BEFSR41 router.  However, this user is having difficulty connecting to Exchange.  Every time he tries to log on, he receives the message "Network problems are preventing connection the Exchange Server Computer."  I've tried adjusting the MTU to lower values, but I was still unsuccessful.

Is there any way to solve this issue?  Or do I have to wait until they unblock port 135?

thanks.
0
Comment
Question by:Joe_27
28 Comments
 

Expert Comment

by:cunnij
ID: 9763906
The user can get authenticated with VPN but cannot access Exchange once connected to the internal network; correct? Do the Netscreen logs show any traffic from the user's IP to the Exchange server?
0
 

Author Comment

by:Joe_27
ID: 9763969
The user can ping the servers on our network.  The strange thing is, Outlook can open but as soon as you try to read a message the network error message appears.
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 9764065
That's not an ISP port block, because the ISP does not see the "internal" port numbers being accessed via VPN.  It only sees the traffic going to the VPN server over the IPsec port.

What happens if the user drops the router and connects directly?
0

 

Author Comment

by:Joe_27
ID: 9764104
We haven't tried that scenario, since it required installing software on the laptop.  However, I have other users that have a router, and they're able to get in just fine.  Are certain ports required to be open on the router, other than 500 UDP?
0
 

Expert Comment

by:cunnij
ID: 9764123
That is what I was getting to qwa. :). Once the user is authenticated the traffic should be internal. Add to the fact that Outlook opens at all. That message usually indicates a traffic problem rather than an access problem. Can the user connect 'offline' and then press the 'send and receive' button to get new messages?
0
 

Author Comment

by:Joe_27
ID: 9764146
But to connect offline, the user would have to disconnect his DSL connection first?  New messages come in fine, but if he tries to synchronize for offline access, it has errors.
0
 

Expert Comment

by:cunnij
ID: 9764189
No, configure Outlook to choose the connection type. I was only referring to connecting to Exchange offline.
0
 

Author Comment

by:Joe_27
ID: 9764784
I just found out that the user is having difficulty accessing information that is stored on other servers.  He can access our intranet, and other information via shared drives.  But when it comes to the Exchange or our other data retrieval programs, it doesn't work.
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 9764833
How far down did you go with MTU?

Don't forget that MTU settings are PER NIC, and the VPN may have its own virtual NIC.
0
 

Author Comment

by:Joe_27
ID: 9764857
The MTU on the router was set to 1000.  I even started at 500 and worked my way up.
0
 

Author Comment

by:Joe_27
ID: 9764867
I even tried using a D-Link DI-604 router as well.  Even that didn't work.
0
 

Expert Comment

by:cunnij
ID: 9764906
Sounds like a Netscreen firewall problem then... any indication in the Netscreen logs that his IP is moving to the 'problem' areas, something like his IP and the target IP but with no data?
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 9764907
And you made sure to change MTU on *all* adapters?
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 9764913
(You need to set MTU on the PC not the router.)
0
 

Author Comment

by:Joe_27
ID: 9765125
How would I change the MTU on the NIC?  Also, does the MTU setting on the NIC need to match that of the router?
0
 
LVL 41

Accepted Solution

by:stevenlewis
stevenlewis earned 800 total points
ID: 9767928
Great tool to change MTU settings
http://www.dslreports.com/front/drtcp.html
0
 
LVL 41

Expert Comment

by:stevenlewis
ID: 9767968
Have them do a port scan and see if port 135 is open or blocked
0
 
LVL 31

Assisted Solution

by:qwaletee
qwaletee earned 800 total points
ID: 9768017
MTU on the workstation must be smaller than or equal to MTU on any routers the packet passes through.
0
 
LVL 37

Expert Comment

by:bbao
ID: 9814849
listening... hmm... why only focus on MTU?
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 9815616
bbao,
Some of the most common VPN problems, where sometimes traffic goes thru/not, are MTU-related.  When packets fragment, it is much easier for the IP stack at the other end to get confused about piecing together content, or even if not, at least to kill performance.
0
 
LVL 37

Expert Comment

by:bbao
ID: 9815725
Oh, if so, wrong MTU will cause what? An unstable communication or traffic? Or the connection cannot be established at all? Thanks in advance, bbao
0
 
LVL 31

Assisted Solution

by:qwaletee
qwaletee earned 800 total points
ID: 9815801
If a packet passes through two devices, first A then B, and A has a "big MTU," while B has a smaller one...

Any packets smaller than B's MTU will be OK.  If A supports a larger MTU, and a packet is smaller than A's MTU but bigger than B's, then A will have to fragment the packet before sending it to B.

VPNs encode "internal" network traffic inside regular IP traffic.  That means extra overhead on each packet.  That means the VPN client and server have to fragment the bundled packets, because a maximum packet headed for VPN will be of maximum size+overhead once done. Because the "receiving side" will have to piece these things back together, any issues such as MTU size that make it harder mean the VPN is less likely to work well.
0
 
LVL 37

Expert Comment

by:bbao
ID: 9815895
So, can I say, any MTU related issues means the VPN MAY work but NOT work well, NOT stable? Or hmm, just make LOWER performance? Thanks in advance. bbao
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 9818342
When MTU issues affect a VPN, the most common result is that the most basic of services work, but nothing else.  That's because less complex traffic tends to use smaller bits of data, which don't fill the packet anyway.  So, you might be able to ping, but not connect to any services.  Or, you might be able to connect to services, but any significant data transfers time out.
0
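qwaletee's two-device scenario (A with a big MTU, then B with a smaller one) and the "ping works but large transfers fail" symptom, modelled as an added Python example that is not code from the thread. It applies IPv4 fragmentation rules (RFC 791: each fragment gets its own 20-byte header, non-final fragment payloads are multiples of 8 bytes); the 58-byte tunnel overhead used in the demo is an assumed figure, not a value from the thread.

```python
from typing import List

IPV4_HEADER = 20  # bytes; every fragment carries a fresh IPv4 header


def fragment(total_len: int, mtu: int) -> List[int]:
    """Split an IPv4 packet of total_len bytes into on-the-wire fragment
    sizes for a link with the given MTU. Every fragment but the last carries
    a payload that is a multiple of 8 bytes (fragment offsets count 8-byte
    units). A packet that already fits is returned unchanged."""
    if total_len <= mtu:
        return [total_len]
    payload = total_len - IPV4_HEADER
    per_frag = (mtu - IPV4_HEADER) // 8 * 8  # payload per non-final fragment
    if per_frag <= 0:
        raise ValueError("MTU too small to carry any payload")
    sizes = []
    while payload > per_frag:
        sizes.append(per_frag + IPV4_HEADER)
        payload -= per_frag
    sizes.append(payload + IPV4_HEADER)
    return sizes


def path_fragments(inner_len: int, vpn_overhead: int,
                   mtu_a: int, mtu_b: int) -> List[int]:
    """Encapsulate an inner packet of inner_len bytes in a tunnel that adds
    vpn_overhead bytes, then pass it through device A and then device B.
    Each hop fragments anything larger than its own MTU, and a fragment
    produced by A may be fragmented again by B. Returns the sizes that
    finally arrive after B; the receiver must reassemble all of them."""
    after_b: List[int] = []
    for frag in fragment(inner_len + vpn_overhead, mtu_a):
        after_b.extend(fragment(frag, mtu_b))
    return after_b


def largest_unfragmented_inner(vpn_overhead: int, mtu_a: int, mtu_b: int) -> int:
    """Largest inner packet that crosses A and B without fragmentation once
    tunnel overhead is added: the workstation MTU must not exceed this."""
    return min(mtu_a, mtu_b) - vpn_overhead


if __name__ == "__main__":
    OVERHEAD = 58  # assumed tunnel overhead for the demo
    # A small echo request fits in one packet; a full 1500-byte packet does not.
    print("ping-sized:", path_fragments(84, OVERHEAD, 1500, 1500))
    print("full-size :", path_fragments(1500, OVERHEAD, 1500, 1500))
    print("safe inner MTU:", largest_unfragmented_inner(OVERHEAD, 1500, 1500))
```

Lowering the workstation MTU to the value returned by `largest_unfragmented_inner` is the adjustment the thread converges on: small packets never fragmented, so ping and simple traffic worked, while full-size packets did.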
 

Author Comment

by:Joe_27
ID: 9821087
So it appears the MTU is the factor to check for.  Port 135 is not blocked on our end, but it is blocked on the ISP's end.  Could anything else be affecting communication, other than MTU?  
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 9826022
The ISP's blocking of port 135 would be irrelevant, because it never sees 135 traffic.  It only sees VPN traffic.  The VPN server unbundles the 135 traffic from the VPN traffic, and retransmits it.
0
 
LVL 37

Assisted Solution

by:bbao
bbao earned 400 total points
ID: 9829047
Agree with qwaletee.  IMO, even if the ISP blocks the 135 traffic, which sounds so curious, the two ends can still talk with each other on another port. The ISP cannot see the port number encapsulated in the VPN channel.
0
 

Expert Comment

by:ceba
ID: 10600880
From Cox Cable Web Site and Implemented by others

Port 135 Block Implementation
Recently, the US Department of Homeland Security issued an advisory to Internet Service Providers, including Cox Communications. It warns of a potential network disruption due to a security loophole in the Windows 2000, XP, NT, and 2003 operating systems. This loophole may allow hackers unauthorized access to computers on our Cox High Speed Internet network and the Internet at large, using computer viruses or worms.

The government has called for the filtering of three ports (ports 135, 137 and 445) to prevent hackers from exploiting the security loopholes. A port is basically a point of connection for a specific type of program. For example, whenever a request is sent to display a web page like www.cox.net, it is sent to port 80. Cox currently filters (in both directions) two of the ports identified in the advisory -- ports 137 and 445. This prevents computers on the Internet from talking to your computer on these ports.

In the last week, the Cox Abuse department has seen a significant increase in the number of computers on our customer network that have been infected with viruses and worms; we are therefore complying with the Department of Homeland Security Advisory. The spread of infection is due to a high number of users operating exploitable versions of Microsoft Windows, primarily XP and 2000 (i.e. unpatched machines). Cox recommends that customers visit the Microsoft Windows Update website frequently to insure they are updating and protecting themselves from newly discovered exploits.

Cox anticipates the filter of port 135 will be implemented in all markets by August 10th, 2003.

Customers who use Microsoft Outlook to connect directly to a Microsoft Exchange server may no longer be able to connect when this port filter is applied. We recommend the use of a Virtual Private Network (VPN) to the company or group who operates the Exchange server. Please contact the network administrator or helpdesk for that company or group for additional details.

This does not affect customers who use Cox.net e-mail, Webmail, or connect to their Cox.net e-mail with Microsoft Outlook.

Cox makes every effort to avoid implementing port filters. In this case, we believe that the benefits of protecting the network and continuing to provide customers with the best performing service possible outweigh the possible impact to those customers connecting to Exchange servers.

0
