Port 135 Blocked---Trying to connect to MS Exchange via VPN

Since the Blaster Worm became a nuisance, some ISPs have blocked access to port 135.  I have a user that has BellSouth Fast Access for their ISP.  They are wanting to connect to our company Exchange Server via VPN.   The type of VPN software is Netscreen 8.1, but I believe it to be the same as Secure Remote.   The user is also using a Linksys BEFSR41 router.  However, this user is having difficulty connecting to Exchange.  Every time he tries to log on, he receives the message "Network problems are preventing connection the Exchange Server Computer."  I've tried adjusting the MTU to lower values, but I was still unsuccessful.

Is there any way to solve this issue?  Or do I have to wait until they unblock port 135?

Thanks.
Joe_27Asked:
cunnijCommented:
The user can get authenticated with VPN but cannot access Exchange once connected to the internal network; correct? Do the Netscreen logs show any traffic from the user's IP to the Exchange server?
0
Joe_27Author Commented:
The user can ping the servers on our network.  The strange thing is, Outlook can open but as soon as you try to read a message the network error message appears.
0
qwaleteeCommented:
That's not an ISP port block, because the ISP does not see the "internal" port numbers being accessed via VPN.  It only sees the traffic going to the VPN server over the IPsec port.

What happens if the user drops the router and connects directly?
0
Joe_27Author Commented:
We haven't tried that scenario, since it required installing software on the laptop.  However, I have other users that have a router, and they're able to get in just fine.  Are certain ports required to be open on the router, other than 500 UDP?
0
cunnijCommented:
That is what I was getting to qwa. :). Once the user is authenticated the traffic should be internal. Add to the fact that Outlook opens at all. That message usually indicates a traffic problem rather than an access problem. Can the user connect 'offline' and then press the 'send and receive' button to get new messages?
0
Joe_27Author Commented:
But to connect offline, the user would have to disconnect his DSL connection first?  New messages come in fine, but if he tries to synchronize for offline access, it has errors.
0
cunnijCommented:
No, configure Outlook to choose the connection type. I was only referring to connecting to Exchange offline.
0
Joe_27Author Commented:
I just found out that the user is having difficulty accessing information that is stored on other servers.  He can access our intranet, and other information via shared drives.  But when it comes to Exchange or our other data retrieval programs, it doesn't work.
0
qwaleteeCommented:
How far down did you go with MTU?

Don't forget that MTU settings are PER NIC, and the VPN may have its own virtual NIC.
0
Joe_27Author Commented:
The MTU on the router was set to 1000.  I even started at 500 and worked my way up.
0
Joe_27Author Commented:
I even tried using a D-Link DI-604 router as well.  Even that didn't work.
0
cunnijCommented:
Sounds like a Netscreen firewall problem then... any indication in the Netscreen logs that his IP is moving to the 'problem' areas, something like his IP and the target IP but with no data?
0
qwaleteeCommented:
And you made sure to change MTU on *all* adapters?
0
qwaleteeCommented:
(You need to set MTU on the PC not the router.)
0
Joe_27Author Commented:
How would I change the MTU on the NIC?  Also, does the MTU setting on the NIC need to match that of the router?
0
stevenlewisCommented:
Great tool to change MTU settings:
http://www.dslreports.com/front/drtcp.html
0
stevenlewisCommented:
Have them do a port scan and see if port 135 is open or blocked.
0
qwaleteeCommented:
MTU on the workstation must be smaller than or equal to MTU on any routers the packet passes through.
0
bbaoIT ConsultantCommented:
Listening... hmm... why only focus on MTU?
0
qwaleteeCommented:
bbao,
Some of the most common VPN problems, where sometimes traffic goes through and sometimes not, are MTU-related.  When packets fragment, it is much easier for the IP stack at the other end to get confused about piecing together content, or even if not, at least to kill performance.
0
bbaoIT ConsultantCommented:
Oh, if so, a wrong MTU will cause what? Unstable communication or traffic? Or the connection cannot be established at all? Thanks in advance, bbao
0
qwaleteeCommented:
If a packet passes through two devices, first A then B, and A has a "big MTU," while B has a smaller one...

Any packets smaller than B's MTU will be OK.  If A supports a larger MTU, and a packet is smaller than A's MTU but bigger than B's, then A will have to fragment the packet before sending it to B.

VPNs encode "internal" network traffic inside regular IP traffic.  That means extra overhead on each packet.  That means the VPN client and server have to fragment the bundled packets, because a maximum packet headed for the VPN will be of maximum size+overhead once done. Because the "receiving side" will have to piece these things back together, any issues such as MTU size that make it harder mean the VPN is less likely to work well.
0
bbaoIT ConsultantCommented:
So, can I say, any MTU-related issue means the VPN MAY work but NOT work well, NOT stable? Or hmm, just makes for LOWER performance? Thanks in advance. bbao
0
qwaleteeCommented:
When MTU issues affect a VPN, the most common result is that the most basic of services work, but nothing else.  That's because less complex traffic tends to use smaller bits of data, which don't fill the packet anyway.  So, you might be able to ping, but not connect to any services.  Or, you might be able to connect to services, but any significant data transfers time out.
0
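As an added example, not part of the original thread, the following Python models qwaletee's two points above: how a per-hop MTU plus the tunnel's encapsulation overhead decides whether a packet fragments, and why a small ping crosses the path cleanly while a full-size Outlook read does not. The 60-byte IPsec overhead, the hop names and the hop MTUs are constructed assumptions, not values from the thread.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed IPsec ESP overhead in bytes (outer IPv4 header, ESP header, IV,
# trailer, padding). Constructed figure; the real value depends on the cipher.
IPSEC_OVERHEAD = 60
IPV4_HEADER = 20  # minimum IPv4 header, counted inside the MTU


@dataclass
class Hop:
    name: str  # constructed label for a device or link on the path
    mtu: int


def encapsulated_size(inner_packet: int, overhead: int = IPSEC_OVERHEAD) -> int:
    """Outer packet size once the VPN client wraps one inner packet."""
    return inner_packet + overhead


def fragments_needed(packet: int, mtu: int) -> int:
    """IPv4 fragments needed to carry `packet` bytes across a link with `mtu`.
    Each fragment has its own IPv4 header, and non-final fragment payloads are
    multiples of 8 bytes because fragment offsets count 8-byte units."""
    if packet <= mtu:
        return 1
    payload_per_fragment = (mtu - IPV4_HEADER) // 8 * 8
    payload = packet - IPV4_HEADER
    return -(-payload // payload_per_fragment)  # ceiling division


def path_fragments(inner_packet: int, path: List[Hop],
                   overhead: int = IPSEC_OVERHEAD) -> Dict[str, int]:
    """Fragments each hop must produce for one tunnelled packet (1 = none)."""
    outer = encapsulated_size(inner_packet, overhead)
    return {hop.name: fragments_needed(outer, hop.mtu) for hop in path}


def safe_inner_mtu(path: List[Hop], overhead: int = IPSEC_OVERHEAD) -> int:
    """Largest MTU for the PC's virtual VPN adapter that never fragments:
    the smallest hop MTU on the path minus the tunnel overhead."""
    return min(hop.mtu for hop in path) - overhead


# Constructed path: PC NIC left at 1500, home router lowered to 1000 as in
# the thread, a PPPoE DSL link, and the office firewall.
PATH = [Hop("pc_nic", 1500), Hop("home_router", 1000),
        Hop("dsl_pppoe", 1492), Hop("office_firewall", 1500)]
PING_PACKET = 84    # 56 data + 8 ICMP + 20 IPv4: small enough to never fragment
FULL_PACKET = 1500  # a full-size mail read sent at the adapter's default MTU
```

Lowering only the router leaves `path_fragments(FULL_PACKET, PATH)` fragmenting at every hop, while `safe_inner_mtu(PATH)` gives the value the PC's own adapter has to be set to for the tunnel to pass unfragmented.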
Joe_27Author Commented:
So it appears the MTU is the factor to check for.  Port 135 is not blocked on our end, but it is blocked on the ISP's end.  Could anything else be affecting communication, other than MTU?  
0
qwaleteeCommented:
The ISP's blocking of port 135 would be irrelevant, because it never sees 135 traffic.  It only sees VPN traffic.  The VPN server unbundles the 135 traffic from the VPN traffic, and retransmits it.
0
bbaoIT ConsultantCommented:
Agree with qwaletee.  IMO, even if the ISP blocks the 135 traffic, which sounds so curious, the two ends still can talk with each other on another port. The ISP cannot see the port number encapsulated in the VPN channel.
0
cebaCommented:
From the Cox Cable web site, and implemented by others:

Port 135 Block Implementation
Recently, the US Department of Homeland Security issued an advisory to Internet Service Providers, including Cox Communications. It warns of a potential network disruption due to a security loophole in the Windows 2000, XP, NT, and 2003 operating systems. This loophole may allow hackers unauthorized access to computers on our Cox High Speed Internet network and the Internet at large, using computer viruses or worms.

The government has called for the filtering of three ports (ports 135, 137 and 445) to prevent hackers from exploiting the security loopholes. A port is basically a point of connection for a specific type of program. For example, whenever a request is sent to display a web page like www.cox.net, it is sent to port 80. Cox currently filters (in both directions) two of the ports identified in the advisory -- ports 137 and 445. This prevents computers on the Internet from talking to your computer on these ports.

In the last week, the Cox Abuse department has seen a significant increase in the number of computers on our customer network that have been infected with viruses and worms; we are therefore complying with the Department of Homeland Security Advisory. The spread of infection is due to a high number of users operating exploitable versions of Microsoft Windows, primarily XP and 2000 (i.e. unpatched machines). Cox recommends that customers visit the Microsoft Windows Update website frequently to insure they are updating and protecting themselves from newly discovered exploits.

Cox anticipates the filter of port 135 will be implemented in all markets by August 10th, 2003.

Customers who use Microsoft Outlook to connect directly to a Microsoft Exchange server may no longer be able to connect when this port filter is applied. We recommend the use of a Virtual Private Network (VPN) to the company or group who operates the Exchange server. Please contact the network administrator or helpdesk for that company or group for additional details.

This does not affect customers who use Cox.net e-mail, Webmail, or connect to their Cox.net e-mail with Microsoft Outlook.

Cox makes every effort to avoid implementing port filters. In this case, we believe that the benefits of protecting the network and continuing to provide customers with the best performing service possible outweigh the possible impact to those customers connecting to Exchange servers.

0