which port should be allowed for web servers

We have a firewall that enables us to block ports - our operating system is Win2k Server. If our customer enters www.oursitename.com in the URL box of his IE, our server calls an ASP file that calls a DLL file doing some calculations and sends the answer to the customer's IE again. It looks simple, but which port is to be allowed for receiving the customer's IE order, and which port to allow for sending an answer? As we read, it is port 80, but how come the customer's IE received a TCP problem after displaying the URL name at the bottom? And what are HTTP, TCP and UDP, and are they related to the ports allowance case? If we did not block UDP, in some cases it works. After much testing we were able to make it work, but now the server's IE cannot work on the internet; we think its port is blocked, which we do not know.
Does anybody know THE FOLLOWING
- the ports for getting the customer's IE request
- the port for sending an answer to the customer's IE
- the port to allow our server's IE to access the internet
- HTTP relation to TCP, UDP, ARP, ICMP

Please see the link below if there is help that you need:

saljas (Author) Commented:
To Punky
What you suggested is to read, which we did for too long. What we are looking for is someone to say, i.e., for a user on the internet to get to a server open port so and so, and for the server to answer open the port so and so, and if you are using this and that then be aware of opening port so and so, but you should have a rule for that because so and so........
Standard HTTP is TCP port 80
All communication is done through this port.

That's all you should need; if it doesn't work, your problem is elsewhere.
HTTPS (HTTP over SSL) is 443 - however, you might not be using that.
However, the port would be 80 on your system, but on the client accessing it the port is random.

To allow your server's IE to access the internet, you will need to allow outgoing TCP on port 80/443 (again, to allow SSL as well, you need 443).

Have you tried turning the firewall off completely and checking if the site is accessible? Access it from outside and inside the network where the server is. If it's accessible from inside and not outside, the problem is on your perimeter firewall. If it's accessible from both inside and outside, the problem is with the firewall loaded on our server 2000 box. What firewall is being used on the server?

Also, you can do a netstat -a from the command line on the server and the remote computer to see current state of all ports and more importantly, what the port numbers are.
saljas (Author) Commented:
The firewall is 8Signs and is working fine. Visits from outside and inside are well, but to configure it we depended on the principle of (try and see what happens) without knowing what is going on. The firewall is offering the following (things) to be configured and (should) be controlled by us:
1- TCP, UDP, ICMP, ARP, RARP, MAC addresses
2- For each of them it is offering the following (services): Web Server, Web Browsing HTTP, ...etc
3- For each one of them we should set a rule of filtering, which is divided into two parts, Local and Remote.
4- For each of the last two divisions it offers the following:
   a- Address must match - options - (My address, All addresses, Address Range from to, Address mask, One address, Group)
   b- Port must be - options - (one number, in the range of, any number, 1024-5000, 1024-65535, group)

What is listed before is related to setting the rule of filtering - now there is another story which is related to controlling the adapter connections. And the final story of how to see (or understand) both stories in one integrated concept.

Thank you for your interest
"Visits from outside and inside are well,..."    What does that mean exactly....

What happens when you turn the firewall off? This is an important test to see if the issue is with the local firewall or the perimeter.

What does netstat -a show?  

What does the 8Signs logfile show?  Any dropped packets at the time a user tries to access the application?

Try the above things to narrow down where the problem is.
saljas (Author) Commented:
All we need is to know what is going on in brief.
There are three kinds of visitors to our site:
1- people from outside of our network key in our site name in the URL box, and a request goes to the internet provider company, which forwards it to our ADSL, then router, then 8Signs firewall (we call them outside visits)
2- people from within our internal network (inside visits)
3- a request from our web server to the site that is on the same machine (inside visits)
Now we do not have any problems with any of them, but we do not know what we did - maybe we opened something that should not be opened (like a port or FTP or whatever).
So, you are wanting to see what ports are currently open on your server?  Doesn't the firewall software have that config?  Does it have a log file?  

I'm not sure what your question is.  In the original post you said:

"after many testing we were able to make it work but now the server IE cannot work on the internet we think its port is blocked which we do not know"

In your last post you said:


Do you have an issue with the firewall blocking traffic?  Or have you solved that already and now you want to know what ports are open on your server?

netstat -a will list all listening ports and connections.

Do a netstat /? to see all of the available switches associated with netstat.  There are many and will give you a lot of information.

Please clarify what your question is.
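What LISTENING means in that output, as an added example that is not part of the original thread: a Python sketch that reads `netstat -an` text (`-n` prints port numbers instead of service names such as `http`) and reports every port the server accepts traffic on that was not meant to be exposed. The sample output, addresses and the `intended` set are constructed for illustration.

```python
import re

# Constructed sample in the layout of Windows `netstat -an` output.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:80        203.0.113.7:3412       ESTABLISHED
  TCP    192.168.1.10:1187      198.51.100.20:80       ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# proto, local address, local port, foreign address, optional state
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)\s*$")

def listeners(netstat_text):
    """Return sorted (proto, port) pairs the machine accepts traffic on."""
    found = set()
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header or blank line
        proto, _addr, port, _foreign, state = m.groups()
        # A TCP socket waiting for clients is LISTENING; ESTABLISHED rows are
        # connections already in progress. UDP rows carry no state column.
        if (proto == "TCP" and state == "LISTENING") or proto == "UDP":
            found.add((proto.lower(), int(port)))
    return sorted(found)

def unexpected(netstat_text, intended):
    """Listening ports that are not in the set the operator meant to expose."""
    return [p for p in listeners(netstat_text) if p not in intended]

if __name__ == "__main__":
    # Assumption: this server is only meant to serve HTTP.
    for proto, port in unexpected(SAMPLE, {("tcp", 80)}):
        print(f"review: {proto}/{port} is listening but not intended")
```

A listening port is only reachable from outside if the firewall also lets traffic in to it, so each flagged entry is a prompt to check for a matching inbound rule.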

saljas (Author) Commented:
After posting the question we changed the setting and everything is working, but we do not know what we did exactly; we always try and see what happens. In fact we never know how Ports, Services (like HTTP), connections, DSL, and Adapters are related to each other! So the main issue is to (know that), then we will be able to deal with our server in a better way.
netstat -a is telling which TCP and UDP is related to which service and its state, and is not helping much; in fact it says Proto TCP, local address is http, which is listening (what does that mean ???)
Which setting did you change exactly?  If you know what setting you changed, you should be able to determine what ports you opened.  Does the firewall software have the ability to show a running configuration that displays open ports, allowed IP's etc...

My recommendation is to close this question as being answered by yourself and open another one to address which ports are open on your server, perhaps in the "firewall" section of Experts Exchange. They would be better equipped to answer your new question.
saljas (Author) Commented:
How to delete and Refund
Search and you shall find:


I recommend offering up more points for your future questions.  It tends to get others involved more.
saljas (Author) Commented:
We have read the link you sent, in fact this is the fourth time we read it - it says
 ( To delete the question, click the button that says Delete Question )
I can guarantee that the above mentioned button never exists. Anyway, let's stop this and wait for some employee from this site to ask us to close the question.
And for the points, since we do not deal with this site every day, we do not have the sense of how many for what.
Best regards
This is what is applicable to you.  You need to post it in the Community Support area of this forum and request that this question be closed since you answered it your self.

I answered my question myself. What do I do?

Post a request in the Community Support topic area asking for a refund, and asking the Moderators to close the question; be sure to post the URL to your question. You will be required to post your solution in your original question. A Moderator will post a notice of your request which will give the participants four days to object to the refund. Note that if it resembles one of the suggested comments, the likelihood is that your request will not be granted, but rather, the points will be awarded to the Expert who makes the suggestion.
All TCP unless otherwise declared:
FTP: 21
SSH: 22 (if you want to allow)
SMTP: 25
DNS: 53 (both TCP and UDP)
HTTP: 80
POP: 110
IMAP: 143 (depends, if you give your customers IMAP service)
HTTPS: 443 (required for secure connections)
SUBMISSION: 587 (required by spamassassin, if you are using it)
MYSQL: 3306 (only localhost access is enough, but you may offer remote db connections)
TOMCAT: 8080 - 8433 and JSERV: 8007 if you serve them
Some hosting systems may require additional ports to be opened,
and it is required to open ephemeral ports for passive FTP connections within a pre-configured range such as 1024 through 4999 (out) will bind to your FTP port 21 (inside)
saljas (Author) Commented:
To cemkaraca
Many thanks - you cleared some points. Things that we are allowing:

1- People to visit our site that is on our server
do we open the HTTP for that (port 80) ??

2- Our IT engineers to browse the internet using IE which is on the server
which port do we open for that ??

3- Our employees to visit the site that is on the server from their computers (it seems this happens internally because it has a very fast reaction)
which port do we open for that ??

4- Our employees to visit the server hard disks INTERNALLY
which port do we open for that ??
Many Thanks
Thank you,

1- People viewing sites through your server will connect to port 80, that is correct.

2- If you don't have any proxy connections, also outgoing port will be the same, 80

3- same as ans. 2

4- To visit HDDs internally, you must be in the same broadcast domain or connected with a VPN. I don't really suggest an internal firewall; you may open all ports for inside and make your rules for the outgoing (WAN) interface.
To enable VPN: open PPTP port (1723) and 4125 and GRE IP (47)
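
The local/remote port distinction from the answers above, as an added example that is not part of the original thread: a small Python model of first-match, default-deny filtering with one local and one remote port condition per rule, as the firewall's rule screen is described earlier. The rule names, the `decide` helper and the assumption that replies on an already allowed connection are let through are illustrative, not 8Signs' own format.

```python
from dataclasses import dataclass

# Client-side source ports are picked at random from a high range;
# this is the "1024-65535" option the firewall offers.
EPHEMERAL = range(1024, 65536)

def port(n):
    """A range holding exactly one port number."""
    return range(n, n + 1)

@dataclass(frozen=True)
class Rule:
    name: str
    direction: str        # "in" or "out": which side opens the connection
    proto: str            # "tcp" or "udp"
    local_ports: range    # port on the server
    remote_ports: range   # port on the other machine

# Constructed rule set: all that is needed for visitors to reach the site.
SERVE_ONLY = [
    Rule("web server", "in", "tcp", port(80), EPHEMERAL),
]
# Additions so a browser running on the server can reach the internet.
# Here the roles flip: the server is the client and uses a random local port.
BROWSE = [
    Rule("browse http", "out", "tcp", EPHEMERAL, port(80)),
    Rule("browse https", "out", "tcp", EPHEMERAL, port(443)),
    Rule("dns lookup", "out", "udp", EPHEMERAL, port(53)),
]

def decide(rules, direction, proto, local_port, remote_port):
    """Return the name of the first matching rule, or "DROP" (default deny)."""
    for r in rules:
        if ((r.direction, r.proto) == (direction, proto)
                and local_port in r.local_ports
                and remote_port in r.remote_ports):
            return r.name
    return "DROP"

if __name__ == "__main__":
    # Customer's browser (random port 3412) asks the server's port 80.
    print(decide(SERVE_ONLY, "in", "tcp", 80, 3412))
    # Server's own browser (random port 3500) asks a remote site's port 80.
    print(decide(SERVE_ONLY, "out", "tcp", 3500, 80))
    print(decide(SERVE_ONLY + BROWSE, "out", "tcp", 3500, 80))
```

With only the inbound rule the site is reachable but the server's own browser is dropped, which matches the symptom in the original question; nothing else has to be opened inbound for browsing to work.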
