Solved

What SPECIFIC ports does DFS under Windows 2003 R2 require?

Posted on 2007-08-07
Last Modified: 2013-11-29
I'm in the process of configuring DFS.  I've done it before, but we've had issues with the various firewalls and IPS units in between the branch offices.

So, for 500 points, I'd like to know EXACTLY which ports DFS uses when you are running Windows 2003 Server R2.

None of the articles I'm seeing on Microsoft's website indicate if there is a difference between Windows 2003 Server and Windows 2003 Server R2, but there is certainly an addition for R2.

I'd like someone who's configured a firewall between two sites using R2 DFS / DFS namespaces to tell me which ports they needed to open, and, if possible, any experiences they had issues with related to DFS.

I appreciate it.
0
Comment
Question by:gerhardub
9 Comments
 
LVL 78

Expert Comment

by:Rob Williams
ID: 19646061
DFS uses the following ports:
TCP 137, 139, 389, 135, 445
UDP 137, 138, 389, 445
You can see details on the following link:
http://technet2.microsoft.com/windowsserver/en/library/a9096e88-1634-4da6-b820-537341d349061033.mspx?mfr=true

However !!! Most of those ports can be very risky to have exposed on the Internet. DFS between sites is usually done within the safety of a VPN or dedicated connection such as a site to site T1.
0
 
LVL 1

Author Comment

by:gerhardub
ID: 19646162
Notice how that Article is based on Windows 2003 Server, NOT Windows 2003 Server R2!

The article you refer to is about 4 years old since it was last updated.

I need information that applies to Windows 2003 Server R2's version of DFS.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 19646199
Sorry, didn't realize there was a difference.
Are you actually forwarding this traffic over the Internet unencrypted?
Within a VPN tunnel, all ports are open by default making configuration easier and safe.
0

 
LVL 78

Accepted Solution

by:
Rob Williams earned 2000 total points
ID: 19646295
This may be of some help:
Distributed File Replication Service (pertains to R2 as well)
The Distributed File Replication Service includes the Dfsrdiag.exe command-line tool. Dfsrdiag.exe can set the server RPC port that is used for administration and replication. To use Dfsrdiag.exe to set the server RPC port, follow this example:
dfsrdiag StaticRPC /port:nnnnn /Member:Branch01.sales.contoso.com
In this example, nnnnn represents a single, static RPC port that DFSR will use for replication. Branch01.sales.contoso.com represents the DNS or NetBIOS name of the target member computer. If no member is specified, Dfsrdiag.exe uses the local computer.
http://support.microsoft.com/kb/832017
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 19646589
...and also the following, specific to R2:
"Can DFS Replication replicate between branch offices without a VPN connection?
Yes, assuming that there is a private Wide Area Network (WAN) link (not the Internet) connecting the branch offices. However, you must open the proper ports in external firewalls. DFS Replication uses the RPC Endpoint Mapper (port 135) and a randomly assigned ephemeral port above 1024. You can use the Dfsrdiag command line tool to specify a static port instead of the ephemeral port. For more information about how to specify the RPC Endpoint Mapper, see article 154596 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=73991). "
from:
http://technet2.microsoft.com/windowsserver2008/en/library/f9b98a0f-c1ae-4a9f-9724-80c679596e6b1033.mspx?mfr=true

0
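Added example (not part of any post in this thread): a small audit of a permit-only ruleset against the ports quoted above, showing why pinning DFSR to a static RPC port lets the ephemeral range stay closed. The rule format, the `SAMPLE` ruleset, the `BROAD_RANGE` threshold and port 50000 are constructed for illustration; they are not Cisco ASA syntax or values from the thread.

```python
# Audit a permit-only ruleset against the DFS/DFSR ports named in this thread.
# Rule format "permit <proto> <port|low-high>" is constructed, not vendor syntax.

# Ports as listed in the thread for DFS; 135 is also the RPC Endpoint Mapper.
DFS_PORTS = {
    "tcp": {135, 137, 139, 389, 445},
    "udp": {137, 138, 389, 445},
}
BROAD_RANGE = 1000  # assumption: a permit wider than this counts as "wide open"

def parse_rules(text):
    """Return (proto, low, high) tuples parsed from permit lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        action, proto, ports = line.split()
        if action != "permit":
            raise ValueError(f"only permit rules are expected: {line!r}")
        low, _, high = ports.partition("-")
        rules.append((proto.lower(), int(low), int(high or low)))
    return rules

def audit(text, dfsr_static_port):
    """Return (missing, broad): required ports not permitted, over-wide permits."""
    rules = parse_rules(text)
    required = {proto: set(ports) for proto, ports in DFS_PORTS.items()}
    required["tcp"].add(dfsr_static_port)  # port pinned with dfsrdiag StaticRPC
    missing = sorted(
        (proto, port)
        for proto, ports in required.items()
        for port in ports
        if not any(p == proto and lo <= port <= hi for p, lo, hi in rules)
    )
    broad = [(p, lo, hi) for p, lo, hi in rules if hi - lo + 1 > BROAD_RANGE]
    return missing, broad

# Constructed sample ruleset for the tunnel between two DFS members.
SAMPLE = """
permit tcp 135
permit tcp 445
permit tcp 137-139      # also admits 138, which the thread lists for UDP only
permit udp 137-138
permit tcp 1025-65535   # ephemeral RPC range left open
"""

if __name__ == "__main__":
    print(audit(SAMPLE, dfsr_static_port=50000))
```

Replacing the wide `1025-65535` permit with a single rule for the static port removes the `broad` finding while still satisfying the DFSR requirement.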
 
LVL 1

Author Comment

by:gerhardub
ID: 19646595
No, I'm running this through a VPN tunnel, a few Cisco ASAs, and a few Tipping Points.

This is why I need to have someone who's using Windows 2003 R2 DFS to verify that it uses all of the ports that Windows 2003 [non-R2] plus anything new (135, random RPC).

MS is not making it clear that DFS on the ORIGINAL version of Windows 2003 and DFS on Windows 2003 R2 use exactly the same ports - or are even the same thing.

This KB Article: http://support.microsoft.com/kb/832017 Lists DFS & DFSR...

Are DFS and DFSR the same thing? or has DFSR taken over for DFS??  (Did they come up with a new version of DFS called DFSR in R2, and then limit it to two ports?)

So maybe I need to be asking this:

What Windows 2003 R2 service do I need to be running in order to host a DFS Namespace and DFS Replication?  Furthermore, what SPECIFIC ports are required in R2 [ONLY, since the KB is not R2 specific] to use DFS Namespaces and DFSR?

In so far as RPC is concerned, you can limit RPC to a range according to this KB:

http://support.microsoft.com/kb/154596/en-us
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 19646684
Afraid I do not know anything further than the above.  All versions of DFS used the same ports since NT, but quite right, it is possible R2 has changed that, as replication is the primary change in R2. If using the Cisco VPN, do you have restrictions within the tunnel that have to be dealt with? I would think all traffic would be allowed but perhaps for security you have it tightened down. The fact that R2 appears to use dynamically assigned random ports over 1024 does make it more difficult, if the VPN tunnel is not "wide open".
0
 
LVL 1

Author Comment

by:gerhardub
ID: 19647536
No, that's not how we do things here... we use a permit only scheme:  We turn things on only that we know we have to.

Then, we use inspection engines to look at the traffic and verify that it's not an attack, etc...

0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 19647627
Understandable.
0
