What Ports Have to Be Open to Map a Drive Through a Site-to-Site VPN Tunnel?

We have a client with a laptop in an untrusted domain who is running Windows XP Professional SP2.  We have established a site-to-site VPN tunnel between the client's company and our own.  We need him to be able to map a drive to a member server in our own domain, a server dedicated for use by their company.  We have created a local user ID on our server with the same password to enable pass-through authentication.  If no firewall rules are applied to the tunnel he is able to map a drive.  If I enable only the "Netbios" ports, 137 through 139 and SMB port 445, the user is no longer able to map a drive.  Again, this is not using remote desktop or anything, it is simply mapping a drive letter to a UNC share through the tunnel.  We have added the server name in his HOSTS file so it is not a name resolution issue. What am I missing? Thank you...
VPN uses ports 500 and 1723; however, you should not need them.
1. Make sure File and Printer sharing is enabled.
2. Make sure it is not being blocked via a software firewall.
adoughe (Author) Commented:
The ports required for VPN, including port 500, are open and the tunnel is functional.  Everything to enable mapping the drive is set up and working.  There is no server or laptop firewall.  Like I said, it works as long as the firewall on the tunnel is not restricted.  So obviously if restricting it causes the mapping to fail it means I am blocking port(s) that need to be open other than the ones I have indicated I am allowing. So I believe this to be purely a ports issue.  The question is what ports? Is a dynamic range of ports needed? I have not yet been able to find this information.
Is the computer with the drives you are trying to map Windows XP, or Vista? If it is Windows XP Pro then go into the Control Panel, Administrative Tools, Local Security Policy, Local Policies, Security Options. The policy you want is Network Access: Sharing and Security Model.
Classic - You must have a valid username and password to connect.
Guest - You don't, however you will not be able to map hidden shares and the security might be blocking you out.
If that doesn't work let's try this:
Let's make absolutely sure that drive mapping is not the issue. You are trying to map a drive from Site B to Site A. Is there another computer at Site A you can use to map the drives internally at Site A? Try it; this will confirm the issue is with the VPN.
adoughe (Author) Commented:
I appreciate your effort to help me but in my original post I indicated it was a server (Windows Server 2003 SP2) that the laptop needs to connect to and he had already successfully mapped a drive to a UNC share on that server. It is not XP. I believe it is a ports issue and simply need to know what ports I am missing.
Hugh Fraser (Consultant) Commented:
Try making it ports 135-139 and 445, both UDP and TCP.

Before you do that, have you tried a basic ping to ensure that the end-to-end connectivity is there? If it fails, try a traceroute.

adoughe (Author) Commented:
hfraser, our firewall only lists ports 137 through 139 and 445 as "NetBios" and that configuration works from our LAN to our DMZ.  It didn't work VPN to LAN until I added those two extra ports.  Thank you!
Hugh Fraser (Consultant) Commented:
Port 135 is Microsoft's Endpoint Mapper, their version of the Unix Portmapper. For anything that's using RPCs, like file sharing, you need to have this open. That's different than netbios.

If you're syncing things like domain controllers across a VPN, you may find you have to open a lot of ports to support the RPC mechanism.

Glad I could help.
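A small reachability check for the port set this thread settles on (135-139 and 445), added here as an illustration and not part of anyone's answer above. Run from the client side against the server's tunnel address, it reports which TCP ports the tunnel firewall still drops and what each carries; it assumes Python 3 is available on the client and can only probe the TCP side, so UDP 137/138 must still be verified in the firewall rule itself. The loopback listener is a constructed stand-in for the file server so the script runs offline.

```python
import socket
from typing import Dict, List, Tuple

# Ports named in the thread and the Windows file-sharing service each carries.
# 135 (the RPC endpoint mapper) is the one a "NetBIOS 137-139 plus 445" rule leaves out.
PORT_ROLES = {135: "MS-RPC endpoint mapper", 137: "NetBIOS name service (UDP)",
              138: "NetBIOS datagram service (UDP)", 139: "NetBIOS session / SMB",
              445: "SMB direct host (CIFS over TCP)"}

def expand_port_spec(spec: str) -> List[int]:
    """Expand a firewall-style spec such as '135-139,445' into a sorted port list."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.update(range(lo, hi + 1))
        elif part:
            ports.add(int(part))
    return sorted(ports)

def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connect to host:port completes; refused and filtered both give False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_share_ports(host: str, spec: str = "135-139,445") -> Dict[int, bool]:
    """TCP reachability of every port in spec. UDP 137/138 cannot be probed this way."""
    return {p: tcp_port_open(host, p) for p in expand_port_spec(spec)}

def blocked_ports(results: Dict[int, bool]) -> List[str]:
    """Ports the tunnel rule still needs to allow, labelled with the service they carry."""
    return [f"{p} ({PORT_ROLES.get(p, 'unknown')})" for p, ok in sorted(results.items()) if not ok]

def local_listener() -> Tuple[socket.socket, int]:
    """Constructed stand-in for the file server: a loopback listener on an ephemeral port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]

if __name__ == "__main__":
    # Replace 127.0.0.1 with the server's tunnel address when run from the client laptop.
    srv, port = local_listener()
    print(check_share_ports("127.0.0.1", f"{port},1"), blocked_ports({135: False, 445: True}))
    srv.close()
```

A port that shows as blocked here but is allowed in the rule usually means the rule matched the wrong direction or only one of TCP/UDP, which is the same class of gap the thread's original NetBIOS-only rule had.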