What Ports Have to Be Open to Map a Drive Through a Site-to-Site VPN Tunnel?

Posted on 2008-11-14
9,292 Views
Last Modified: 2012-05-05
We have a client with a laptop in an untrusted domain who is running Windows XP Professional SP2. We have established a site-to-site VPN tunnel between the client's company and our own. We need him to be able to map a drive to a member server in our own domain, a server dedicated for use by their company. We have created a local user ID on our server with the same password to enable pass-through authentication. If no firewall rules are applied to the tunnel he is able to map a drive. If I enable only the "NetBIOS" ports, 137 through 139, and SMB port 445, the user is no longer able to map a drive. Again, this is not using remote desktop or anything; it is simply mapping a drive letter to a UNC share through the tunnel. We have added the server name in his HOSTS file, so it is not a name resolution issue. What am I missing? Thank you...
Question by: adoughe

7 Comments
Expert Comment by MPCP-Brian (LVL 10), ID: 22962343
VPN uses ports 500 and 1723; however, you should not need them.
1. Make sure File and Printer sharing is enabled.
2. Make sure it is not being blocked via a software firewall.
Author Comment by adoughe (LVL 1), ID: 22962379
The ports required for VPN, including port 500, are open and the tunnel is functional. Everything to enable mapping the drive is set up and working. There is no server or laptop firewall. Like I said, it works as long as the firewall on the tunnel is not restricted. So obviously, if restricting it causes the mapping to fail, it means I am blocking port(s) that need to be open other than the ones I have indicated I am allowing. So I believe this to be purely a ports issue. The question is what ports? Is a dynamic range of ports needed? I have not yet been able to find this information.
Expert Comment by MPCP-Brian (LVL 10), ID: 22962504
Is the computer with the drives you are trying to map Windows XP, or Vista? If it is Windows XP Pro, then go into the Control Panel, Administrative Tools, Local Security Policy, Local Policies, Security Options. The policy you want is Network Access: Sharing and Security Model.
Classic - You must have a valid username and password to connect.
Guest - You don't, however you will not be able to map hidden shares and the security might be blocking you out.
If that doesn't work let's try this:
Let's make absolutely sure that drive mapping is not the issue. You are trying to map a drive from Site B to Site A. If there is another computer at Site A you can use to map the drives internally at Site A, try it; this will confirm the issue is with the VPN.
Author Comment by adoughe (LVL 1), ID: 22962697
I appreciate your effort to help me but in my original post I indicated it was a server (Windows Server 2003 SP2) that the laptop needs to connect to and he had already successfully mapped a drive to a UNC share on that server. It is not XP. I believe it is a ports issue and simply need to know what ports I am missing.
Accepted Solution by Hugh Fraser (LVL 12, earned 2000 total points), ID: 22963148
Try making it ports 135-139 and 445, both UDP and TCP.

Before you do that, have you tried a basic ping to ensure that the end-to-end connectivity is there? If it fails, try a traceroute.
Author Comment by adoughe (LVL 1), ID: 22963604
hfraser, our firewall only lists ports 137 through 139 and 445 as "NetBIOS", and that configuration works from our LAN to our DMZ. It didn't work VPN to LAN until I added those two extra ports. Thank you!
Expert Comment by Hugh Fraser (LVL 12), ID: 22964269
Port 135 is Microsoft's Endpoint Mapper, their version of the Unix Portmapper. For anything that's using RPCs, like file sharing, you need to have this open. That's different from NetBIOS.

If you're syncing things like domain controllers across a VPN, you may find you have to open a lot of ports to support the RPC mechanism.

Glad I could help.
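The port profile the thread settled on (135 through 139 and 445, TCP and UDP) is easy to get wrong precisely because a firewall's "NetBIOS" preset can omit 135, the RPC endpoint mapper. The following is an added example, not code from the thread or from any participant: a small Python audit that parses a constructed allow-list and reports which of those ports it does not permit, naming the service behind each gap. The `proto/port` and `proto/first-last` rule syntax is an assumption made for this example, not any vendor's format, and the two rulesets at the bottom are constructed to mirror the asker's first attempt and the accepted fix.

```python
"""Audit a firewall allow-list against the ports a Windows drive mapping needs.

Port list: the one the accepted answer gives (135-139 and 445, TCP and UDP).
Rule syntax ("tcp/445", "udp/137-139"): assumed for this example only.
"""
from dataclasses import dataclass

# Well-known service names, used only to make the report readable.
PORT_NAMES = {
    135: "RPC endpoint mapper",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service",
    445: "SMB over TCP (direct hosting)",
}

# Profile of what the accepted answer says must be open for a drive mapping.
DRIVE_MAPPING_PORTS = {
    "tcp": {135, 137, 138, 139, 445},
    "udp": {135, 137, 138, 139, 445},
}


@dataclass(frozen=True)
class Rule:
    """One allow rule: a protocol and an inclusive port range."""
    proto: str
    first: int
    last: int

    def covers(self, proto, port):
        return self.proto == proto and self.first <= port <= self.last


def parse_rule(text):
    """Parse 'tcp/445' or 'udp/137-139' into a Rule (assumed syntax)."""
    proto, _, ports = text.strip().lower().partition("/")
    if proto not in ("tcp", "udp") or not ports:
        raise ValueError(f"bad rule: {text!r}")
    first, _, last = ports.partition("-")
    first_port = int(first)
    last_port = int(last) if last else first_port
    if not (0 < first_port <= last_port <= 65535):
        raise ValueError(f"bad port range: {text!r}")
    return Rule(proto, first_port, last_port)


def missing_ports(rule_texts, required=DRIVE_MAPPING_PORTS):
    """Return {proto: [ports]} the ruleset does not allow; empty dict if complete."""
    rules = [parse_rule(t) for t in rule_texts]
    gaps = {}
    for proto, ports in required.items():
        absent = sorted(p for p in ports
                        if not any(r.covers(proto, p) for r in rules))
        if absent:
            gaps[proto] = absent
    return gaps


def report(rule_texts):
    """Human-readable summary of the gaps, one blocked port per line."""
    gaps = missing_ports(rule_texts)
    if not gaps:
        return "ruleset allows every port a drive mapping needs"
    lines = []
    for proto, ports in gaps.items():
        for port in ports:
            lines.append(f"{proto}/{port} blocked ({PORT_NAMES.get(port, 'unknown')})")
    return "\n".join(lines)


# Constructed rulesets mirroring the thread: the first attempt and the fix.
ORIGINAL_RULES = ["tcp/137-139", "udp/137-139", "tcp/445", "udp/445"]
FIXED_RULES = ["tcp/135-139", "udp/135-139", "tcp/445", "udp/445"]

if __name__ == "__main__":
    print("original ruleset:\n" + report(ORIGINAL_RULES))
    print("fixed ruleset:\n" + report(FIXED_RULES))
```

Run as-is, the original ruleset reports `tcp/135` and `udp/135` as blocked with the endpoint-mapper name attached, and the fixed ruleset reports no gaps. Swapping in a different `required` profile (for example a narrower one for a host that only uses SMB over 445) is the intended way to reuse the audit.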