  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 72
  • Last Modified:

To Check for open/block port on windows 2008/2003 server

Need to understand the best way to locate the open/blocked port on any Windows Server 2003/2008, as I'm unable to telnet between machines X and Y, and unable to take RDP between machines X and Y, while RDP and telnet are fine between A and X and also for A and Y.

Please advise the best practice to follow so that I can locate the actual glitch. All machines are in my local LAN with different subnets/gateways, i.e. machines A, X and Y are all on different local subnets/gateways.
I have already disabled the Windows firewall, but no luck!!
Asked by: patron
8 Solutions
 
patron (Author) commented:
Also confirm if the telnet client is required on Windows 2008 server to make a telnet connection between a Win 2003 and a 2008 machine?
0
 
nader alkahtani (Network Engineer) commented:
Download PortQryUI.exe

http://www.microsoft.com/en-us/download/details.aspx?id=24009

If you need batching operations you should use the other command-line version that is mentioned here: http://www.windowsnetworking.com/kbase/WindowsTips/WindowsServer2008/AdminTips/Security/AQuickTipToCheckIfPortsAreListening.html
0
 
patron (Author) commented:
Please advise, as I need to rectify where exactly the ports are blocked: at OS level or in the LAN network?
0
 
Rich Rumble (Security Samurai) commented:
Can you use Nmap from a host on your network to port scan the host in question?
nmap -sT -Pn -T5 -p 1-65535 ip.ip.ip.ip
You can narrow down those ports if you need to, 21-3389 for example, and change the IP to the correct IP of the host you are scanning.
It could be your anti-virus software has a firewall built in too. Someone could have applied IPsec filters; have a look inside secpol.msc (Start -> Run -> secpol.msc) and look at the IPsec filters to see if any are applied.

-rich
0
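A way to turn the telnet/Nmap probe above into something that also says why a port fails, as an added example that is not part of this thread and not code from any tool it links to. It uses the .NET TcpClient so it runs on the PowerShell 2.0 that ships with Server 2008, where Test-NetConnection does not exist and the Telnet Client is an optional feature that is not installed by default. The hostname in the usage line is a placeholder for the Y machine in the question.

```powershell
# Added example, not code from the thread: probe a TCP port and classify the failure.
# Uses .NET TcpClient so it works on PowerShell 2.0 (Server 2008) and does not need the
# Telnet Client feature or Nmap on the probing host.
function Test-TcpPort {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $sw     = [System.Diagnostics.Stopwatch]::StartNew()
    # Default verdict: the SYN went unanswered until the timeout. That is what a host firewall,
    # an IPsec filter, an AV firewall or a network device silently dropping packets looks like.
    $state  = 'Filtered'
    $detail = 'no reply before timeout: firewall / IPsec filter / network device dropping traffic'
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $client.EndConnect($async)    # throws a SocketException if the host answered with RST
            $state  = 'Open'
            $detail = 'TCP handshake completed: a service is listening'
        }
    } catch {
        # .NET exceptions reach PowerShell wrapped; unwrap to reach the SocketException itself
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        if ($ex -is [System.Net.Sockets.SocketException]) {
            switch ($ex.SocketErrorCode.ToString()) {
                'ConnectionRefused' {
                    # The host sent RST: packets get through, but nothing listens on that port.
                    $state  = 'Refused'
                    $detail = 'host reachable but nothing listening: check netstat -ano on the target'
                }
                'TimedOut'           { $state = 'Filtered';    $detail = 'no reply: traffic is being dropped' }
                'HostNotFound'       { $state = 'Unresolved';  $detail = 'name did not resolve (DNS/hosts)' }
                'HostUnreachable'    { $state = 'Unreachable'; $detail = 'ICMP unreachable: routing / gateway problem' }
                'NetworkUnreachable' { $state = 'Unreachable'; $detail = 'ICMP unreachable: routing / gateway problem' }
                default              { $state = 'Error';       $detail = $ex.SocketErrorCode.ToString() }
            }
        } else {
            $state = 'Error'; $detail = $ex.Message
        }
    } finally {
        $sw.Stop()
        $client.Close()
    }
    New-Object PSObject -Property @{
        ComputerName = $ComputerName; Port = $Port; State = $state
        ElapsedMs = $sw.ElapsedMilliseconds; Detail = $detail
    } | Select-Object ComputerName, Port, State, ElapsedMs, Detail
}

# Usage ('y-server' is a placeholder): run this once from machine A and once from machine X.
foreach ($p in 3389, 23) { Test-TcpPort -ComputerName 'y-server' -Port $p }
```

The State column is what localises the problem. Refused comes back in milliseconds and means the network path is fine and the target host itself has nothing bound to the port (service stopped, or the RDP port was changed), so the fault is at OS level. Filtered burns the whole timeout and means something between the two hosts, or on the target, is dropping the SYN: the Windows firewall, an IPsec filter in secpol.msc, an anti-virus firewall, or a device in the LAN. Running the same probe from A and from X against Y tells them apart: if A gets Open and X gets Filtered, the block is specific to the X-to-Y path or to a source-specific rule on Y.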
 
btan (Exec Consultant) commented:
netstat is also useful to list listening ports and the process holding them, so that at least we can further drill down into whether the service is indeed blocked or not even running.

http://support.microsoft.com/kb/281336
e.g.
1. Telnet serverip 3389
Result: Could not open connection to the host, on port 3389:
2. netstat -n -a -o | find "3389" (run this command on my RDP server)
Result: nothing displayed (3389 port not listed)
3. Restart the Terminal service and the server
4. Change the RDP port number and restart the service as well as the server
5. Check all RDP-related registry settings
0
 
btan (Exec Consultant) commented:
Another one worth mentioning is this EE question, which had a similar experience, in particular with RDP; likewise they disabled almost everything and eventually it was a related RDP driver not starting. The steps shared there are useful to drill down, though.

http://mobile.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_27644206.html
0
 
Coralon commented:
Ok, I think I understand what you are asking?

Are you saying that given 3 machines, A, Y, X:
X -> Y telnet fails (assuming you are checking the correct ports: default 3389 for RDP, telnet is 23).
A -> X telnet works (same assumption)
A -> Y telnet works (same assumption)
And you mentioned you have disabled the Windows firewall (I assume this is on both ends?)

If these facts are correct, you are down to a few different options.
1. The port you want is blocked by networking gear (3389 for RDP).
Run tracerts (traceroute) between the machines to see if the routing is going through.
2. I am assuming you do not have a telnet server enabled on any of the servers (very serious security risk).
3. You could have IPSec blocking some of the connections. For this, you would want to check the local IPSec settings on each of the network adapters for your machines. You can assign/enforce machines to only accept IPSec connections, and only accept them from specific machines.
4. It is possible you may not have the correct services enabled on each machine? Nmap is not included with Windows, but you can use netstat -ano to see the services listening on specific ports. It should look something like this:
TCP    0.0.0.0:3369           0.0.0.0:0              LISTENING       4

Coralon
0
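The netstat -ano, service and registry checks from btan's steps 2 to 5 and Coralon's point 4, as an added example that is neither poster's code. Get-ListeningPort parses netstat -ano output (or captured lines passed in) and maps each listener to its process; Test-RdpListener reads the configured RDP port from the Terminal Server registry key and reports whether anything is actually bound to it. The sample netstat lines at the end are constructed for the example, and the PIDs in them are illustrative.

```powershell
# Added example, not code from the thread: the manual "netstat -n -a -o | find" check as a
# function that ties each listening socket to the process holding it.
function Get-ListeningPort {
    param(
        [int]$Port = 0,              # 0 = every listening port
        [string[]]$NetstatLines      # optional: captured "netstat -ano" output, for parsing offline
    )
    if (-not $NetstatLines) { $NetstatLines = netstat -ano }
    foreach ($line in $NetstatLines) {
        # TCP rows:  TCP    0.0.0.0:3389   0.0.0.0:0   LISTENING   1234
        # UDP rows:  UDP    0.0.0.0:3389   *:*                     1234   (no state column)
        # ESTABLISHED / TIME_WAIT rows do not match the pattern and are skipped.
        if ($line -notmatch '^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:LISTENING\s+)?(\d+)\s*$') { continue }
        $proto = $Matches[1]; $local = $Matches[2]; $procId = [int]$Matches[4]
        # The port is the text after the last colon, which also copes with IPv6 such as [::]:3389
        $localPort = [int]($local.Substring($local.LastIndexOf(':') + 1))
        if ($Port -ne 0 -and $localPort -ne $Port) { continue }
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            Protocol = $proto; LocalAddress = $local; LocalPort = $localPort; ProcessId = $procId
            ProcessName = $(if ($proc) { $proc.ProcessName } else { '(no such process / access denied)' })
        } | Select-Object Protocol, LocalAddress, LocalPort, ProcessId, ProcessName
    }
}

# Compare what Windows is configured to do for RDP with what is actually bound (steps 3 to 5 above).
function Test-RdpListener {
    # PortNumber under this key is the RDP listening port (3389 unless someone changed it)
    $rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $port = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
    $svc  = Get-Service -Name TermService -ErrorAction SilentlyContinue
    $listener = @(Get-ListeningPort -Port $port | Where-Object { $_.Protocol -eq 'TCP' })
    New-Object PSObject -Property @{
        ConfiguredPort  = $port
        ServiceStatus   = $(if ($svc) { $svc.Status.ToString() } else { 'TermService not found' })
        Listening       = ($listener.Count -gt 0)
        ListenerProcess = $(if ($listener.Count -gt 0) { $listener[0].ProcessName } else { '' })
    } | Select-Object ConfiguredPort, ServiceStatus, Listening, ListenerProcess
}

# Constructed sample output (not captured from any real server) so the parser can be tried offline.
$sample = @(
    '  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1288',
    '  TCP    10.0.0.5:3389          10.0.0.9:51022         ESTABLISHED     1288',
    '  TCP    [::]:3389              [::]:0                 LISTENING       1288',
    '  UDP    0.0.0.0:123            *:*                                    972'
)
Get-ListeningPort -Port 3389 -NetstatLines $sample   # two LISTENING rows, the ESTABLISHED one is dropped
Test-RdpListener                                     # live check on the server this runs on
```

Read the two results together with the remote probe. ServiceStatus Running with Listening False is the situation from the linked EE question (the service is up but the RDP listener never bound, so the port shows as refused from outside); ServiceStatus Stopped is step 3; a ConfiguredPort other than 3389 means step 4 was applied and the clients are probing the wrong port; and Listening True while the remote probe still fails means the socket is fine and the block is a firewall, IPsec filter or the network, not the OS.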
 
David Johnson, CD, MVP (Owner) commented:
Having different gateways may be a problem. First check to see if you have basic networking between the different zones: use ping or tracert and confirm that it is not a networking issue. You may have to add routes from one machine to another.
0
 
btan (Exec Consultant) commented:
Common services being accessible directly by machines from various subnets and gateways complicates troubleshooting; I don't really encourage that without proper routing planning, though. If we take RDS services, there are best-practice pointers in the MS RDS configuration which you may want to check out: "Verify all RD Gateway server farm members are available on the network".
0
 
patron (Author) commented:
Thanks for all your supportive comments; I will check these options as well.

If I add a route in ARP, will that resolve the issue of accessing any UNC path?

I will share more detail after checking the above options.
0
 
Coralon commented:
ARP isn't used for routing? But adding a route through route add won't resolve your problem. This is an issue of ports & connectivity, not routing. (If they couldn't route, you would not be able to establish any session.)

Coralon
0
 
btan (Exec Consultant) commented:
Better to confirm first that your RDS services are all able to talk directly with the setup, rather than be bothered by that connectivity stuff, to ease troubleshooting. If it comes to that, then it is for your network team to best advise the org on the way to get them accessible, as these are your requirements from an apps/services perspective.
0
 
patron (Author) commented:
RDS - Remote Data/Desktop Service? And how can I confirm whether it is fine between 2 computers, other than checking the service status in the services console?
0
 
younghv commented:
I've requested that this question be deleted for the following reason:

The question has either no comments or not enough useful information to be called an "answer".
0
 
patron (Author) commented:
Thanks for all your time on this.
0