Solved

To check for open/blocked ports on Windows 2008/2003 server

Posted on 2014-04-29
Last Modified: 2016-01-21
I need to understand the best way to locate open/blocked ports on any Windows Server 2003/2008, as I am unable to telnet between machines X and Y and unable to RDP between machines X and Y, while RDP and telnet are fine between A and X and also between A and Y.

Please advise the best practice to follow so that I can locate the actual glitch. All machines are in my local LAN with different subnets/gateways: machines A, X and Y are each on a different local subnet/gateway.
I have already disabled Windows Firewall, but no luck!
Question by:patron
17 Comments
 

Author Comment

by:patron
ID: 40031245
Also, please confirm whether the telnet client is required on Windows 2008 Server to telnet between Win 2003 and 2008 machines?

Assisted Solution

by:nader alkahtani
nader alkahtani earned 63 total points
ID: 40031676
Download PortQryUI.exe:

http://www.microsoft.com/en-us/download/details.aspx?id=24009

If you need batch operation, you should use the other, command-line version that is mentioned here: http://www.windowsnetworking.com/kbase/WindowsTips/WindowsServer2008/AdminTips/Security/AQuickTipToCheckIfPortsAreListening.html

Author Comment

by:patron
ID: 40052756
Please advise, as I need to rectify where exactly ports are blocked: at OS level or in the LAN network?

Assisted Solution

by:Rich Rumble
Rich Rumble earned 63 total points
ID: 40056691
Can you use Nmap from a host on your network to port scan the host in question?
nmap -sT -P0 -T5 -p 1-65535 ip.ip.ip.ip
You can narrow down those ports if you need to, 21-3389 for example, and change the IP to the correct IP of the host you are scanning.
It could be your anti-virus software has a firewall built in too. Someone could have applied IPSec filters; have a look inside secpol.msc (Start -> Run -> secpol.msc) and look at the IPSec filters to see if any are applied.

-rich

Assisted Solution

by:btan
btan earned 188 total points
ID: 40056749
netstat is also useful to list listening ports and the process holding them, so that at least we can further drill down into whether the service is indeed blocked or not even running

http://support.microsoft.com/kb/281336
e.g.
1. Telnet serverip 3389
Result : Could not open connection to the host, on port 3389:
2. netstat -n -a -o | find "3389" (run this command in my RDP server)
Result : nothing displayed (3389 port not listed )
3. Restart Terminal service and the server
4. Changed the RDP port no and restarted the service as well as the server
5. Check all RDP-related Registry settings

Expert Comment

by:btan
ID: 40056758
Another one worth mentioning is this EE question, which has a similar experience, in particular with RDP. Likewise they disabled almost everything, and eventually it was a related RDP driver not starting. The steps shared are used to drill down, though.

http://mobile.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_27644206.html

Assisted Solution

by:Coralon
Coralon earned 124 total points
ID: 40056764
Ok, I think I understand what you are asking?

Are you saying that given 3 machines, a, y, x
x -> y telnet fails (assuming you are checking the correct ports (default 3389 for RDP, telnet is 23)).
a -> x telnet works (same assumption)
a -> y telnet works (same assumption)
And you mentioned you have disabled the windows firewall (I assume this is on both ends?)

If these facts are correct, you are down to a few different options.
1. The port you want is blocked by networking gear (3389 for RDP).
Run tracerts (traceroute) between the machines to see if the routing is going through.
2. I am assuming you do not have a telnet server enabled on any of the servers (very serious security risk).
3. You could have IPSec blocking some of the connections.  For this, you would want to check the local IPSec settings on each of the network adapters for your machines.  You can assign/enforce machines to only accept IPSec connections, and only accept them from specific machines.
4. It is possible you may not have the correct services enabled on each machine?  Nmap is not included with Windows, but you can use netstat -ano to see the services listening on specific ports.  It should look something like this:
TCP    0.0.0.0:3369           0.0.0.0:0              LISTENING       4


Coralon
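
Added example (not part of the original thread): a PowerShell version of the telnet-then-netstat check from btan's steps 1-2 and Coralon's item 4, which separates "nothing is listening" from "something on the path is dropping packets". The function names, the 192.0.2.10 address and the timeout are assumptions; it uses only .NET 2.0 socket calls and netstat, and expects English netstat output.

```powershell
# Added example. Function names, 192.0.2.10 and the 3 s timeout are assumptions.

# Run on the CLIENT (e.g. machine X, targeting Y): classify one TCP connection attempt.
function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            # Neither SYN/ACK nor RST came back: packets are being silently dropped.
            return 'FILTERED (timeout): firewall, IPSec policy, ACL on network gear, or no route'
        }
        $client.EndConnect($async)   # throws if the attempt completed with an error
        return 'OPEN: a service accepted the connection'
    }
    catch {
        $ex = $_.Exception.GetBaseException()
        $code = ''
        if ($ex -is [System.Net.Sockets.SocketException]) { $code = $ex.SocketErrorCode.ToString() }
        if ($code -eq 'ConnectionRefused') {
            return 'CLOSED (refused): host reachable, nothing accepting on that port'
        }
        if ($code -eq 'HostUnreachable' -or $code -eq 'NetworkUnreachable') {
            return 'UNREACHABLE: routing problem between the subnets'
        }
        return "ERROR: $($ex.Message)"
    }
    finally { $client.Close() }
}

# Run on the SERVER: is anything listening on the port, and which process owns it?
function Get-PortListener {
    param([int]$Port)
    netstat -ano | ForEach-Object {
        # Matches e.g. "TCP    0.0.0.0:3389    0.0.0.0:0    LISTENING    1234"
        if ($_ -match "^\s*TCP\s+(\S+):${Port}\s+\S+\s+LISTENING\s+(\d+)") {
            $owner = Get-Process -Id ([int]$Matches[2]) -ErrorAction SilentlyContinue
            New-Object PSObject -Property @{
                LocalAddress = $Matches[1]; Port = $Port
                OwningPid = [int]$Matches[2]; Process = $owner.ProcessName
            }
        }
    }
}

# Reading the two results together (placeholder address):
#   Test-TcpPort -Target 192.0.2.10 -Port 3389   # from X
#   Get-PortListener -Port 3389                  # on Y
# CLOSED, no listener on Y   -> service not running or bound to another port
# FILTERED, listener on Y    -> blocked in between: host/AV firewall, IPSec, network gear
```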

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 62 total points
ID: 40056923
Having different gateways may be a problem. First check to see if you have basic networking between the different zones: use ping or tracert and confirm that it is not a networking issue. You may have to add routes from one machine to another.

Accepted Solution

by:btan
btan earned 188 total points
ID: 40056997
Common services that are accessible directly via machines from various subnets and gateways complicate troubleshooting - I don't really encourage that w/o proper routing planning though. If we take RDS services, there are best practice pointers in the MS RDS configurations which you may want to check out: "Verify all RD Gateway server farm members are available on the network"

Author Comment

by:patron
ID: 40057325
Thanks for all your supportive comments; I will check these options as well.

If I add a route in ARP, will that resolve the issue of accessing any UNC path?

I will share more detail after checking the above options.

Assisted Solution

by:Coralon
Coralon earned 124 total points
ID: 40057954
ARP isn't used for routing?  But, adding a route through route add won't resolve your problem.  This is an issue of ports & connectivity, not routing.  (If they couldn't route, you would not be able to establish any session).  

Coralon

Assisted Solution

by:btan
btan earned 188 total points
ID: 40058014
Better to confirm first that your RDS services are all able to talk directly with the setup, rather than be bothered by the connectivity stuff, to ease troubleshooting. If it comes to that, then it is your network team who can best advise the org on the way to get them accessible, as these are your requirements from an apps services perspective.

Author Comment

by:patron
ID: 40058030
RDS - Remote Data/Desktop Service? And how can I confirm whether it is fine between 2 computers, other than by checking the service status in the services console?

Expert Comment

by:younghv
ID: 41424668
I've requested that this question be deleted for the following reason:

The question has either no comments or not enough useful information to be called an "answer".

Author Closing Comment

by:patron
ID: 41424669
Thanks for all your time on this.