PC Review
Bypassing port 139 for a WAN active directory login

brian
      15th Oct 2003
Here's the deal. I need a non-Active Directory client to
map a drive across the WAN to an Active Directory Domain
Controller. Ok, I'm also using a Net Use batch file in
startup for the login/mapping to take place.
Batch file script:
net use f: \\172.17.1.200\NewFolder /user:(E-Mail Removed) password

This works, but my router's Access List is blocking a few
ports. That will stop this from working in the
future. The access lists are as follows:

access-list 115 deny tcp any any eq 135
access-list 115 deny udp any any eq 135
access-list 115 deny udp any any eq netbios-ns
access-list 115 deny udp any any eq netbios-ss
access-list 115 deny udp any any eq netbios-dgm
access-list 115 deny tcp any any eq 139*****
access-list 115 deny tcp any any eq 445
access-list 115 deny tcp any any eq 593
access-list 115 deny tcp any any eq 4444
access-list 115 permit ip any any


The port I narrowed down to was 139. The script will run
with all the ACLs in place except for that one DENY
statement that I have marked with the asterisks.

My question, is there any way that I can get this login
batch to work on this 2000Pro client without using the 139
port? Changing the access-list is NOT an option, so I need
a work-around to have this batch file bypass the router
ACLs. I've tried using an LMHOSTS file which didn't seem to
work. LMHOSTS entry:
172.17.1.200 domaincontrl #PRE

Any help would be appreciated. Let's see how good you
MCSEs and network gurus are on this one.
Ellen Prater [MSFT]
      15th Oct 2003
|>
|>Here's the deal. I need a non-Active Directory client to
|>map a drive across the WAN to an Active Directory Domain
|>Controller. Ok, I'm also using a Net Use batch file in
|>startup for the login/mapping to take place.
|>Batch file script:
|>net use f: \\172.17.1.200\NewFolder /user:(E-Mail Removed) password
|>
|>This works, but my router's Access List is blocking a few
|>ports. That will stop this from working in the
|>future. The access lists are as follows:
|>
|>access-list 115 deny tcp any any eq 135
|>access-list 115 deny udp any any eq 135
|>access-list 115 deny udp any any eq netbios-ns
|>access-list 115 deny udp any any eq netbios-ss
|>access-list 115 deny udp any any eq netbios-dgm
|>access-list 115 deny tcp any any eq 139*****
|>access-list 115 deny tcp any any eq 445
|>access-list 115 deny tcp any any eq 593
|>access-list 115 deny tcp any any eq 4444
|>access-list 115 permit ip any any
|>
|>
|>The port I narrowed down to was 139. The script will run
|>with all the ACLs in place except for that one DENY
|>statement that I have marked with the asterisks.
|>
|>My question, is there any way that I can get this login
|>batch to work on this 2000Pro client without using the 139
|>port? Changing the access-list is NOT an option, so I need
|>a work-around to have this batch file bypass the router
|>ACLs. I've tried using an LMHOSTS file which didn't seem to
|>work. LMHOSTS entry:
|>172.17.1.200 domaincontrl #PRE
|>
|>Any help would be appreciated. Let's see how good you
|>MCSEs and network gurus are on this one.


NetBIOS over TCP traditionally uses the following ports:
nbname 137/UDP
nbname 137/TCP
nbdatagram 138/UDP
nbsession 139/TCP

Direct hosted "NetBIOS-less" SMB traffic uses port 445 (TCP and UDP).

NT 4.0 and Win9x will always use port 139 for a NetBIOS session (net use or
net view).
In Windows 2000, however, if both the direct hosted and NBT interfaces are
enabled, both methods are tried at the same time and the first to respond
is used.

In other words, you cannot block both port 139 and 445 if you want to map a
drive from and to a Windows 2000 system through a router. Since you are
mapping to an IP address instead of a NetBIOS name, you will not need to
use LMHOSTS or WINS for name resolution.

This article may be helpful to you as well:

179442 How to Configure a Firewall for Domains and Trusts
http://kb/article.asp?id=Q179442


This posting is provided "AS IS" with no warranties, and confers no rights.


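The two posts above can be checked against each other mechanically. The following Python script is an added example, not code from either poster or from Microsoft: it applies Cisco extended-ACL semantics (first matching line wins, implicit deny at the end) to the access-list 115 from the question, and models the SMB transport behaviour described in the MSFT reply (NT 4.0 and Win9x need 139/TCP; Windows 2000 can use 139/TCP or 445/TCP, whichever answers). The parser only understands the "any any [eq PORT]" form the thread uses, the Cisco port-name mappings are the standard ones (netbios-ns 137, netbios-dgm 138, netbios-ss 139), and the OS labels "nt4", "win9x" and "win2000" are names chosen for this example.

```python
"""Simulate access-list 115 from the thread against the SMB transports.

Added example, not from the original posts. Semantics assumed: Cisco
extended ACL, first match wins, implicit deny after the last line.
"""

# Cisco well-known port names that appear in the poster's ACL.
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}

# access-list 115 as posted. The trailing "*****" was the poster's
# highlighting, not ACL syntax, so the parser strips it.
ACL_TEXT = """\
access-list 115 deny tcp any any eq 135
access-list 115 deny udp any any eq 135
access-list 115 deny udp any any eq netbios-ns
access-list 115 deny udp any any eq netbios-ss
access-list 115 deny udp any any eq netbios-dgm
access-list 115 deny tcp any any eq 139*****
access-list 115 deny tcp any any eq 445
access-list 115 deny tcp any any eq 593
access-list 115 deny tcp any any eq 4444
access-list 115 permit ip any any
"""

# SMB transports per the MSFT reply: NetBIOS session service on 139/TCP,
# direct-hosted SMB on 445/TCP (Windows 2000 and later only).
SMB_TRANSPORTS = {
    "nbsession": ("tcp", 139),
    "direct": ("tcp", 445),
}


def parse_acl(text):
    """Return (action, proto, port) tuples in ACL order; port None = any."""
    entries = []
    for line in text.splitlines():
        tokens = line.rstrip("*").split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        action, proto = tokens[2], tokens[3]
        port = None
        if "eq" in tokens:
            raw = tokens[tokens.index("eq") + 1]
            port = PORT_NAMES[raw] if raw in PORT_NAMES else int(raw)
        entries.append((action, proto, port))
    return entries


def permitted(acl, proto, port):
    """First matching entry decides; no match means the implicit deny."""
    for action, acl_proto, acl_port in acl:
        proto_match = acl_proto in ("ip", proto)
        port_match = acl_port is None or acl_port == port
        if proto_match and port_match:
            return action == "permit"
    return False


def usable_transports(acl, client_os):
    """Transports the ACL leaves open that this client OS can use."""
    if client_os in ("nt4", "win9x"):
        candidates = ["nbsession"]          # 139/TCP only
    else:
        candidates = ["nbsession", "direct"]  # Windows 2000 tries both
    return [name for name in candidates
            if permitted(acl, *SMB_TRANSPORTS[name])]


def mapping_possible(acl, client_os):
    """True if 'net use' to an IP address can get through at all."""
    return bool(usable_transports(acl, client_os))


def without_rule(acl, proto, port):
    """Copy of the ACL with one deny line dropped, to model the poster's
    test of removing the 139 deny (and, symmetrically, the 445 deny)."""
    return [e for e in acl
            if not (e[0] == "deny" and e[1] == proto and e[2] == port)]


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for os_name in ("nt4", "win2000"):
        print(os_name, "as posted:", usable_transports(acl, os_name))
        print(os_name, "minus 139 deny:",
              usable_transports(without_rule(acl, "tcp", 139), os_name))
        print(os_name, "minus 445 deny:",
              usable_transports(without_rule(acl, "tcp", 445), os_name))
```

Run as posted, the simulator reports no usable transport for either client type, which is the reply's point: both 139/TCP and 445/TCP are denied, so the mapping cannot succeed regardless of LMHOSTS or WINS. Dropping only the 139 deny reproduces the poster's observation that the batch file then works; dropping only the 445 deny would let a Windows 2000 client map the drive over direct-hosted SMB but would still leave NT 4.0 and Win9x clients without a path.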

