Bypassing port 139 for a WAN active directory login

brian

Here's the deal. I need a non-Active Directory client to
map a drive across the WAN to an Active Directory Domain
Controller. Ok, I'm also using a Net Use batch file in
startup for the login/mapping to take place.
Batch file script:
net use f: \\172.17.1.200\NewFolder /user:(e-mail address removed) password

This works, but my router's Access List is blocking a few
ports. That will stop this from working in the
future. The access lists are as follows:

access-list 115 deny tcp any any eq 135
access-list 115 deny udp any any eq 135
access-list 115 deny udp any any eq netbios-ns
access-list 115 deny udp any any eq netbios-ss
access-list 115 deny udp any any eq netbios-dgm
access-list 115 deny tcp any any eq 139*****
access-list 115 deny tcp any any eq 445
access-list 115 deny tcp any any eq 593
access-list 115 deny tcp any any eq 4444
access-list 115 permit ip any any


The port I narrowed down to was 139. The script will run
with all the ACLs in place except for that one DENY
statement that I have marked with the asterisks.

My question, is there any way that I can get this login
batch to work on this 2000Pro client without using the 139
port? Changing the access-list is NOT an option, so I need
a work-around to have this batch file bypass the router
ACLs. I've tried using a LMHOST file which didn't seem to
work. LMHOST entry:
172.17.1.200 domaincontrl #PRE

Any help would be appreciated. Let's see how good you
MCSEs and network gurus are on this one.
Ellen Prater [MSFT]

|>
|>Here's the deal. I need a non-Active Directory client to
|>map a drive across the WAN to an Active Directory Domain
|>Controller. Ok, I'm also using a Net Use batch file in
|>startup for the login/mapping to take place.
|>Batch file script:
|>net use f: \\172.17.1.200\NewFolder /user:(e-mail address removed) password
|>
|>This works, but my router's Access List is blocking a few
|>ports. That will stop this from working in the
|>future. The access lists are as follows:
|>
|>access-list 115 deny tcp any any eq 135
|>access-list 115 deny udp any any eq 135
|>access-list 115 deny udp any any eq netbios-ns
|>access-list 115 deny udp any any eq netbios-ss
|>access-list 115 deny udp any any eq netbios-dgm
|>access-list 115 deny tcp any any eq 139*****
|>access-list 115 deny tcp any any eq 445
|>access-list 115 deny tcp any any eq 593
|>access-list 115 deny tcp any any eq 4444
|>access-list 115 permit ip any any
|>
|>
|>The port I narrowed down to was 139. The script will run
|>with all the ACLs in place except for that one DENY
|>statement that I have marked with the asterisks.
|>
|>My question, is there any way that I can get this login
|>batch to work on this 2000Pro client without using the 139
|>port? Changing the access-list is NOT an option, so I need
|>a work-around to have this batch file bypass the router
|>ACLs. I've tried using a LMHOST file which didn't seem to
|>work. LMHOST entry:
|>172.17.1.200 domaincontrl #PRE
|>
|>Any help would be appreciated. Let's see how good you
|>MCSEs and network gurus are on this one.


NetBIOS over TCP traditionally uses the following ports:
nbname 137/UDP
nbname 137/TCP
nbdatagram 138/UDP
nbsession 139/TCP

Direct hosted "NetBIOS-less" SMB traffic uses port 445 (TCP and UDP).

NT 4.0 and Win9x will always use port 139 for a NetBIOS session (net use or
net view).
In Windows 2000, however, if both the direct hosted and NBT interfaces are
enabled, both methods are tried at the same time and the first to respond
is used.

In other words, you cannot block both port 139 and 445 if you want to map a
drive from and to a Windows 2000 system through a router. Since you are
mapping to an IP address instead of a NetBIOS name, you will not need to
use LMHOSTS or WINS for name resolution.

This article may be helpful to you as well:

179442 How to Configure a Firewall for Domains and Trusts
http://kb/article.asp?id=Q179442


This posting is provided "AS IS" with no warranties, and confers no rights.
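The reply's point (Windows 2000 needs either TCP 139 or TCP 445 to reach the server, and the posted ACL denies both) can be checked mechanically. The following is an added example, not code from the thread or from Microsoft: it parses the Cisco-style extended ACL lines exactly as posted, evaluates them with standard first-match semantics (implicit deny at the end), and reports whether an SMB session on either port would get through. The port-name mappings (netbios-ns 137, netbios-dgm 138, netbios-ss 139) are the standard Cisco keyword values; the parser only understands the `any any [eq port]` form used in the post.

```python
"""Audit a Cisco-style extended ACL for the two SMB session ports (139, 445).

Added example (not from the original thread). ACL lines are copied from the post;
evaluation follows standard numbered-ACL behaviour: first matching entry wins,
and anything not matched is implicitly denied.
"""
import re

# Cisco port keywords used in the posted ACL (well-known values).
NAMED_PORTS = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}

# Copy of the ACL from the post; the author's "*****" marker is tolerated by the parser.
POSTED_ACL = """
access-list 115 deny tcp any any eq 135
access-list 115 deny udp any any eq 135
access-list 115 deny udp any any eq netbios-ns
access-list 115 deny udp any any eq netbios-ss
access-list 115 deny udp any any eq netbios-dgm
access-list 115 deny tcp any any eq 139*****
access-list 115 deny tcp any any eq 445
access-list 115 deny tcp any any eq 593
access-list 115 deny tcp any any eq 4444
access-list 115 permit ip any any
"""

# Only the "any any [eq <port>]" shape appearing in the post is supported.
ACE_RE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>ip|tcp|udp)"
    r"\s+any\s+any(?:\s+eq\s+(?P<port>\S+))?\s*$"
)


def parse_acl(text):
    """Return a list of (action, protocol, port-or-None) tuples in ACL order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip().rstrip("*").strip()  # drop the poster's asterisk marker
        if not line:
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE syntax: {raw!r}")
        port = m.group("port")
        if port is not None:
            port = NAMED_PORTS.get(port) or int(port)
        entries.append((m.group("action"), m.group("proto"), port))
    return entries


def evaluate(entries, proto, port):
    """True if a packet of the given protocol/destination port is permitted."""
    for action, ace_proto, ace_port in entries:
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if ace_port is not None and ace_port != port:
            continue
        return action == "permit"  # first match wins
    return False  # implicit deny at the end of every Cisco ACL


def smb_session_ports_open(entries):
    """Map each SMB session port (139 = NBT, 445 = direct-hosted) to its permit status."""
    return {p: evaluate(entries, "tcp", p) for p in (139, 445)}


def can_map_drive(entries):
    """Windows 2000 tries both transports; the drive mapping works if either port is open."""
    return any(smb_session_ports_open(entries).values())


if __name__ == "__main__":
    acl = parse_acl(POSTED_ACL)
    print("as posted:", smb_session_ports_open(acl), "map works:", can_map_drive(acl))
    # The poster's observation: removing only the tcp/139 deny makes the mapping work.
    without_139 = [e for e in acl if e != ("deny", "tcp", 139)]
    print("without 139 deny:", smb_session_ports_open(without_139),
          "map works:", can_map_drive(without_139))
```

With the ACL as posted both ports report denied, so the mapping cannot succeed; dropping only the tcp/139 entry leaves 445 blocked but 139 open, which is exactly the behaviour the poster observed. Keeping both denies is the correct state for a perimeter router; the fix belongs on the access-list, not in the batch file.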