Bypassing port 139 for a WAN active directory login

Discussion in 'Microsoft Windows 2000 Networking' started by brian, Oct 15, 2003.

  1. brian (Guest)

    Here's the deal. I need a non-Active Directory client to
    map a drive across the WAN to an Active Directory Domain
    Controller. Ok, I'm also using a Net Use batch file in
    startup for the login/mapping to take place.
    Batch file script:
    net use f: \\172.17.1.200\NewFolder /user:<username> <password>

    This works, but my router's Access List is blocking a few
    ports. That will stop this from working in the
    future. The access lists are as follows:

    access-list 115 deny tcp any any eq 135
    access-list 115 deny udp any any eq 135
    access-list 115 deny udp any any eq netbios-ns
    access-list 115 deny udp any any eq netbios-ss
    access-list 115 deny udp any any eq netbios-dgm
    access-list 115 deny tcp any any eq 139*****
    access-list 115 deny tcp any any eq 445
    access-list 115 deny tcp any any eq 593
    access-list 115 deny tcp any any eq 4444
    access-list 115 permit ip any any


    The port I narrowed down to was 139. The script will run
    with all the ACLs in place except for that one DENY
    statement that I have marked with the asterisks.

    My question: is there any way that I can get this login
    batch to work on this 2000Pro client without using the 139
    port? Changing the access-list is NOT an option, so I need
    a work-around to have this batch file bypass the router
    ACLs. I've tried using an LMHOSTS file which didn't seem to
    work. LMHOSTS entry:
    172.17.1.200 domaincontrl #PRE

    Any help would be appreciated. Let's see how good you
    MCSEs and network gurus are on this one.
    brian, Oct 15, 2003
    #1

  2. |>
    |>Here's the deal. I need a non-Active Directory client to
    |>map a drive across the WAN to a Active Directory Domain
    |>Controller. Ok, I'm also using a Net Use batch file in
    |>startup for the login/mapping to take place.
    |>Batch file script:
    |>net use f:\\ 172.17.1.200\NewFolder /user
    |> password
    |>
    |> This works, but my router's Access List is blocking a few
    |>ports. That will stop this from this working in the
    |>future. The access lists are as follows:
    |>
    |>access-list 115 deny tcp any any eq 135
    |>access-list 115 deny udp any any eq 135
    |>access-list 115 deny udp any any eq netbios-ns
    |>access-list 115 deny udp any any eq netbios-ss
    |>access-list 115 deny udp any any eq netbios-dgm
    |>access-list 115 deny tcp any any eq 139*****
    |>access-list 115 deny tcp any any eq 445
    |>access-list 115 deny tcp any any eq 593
    |>access-list 115 deny tcp any any eq 4444
    |>access-list 115 permit ip any any
    |>
    |>
    |>The port I narrowed down to was 139. The script will run
    |>with all the ACLs in place except for that one DENY
    |>statement that I have marked with the asteriks.
    |>
    |>My question, is there any way that I can get this login
    |>batch to work on this 2000Pro client without using the 139
    |>port? Changing the access-list is NOT an option, so I need
    |>a work-around to have this batch file bypass the router
    |>ACLs. I've tried using a LMHOST file which didn't seem to
    |>work. LMHOST entry:
    |>172.17.1.200 domaincontrl #PRE
    |>
    |> Any help would be appreciated. Let's see how good you
    |>MCSEs and network gurus are on this one.
    |>.


    NetBIOS over TCP traditionally uses the following ports:
    nbname 137/UDP
    nbname 137/TCP
    nbdatagram 138/UDP
    nbsession 139/TCP

    Direct hosted "NetBIOS-less" SMB traffic uses port 445 (TCP and UDP).

    NT 4.0 and Win9x will always use port 139 for a NetBIOS session (net use or
    net view).
    In Windows 2000, however, if both the direct hosted and NBT interfaces are
    enabled, both methods are tried at the same time and the first to respond
    is used.

    In other words, you cannot block both port 139 and 445 if you want to map a
    drive from and to a Windows 2000 system through a router. Since you are
    mapping to an IP address instead of a NetBIOS name, you will not need to
    use LMHOSTS or WINS for name resolution.

    This article may be helpful to you as well:

    179442 How to Configure a Firewall for Domains and Trusts
    http://kb/article.asp?id=Q179442


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Ellen Prater [MSFT], Oct 15, 2003
    #2
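As an added example that is not code from either post, here is a small Python model of the reply's point: it parses the ACL quoted in the original post (re-typed here as a constructed sample), applies Cisco IOS first-match semantics with the implicit deny at the end, and reports whether a `net use` to an IP address would get through for a Windows 2000 client (needs 139/tcp or 445/tcp) versus an NT 4.0/Win9x client (needs 139/tcp). It assumes only the `<proto> any any [eq <port>]` entry shape used in the thread; anything else is rejected.

```python
import re
# IOS port keywords in the thread's ACL ('netbios-ss' is the post's spelling
# of the IOS keyword 'netbios-ssn'). Only the entry shape the thread uses is parsed.
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139, "netbios-ss": 139}
ACL_LINE = re.compile(r"^access-list\s+\d+\s+(permit|deny)\s+(ip|tcp|udp)\s+any\s+any(?:\s+eq\s+(\S+))?$")
# The ACL quoted in the original post, re-typed here as a constructed sample.
THREAD_ACL = """access-list 115 deny tcp any any eq 135
access-list 115 deny udp any any eq 135
access-list 115 deny udp any any eq netbios-ns
access-list 115 deny udp any any eq netbios-ss
access-list 115 deny udp any any eq netbios-dgm
access-list 115 deny tcp any any eq 139
access-list 115 deny tcp any any eq 445
access-list 115 deny tcp any any eq 593
access-list 115 deny tcp any any eq 4444
access-list 115 permit ip any any"""

def parse_acl(text):
    """Return [(action, proto, port)]; port None means any port."""
    entries = []
    for line in text.strip().splitlines():
        m = ACL_LINE.match(line.strip().rstrip("*"))  # tolerate the post's ***** marker
        if not m:
            raise ValueError("unsupported ACL line: %r" % line)
        action, proto, port = m.groups()
        entries.append((action, proto, None if port is None else PORT_NAMES.get(port) or int(port)))
    return entries

def permitted(entries, proto, port):
    """IOS first-match evaluation, including the implicit deny at the end."""
    for action, p, dport in entries:
        if p in ("ip", proto) and dport in (None, port):
            return action == "permit"
    return False

def smb_mapping_works(entries, client="win2000"):
    """Can 'net use' to an IP address succeed? Windows 2000 tries 139/tcp (NBT) and
    445/tcp (direct-hosted SMB) together and uses whichever answers, so either is
    enough; NT 4.0/Win9x need 139/tcp. Mapping by IP needs no 137/138 name lookup."""
    nbt, direct = permitted(entries, "tcp", 139), permitted(entries, "tcp", 445)
    return (nbt or direct) if client == "win2000" else nbt

def thread_outcomes():
    full = parse_acl(THREAD_ACL)
    no_139 = [e for e in full if e != ("deny", "tcp", 139)]  # the poster's working case
    no_445 = [e for e in full if e != ("deny", "tcp", 445)]  # the NT 4.0 caveat from the reply
    return {"full_acl_win2000": smb_mapping_works(full),
            "without_139_deny_win2000": smb_mapping_works(no_139),
            "only_445_open_win2000": smb_mapping_works(no_445),
            "only_445_open_nt4": smb_mapping_works(no_445, "nt4")}
```

With the full ACL neither SMB transport survives, which is why the mapping only works once the 139 deny is gone; opening 445 alone would serve Windows 2000 but not an NT 4.0 or Win9x client.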
