Filter rule for web access

patrick

Greetings! I hope I can get some help on the filter rules.

I have set up a w2k machine as a VPN server. I noticed that if I don't
set any filter rule on the interfaces, everything works fine. However,
if I keep the default rules (i.e., deny all except Protocol 47, TCP
1723, UDP 500, UDP 1701) on the input and output filters, I am not able
to ping or browse the web.

What I have found out is that by allowing UDP 53, I can ping IPs and
URLs. But I am still not able to browse the web. I have tried opening
many different UDP ports without success. I have even opened all the
TCP ports, but as long as I restrict UDP to 500 and 1701, I am not able
to browse the web. Does anyone know which UDP port (or protocol) I need
to allow in order to access the web?

Thanks & Regards,
Patrick
 
SAMIRJ [MS]

To access the web, you need to open TCP port 80 (HTTP), TCP port 443 (HTTPS) and
UDP port 53 (DNS).
 
patrick

Hi SAMIRJ,

Thanks for your reply. Opening the TCP ports 80 and 443 helped.
However, I still have to keep all the UDP ports open because if I open
only UDP 500, 1701 and 53, I cannot browse anymore. Any idea why?

Regards,
Patrick
 
SAMIRJ [MS]

When you say "cannot browse" - can you explain more or give an example?
My understanding of web browsing is that you want to use IE and try to access some web
site - like www.microsoft.com. And that should have worked by opening the DNS
and HTTP/HTTPS ports.
Please clarify your setup and your requirement further.
 
patrick

Hi SAMIRJ,

Thanks for replying. Yes, by browsing I mean using the web browser to
access web sites. Here are the two scenarios (the one that works and
the one that doesn't):

Scenario 1
---------------
Input and Output Filters set to allow this access. With these
settings, I am able to ping external sites and browse web sites (e.g.,
yahoo.com).

Port 47
TCP 1723
TCP 80
TCP 443
ICMP Any
UDP Any


Scenario 2
---------------
Input and Output Filters set to allow this access. With these
settings, I can neither ping any external site nor browse any web
sites.

Port 47
TCP 1723
TCP 80
TCP 443
ICMP Any
UDP 53
UDP 80
UDP 443

The only difference between Scenario 1 & 2 is that S1 has all UDP ports
opened, while S2 only allows 53, 80, and 443. So, it seems like some
other UDP ports must be opened in addition to 53, 80, and 443.

Best Regards,
Patrick
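As an added illustration (not part of the thread, and not a statement of how RRAS actually evaluated Patrick's filters): a small stateless-filter model shows one reason a "deny all except UDP 53" pair of input/output filters can break name resolution while "UDP Any" does not. It assumes the filters are stateless, match on the port fields exactly as listed, and that the same list is applied to both directions; it models only the DNS exchange, not TCP return traffic.

```python
"""Stateless packet-filter model for comparing Scenario 1 and Scenario 2.
Constructed example: rules and packets are made up for illustration and
are not the original poster's configuration or any product's behaviour."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    proto: str                      # "udp", "tcp", "icmp" or "gre" (protocol 47)
    src_port: Optional[int] = None  # None means "Any"
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    proto: str
    src_port: Optional[int] = None  # None for protocols without ports
    dst_port: Optional[int] = None


def allowed(rules: List[Rule], pkt: Packet) -> bool:
    """'Deny all except' semantics: pass only if some rule matches the packet."""
    return any(
        r.proto == pkt.proto
        and r.src_port in (None, pkt.src_port)
        and r.dst_port in (None, pkt.dst_port)
        for r in rules
    )


# A name lookup as a filter on the Internet-facing interface sees it: the
# query is checked by the output filter, the reply by the input filter.
# Client port 1025 is a constructed ephemeral port.
DNS_FLOW: List[Tuple[str, Packet]] = [
    ("out", Packet("udp", 1025, 53)),  # query to the DNS server
    ("in", Packet("udp", 53, 1025)),   # reply: source 53, destination ephemeral
]


def dropped(output_rules: List[Rule], input_rules: List[Rule]) -> List[str]:
    """Return the directions in DNS_FLOW that this filter pair would drop."""
    return [d for d, p in DNS_FLOW
            if not allowed(output_rules if d == "out" else input_rules, p)]


COMMON = [Rule("gre"), Rule("tcp", dst_port=1723), Rule("tcp", dst_port=80),
          Rule("tcp", dst_port=443), Rule("icmp")]
S1 = COMMON + [Rule("udp")]                                   # Scenario 1: UDP Any
S2 = COMMON + [Rule("udp", dst_port=p) for p in (53, 80, 443)]  # Scenario 2
S2_IN = COMMON + [Rule("udp", src_port=53)]  # input filter keyed on the reply's source port

if __name__ == "__main__":
    print("S1 drops:", dropped(S1, S1))        # []
    print("S2 drops:", dropped(S2, S2))        # ['in']: reply never matches "destination 53"
    print("S2 fixed:", dropped(S2, S2_IN))     # []
```

The narrower alternative to UDP Any is an input rule that matches the reply by its source port (53), which is what S2_IN does; whether the poster's filters were keyed that way is not established by the thread.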
 
