Ports for mapping drive

Guest

We have a disaster recovery site at two locations, so if the current
server goes down we need to access the application from the remote backup
sites, between which we have a firewall in a NATed environment. To access the
applications we need to map the drive, so if the current server goes down,
which ports need to be opened in the firewall to map the drives?

Server-Windows 2000 AD
Clients-Windows 2000 Prof & Windows XP.

Will opening ports 137 UDP and 139 TCP be enough, or does it require other
ports for mapping the drive?

Thanks in advance
Innu
 
Paul Bergson [MVP-DS]

Just try it and monitor the port activity on your firewall.

I thought these were the ports needed (both TCP and UDP):
135, 136, 137, 139 and 445

I am not sure, though; that is why I would monitor the firewall when
attempting, to see what activity actually occurs.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Herb Martin

Paul Bergson said:
Just try it and monitor the port activity on your firewall.

I thought these were the ports needed (both TCP and UDP):
135, 136, 137, 139 and 445

I am not sure, though; that is why I would monitor the firewall when
attempting, to see what activity actually occurs.

And you are going to need to authenticate so unless the DCs and
DNS servers are all available local to the clients then all that will
need to be available too. Kerberos on 88 and DNS on 53 would
be the main things.

Usually it's easier to just set up a VPN and punch it through
the firewall for such things -- these (types of) clients will need to
authenticate anyway so the VPN authentication will secure the
open port for that.
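
The advice above to try the mapping and watch the firewall can be turned into a small log tally. The following is an added example, not code from any poster in this thread; the log layout, IP addresses and sample lines are constructed assumptions, so adapt the pattern to what your firewall actually writes.

```python
import re
from collections import defaultdict

# Well-known services behind the ports discussed in this thread.
SERVICES = {53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper",
            137: "NetBIOS name service", 138: "NetBIOS datagram",
            139: "NetBIOS session (SMB)", 445: "SMB over TCP"}

# Assumed log layout: "<timestamp> <ALLOW|DENY> <TCP|UDP> src:sport -> dst:dport"
LINE = re.compile(r"^\S+ (ALLOW|DENY) (TCP|UDP) ([\d.]+):\d+ -> ([\d.]+):(\d+)$")

# Constructed sample: one drive-mapping attempt from a DR-site client.
SAMPLE_LOG = """\
2006-01-10T09:00:01 ALLOW UDP 10.2.0.15:1030 -> 10.1.0.5:137
2006-01-10T09:00:01 DENY UDP 10.2.0.15:1031 -> 10.1.0.5:53
2006-01-10T09:00:02 DENY TCP 10.2.0.15:1032 -> 10.1.0.5:445
2006-01-10T09:00:02 ALLOW TCP 10.2.0.15:1033 -> 10.1.0.5:139
2006-01-10T09:00:03 DENY TCP 10.2.0.15:1034 -> 10.1.0.5:88
2006-01-10T09:00:03 DENY TCP 10.2.0.15:1035 -> 10.1.0.5:88
2006-01-10T09:00:04 DENY TCP 10.9.9.9:4000 -> 10.1.0.9:3389
malformed line that the parser must skip
"""

def port_activity(log_text, server_ip):
    """Count ALLOW/DENY per (protocol, port) for traffic sent to server_ip."""
    counts = defaultdict(lambda: {"ALLOW": 0, "DENY": 0})
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m or m.group(4) != server_ip:
            continue  # skip unparseable lines and other destinations
        action, proto, _src, _dst, port = m.groups()
        counts[(proto, int(port))][action] += 1
    return dict(counts)

def blocked_only(activity):
    """Ports the client tried but the firewall never let through."""
    return sorted((proto, port, SERVICES.get(port, "unlisted"))
                  for (proto, port), c in activity.items()
                  if c["DENY"] and not c["ALLOW"])

if __name__ == "__main__":
    for proto, port, name in blocked_only(port_activity(SAMPLE_LOG, "10.1.0.5")):
        print(f"{proto}/{port} ({name}) was attempted and blocked")
```

Ports that appear only as DENY are the ones the mapping attempt needed and did not get; review each one before opening it rather than opening the whole list.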
 
Paul Bergson [MVP-DS]

Good point Herb

 
Guest

Thanks for all your replies. But if I open all the ports as mentioned, will
the NATed environment create any problem? Are there any changes to be made on
DNS for the NATed environment to work? Do I have to map with the NATed IP
address of the internal IP address?
Thanks
Innu
 
Herb Martin

Innu said:
Thanks for all your replies. But if I open all the ports as mentioned, will
the NATed environment create any problem? Are there any changes to be made on
DNS for the NATed environment to work? Do I have to map with the NATed IP
address of the internal IP address?

Depends on the firewall/NAT. If the NAT is a simple one then likely
every one of those ports will need to be specifically mapped.

This is yet another reason for punching the VPN through (or at least
"into") the NAT/firewall and using authentication to protect that port
or ports.

Also note that you will be making a security MESS if you let all of
those ports get to sensitive internal servers including DCs and DNS
servers.

Much better to use a VPN.
 
Guest

Thanks for all this information. I think VPN is the best option then, but would
Cisco or any hardware VPN be preferable, or would Windows configured as a VPN
be OK?
Thanks & Regards,
Innu
 
Herb Martin

Innu said:
Thanks for all this information. I think VPN is the best option then, but would
Cisco or any hardware VPN be preferable, or would Windows configured as a VPN
be OK?

Nothing wrong with hardware routers. Nothing particularly wrong with Windows
Server either.

Use whichever is most effective (including cost effective) for you.
 
Paul Bergson [MVP-DS]

I agree with Herb, Windows has this functionality built into 2003.

 
