Re: Blocking ports

From: x y (jamescagney90210@excite.com)
Date: 07/02/02


From: "x y" <jamescagney90210@excite.com>
Date: Tue, 2 Jul 2002 13:09:15 -0400


I think it's really essential to have logging capabilities whenever you do
port blocking, for troubleshooting issues like this. Windows 2000 IPsec does
not have logging, so I would debate the value of choosing it over some third
party solution.

If you have logging capabilities, checking the log is always the first thing
I would think to do whenever you have a question like this. If you don't
have logging capabilities, install Windows 2000 Network Monitor [under
Control Panel, Add/Remove Programs, Windows Components] or ethereal or
windump onto both machines to see what exactly is being sent and received or
not received.

I gave up on doing port filtering between clients and the domain
controllers as it seems that several connections are opened on random ports,
sometimes originating from the domain controller.

"Asanga" <asanga@idnw.com> wrote in message
news:14aed01c221df$846ced70$3bef2ecf@TKMSFTNGXA10...
> I run W2K with AD and I have a member server logging into
> the domain. In the member server I have blocked all
> unnecessary ports according to this article -
> http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000serv/reskit/tcpip/part4/tcpappc.asp
>
> I have opened the domain and kerberos authentication ports
> but still when I log into the domain, it takes very long
> time for me to log into it. It takes about 5 minutes for
> the log in process but it works. Has anyone experienced
> this before? And if so, what specific ports can I leave
> open?
>
> Thanks
>
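The check the reply describes (capture on both machines and see what is sent and what is never answered), as an added example that is not part of the original thread: it parses tcpdump/windump-style lines from a constructed sample (the bracketed "Flags [..]" layout is an assumption) to list which connection attempts got no SYN/ACK and which side opened connections to which ports.

```python
import re
from collections import Counter, defaultdict

# tcpdump/windump "Flags [..]" line layout (an assumption; older releases
# print the flags without brackets and would need a different pattern).
LINE_RE = re.compile(
    r"^\S+\s+IP\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed capture: client 192.0.2.10 logging on to DC 192.0.2.5. The SYN
# to port 1026 is retried and never answered; the DC later opens its own
# connection back to a high port on the client.
SAMPLE_CAPTURE = """\
13:09:15.000100 IP 192.0.2.10.1041 > 192.0.2.5.88: Flags [S], seq 1, win 16384
13:09:15.000200 IP 192.0.2.5.88 > 192.0.2.10.1041: Flags [S.], seq 9, ack 2, win 17520
13:09:15.002000 IP 192.0.2.10.1043 > 192.0.2.5.135: Flags [S], seq 1, win 16384
13:09:15.002100 IP 192.0.2.5.135 > 192.0.2.10.1043: Flags [S.], seq 9, ack 2, win 17520
13:09:15.003000 IP 192.0.2.10.1044 > 192.0.2.5.1026: Flags [S], seq 1, win 16384
13:09:18.003000 IP 192.0.2.10.1044 > 192.0.2.5.1026: Flags [S], seq 1, win 16384
13:09:24.003000 IP 192.0.2.10.1044 > 192.0.2.5.1026: Flags [S], seq 1, win 16384
13:09:30.000000 IP 192.0.2.5.1050 > 192.0.2.10.1029: Flags [S], seq 1, win 16384
13:09:30.000100 IP 192.0.2.10.1029 > 192.0.2.5.1050: Flags [S.], seq 9, ack 2, win 17520
"""

def parse_handshakes(capture):
    """Count pure SYNs per (initiator, responder, dport); note which got a SYN/ACK."""
    attempts, answered = Counter(), set()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["flags"] == "S":
            attempts[(m["src"], m["dst"], int(m["dport"]))] += 1
        elif m["flags"] == "S.":
            # SYN/ACK travels responder -> initiator; key it as the attempt
            answered.add((m["dst"], m["src"], int(m["sport"])))
    return attempts, answered

def unanswered_connections(capture):
    """Attempts with no SYN/ACK, with retry counts: the ports being dropped."""
    attempts, answered = parse_handshakes(capture)
    return {k: n for k, n in attempts.items() if k not in answered}

def ports_by_initiator(capture):
    """Destination ports each host opened; exposes DC-originated connections."""
    by_host = defaultdict(set)
    for src, _dst, dport in parse_handshakes(capture)[0]:
        by_host[src].add(dport)
    return {host: sorted(ports) for host, ports in by_host.items()}
```

Run it against a real capture from both sides and compare the two outputs: an attempt that appears in the client's capture but never in the DC's is being dropped on the way in.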