Firewall Wizards mailing list archives

Re: Firewall blocking broadcasts in between NT Servers


From: Adam Shostack <adam () homeport org>
Date: Wed, 15 Jul 1998 03:55:15 -0400 (EDT)

Hobbit's "CIFS is a load of CACA" paper covers this issue.  If you
haven't read the paper, you should, and so I won't tell you the port
numbers. :)

It's on avian.org, as well as any decent collection of security papers.


Adam


(NetQuest) Borkin, Michael wrote:
| Hello,
| 
|   I am on a mailing list for people studying for their MCSEs and this
| problem came across.. no one seems to be able to come up with a solution
| so I thought I would post it here.. b/c Wayne is not on this list I
| would appreciate it if you could  CC: it to him at
| http://wayne.vanvelthoven () nrc ca as well as posting it to the list...
| any help would be greatly appreciated... Below, I have both his original
| e-mail (last Thursday) and an update from Monday morning....
| 
| TIA,
| 
| Mike Borkin
| 
| original message follows----------------------------------
| 
| 
| Hi all,
| I have an NT4 server running IIS, which is a member (non-DC) server in a
| domain and has now been moved behind a firewall. The PDC and the only
| BDC are still in front of the firewall; as are the WINS servers.
| 
| I've punched holes through the firewall for TCP:80, TCP:139, UDP:137 and
| UDP:138, but domain synchronization and authentication no longer work.
| The server can see the PDC and BDC when they're called by name, but it
| can't find them when it's looking for the domain. This error message is
| filling the log:
| 
|         5719
|         No Windows NT Domain Controller is available for domain ABC.
|         (This event is expected and can be ignored when booting with the
| 'No Net' Hardware Profile.)
|         The following error occurred:
|         There are currently no logon servers available to service the
| logon request.
| 
| I enabled an LMHOSTS file on this server to tell it where the DCs are,
| but it didn't help (tried with and without WINS).
| 
| When I run Usrmgr on the server, it comes up with its local accounts, as
| expected.  When I tell it to change domain to ABC, it fails because no
| DCs can be found.  When I tell it to change domain to the PDC, \\ABC-PDC
| it gives me a message saying that ABC-PDC is a controller for domain
| ABC; focus will be set to ABC.  That works.  So, it sees the domain when
| it looks for the DCs but it doesn't see the DCs when it looks for the
| domain.
| 
| The firewall logs (supposedly) all traffic that passes (or attempts to
| pass) through.  It shows nothing being blocked either to or from
| this server.  Help?!  What am I missing?  Thanks in advance
| 
| Wayne van Velthoven, MCP
| National Research Council Canada
| wayne.vanvelthoven () nrc ca <mailto:wayne.vanvelthoven () nrc ca>
| 
| 2nd Message---------
| 
| Subject:
|         RE: Firewall problem
|    Date:
|         Mon, 13 Jul 1998 09:40:03 -0400
|    From:
|         "vanVelthoven, Wayne" <Wayne.vanVelthoven () nrc ca>
|      To:
|         "'borkin () netquest com'" <borkin () netquest com>
| 
| 
| 
| 
| Hi,
| 
| No, I haven't gotten it solved, yet.  One person on list suggested using
| an LMHOSTS file, but I had already tried that without success.  He was
| right in that the firewall would be blocking the broadcasts, but I
| thought using WINS and/or LMHOSTS was the right way to deal with that.
| Neither has worked.
| 
| I found a Knowledge Base article (Q179442) that has another port (135)
| listed with the others that I already opened (137, 138 and 139).  So I
| added 135, but again, no luck.  The article also says "All ports above
| 1024 for RPC Communication".  I haven't done that yet - I thought that
| applied to the other end.  Also, the firewall hasn't logged any
| (attempted) activity in that range.
| 
| Here's how the lmhosts file from that server looks:
| 100.10.10.10     ABC-PDC      #PRE #DOM:ABC
| 100.10.10.11     ABC-BDC1     #PRE #DOM:ABC
| 
| Any insight would be appreciated.  Thanks in advance.
| 
| Wayne van Velthoven, MCP
| National Research Council Canada
| 


-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume
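A worked check of the two things Wayne's messages turn on, added here as an example and not part of the thread, the Hobbit paper, or any Microsoft documentation: it models the ports named in the thread (TCP 135, UDP 137, UDP 138, TCP 139, and the "all ports above 1024 for RPC" line from Q179442 as Wayne quotes it) and compares them against a firewall allow-list, and it parses LMHOSTS lines with `#PRE`/`#DOM:` tags to confirm the domain controllers are preloaded for the right domain. The rule format `(proto, low_port, high_port)` and the assumption that only traffic from the member server toward the DC side matters are simplifications chosen for the example; the LMHOSTS lines and the port lists are the ones posted in the thread.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    port: int    # destination port on the DC / WINS side
    note: str


# Ports named in the thread (KB Q179442 as quoted there) for an NT4 member
# server reaching its domain controllers and WINS servers through a firewall.
REQUIRED_FLOWS = [
    Flow("udp", 137, "NetBIOS name service (WINS / name queries)"),
    Flow("udp", 138, "NetBIOS datagram service (NetLogon mailslots, browser)"),
    Flow("tcp", 139, "NetBIOS session service (SMB, NetLogon secure channel)"),
    Flow("tcp", 135, "RPC endpoint mapper"),
]
# The KB article, as quoted in the thread, also lists "all ports above 1024
# for RPC communication"; this range is an assumption built from that line.
RPC_DYNAMIC_RANGE = (1025, 65535)

# Hypothetical firewall rule model for this example: (proto, low_port, high_port),
# meaning the member server may reach the DC side on that destination port range.
Rule = Tuple[str, int, int]


def port_allowed(rules: List[Rule], proto: str, port: int) -> bool:
    """True if some rule of the right protocol covers this destination port."""
    return any(p == proto and lo <= port <= hi for p, lo, hi in rules)


def rpc_dynamic_allowed(rules: List[Rule]) -> bool:
    """True only if one TCP rule covers the entire dynamic RPC range."""
    lo, hi = RPC_DYNAMIC_RANGE
    return any(p == "tcp" and rlo <= lo and rhi >= hi for p, rlo, rhi in rules)


def check_rules(rules: List[Rule]) -> dict:
    """Report which required flows the allow-list does not cover."""
    missing = [f for f in REQUIRED_FLOWS if not port_allowed(rules, f.proto, f.port)]
    return {"missing": missing, "rpc_dynamic": rpc_dynamic_allowed(rules)}


@dataclass(frozen=True)
class LmhostsEntry:
    ip: str
    name: str
    preload: bool            # "#PRE": loaded into the name cache at startup
    domain: Optional[str]    # "#DOM:<domain>": entry is a DC for that domain


def parse_lmhosts(text: str) -> List[LmhostsEntry]:
    """Parse plain 'ip name [#PRE] [#DOM:domain]' lines from an LMHOSTS file."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line, comment, or a keyword line (#INCLUDE etc.), all ignored here
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, name, tags = fields[0], fields[1], [t.upper() for t in fields[2:]]
        domain = None
        for tag in tags:
            if tag.startswith("#DOM:"):
                domain = tag.split(":", 1)[1]
        entries.append(LmhostsEntry(ip, name, "#PRE" in tags, domain))
    return entries


def domain_controllers(entries: List[LmhostsEntry], domain: str) -> List[LmhostsEntry]:
    """Entries tagged as controllers for the given domain (case-insensitive)."""
    return [e for e in entries if e.domain and e.domain.upper() == domain.upper()]


# LMHOSTS lines exactly as posted in the thread.
SAMPLE_LMHOSTS = """\
# Entries from Wayne's second message
100.10.10.10     ABC-PDC      #PRE #DOM:ABC
100.10.10.11     ABC-BDC1     #PRE #DOM:ABC
"""

# Allow-lists reconstructed from the thread: the first message's four holes,
# then with TCP 135 added as in the second message, then with the RPC range.
RULES_FIRST_ATTEMPT = [("tcp", 80, 80), ("tcp", 139, 139), ("udp", 137, 137), ("udp", 138, 138)]
RULES_WITH_135 = RULES_FIRST_ATTEMPT + [("tcp", 135, 135)]
RULES_WITH_RPC = RULES_WITH_135 + [("tcp", 1025, 65535)]

if __name__ == "__main__":
    for label, rules in (("first attempt", RULES_FIRST_ATTEMPT),
                         ("with 135", RULES_WITH_135),
                         ("with RPC range", RULES_WITH_RPC)):
        report = check_rules(rules)
        print(f"{label}: missing={[f'{f.proto}/{f.port}' for f in report['missing']]} "
              f"rpc_dynamic={report['rpc_dynamic']}")
    for dc in domain_controllers(parse_lmhosts(SAMPLE_LMHOSTS), "ABC"):
        print(f"DC for ABC: {dc.name} at {dc.ip} (preload={dc.preload})")
```

Run against the thread's own allow-lists, the checker reports only TCP 135 missing from the first attempt, nothing missing from the NetBIOS/RPC-mapper set once 135 is added, and the dynamic RPC range still closed until a rule covering it exists; the LMHOSTS parser confirms both DCs are preloaded for domain ABC. Whether the wide RPC range should be opened at all is the judgement the thread leaves to the reader; the checker only makes the gap between the KB list and the allow-list explicit.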



