Firewall Wizards mailing list archives
Fw: WINS Replication Protocols
From: "Ahmed Ali" <ahmed () allied-chas com>
Date: Thu, 12 Mar 1998 17:01:32 -0500
many people have asked for details on NT/Exchange, so i figured i'd send it to the group...

NetBIOS Session services: TCP 139
-takes care of file sharing, user manager, server manager, event viewer, and most other management applets in the Administrative Tools common group
-can be handled with plug-gw on Gauntlet or GSP on Raptor (or any similar generic TCP proxy)
-must NOT do any NAT or masquerading (otherwise, you'll get a whole bunch of denies on the FW)

NetBIOS Name and Datagram Services: UDP 137, 138 respectively
-name services are what translate the name of the computer to IP address...WINS client to server stuff uses this
-datagram services are needed for logins, trusts, pass-through validation and other admin type stuff
-must be handled with packet screen in Gauntlet or similar pass-through in other FWs
-also must NOT do any NAT

WINS Replication: TCP 42
-used for WINS servers to share name databases

Exchange stuff:

Exchange Client to server
-you must do a registry hack on the Exchange server to get this to work
-uses RPC endpoint mapper: TCP 135, then negotiates two high ports, one for directory service and one for information store access
-add the following entries to registry:

HIVE - HKEY_LOCAL_MACHINE
PATH - SYSTEM\CurrentControlSet\Services\MSExchangeDS\Parameters
VALUE - TCP/IP port
TYPE - DWORD - make sure to set the RADIX to decimal b4 you type the port #

HIVE - HKEY_LOCAL_MACHINE
PATH - SYSTEM\CurrentControlSet\Services\MSExchangeIS\Parameters
VALUE - TCP/IP port
TYPE - DWORD - make sure to set the RADIX to decimal b4 you type the port #

**note these two ports must be different
-plug-gw's or GSP's or whatever will take care of all three of these ports
-once again, you must NOT do NAT
-this will also take care of the Exchange Administrator application (unlike what the MS KB says)

Exchange Server to Server (in the same exchange site):
-this uses TCP 135 and native NT RPCs
-once again, another registry edit that limits the range of ports available for NT RPCs must be done... not sure about that one exactly but i'll try to dig it up
-it can also be handled with a generic TCP proxy w/o NAT

Exchange Server to Server (in different exchange sites):
-you can use SMTP connectors
-you can use X.400 connectors (TCP 102...can be handled with generic TCP proxy w/o NAT)
-if you are crazy, you can use Site connectors which use native NT RPCs and can be handled as described above

***all of the above was verified on NT4.0 SP3 and both MS Exchange 5.0 & 5.5

-ahmed

-----Original Message-----
From: Burden, James <JBurden () caiso com>
To: 'Ahmed Ali' <ahmed () allied-chas com>
Date: Thursday, March 12, 1998 4:17 PM
Subject: RE: WINS Replication Protocols
Ahmed, I am currently researching installing a firewall in between the NT servers and their clients. Could you pass some of this information my way? I would greatly appreciate it.

TIA,
Jim

James L. Burden
Security Engineer
California Independent System Operator
Email - jburden () caiso com
http://www.caiso.com

Disclaimer: The above represents my personal opinions and not an official endorsement or position by the California ISO, my current employer. I reserve the right to disavow them at my convenience.
-----Original Message-----
From: Ahmed Ali [SMTP:ahmed () allied-chas com]
Sent: Wednesday, March 11, 1998 5:01 AM
To: Oliver Wainwright; firewall-wizards () nfr net
Subject: Re: WINS Replication Protocols

WINS replication uses TCP 42...i have had to detail the ports for NT and Exchange recently, so if you need more, let me know.

-----Original Message-----
From: Oliver Wainwright <wainwrio () ing-americas com>
To: firewall-wizards () nfr net <firewall-wizards () nfr net>
Date: Tuesday, March 10, 1998 11:30 PM
Subject: WINS Replication Protocols

Gentlemen,

We are in the process of developing an intranet security profile which will consist of a template of applications/services which must be made available to our remote offices via our WAN. I have been unable to find any documentation regarding a port and protocol for Microsoft's WINS to WINS replication. WINS client name resolution is performed via UDP on port 137. I'm hoping WINS will run replication via TCP on port 137 as I prefer not to pass UDP traffic through our firewalls. Any guidance and or suggestions are greatly appreciated.

TIA
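The port list and the two "must" conditions in Ahmed's post (no NAT on any of these flows, and the two pinned Exchange ports must differ) lend themselves to a small policy lint. The script below is an added example, not code from the thread or from any of the firewall products mentioned: the `Rule` record, the ruleset it checks, and the static port numbers 1500/1501 are constructed for illustration, and the REGEDIT4 fragment it renders shows why the post warns about the radix (regedit stores a DWORD as hex, so a port typed in the wrong radix silently becomes a different number).

```python
"""Lint a firewall ruleset against the NT/Exchange port list in the thread.

Added example; the ruleset model and sample values are constructed here.
Port numbers are the ones the thread names (139/tcp, 137-138/udp, 42/tcp,
135/tcp, 102/tcp) plus two hypothetical pinned Exchange ports.
"""
from dataclasses import dataclass

# Flows the thread says must be permitted and must not be NATed: (name, proto, port)
REQUIRED_SERVICES = [
    ("NetBIOS session", "tcp", 139),
    ("NetBIOS name", "udp", 137),
    ("NetBIOS datagram", "udp", 138),
    ("WINS replication", "tcp", 42),
    ("RPC endpoint mapper", "tcp", 135),
    ("X.400 connector", "tcp", 102),
]


@dataclass(frozen=True)
class Rule:
    """One firewall rule in a constructed, deliberately minimal format."""
    action: str          # "permit" or "deny"
    proto: str           # "tcp" or "udp"
    port: int
    nat: bool = False    # True if the firewall translates this flow


def exchange_static_ports(ds_port, is_port):
    """Return the two extra TCP flows the registry edit pins.

    The thread's note: the MSExchangeDS and MSExchangeIS values must differ.
    """
    if ds_port == is_port:
        raise ValueError("MSExchangeDS and MSExchangeIS TCP/IP port must be different")
    for p in (ds_port, is_port):
        if not 1024 <= p <= 65535:
            raise ValueError(f"port {p} is not a usable high port")
    return [("Exchange DS (pinned)", "tcp", ds_port),
            ("Exchange IS (pinned)", "tcp", is_port)]


def lint(rules, services):
    """Return findings: required flows with no permit, and permits that apply NAT."""
    findings = []
    permitted = {(r.proto, r.port): r for r in rules if r.action == "permit"}
    for name, proto, port in services:
        rule = permitted.get((proto, port))
        if rule is None:
            findings.append(f"MISSING: no permit for {name} {proto}/{port}")
        elif rule.nat:
            findings.append(f"NAT: {name} {proto}/{port} is translated; the post says it must not be")
    return findings


def reg_dword_lines(path, value_name, decimal_port):
    """Render a REGEDIT4-style fragment for one DWORD value.

    REGEDIT4 writes dword values in hex, which is why the post tells you to
    switch the radix to decimal before typing the port number in regedit.
    """
    return [f"[HKEY_LOCAL_MACHINE\\{path}]",
            f'"{value_name}"=dword:{decimal_port:08x}']


# Constructed sample ruleset: udp/138 wrongly NATed, tcp/102 absent.
SAMPLE_RULES = [
    Rule("permit", "tcp", 139),
    Rule("permit", "udp", 137),
    Rule("permit", "udp", 138, nat=True),
    Rule("permit", "tcp", 42),
    Rule("permit", "tcp", 135),
    Rule("permit", "tcp", 1500),
    Rule("permit", "tcp", 1501),
]


def sample_findings():
    """Run the lint over the constructed ruleset with pinned ports 1500/1501."""
    services = REQUIRED_SERVICES + exchange_static_ports(1500, 1501)
    return lint(SAMPLE_RULES, services)


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
    print("REGEDIT4")
    for line in reg_dword_lines(
            "SYSTEM\\CurrentControlSet\\Services\\MSExchangeDS\\Parameters",
            "TCP/IP port", 1500):
        print(line)
```

Running it reports the NATed datagram flow and the missing X.400 permit, then prints `"TCP/IP port"=dword:000005dc` for port 1500, the hex form regedit would actually store.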
Current thread:
- WINS Replication Protocols Oliver Wainwright (Mar 10)
- <Possible follow-ups>
- Re: WINS Replication Protocols Ahmed Ali (Mar 11)
- Fw: WINS Replication Protocols Ahmed Ali (Mar 12)