VPN, file browsing - ref ports 139 & 445

tookawhile

IS-IT--Management
Aug 12, 2005
242
GB
I currently use a very simple built-in VPN on W2003SRV and XP clients, to allow a couple of users access to our file server whilst they are out and about - all works fine.

However if I block ports 139 & 445 (I know these are used for browsing etc) then the users cannot find the file server.

How do I get around this?

I'm currently moving data to a central Samba server and this also cannot be found by browsing via My Network unless I open at least one of the above ports.

 
You can't...

139 is for NetBIOS resolution... that is not really needed. What is killing you is port 445. This is SMB, used for all file copy operations in all operating systems. It is not an option, it is required...

-Brandon Wilson
MCSE00/03, MCSA:Messaging00, MCSA03, A+
Sr. Infrastructure Management Analyst
Distributed Systems Engineering
ACS, Inc.
 
Thanks for the reply.

I thought it might be so but was hoping there might be a way around it.
 
The only option I could see there is to purchase hardware or software capable of encapsulating and isolating incoming networks (ISA 2004 comes to mind... ISA 2006 as well). You would need the ports open at the front, but ISA could be in back inspecting the traffic as it comes in and dropping invalid packets :))

-Brandon Wilson
MCSE00/03, MCSA:Messaging00, MCSA03, A+
Sr. Infrastructure Management Analyst
Distributed Systems Engineering
ACS, Inc.
 
You could open port 21 and use the FTP protocol for file browsing. You could set up virtual directories per user if needed. This would give you much flexibility if you have a problem with opening ports 139 and 445.
 
That's true....

You could also go a step further and encrypt it with SSL and require user certificates for access :)

-Brandon Wilson
MCSE00/03, MCSA:Messaging00, MCSA03, A+
Sr. Infrastructure Management Analyst
Distributed Systems Engineering
ACS, Inc.
 
I use Cisco SSL VPN for remote client access. I have pretty much all protocols locked down. I noticed that when a user is VPNed in and tries to map a network drive to a server share, the client uses not only port 445 (SMB) but also port 88 (Kerberos).
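To see which of the ports discussed in this thread actually pass through a tunnel, a client-side check like the following can be run while connected. It is an added example, not code from any poster; `fileserver.example` and `dc.example` are placeholder host names, and probing Kerberos on a separate host is an assumption that the KDC is a domain controller rather than the file server.

```python
import socket

# TCP ports named in this thread and what each one carries.
FILE_SERVER_PORTS = {
    445: "SMB (direct-hosted)",
    139: "SMB over NetBIOS session",
    21: "FTP control",
}
KERBEROS_PORT = 88


def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_file_access(file_server, kdc=None, probe=tcp_open):
    """Probe the thread's ports and summarise which SMB path is usable.

    kdc is the host that answers Kerberos (assumed to be a domain
    controller); it defaults to the file server when not given.
    """
    state = {port: probe(file_server, port) for port in FILE_SERVER_PORTS}
    state[KERBEROS_PORT] = probe(kdc or file_server, KERBEROS_PORT)
    if state[445]:
        smb = "SMB reachable on 445"
    elif state[139]:
        smb = "SMB reachable only over NetBIOS session (139)"
    else:
        smb = "no SMB path: shares cannot be mapped or browsed"
    return state, smb


if __name__ == "__main__":
    # Placeholder names: substitute the real file server and domain controller.
    state, smb = check_file_access("fileserver.example", kdc="dc.example")
    for port in sorted(state):
        label = FILE_SERVER_PORTS.get(port, "Kerberos")
        print(f"{port:>4} {label:<26} {'open' if state[port] else 'blocked'}")
    print(smb)
```

Run from the remote client once the VPN is up; a result of "no SMB path" matches the symptom in the original question, where blocking both 139 and 445 makes the file server unreachable.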
 
There would be no need to use SSL with FTP because the connection would already be encrypted through the VPN. If FTP is the route you choose, you are now only dealing with one protocol rather than 2 or more. Plus, if it is security you are worried about, file sharing (NetBIOS) is one of the most widely probed and exploited protocols and the easiest to hack.
 
Yep, that'd be correct, no need to encrypt over an SSL VPN.

By simple VPN I assumed you meant RRAS using L2TP or PPTP VPN connections :)

-Brandon Wilson
MCSE00/03, MCSA:Messaging00, MCSA03, A+
Sr. Infrastructure Management Analyst
Distributed Systems Engineering
ACS, Inc.
 
No need to use an SSL VPN if you don't mind your credentials being passed in clear text.
 
One thing I never asked... will there be any kind of domain members on the other end of the VPN, say like at-home workers and such?

-Brandon Wilson
MCSE00/03, MCSA:Messaging00, MCSA03, A+
Sr. Infrastructure Management Analyst
Distributed Systems Engineering
ACS, Inc.
 