[Dshield] DCOM VPN Question

John Hardin johnh at aproposretail.com
Wed Aug 13 19:07:35 GMT 2003

On Wed, 2003-08-13 at 11:54, Jon R. Kibler wrote:
> Greetings:
> I just had an interesting conversation with a network security person
> that was having problems blocking the ports used by the DCOM worm.
> They indicated that they had tried to block 135/TCP on their border
> router, but clients running Microsoft VPN started complaining because
> they could not connect. 

> It appears that Microsoft VPN uses 135/TCP for RPC services used to 
> establish a VPN connection. Is anyone familiar with this issue? What
> if anything is the solution to this problem? It is my understanding
> that these clients have no choice but to use Microsoft VPN.

First off, exactly *what* do you mean when you say "Microsoft VPN"?

There are two VPN protocols in wide use: PPTP and IPsec. Neither one
depends on in-the-clear 135/TCP traffic between the gateways to
establish a tunnel or authenticate.

Traffic between the corporate-side VPN gateway and the corporate-side
Windows servers (PDC et al.) is a different issue. That may be where the
problem lies. Is the VPN gateway *outside* their border router?

What I suspect is that the VPN tunnel is being established, then the
Windows traffic carried over the tunnel is being blocked. (This is the
scenario I was talking about in my earlier post.)

John Hardin  KA7OHZ                           
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
 "...in retrospect, we probably should have turned it on by default."
     - Craig Mundie, Microsoft CTO, on shipping Windows XP with the
       much-hyped "Internet Connection Firewall" turned off by default
 8 days until company picnic and AquaSox game
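
The diagnosis in the message above, worked through as an added example (not part of the original post): a first-match border ACL that drops 135/TCP, evaluated against the flows the router would see with the VPN gateway inside versus outside the border. The ACL, the flow labels and the function names are hypothetical; the port and protocol numbers are the standard ones for PPTP (1723/TCP plus GRE) and IPsec (IKE on 500/UDP plus ESP).

```python
from dataclasses import dataclass
from typing import Optional

TCP, UDP, GRE, ESP = 6, 17, 47, 50  # IANA IP protocol numbers

@dataclass(frozen=True)
class Flow:
    label: str
    proto: int
    dport: Optional[int] = None  # None for portless protocols (GRE, ESP)

# Hypothetical border policy: drop 135/TCP, permit everything else.
BORDER_ACL = [("deny", TCP, 135), ("permit", None, None)]  # None = wildcard

# On-the-wire flows between VPN client and gateway for each protocol.
TUNNEL = {
    "pptp": [Flow("PPTP control", TCP, 1723), Flow("PPTP data (GRE)", GRE)],
    "ipsec": [Flow("IKE", UDP, 500), Flow("IPsec ESP", ESP)],
}
# Constructed inner traffic: a VPN client talking RPC to a Windows server.
INNER = [Flow("RPC endpoint mapper", TCP, 135)]

def border_verdict(flow, acl=BORDER_ACL):
    """First-match evaluation; implicit deny if nothing matches."""
    for action, proto, dport in acl:
        if proto in (None, flow.proto) and dport in (None, flow.dport):
            return action
    return "deny"

def seen_by_border(vpn, gateway_outside_border):
    """Flows that actually cross the border router.

    Gateway inside the border: the router sees only the encapsulated
    tunnel; the inner 135/TCP is hidden in GRE or ESP payloads.
    Gateway outside the border: the tunnel ends before the router, so the
    decapsulated inner traffic crosses it in the clear.
    """
    return INNER if gateway_outside_border else TUNNEL[vpn]

def diagnose(vpn, gateway_outside_border):
    return {f.label: border_verdict(f)
            for f in seen_by_border(vpn, gateway_outside_border)}

if __name__ == "__main__":
    for vpn in TUNNEL:
        for outside in (False, True):
            print(vpn, "gateway outside border:", outside, diagnose(vpn, outside))
```

With the gateway inside the border, both tunnel types pass the 135/TCP block untouched; only when the tunnel terminates outside the router does the block hit the clients' Windows traffic.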
