[Dshield] DCOM VPN Question

andy.n.willson@exxonmobil.com andy.n.willson at exxonmobil.com
Wed Aug 13 21:50:05 GMT 2003


I certainly don't claim to be an expert in this stuff. Never had to look at
this junk till recently.
I believe John Hardin is correct. The VPN gateways shouldn't need to "look
up" any services to communicate with each other.

BUT, port 135 is needed for remote admin of services (including PPTP). One
question I would pose back...How/where does IPSec figure into this?


Andy



John Hardin <johnh at aproposretail.com>
Sent by: list-bounces at dshield.org
08/13/03 02:32 PM
Please respond to General DShield Discussion List

To:      General DShield Discussion List <list at dshield.org>
cc:
Subject: Re: [Dshield] DCOM VPN Question



On Wed, 2003-08-13 at 13:29, Jon R. Kibler wrote:
> Andy:
>
> So, are you saying that if a point in the middle between a remote user
> and their VPN server blocks 135, VPN will not work?

User ===== VPN gateway ----- (internet) ----- VPN gateway ===== corp net

Note that the VPN gateway on the user end may be incorporated into their
computer, giving:

User+VPN ------ (internet) ----- VPN gateway ===== corp net


If 135 is blocked on the local network parts (===) then lots of MS stuff
will break.

If 135 is blocked on the public network parts (---) then it won't affect
the VPN, as the VPN gateways do not depend on 135/tcp to communicate
with each other.

> I read the link. It is not exactly clear how 135 works in conjunction
> with any of the Microsoft VPN services.

That's because it does not.

--
John Hardin  KA7OHZ
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
-----------------------------------------------------------------------
 "...in retrospect, we probably should have turned it on by default."
     - Craig Mundie, Microsoft CTO, on shipping Windows XP with the
       much-hyped "Internet Connection Firewall" turned off by default
-----------------------------------------------------------------------
 8 days until company picnic and AquaSox game
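
Added example, not part of the original thread: a small Python model of the two diagrams above, showing that a filter on the public (---) segment sees only the tunnel's outer packets (PPTP control on 1723/tcp plus GRE, or IKE on 500/udp plus ESP), so dropping 135/tcp there neither breaks the tunnel nor stops RPC carried inside it. The addresses and function names are constructed for illustration; the port and protocol numbers are the standard ones for PPTP and IPsec, not values taken from the thread.

```python
# Added illustration: addresses and names below are constructed, not from the thread.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                         # "tcp", "udp", "gre" (IP proto 47), "esp" (IP proto 50)
    dport: Optional[int] = None
    inner: Optional["Packet"] = None   # original packet carried inside the tunnel

GW_USER, GW_CORP = "198.51.100.10", "203.0.113.20"   # constructed gateway addresses

# What the two gateways themselves exchange across the public (---) segment.
TUNNEL_TRAFFIC = {
    "pptp":  [("tcp", 1723), ("gre", None)],   # PPTP control channel + GRE data
    "ipsec": [("udp", 500), ("esp", None)],    # IKE key exchange + ESP data
}

def blocks_135(pkt: Packet) -> bool:
    """A filter matches on the outermost header only; it cannot see pkt.inner."""
    return pkt.proto == "tcp" and pkt.dport == 135

def gateway_packets(tunnel: str) -> list:
    """Outer packets one gateway sends to the other for the given tunnel type."""
    return [Packet(GW_USER, GW_CORP, proto, dport) for proto, dport in TUNNEL_TRAFFIC[tunnel]]

def rpc_reaches_corp(tunnel: str, block_public: bool, block_local: bool) -> bool:
    """Follow one 135/tcp request: User === gateway --- gateway === corp net."""
    rpc = Packet("10.1.1.5", "10.2.2.8", "tcp", 135)
    if block_local and blocks_135(rpc):            # filter on a local (===) segment
        return False
    data_proto = TUNNEL_TRAFFIC[tunnel][1][0]
    outer = Packet(GW_USER, GW_CORP, data_proto, inner=rpc)
    if block_public and blocks_135(outer):         # filter on the public (---) segment
        return False
    return outer.inner is rpc                      # far gateway unwraps and forwards

def tunnel_survives(tunnel: str, block_public: bool) -> bool:
    """True if none of the gateways' own traffic is dropped on the public segment."""
    return not (block_public and any(blocks_135(p) for p in gateway_packets(tunnel)))
```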
