any logging when ipsec blocks a port? how to determine which ports need to be opened?

[Les Caudle]

I'd like to be able to lock down some office machines - so that the users can
share files, browse out thru proxy server, log onto the NT4 PDC domain - but
pretty much lock down everything else. (is there an faq on this?)

As ports are blocked by ipsec during configuration, some necessary ports may get
blocked. Is there a way to tell which ports were trying to get in and out (and
were blocked) so that ipsec could be tweaked a bit?

 

[Steven L Umbach]

Not really. The link below is a KB article about troubleshooting ipsec but mostly
relates to negotiation failures.

http://support.microsoft.com/default.aspx?scid=kb;en-us;257225

Your best bet would be to use a packet sniffer like Ethereal to see what packets are
not getting responses from what computers and on what ports. The link below may be of
help on what ports are necessary for network functioning in a NT4.0 domain. ---
Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;179442

Windows NT
Client Port(s) Server Port Service
1024-65535/TCP 135/TCP RPC *
137/UDP 137/UDP NetBIOS Name
138/UDP 138/UDP NetBIOS Netlogon and Browsing
1024-65535/TCP 139/TCP NetBIOS Session
1024-65535/TCP 42/TCP WINS Replication

 

[Mark Swift [MSFT]]

You can also enable IPSec Driver dropped packet event logging. Search for
EnableDiagnostics on this page:

http://www.microsoft.com/resources/...3/standard/proddocs/en-us/sag_ipsec_tools.asp


--

Mark Swift
Software Test Engineer
IP Security
Windows Networking
Microsoft

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm