Windows based file shares - what applications?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Windows based file shares - what applications?

L4 Transporter

Hi.

Can anyone tell me what applications you need to allow in a PA policy rule to allow Microsoft remote disk drive shares to be accessed?

For example, I have a server in my DMZ I want to be able to access drive shares on from my inside network by simply typing

\\<server>\share$

I've added the following

ms-ds-smb

netbios-dg

netbios-ns

netbios-ss

And yet I can't get a share mapped properly through the PA. It fails every time.

Anyone cast some light on what I might be missing?

Thanks.

4 REPLIES 4

L3 Networker

Best practice would be to temporarily allow any application on this policy at which point the traffic log should indicate all applications required to allow the the remote disk share.

gsamuels wrote:

Best practice would be to temporarily allow any application on this policy at which point the traffic log should indicate all applications required to allow the the remote disk share.

Problem with that is two-fold.

1) The traffic you're looking for quickly gets "lost in the wash" - it's difficult to tell which traffic is what you want/need and which is not, especially if the destination server is multi-purpose.

2) This kind of defeats the purpose of having a firewall and DMZ - if I wanted unfetted communications, I would just have the server inside and not put any rules on it at all.

Cheers.

Hi,

if you are using DFS, this should be the open ports:

System service name: DfsApplication protocol Protocol Ports
NetBIOS Datagram Service UDP 138
NetBIOS Session Service TCP 139
LDAP Server TCP 389
LDAP Server UDP 389
SMB TCP 445
RPC TCP 135
Randomly allocated high TCP ports TCP random port number between 1024 - 65535*

Opening any ports between the two devices is the only way to identify how many ports are used. This because any system configurations could vary the ports used/necessary and it's related always to your infrastructure (version of S.O, apps, etc).

Hi dagibbs,

You can always lock the ports and src/dst ip's down while you are performing the application investigation phase.  Then you are no less secure than a traditional firewall until you get the information you need to further lock down the application(s).  It's also very simple to filter the logs by src/dst to see all of the relevant conversations and weed out the others while testing.

Cheers,

Kelly

  • 7922 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!