Required ports

We have a guest using our company internet connection during his stay. He cannot use the program to connect to his company from within our network. As long as his connection is moved in front of the firewall, the connection is successful. Obviously, our firewall is blocking the ports his program is using. Can someone advise how to locate the ports required by that program, as the user has no idea about it?

Thanks,

Scott

Reply to
Scott

You can use either Active Ports or TCPView (both free), start up the program in question, and view what ports the program is listening on.

Then you need to find out how to open the inbound port(s) forwarding the traffic.

You can also use Google and inquire about the ports that the program is using, if it's a known program used by many.

Duane :)

Reply to
Duane Arnold

Reading the documentation of the program used to establish that connection (and probably contacting the vendor) would usually be the first step. If that doesn't help, you could use a protocol analyzer like Ethereal [1] to sniff the network traffic generated during the connection attempts. Also read your firewall logs.

However, you're most likely creating a big hole in your firewall by allowing a guest to establish connections between your network and the network of his company. I strongly advise against it. Or at least put him into a separate network segment without access to your internal network.

[1]
formatting link
cu 59cobalt
Reply to
Ansgar -59cobalt- Wiechers

Duane,

Thanks for your advice and suggested utility program.

Regarding the use of Google, could you please explain more about how to inquire about the ports that the program is using? The program may not execute successfully when I make the inquiry. Can I still get the answer about the ports that will be used by that program? Then I can configure the firewall to allow the ports to be used.

Scott

Reply to
Scott

Usually, this is a case for having a DMZ in security zone design. Perhaps you could ask your security/network admins, if you have something like that?

Yours, VB.

Reply to
Volker Birk

Check the firewall logs and find out what it blocked for that user. And what rule blocked it.

-Frank

Reply to
Frankster
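The log check suggested above can be scripted. This is an added example, not part of the original thread: it assumes Linux netfilter-style LOG lines, and the `FW-DROP-OUT` prefix, addresses and ports are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample log (netfilter LOG style); prefix, IPs and ports are invented.
SAMPLE_LOG = """\
Mar  3 10:01:12 fw kernel: FW-DROP-OUT IN=eth1 OUT=eth0 SRC=192.0.2.50 DST=198.51.100.7 PROTO=TCP SPT=49152 DPT=1723 SYN
Mar  3 10:01:15 fw kernel: FW-DROP-OUT IN=eth1 OUT=eth0 SRC=192.0.2.50 DST=198.51.100.7 PROTO=TCP SPT=49152 DPT=1723 SYN
Mar  3 10:01:20 fw kernel: FW-DROP-OUT IN=eth1 OUT=eth0 SRC=192.0.2.50 DST=198.51.100.7 PROTO=UDP SPT=500 DPT=500
Mar  3 10:02:01 fw kernel: FW-DROP-OUT IN=eth1 OUT=eth0 SRC=192.0.2.77 DST=203.0.113.9 PROTO=TCP SPT=50111 DPT=6667 SYN
Mar  3 10:02:05 fw kernel: FW-DROP-OUT IN=eth1 OUT=eth0 SRC=192.0.2.50 DST=198.51.100.7 PROTO=47
Mar  3 10:02:09 fw kernel: FW-ACCEPT IN=eth1 OUT=eth0 SRC=192.0.2.50 DST=198.51.100.7 PROTO=TCP SPT=49200 DPT=443 SYN
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S+)")      # KEY=value pairs in a LOG line
RULE = re.compile(r"kernel: (\S+) ")         # log prefix naming the rule


def blocked_flows(log_text, guest_ip, drop_prefix="FW-DROP"):
    """Count (rule, proto, dst, dport) for dropped packets sent by guest_ip."""
    counts = Counter()
    for line in log_text.splitlines():
        rule = RULE.search(line)
        if not rule or not rule.group(1).startswith(drop_prefix):
            continue                          # not a drop entry
        f = dict(FIELD.findall(line))
        if f.get("SRC") != guest_ip:
            continue                          # some other host's traffic
        # Port-less protocols (logged by number, e.g. PROTO=47) have no DPT.
        key = (rule.group(1), f.get("PROTO", "?"), f.get("DST"), f.get("DPT", "-"))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (rule, proto, dst, dport), n in blocked_flows(SAMPLE_LOG, "192.0.2.50").most_common():
        print(f"{n:3d}x rule={rule} proto={proto} dst={dst} dport={dport}")
```

The summary shows which rule dropped which destination and port for the guest's address, including port-less protocols that a port-only search would miss.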

Thanks for your good advice.

Could you please suggest any simple way to put the guest on a separate network segment? In addition, they also need to access our VPN and network printers, so I am unsure how to separate them from our network.

Thanks,

Scott

Reply to
Scott


Frankster,

Good idea and I will try it on.

Thanks,

Scott

Reply to
Scott

Perhaps you should have a printer in the DMZ. Letting someone into the internal zone usually is not a good idea (while I know much too little about your concrete case to judge).

What is "VC equipment"? I think you don't mean "Venture Capital" ;-)

Yours, VB.

Reply to
Volker Birk

De nada.

Not really, since I know nothing about your network topology. If your guest has a wireless adapter, then maybe setting up a wireless AP with strict filtering rules is an option. That setup would create a DMZ like Volker suggested. But as I said: it heavily depends on your network topology. Best you have a talk with your network guys.

What VPN and why does he need access to it? As for a printer: maybe you can put a printer into the DMZ (e.g. plug it into the wireless AP in case the device supports that).

However, in a situation where your guest must have access to your internal network, you should deny him every connection to external networks, no matter what.

Regards Ansgar Wiechers

Reply to
Ansgar -59cobalt- Wiechers

If the program is a popular program then you can enter *program name and ports used* or something like that.

Duane :)

Reply to
Duane Arnold


Really, what you need is a security concept. Or is there one in your company? What conclusion can you draw based on this concept?

Yours, VB.

Reply to
Volker Birk

You're now describing a much more complicated situation from a security point of view. You're going to have to give us a lot more detail if you want a correct recommendation.

Although I'm starting to wonder, if this is somebody from HQ, are they not subject to the same type of workstation security that you are? And, are the networks already connected via (all too typically, unfiltered) site-to-site VPN? It may be that little is gained trying to secure this individual -- we have been assuming that a "guest" is from a foreign network.

-Russ.

Reply to
Somebody.
