Restricting source port across sites


Hi,

I have to deal with a firewall policy where they *insist* on only allowing
communication to AND FROM specific ports across sites. This also includes
the infamous DCOM port 135. Which is ironic, because I'm beginning to
think this can't be done. (Which is probably the intention!)

I know that RPC can be configured to only use a certain port range
( http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300083 )

But AIUI, this range only applies to the temporary server port that is
created by the RPC port mapper on the destination machine.
It does not apply to the ephemeral address range on the client machine.
So the from port could still be any port in the ephemeral range.

A bodge (that might really break the client box) would be to set
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPorts
to a low value. (Shame there is no MinUserPorts setting)

And possibly reduce TcpTimesWaitDelay to 10 seconds or so, so ports get
freed up quicker??

Lordy
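A read-only audit of the two sides of this problem, added here as an example and not part of the original post: it reports the server-side RPC dynamic range from the KB 300083 key (HKLM\SOFTWARE\Microsoft\Rpc\Internet, values Ports, PortsInternetAvailable and UseInternetPorts) and the client-side ephemeral settings (MaxUserPort, TcpTimedWaitDelay) so you can see what the firewall will actually observe. It assumes PowerShell on a Windows host; the default values in the comments are those of the XP/2003 era the KB targets.

```powershell
# Added example (not from the original post). Read-only registry audit of the
# settings discussed in the thread. Run in an elevated PowerShell session.

$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'                      # from KB 300083
$tcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'  # from the post

function Get-RegValue {
    # Return a registry value, or $null when the key or value is absent.
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# --- Server side: the range the RPC endpoint mapper hands out to callers.
#     All three values must be present for the restriction to take effect.
$ports   = Get-RegValue $rpcKey 'Ports'                  # REG_MULTI_SZ, e.g. 5000-5100
$avail   = Get-RegValue $rpcKey 'PortsInternetAvailable' # REG_SZ 'Y'
$useInet = Get-RegValue $rpcKey 'UseInternetPorts'       # REG_SZ 'Y'
if ($ports -and $avail -eq 'Y' -and $useInet -eq 'Y') {
    "RPC dynamic endpoints restricted to: $($ports -join ', ')"
} else {
    "RPC dynamic endpoints NOT restricted (Rpc\Internet key incomplete or absent)"
}

# --- Client side: outbound connections (including the call to port 135) still
#     take their source port from the ephemeral range, which Rpc\Internet does
#     not touch. MaxUserPort only lowers the top of that range; there is no
#     setting for the bottom, which is why the firewall sees "any" source port.
$maxUser = Get-RegValue $tcpKey 'MaxUserPort'       # REG_DWORD, default 5000 (XP/2003)
$twDelay = Get-RegValue $tcpKey 'TcpTimedWaitDelay' # REG_DWORD, seconds
$top      = if ($maxUser) { $maxUser } else { 5000 }
$maxLabel = if ($maxUser) { "MaxUserPort=$maxUser" } else { 'MaxUserPort unset' }
$twLabel  = if ($twDelay) { "$twDelay s" } else { 'unset (OS default)' }
"Client ephemeral source ports: 1025-$top ($maxLabel)"
"TcpTimedWaitDelay: $twLabel"

# Assumption: on Vista/2008 and later the ephemeral range defaults to
# 49152-65535 and is inspected with 'netsh int ipv4 show dynamicport tcp'
# rather than MaxUserPort; the registry values above then have no effect.
```

Shrinking MaxUserPort or TcpTimedWaitDelay narrows the client range only at the top; a firewall rule that pins a single source port will still break once the ephemeral pool is exhausted or the one allowed port is in TIME_WAIT.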

