As of Tuesday, I could no longer access the office Microsoft Exchange server from home, so I could not send or receive updates to my calendar. Very bad news. Can't schedule meetings or see what I'm supposed to be doing. Because the office recently moved, I thought at first we were having more firewall adjustment problems. In fact we were, but even when that was resolved, I still couldn't connect and neither could Freada (my wife and partner). Inside the office, from within the firewall, the same laptops had no trouble connecting. From outside, packets sent by Outlook weren't even reaching the firewall.
The clue on which the puzzle turned was that I had no trouble connecting from outside the firewall when I used my Sprint wireless broadband card. The finger was pointing at Pacbell, my home DSL provider. Sure enough, their tech support confirmed they were filtering traffic aimed at port 135 in order to control the Blaster worm. But Exchange needs to receive traffic on this port. Mystery solved, but Pacbell has one unhappy customer. The phone rep was unwilling to give me the name of a senior executive to complain to. Brilliant customer relations tactics.
My rant in brief: I'm not paying Pacbell to deliver my IP traffic on a subset of ports. I'm paying them to deliver full IP connectivity, which they are not doing. This is outrageous. As a workaround, Jurgen (OSAF IT guy) is looking into buying a pair of VPN boxes to tunnel the traffic. But obviously I shouldn't have to pay for this.
Falling dominos: Microsoft insecurity, big bureaucracy disregard for customers, and voila, customer screwage. Motivation to make Chandler happen faster.
Posted by mitch@osafoundation.org at August 15, 2003 04:10 PM
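As an added example, not code from the original post or from OSAF, here is a small Python probe that does what the diagnosis above did by hand: try a TCP connect to the ports the thread names (135, and later 139 and 445), classify the outcome, and compare the result seen from inside the office network with the result seen from an outside path. A silent timeout on a port that answers from another vantage point is the signature of something in the path dropping packets, as opposed to a connection refused, which means the host is reachable but nothing is listening there. The host names, the loopback listener fixture and the vantage-point labels are assumptions for illustration.

```python
"""Added example (not from the original post): classify TCP reachability of
the ports the thread discusses and compare two vantage points to separate
'server is down' from 'something in the path is dropping my packets'.
Host names, ports other than 135/139/445 and the loopback fixture are
assumptions for illustration."""
import socket
from typing import Dict, Iterable, Tuple

# Ports named in the thread: 135 (RPC endpoint mapper, which Outlook needs to
# reach Exchange) and 139/445, the other two ports the advisory quoted later
# in the comments asked ISPs to block.
THREAD_PORTS = (135, 139, 445)


def classify_error(exc: BaseException) -> str:
    """Map a connect() failure to what it tells us about the path."""
    if isinstance(exc, socket.timeout):
        # No SYN-ACK and no RST: packets are silently dropped somewhere
        # between us and the server. An upstream port filter looks like this.
        return "filtered"
    if isinstance(exc, ConnectionRefusedError):
        # The host answered with a RST: it is reachable, nothing is listening.
        return "closed"
    if isinstance(exc, OSError):
        # DNS failure, no route, network down: a different problem entirely.
        return "unreachable"
    raise exc


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """One TCP connect attempt, returned as open / closed / filtered / unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError as exc:  # socket.timeout is an OSError subclass
        return classify_error(exc)


def probe_ports(host: str, ports: Iterable[int] = THREAD_PORTS,
                timeout: float = 2.0) -> Dict[int, str]:
    """Probe several ports on one host and report each verdict."""
    return {p: probe(host, p, timeout) for p in ports}


def diagnose(inside: str, outside: str) -> str:
    """Compare one port probed from inside the office LAN and from an outside
    path (home DSL, a wireless card). This is the reasoning in the post:
    works inside, times out from home, works over a second outside path,
    therefore the first outside path is filtering."""
    if inside != "open":
        return f"server-side problem: port is {inside} even from inside"
    if outside == "filtered":
        return "path filtering: server answers locally but packets never arrive via this path"
    if outside == "closed":
        return "reachable but refused from outside: check NAT/port-forward or firewall rules"
    if outside == "open":
        return "no problem on this path"
    return f"outside path reports {outside}: check routing before blaming a port filter"


def start_local_listener() -> Tuple[socket.socket, int]:
    """Constructed fixture: a loopback listener on an ephemeral port, so the
    'open' and 'closed' verdicts can be exercised without any real server."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Placeholder host name, not a real server; replace with your own Exchange
    # front end and run once from inside the LAN and once from outside.
    for port, verdict in probe_ports("exchange.example.invalid").items():
        print(f"tcp/{port}: {verdict}")
    print(diagnose("open", "filtered"))
```

Run it once from inside the firewall and once from each outside path and feed the two verdicts for port 135 to `diagnose`; the interesting case is the one the post describes, where the inside probe says `open` and one outside path says `filtered` while another says `open`.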
Mitch,
Hmm.. Isn't it possible to configure Exchange to listen on another port?
Here are some URLs:
1. http://support.cox.net/custsup/safety/port_135.shtml
2. http://nsit.uchicago.edu/alert/port-135.html
--JYL
Posted by: Jacob Levy at August 15, 2003 10:22 PM
The solution offered in the referenced URLs is to use a VPN, as I am planning to do. If there is another way out, I'm not aware of it, nor do I think I should be responsible for figuring it out.
Posted by: Mitch Kapor at August 15, 2003 11:02 PM
And Exchange uses lots of random ports to listen to other stuff on, too, which makes it hard to lock down unneeded ports on your firewall to prevent DoS attacks.
Yes, we do need Chandler to support group calendaring yesterday!
Maybe Moz Calendar in the meantime? (Actually, I don't think that's ready for group stuff either.)
Yahoo calendar!
Posted by: BillSeitz at August 16, 2003 05:15 AM
Gee, I can't imagine why anyone would use Exchange in the first place. I've had no problems getting to my IBM Lotus Domino servers. ;-)
-rhs
Posted by: Richard Schwartz at August 16, 2003 03:30 PM
Exchange? Don't you believe in your own products? Don't you understand the benefits of a Domino/Notes infrastructure over an Exchange one? Please explain. Must be political ;-).
Posted by: Wayne Scarano at August 16, 2003 05:16 PM
Re: "Failed dominos"
I think you mean failed Exchange longs for Dominos.
Posted by: Wayne Scarano at August 16, 2003 05:22 PM
Falling Dominos = Freudian Slip?
You must be really concerned! :-)
Switch to IBM Lotus Domino, and you can read your mail securely, over port 1352, encrypted, out of the box...
Of course, you can also use SSL and all the other works...
Posted by: George Chiesa at August 16, 2003 10:36 PM
I have to mirror everyone's surprise that you would be using Exchange for your mail system.
Posted by: David Trail at August 18, 2003 06:41 AM
You're mad at your ISP because they had to limit ports to keep their network from saturating from mblaster? If you used an email system that was truly designed from the ground up for security instead of dropping its shorts to every kiddie hacker, you wouldn't have this problem....try Lotus Domino and maybe your company will be more efficient too :-)
Posted by: Ken Yee at August 18, 2003 07:14 AM
You might also be able to get by
* using Exchange just as IMAP server
* having Outlook users publish FreeBusy info to a shared FTP webserver.
I have a little more detail on my wikilog, but note I haven't fully tested - ideas are based on documented features.
http://webseitz.fluxent.com/wiki/GroupCalendaring
Posted by: Bill Seitz at August 18, 2003 08:01 AM
I've posted a new entry to respond to these comments.
Posted by: Mitch Kapor at August 18, 2003 08:40 AM
Mitch -
At our shop (the university of washington) over the last couple of weeks we also took the (for us) unprecedented action of shutting off access to ports (including 135) to try to control the spread of msblaster and the ilk. Our conclusion to date? While shutting the port may have slightly slowed the spread of the worm, once it got inside the institution it was uncontrolled anyway, and we'll probably remove our port blocks this week.
But that may be a different story on a commercial ISP where the majority of their customers don't have local networks with 50,000 devices.
The bottom line is that this is what we get in a world where the operating system vendor has not taken security seriously enough to have shipped the OS in a default state that makes it easy for users to maintain security (e.g. automatic patch downloading enabled, local firewall turned on)...
- Oren
Posted by: Oren Sreebny at August 24, 2003 07:05 AM
NY Times 25th August 2003 "....As a result of the Homeland Security advisory, administrators at Internet service providers...decided to cut their systems off from inbound access to the three ports recommended in the advisory: numbers 135, 139 and 445...one cable broadband supplier, Cox Communications, the company did issue warnings to its users that Exchange connections would be interrupted while Cox dealt with the Blaster attack...."
Posted by: unkamunka at August 25, 2003 10:20 AM
Wouldn't you be better off using a VPN instead of depending on using open ports like 135? Had you been using a VPN your traffic wouldn't have been interrupted. That and it would have been running secure and encrypted.
Fortunately VPN software comes built into your W2K server. Just configure RRAS and be done with it. Then configure your firewall to pass only the needed VPN traffic.
The end result? Nothing extra needed on your firewall and no external ports left open for blocking and/or attacks all while letting you get to whatever you need in a reasonably secure fashion.
Posted by: Bill Kearney at August 28, 2003 06:32 AM
re: VPN
This is the direction we wound up going. I'd had poor success with earlier VPNs as disrupting my usage patterns, but this time it's all working transparently. We still have to configure the VPN for a couple of use cases, as in when I'm on the road.
Posted by: Mitch Kapor at August 28, 2003 09:28 PM
Switch from Pacbell.net to an ISP that shares your goal of unfiltered access.
Little choice exists for DSL backhaul (Pacbell, Covad), but plenty of ISPs offer IP transit over a Pacbell-provisioned circuit. In areacode 415, look into SonicNet, Raw Bandwidth, and Speakeasy. VPNs are handy for other reasons, but don't keep Pacbell's IP transit when it doesn't meet your needs.
Posted by: Troy at September 1, 2003 02:01 PM
You can actually run poptop (a linux pptp server) as your VPN server. Windows has a builtin pptp VPN client that's easy to setup.
Then your company won't have to spend anything on it.
As to pacbell blocking port 135, I think your ire should be more directed towards microsoft. First, they (along with the DHS) asked ISPs to filter these ports (and more) saying they shouldn't be used on the internet.
Lack of clue on their part.
Second, it's their software. It repeatedly has vulnerabilities that shutdown whole portions of the internet and then MS asks the ISPs to throw them a bone. Why not ask them to fix their software, and while they're at it, make a better way to access Exchange through the internet.
I suppose it's easier to blame the ISP than it is to work to find an optimal solution.
Posted by: Robert at September 13, 2003 04:05 PM
I agree, this is a slippery slope.
Theoretically, if you call the magic number at SBC (877 722-3755), you can get port 135 unblocked for your specific DSL account. This assumes the person on the other end of the line has been briefed on the subject.
See http://www.broadbandreports.com/forum/remark,7945961~root=ilec,swbell~mode=flat
Posted by: Steve Meredith at September 21, 2003 09:36 AM