  1. #1
    Registered User
    Join Date
    01-17-2006
    Posts
    10

    VPN + Norton Internet Security

    I'm stumped on this one. I can connect to my home PC over a VPN I established with Windows XP and my PPC6600. I can access drives and copy/paste files back and forth between the PPC and my home PC. The problem I have is that when Norton Internet Security (firewall portion) is turned on, it won't connect.

    I've gone into the advanced section in the firewall settings and added Port 1723 for TCP and UDP (PPTP port) to the "permit" list. Even with this ruleset added I still can't get past the firewall. Any ideas?

    Note: I also tested opening ports 50, 51 and 500 with no effect.


    -Trust

  2. #2
    Registered User A.D.'s Avatar
    Join Date
    01-17-2006
    Location
    Charlotte
    Posts
    12
    The ports you need to open in your firewall are the same ports that need to be forwarded from your router, if you're using one.

    look here

    or here

    or maybe here


    Cheers!

    And ummm..... consider also something a little easier to configure than NIS. It's a good firewall, as long as you don't have to configure it for outside access. For the mere mortal, I'd recommend something like Sygate Personal Firewall Pro.
    Last edited by A.D.; 01-19-2006 at 12:49 AM.
    I think we're gonna need a bigger hammer........

  3. #3
    Registered User
    Join Date
    01-17-2006
    Posts
    10
    Originally posted by A.D.
    The ports you need to open in your firewall are the same ports that need to be forwarded from your router, if you're using one.

    look here

    or here

    or maybe here


    Cheers!

    And ummm..... consider also something a little easier to configure than NIS. It's a good firewall, as long as you don't have to configure it for outside access. For the mere mortal, I'd recommend something like Sygate Personal Firewall Pro.
    Those links you gave talk about ActiveSync. I'm not doing an ActiveSync; I'm connecting over a VPN.

    My Netgear router is set up properly because the VPN works fine with NIS turned off. In the advanced section in NIS I opened TCP/UDP on ports 1783, 500, 50 and 51 but it still doesn't connect.
    Last edited by TrustPPC; 01-19-2006 at 01:07 AM.

  4. #4
    Registered User A.D.'s Avatar
    Join Date
    01-17-2006
    Location
    Charlotte
    Posts
    12
    Ohhhhh.... jeez. OK, I obviously misunderstood.... So you're using NetBIOS via PPTP? Try opening ports 135-139, available only to localhost and whatever range your host assigns to incoming VPN connections. Also consider whether you really NEED to do this. Unlocking NetBIOS is just asking for trouble, even if it's SUPPOSEDLY only accessible via PPTP and with "proper" authorization. I'm pretty sure there's a safer way to meet your needs.
    I think we're gonna need a bigger hammer........

  5. #5
    Registered User
    Join Date
    01-17-2006
    Posts
    10
    The end goal here is the ability to copy files from my home PC to the PPC over the Internet. If there is a better way to do this, I'm listening.

    The reason why I took the VPN route is because with file explorer I can just click open \\myPCname and I have access to my C$ D$ and E$ shares where I can copy/paste files from directly to my storage card.

  6. #6
    Registered User A.D.'s Avatar
    Join Date
    01-17-2006
    Location
    Charlotte
    Posts
    12
    I couldn't swear the method I use is any better.... but what I do is use remote desktop to access my home system and copy whatever files I need to C:...... \My Documents\PocketPC My Documents\ then let them transfer via activesync. It has the added advantage that any document you modify on the PPC will also update on the home system the next time you sync.

    The problem with NetBios is that it is so easy to exploit, although it can be made to be relatively safe if the admin (in this case, you) takes care to make certain not to expose it over the WAN.

    In Windows XP, make sure you disable the Guest account, set the directory permissions to allow ONLY you to access the shares, consider making any folder which has any kind of financial data totally inaccessible over the network, consider also keeping everything read-only except maybe 1 folder that will allow you to read/write/del for uploads from your PPC, and use a good password (meaning one that is both hard for anyone to guess and hard to crack by either a dictionary-type attack or brute force).

    Ideally you want your firewall to allow access from only specific IP addresses, or even better, specific MAC addresses. You don't mention whether you use a wireless LAN, but this is another potential point of entry for someone with less than benign intent.

    If you are going to expose NetBios on your home (wireless) LAN, be absolutely sure nobody can exploit the wireless part of your security. Turn off SSID broadcast, turn off DHCP and use assigned IP addresses, use WEP, and change the admin password and the IP range on your router from the defaults. One thing I have seen a lot of is that people buy their first router, hook everything up, turn it on and it works, right out of the box. And they either never think about or never get around to tightening up their security.

    One last thing... you didn't specify whether you're running XP Home or XP Pro. For the benefit of anyone who may read this, let me say that ANYONE running ANY type of server (and yes, NetBios and ActiveSync are both servers) NEEDS the tools and options in XP Pro that were stripped out in the Home version. i.e., if you're running XP Home and intend to access your computer from outside, you should seriously consider an OS upgrade.

    Just some suggestions from a retired hacker....


    Cheers!
    Last edited by A.D.; 01-19-2006 at 10:28 AM.
    I think we're gonna need a bigger hammer........

  7. #7
    Registered User
    Join Date
    01-17-2006
    Posts
    10
    Oh I'm sorry I didn't mention that. Yes, I am running Windows XP pro. Guest account is disabled and the pc is ready for remote desktop. So what you're saying to do is:

    1. Create a folder on the pc at home.
    2. Remote desktop in and copy/paste files to that folder
    3. Activesync over the Internet and tell it to sync the items in that folder?

    If so, this definitely sounds like a better idea. I take it the links you provided earlier in the post are guides on how to set up ActiveSync via Internet? I'll look into this, thank you.

  8. #8
    Registered User A.D.'s Avatar
    Join Date
    01-17-2006
    Location
    Charlotte
    Posts
    12
    Yes, they will point you in the right direction, although what I found myself when I set up my own system is that no single page will give you everything you need. Do a lot of reading, learn the principles, note the specific ports, and lock that mofo down for anyone else that stumbles across the handful of ports you must expose in order to make it work.

    As our technology progresses, the ability to do more also makes it more complicated. Software writers try to make everything as simple as possible for the end user, and mostly succeed, but in doing so they also expose said user to potential risks the user is mostly unaware of. It is every user's responsibility to ensure his own data security. Read the EULAs.... it's right there in black and white (or whatever your default colors happen to be).


    Having a PPC and being able to access your home system, transfer data, and generally be totally connected at will 24/7 is really cool... but just the same as when the "always on" high speed internet connection blossomed in the consumer market a few years back, we now have a new group of users that need to learn about security, because they want to run servers on their home systems. EVERY server opens security holes, and it's the owner's duty to plug them.

    I made a reply in another thread about setting up ActiveSync... I'll put together a complete step-by-step guide and post it here. I think also I'll post an additional guide about security for always-on connections. It's going to take me a few days, please be patient... I have a lot of demands on my time. But the same as it's everyone's duty to ensure their own security, it's also my duty to help them as best I can.

    I would also invite all the local experts to add their own tips. This is a VERY complex issue and I'm sure there's a lot that I've forgotten.


    Cheers!
    Last edited by A.D.; 01-20-2006 at 01:49 AM.
    I think we're gonna need a bigger hammer........

  9. #9
    Registered User
    Join Date
    01-17-2006
    Posts
    10
    Thanks a lot, A.D. I look forward to your write-ups. I did a lot of research on my own. Although I know my way around basic networks to set up software firewalls and configure ports on routers, this project had me baffled.

    Until a few days ago I didn't even know what PPTP was. I managed to get this far only to be denied by Norton Personal Firewall. I tried the alternate route by following ActiveSync setups over the Internet only to find out ActiveSync 4.x doesn't support RAS/Internet connections. Tried to roll back to 3.8 and ran into all sorts of critical errors. Now again, I'm back to 4.1.

    The way it is set up right now I can remote desktop into my XP box, disable Norton, establish a VPN and copy the files I want. Then disconnect, remote in once more and re-enable Norton. That's a lot of work for a simple file copy. It's unfortunate that the Terminal client on the PPC6600 isn't as robust as the remote desktop client (which has the option to map drives once connected) on Windows XP. I did get a break, however, because my DSL IP address is static (have it memorized).

    --Waiting patiently for a good write up---

    Trust

  10. #10
    Registered User A.D.'s Avatar
    Join Date
    01-17-2006
    Location
    Charlotte
    Posts
    12
    TrustPPC, I wish I had more time to work with you on this, but let's try to correct your ActiveSync issue since it should be relatively easy. If you haven't already tried it this way, follow these steps:

    Copy any files in your current ActiveSync "Files" folder to another location, then set a system restore point.

    Reboot the machine in Safe Mode by pressing the F8 key as the system boots.

    From the menu that appears, select Safe Mode (NOT Safe Mode with networking)

    Log In as Administrator (not ANY Administrator account, but THE Administrator)

    Go to Start>Control Panel>Add/Remove Programs, select Microsoft ActiveSync 4.1 and uninstall it.

    Reboot in normal mode, log in as THE Administrator and install ActiveSync 3.8

    This should give you a fully working install of AS 3.8. Then you'll need to set up a new partnership, and copy the files, favorites, contacts, calendar and mail messages back to your PPC via active sync.

    If you encounter any errors or other problems in the process, I'd like to know about them. If, after all this it still won't work for you, simply do a system restore on the XP box. In the meantime, I'm going to play around a bit with netbios over pptp and see what needs to be done to make it work.

    Cheers!
    I think we're gonna need a bigger hammer........

  11. #11
    Registered User
    Join Date
    01-17-2006
    Posts
    10
    I got it working on ActiveSync 4.1 at the moment. Didn't want to go through the Admin "dance" to get 3.8 working until I heard from you if it worked or not. The thing that baffles me to this day is why when you create a user account with Admin rights it's not 100% admin rights. I've seen this happen in Windows 2000 and now in XP. Symptoms like executing an exe and it not opening up on screen but running in processes only.

    Anyhow, when you get a chance let me know if you were able to get it to work over PPTP with a firewall intact. I've searched all over the net and still can't figure out if there is a port I forgot to open or not.

    Odd thing is when I am connected over PPTP and run a netstat it shows I have a connection open to *.myvzw.com (Verizon's connection) on port 1130 and other various ports. My understanding was PPTP used 1723 for local and remote, guess not.
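
The permit rules tried in this thread are all TCP/UDP port numbers, while PPTP also carries its tunnelled data in GRE (IP protocol 47), which has no port; 50 and 51 are likewise IP protocol numbers (ESP and AH), not ports. The following added example, which is not from any poster and is not Norton's rule format, models a permit list with hypothetical `Rule` and `Flow` types and constructed addresses, and reports which PPTP flows a rule set leaves blocked.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

TCP, UDP, GRE, ESP, AH = 6, 17, 47, 50, 51   # IANA IP protocol numbers

@dataclass(frozen=True)
class Rule:                      # hypothetical "permit" entry
    proto: int                   # IP protocol number
    ports: Optional[range]       # destination ports; None for port-less protocols
    source: str = "0.0.0.0/0"    # who may connect

@dataclass(frozen=True)
class Flow:                      # one inbound traffic stream the VPN needs
    name: str
    proto: int
    dport: Optional[int]
    src: str

def permitted(flow, rules):
    """True if any permit rule matches protocol, source and (if any) port."""
    for r in rules:
        if r.proto != flow.proto:
            continue
        if ip_address(flow.src) not in ip_network(r.source):
            continue
        if r.ports is None or flow.dport in r.ports:
            return True
    return False

def pptp_flows(client_ip):
    """PPTP needs a TCP control channel and a GRE data channel."""
    return [Flow("PPTP control (TCP 1723)", TCP, 1723, client_ip),
            Flow("PPTP tunnel data (GRE, IP protocol 47)", GRE, None, client_ip)]

def blocked(flows, rules):
    return [f.name for f in flows if not permitted(f, rules)]

def port_rules(ports):
    """Open each port number for both TCP and UDP, as done in the thread."""
    return [Rule(p, range(n, n + 1)) for n in ports for p in (TCP, UDP)]

CLIENT = "203.0.113.25"                       # constructed client address
TRIED = port_rules([1723, 50, 51, 500])       # port-only rules like those tried
FIXED = [Rule(TCP, range(1723, 1724), "203.0.113.0/24"),   # control channel
         Rule(GRE, None, "203.0.113.0/24")]                # protocol rule, no port

if __name__ == "__main__":
    print("port-only rules block:", blocked(pptp_flows(CLIENT), TRIED))
    print("protocol-aware rules block:", blocked(pptp_flows(CLIENT), FIXED))
```

Restricting `source` to a known client range, as in `FIXED`, also keeps both flows closed to every other address.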
