Port Blocking
- Why does CAEN block certain network ports from off-campus access?
- Which network ports does CAEN block from off-campus access?
- How can I bypass CAEN's port blocking?
- Does the Windows port-blocking affect Remote Desktop Connections?
Why does CAEN block certain network ports from off-campus access?
This is done in response to the growing number of network attacks directed at vulnerable hosts.
CAEN had observed attacks on the network backbone, and in an effort to improve security on the network, the relevant ports were blocked. Blocking these ports greatly reduces common network scans and attacks, and improves overall network security. ITCS and other campus groups also block these network ports, and most commercial Internet Service Providers (ISPs) block them to protect their own networks, so off-campus users may not even notice an additional block on their access to the CAEN network.
The most visible impact of these blocks will be the inability to log in to or access Active Directory, Exchange, or Windows online file services from off-campus. On-campus access to these services will not be affected. Access to services from the rest of the U-M campus is not affected.
The U-M VPN remote service provides the best method to bypass this port-blocking and gain access to U-M resources from off-campus. For more information on the U-M VPN, please see:
Which network ports does CAEN block from off-campus access?
The blocked ports are those used by services such as file sharing, directory & domain services, and Exchange. Specifically, the blocked TCP & UDP ports include 135, 137-139, 445, 1433, and 1434:
| Affected Service | UDP | TCP |
|---|---|---|
| Browsing responses of NetBIOS over TCP/IP | 138 | |
| Browsing requests of NetBIOS over TCP/IP | 137 | |
| Client/Server Communication | 135 | |
| Common Internet File System (CIFS) | 445 | 139/445 |
| DCOM Service Control Manager (SCM) | 135 | 135 |
| DHCP Manager | 135 | |
| DNS Administration | 139 | |
| Exchange Server | 135 | |
| File Sharing | 137 | 139 |
| Login Sequence | 137/138 | 139 |
| Microsoft Message Queue Server | 135 | |
| Microsoft SQL Monitor | 1434 | |
| Microsoft SQL Server | 1433 | |
| NetBIOS Name Service | 137 | |
| NetBIOS Session Service | 139 | |
| NetBT Datagrams | 138 | |
| NetBT Name Lookup | 137 | |
| NetBT Service Session | 139 | |
| NetLogon | 138 | |
| Pass Through Verification | 137/138 | 139 |
| Printer Sharing | 137 | 139 |
| Remote Procedure Call (RPC) | 135 | |
| SQL Named Pipes | 137 | |
| SQL RPC | 137 | |
| SQL Session | 139 | |
| SQL Session Mapper | 135 | |
| WINS Manager | 135 | |
| WINS Proxy | 137 | |
| WINS Registration | 137 | |
How can I bypass CAEN's port blocking?
If you simply require access to files stored on CAEN's network-attached storage (NAS) server (storage.engin.umich.edu), you can use Secure FTP (SFTP) to connect. For instructions on using SFTP to access your NAS space, please see our NAS instructions. For information on obtaining SFTP software, see:
If you require access to other services, such as logging into your Exchange account using Microsoft Outlook, then the VPN is your best option. U-M provides remote VPN service to all University students, faculty, and staff. For more information, and instructions on downloading and configuring VPN software, please see:
Mac users, in addition to the campus VPN, can use CAEN's native Mac VPN service. For more details, see:
Does the Windows port-blocking affect Remote Desktop Connections?
Off-campus access to resources that utilize Remote Desktop Protocol (RDP) such as Windows Remote Desktop Connection and Windows Remote Assistance will not be affected by the new port restrictions. Remote Desktop Protocol utilizes the TCP 3389 port. TCP 3389 is not one of the ports affected by the Windows port blocking. However, CAEN users are still encouraged to use the VPN client whenever possible to connect to resources from off-campus.
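The port list and the RDP exception described above can be checked against firewall or flow logs. The following is an added example, not CAEN's own tooling: it applies the stated policy (TCP and UDP 135, 137-139, 445, 1433, 1434 blocked for off-campus sources only) to constructed flow lines. The address prefixes, the log line format, and the function names are assumptions made for illustration.

```python
import ipaddress

# Ports from the page: TCP and UDP 135, 137-139, 445, 1433 and 1434.
BLOCKED_PORTS = {135, 445, 1433, 1434} | set(range(137, 140))

# Assumption: documentation prefixes stand in for the real address space.
CAMPUS_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # stand-in for U-M campus
CAEN_NET = ipaddress.ip_network("198.51.100.128/25")     # stand-in for CAEN hosts


def parse_flow(line):
    """Parse 'PROTO SRC_IP -> DST_IP:PORT' (hypothetical log format)."""
    proto, src, arrow, dst_port = line.split()
    if arrow != "->" or proto.lower() not in ("tcp", "udp"):
        raise ValueError(f"unrecognised flow line: {line!r}")
    dst, _, port = dst_port.rpartition(":")
    port = int(port)
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {line!r}")
    return proto.lower(), ipaddress.ip_address(src), ipaddress.ip_address(dst), port


def is_blocked(line):
    """True if the page's policy would drop this flow at the border."""
    _proto, src, dst, port = parse_flow(line)
    if dst not in CAEN_NET:
        return False  # the policy only covers traffic into CAEN
    if any(src in net for net in CAMPUS_NETS):
        return False  # on-campus sources are not affected
    return port in BLOCKED_PORTS  # listed ports are blocked for TCP and UDP


def blocked_flows(lines):
    return [line for line in lines if is_blocked(line)]


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    "tcp 203.0.113.7 -> 198.51.100.200:445",    # off-campus CIFS
    "udp 203.0.113.7 -> 198.51.100.200:137",    # off-campus NetBIOS name service
    "tcp 203.0.113.7 -> 198.51.100.200:3389",   # off-campus RDP, not on the list
    "tcp 198.51.100.20 -> 198.51.100.200:445",  # on-campus CIFS
    "udp 203.0.113.9 -> 198.51.100.200:1434",   # off-campus SQL Monitor
    "tcp 203.0.113.9 -> 198.51.100.200:22",     # off-campus SFTP (default port 22)
]

if __name__ == "__main__":
    for flow in blocked_flows(SAMPLE_FLOWS):
        print("blocked:", flow)
```

A flow that this check marks as blocked but that still shows up as accepted in border logs points to a gap between the published policy and the deployed rules.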


