Azure P2S VPN Setup To Work Around Comcast Biz Block of Port 445

  • Question

  • Thanks for taking a look at my post.

    My overall goal is to cloudify a Line of Business App that uses MSSQL to scan, index, and store documents with the LOB app running on local machines connected to optical scanners.  To that end I have set up an Azure free account and set up an SQL server and file storage.

    The customer's only available hi-speed ISP is Comcast Business, which blocks port 445 and therefore throws a monkey wrench into the local machines and the app seeing Azure File Storage as a network share.  To workaround the port 445 block I have read that setting up a VPN would work, so using the built-in Windows VPN client, I have set up an Azure VPN Gateway and installed certificates on Azure and two test workstations, one within the customer's Comcast-connected network and one at another location on Verizon FiOS, which at this writing does not block port 445.

    I have been able to get both test workstations (both are W10Pro Build 1703) to connect P2S (point to site) to the Azure VPN Gateway and verified connectivity by noting that ipconfig /all shows the VPN connections are pulling IPs from the range implemented in Azure.

    Following Azure docs, I ran the net use command provided in the File Storage share interface on both test workstations.  The one connected via FiOS successfully maps the drive to the Azure share***; the one connected via Comcast does not, failing with error 53, which means a port block issue.  Ran PortQuery to the FQDN for the Azure file share and it says that 445 is still "FILTERED" aka blocked.

    To eliminate computer based issues, I turned off both the Norton firewall and the Windows firewall and restarted, then reattempted the drive mapping which failed again with the same error 53, and PortQuery still reports port 445 is filtered aka blocked.

    Looking for advice on what to check next.  I was under the impression that the P2S VPN would carry port 445 traffic through the tunnel and escape Comcast's block, but apparently that's not the case.  Is it a matter of somehow directing Windows to send port 445 traffic through the VPN tunnel and not out in the open where Comcast can block it?

    ***Note that the FiOS-connected workstation will also map the drive without the VPN being connected, since Verizon does not block port 445.

    Friday, 6 October 2017 19:47
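The post above verifies the tunnel only by the fact that the client received an address from the gateway's pool. That proves the P2S connection is up, but not that SMB traffic to the storage account actually travels through it: a Windows VPN connection with split tunneling (the usual P2S configuration) only routes the prefixes it learns from the gateway, and any destination outside those prefixes leaves through the normal default route, i.e. the ISP. The following PowerShell diagnostic is an added example, not code from the original thread or from Microsoft. It resolves the Azure Files endpoint, asks the routing table which interface would carry a packet to it, lists the prefixes the tunnel routes, and probes TCP 445 and TCP 443 against the same address. The storage account name `contosodocs` and VPN connection name `AzureVNet` are hypothetical placeholders; the cmdlets used (`Resolve-DnsName`, `Find-NetRoute`, `Get-NetIPInterface`, `Get-NetRoute`, `Get-VpnConnection`, `Test-NetConnection`) ship with Windows 10.

```powershell
# Added diagnostic for the situation described in the post; not code from the original thread.
# Answers two questions from one workstation:
#   (1) which interface Windows would actually use to reach the Azure Files endpoint,
#       i.e. whether SMB leaves through the P2S tunnel or through the ISP;
#   (2) whether TCP 445 is blocked while TCP 443 to the same host works (the ISP-block pattern).
# Storage account and VPN connection names are hypothetical placeholders.
function Test-AzureFilesReachability {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $StorageAccount,     # e.g. 'contosodocs' (hypothetical)
        [Parameter(Mandatory)] [string] $VpnConnectionName   # Windows VPN connection name (hypothetical)
    )

    $fqdn = "$StorageAccount.file.core.windows.net"

    # Resolve the share endpoint; the 445 and 443 probes must target the same address.
    $ip = (Resolve-DnsName -Name $fqdn -Type A | Where-Object { $_.Type -eq 'A' } |
           Select-Object -First 1).IPAddress
    if (-not $ip) { throw "Could not resolve $fqdn" }

    # The P2S interface is a RAS adapter: it appears in Get-NetIPInterface (alias = connection
    # name) only while the tunnel is up, so a missing entry means the VPN is disconnected.
    $vpnIf = Get-NetIPInterface -InterfaceAlias $VpnConnectionName -AddressFamily IPv4 `
                                -ErrorAction SilentlyContinue

    # SplitTunneling = $true means only the prefixes learned from the gateway go through the
    # tunnel; everything else follows the default route out of the ISP connection.
    $vpnCfg = Get-VpnConnection -Name $VpnConnectionName -ErrorAction SilentlyContinue

    # Ask the routing table which interface would carry a packet to the storage IP.
    # Find-NetRoute returns a NetIPAddress and a NetRoute object; keep the route.
    $route = Find-NetRoute -RemoteIPAddress $ip | Where-Object DestinationPrefix

    # Prefixes the tunnel routes. For a P2S connection these are the VNet address space(s);
    # the storage account's public IP will normally not be among them.
    $vpnPrefixes = if ($vpnIf) {
        (Get-NetRoute -InterfaceIndex $vpnIf.InterfaceIndex -AddressFamily IPv4).DestinationPrefix
    }

    # Port probes. 443 (Azure Files REST over HTTPS) reachable but 445 (SMB) not, on the same
    # egress path, points at an upstream port-445 filter rather than DNS or a host firewall.
    $smb   = Test-NetConnection -ComputerName $ip -Port 445 -WarningAction SilentlyContinue
    $https = Test-NetConnection -ComputerName $ip -Port 443 -WarningAction SilentlyContinue

    [pscustomobject]@{
        Endpoint          = $fqdn
        ResolvedIP        = $ip
        VpnConnected      = [bool]$vpnIf
        SplitTunneling    = $vpnCfg.SplitTunneling
        EgressInterface   = $route.InterfaceAlias
        SmbGoesViaVpn     = ($vpnIf -and $route.InterfaceIndex -eq $vpnIf.InterfaceIndex)
        VpnRoutedPrefixes = ($vpnPrefixes -join ', ')
        Tcp445Open        = $smb.TcpTestSucceeded
        Tcp443Open        = $https.TcpTestSucceeded
        Verdict           = if ($https.TcpTestSucceeded -and -not $smb.TcpTestSucceeded) {
                                'Host reachable; TCP 445 filtered on the egress path'
                            } elseif ($smb.TcpTestSucceeded) {
                                'TCP 445 reachable; share mapping should work'
                            } else {
                                'Host unreachable on 443 and 445; check DNS and routing first'
                            }
    }
}

# Usage (hypothetical names): run on each test workstation with the VPN connected.
Test-AzureFilesReachability -StorageAccount 'contosodocs' -VpnConnectionName 'AzureVNet' |
    Format-List
```

Run it on both test workstations while the VPN is connected and compare `EgressInterface` and `SmbGoesViaVpn`: if the storage IP is not inside `VpnRoutedPrefixes`, the SMB traffic never enters the tunnel, and a port-445 filter at the ISP applies exactly as if the VPN were down. Note that adding a static route for the storage IP through the tunnel interface is not by itself a fix: the gateway side must also forward that traffic onward to the storage endpoint, so check what the gateway actually routes before changing the client's routing table.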

Answers

  • Hi Dan, 

    Sorry to hear you are having this issue. I took a look at the Comcast site and I can confirm they do block that port. In fact, it appears a good amount of ISPs are blocking that port. 

    Here is a detailed list of those ISPs: Azure: Summary of ISPs that allow/block 445

    One option you could look into is a new feature we released called Azure File Sync. It is now in public preview and you can find information on it here. I am not sure if it would still have the same restrictions as Azure File Share but might be worth a look. 

    Other tools that I have used to look into networking issues are Microsoft Message Analyzer and NetStat. Doing some online searching, you could also attempt to find some sort of packet tracer to try and see where the data is being blocked. 

    Hope some of this helps :) 

    -Micah

    Friday, 13 October 2017 22:14

All Replies

  • P2S does not use port 445.

    Refer to the articles below:

    Azure supports two types of Point-to-site VPN options:

    • Secure Socket Tunneling Protocol (SSTP). SSTP is a Microsoft proprietary SSL-based solution that can penetrate firewalls since most firewalls open the TCP port that 443 SSL uses.

    • IKEv2 VPN. IKEv2 VPN is a standards-based IPsec VPN solution that uses UDP port 500 and 4500 and IP protocol no. 50. Firewalls do not always open these ports, so there is a possibility of IKEv2 VPN not being able to traverse proxies and firewalls.

    https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq

    https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal


    • Proposed as answer by Nirushi J, Thursday, 12 October 2017 09:12
    Thursday, 12 October 2017 09:12
  • Thank you for your response, but unfortunately it provides nothing useful.

    I do not think the VPN connection is the problem because the test computers have no problem connecting via the VPN to the VPN Gateway and being assigned an IP address from the VPN Gateway.  VPN configuration is of the SSTP variety.

    The problem is that traffic on port 445 is blocked somewhere, as reported by PortQuery.  I would appreciate advice on how to determine where the block is taking place so I can exert effort to lift the block, be it correcting a self-inflicted misconfiguration or definitively establishing that the block is being caused by Comcast.  If port 445 is blocked, then local clients won't be able to natively see/browse Azure File Services shares.

    Friday, 13 October 2017 03:38
  • Any solution to this yet?  We are trying to be 100% Azure (i.e. 100% cloud).  This means we don't want to install a physical server on site just for Azure File Sync.  We use AT&T and they also block port 445.  In other words, we want to use Azure File Storage so we can drop the Azure VMs that only act as file servers, but we can't because port 445 is blocked.  Does the IKEv2 VPN solve this?
    Thursday, 10 October 2019 17:56