Forefront UAG RSA using ephemeral port below 49152?
-
Friday, November 30, 2012 5:07 PM
This question has to do with Forefront TMG UAG (on Windows Server 2008 R2) and RSA SecurID. We set up a firewall to allow RSA access from the UAG over udp/5500 and restricted the source port to 49152-65535. This did not work as expected, so we relaxed the source port to 5000-65535 and it worked.
I checked the dynamic port range for udp (and tcp) and they were as follows (we did not change these, so I assume TMG / UAG opens a wider range).
Is the end 55535 an error? Should it be 65535 instead?
netsh int ipv4 show dynamicport udp

Protocol udp Dynamic Port Range
---------------------------------
Start Port      : 10000
Number of Ports : 55535

Thanks.
All Replies
-
Monday, December 03, 2012 4:28 AM - Moderator
Hi,
Thank you for the post.
Based on my test, before installing TMG, the default output on Windows Server 2008 R2 x64 is "start=49152 num=16384". After installing TMG, the value is changed to "start=10000 num=55535", so this is by-design behavior of the TMG installation.
Regards,
Nick Gu - MSFT
- Marked As Answer by Nick Gu - MSFT, Microsoft Contingent Staff, Moderator, Wednesday, December 05, 2012 5:35 AM
-
Wednesday, December 05, 2012 5:15 PM - Moderator
The number of ports value is the total value minus the starting port value (65535-10000=55535). I would imagine the source port range is extended on TMG as it functions as a gateway and therefore you would want to avoid source port exhaustion.
Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
- Edited by Jason Jones [MSFT], Microsoft Employee, Moderator, Wednesday, December 05, 2012 5:17 PM
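The check the thread walks through by hand, as an added example (not code from the original thread or from Microsoft): parse the text that `netsh int ipv4 show dynamicport udp` prints, turn "Start Port" and "Number of Ports" into an inclusive port range, and report which part of that range a firewall rule's allowed source-port range would block. Because "Number of Ports" is a count, the last usable port is start + count - 1, so start=10000 num=55535 covers 10000-65534 while the 2008 R2 default start=49152 num=16384 covers 49152-65535. The two netsh outputs below are constructed from the values quoted in the thread, and the two rule ranges (49152-65535 and 5000-65535) are the ones the question describes; everything else (function names, the sample strings) is an assumption of this example. Remember that netsh keeps separate ranges for udp and tcp and for ipv4 and ipv6, so run the check once per protocol family you actually use.

```python
"""Check whether a Windows dynamic (ephemeral) port range fits inside a
firewall rule's allowed source-port range.

Parses the text printed by:  netsh int ipv4 show dynamicport udp
(example code, not part of the original thread)
"""
import re
from typing import List, Tuple

MAX_PORT = 65535

# Constructed sample: the UDP output the original poster pasted from the TMG host.
NETSH_OUTPUT_TMG = """\
Protocol udp Dynamic Port Range
---------------------------------
Start Port      : 10000
Number of Ports : 55535
"""

# Constructed sample: the Windows Server 2008 R2 default quoted in the first reply.
NETSH_OUTPUT_DEFAULT = """\
Protocol udp Dynamic Port Range
---------------------------------
Start Port      : 49152
Number of Ports : 16384
"""

_START_RE = re.compile(r"Start Port\s*:\s*(\d+)", re.IGNORECASE)
_COUNT_RE = re.compile(r"Number of Ports\s*:\s*(\d+)", re.IGNORECASE)


def parse_dynamic_port_range(text: str) -> Tuple[int, int]:
    """Return (start, count) from 'netsh ... show dynamicport' output.

    Raises ValueError if the fields are missing or the range would run past 65535.
    """
    start_m = _START_RE.search(text)
    count_m = _COUNT_RE.search(text)
    if not start_m or not count_m:
        raise ValueError("could not find 'Start Port' / 'Number of Ports' in netsh output")
    start, count = int(start_m.group(1)), int(count_m.group(1))
    if start < 1 or count < 1 or start + count - 1 > MAX_PORT:
        raise ValueError(f"invalid dynamic port range: start={start} num={count}")
    return start, count


def dynamic_range_bounds(start: int, count: int) -> Tuple[int, int]:
    """'Number of Ports' is a count, so the last usable port is start + count - 1."""
    return start, start + count - 1


def uncovered_ports(dyn: Tuple[int, int], allowed: Tuple[int, int]) -> List[Tuple[int, int]]:
    """Sub-ranges of the dynamic range that the rule does NOT allow as source ports."""
    dyn_lo, dyn_hi = dyn
    allow_lo, allow_hi = allowed
    gaps: List[Tuple[int, int]] = []
    if dyn_lo < allow_lo:                      # ephemeral ports below the rule's floor
        gaps.append((dyn_lo, min(dyn_hi, allow_lo - 1)))
    if dyn_hi > allow_hi:                      # ephemeral ports above the rule's ceiling
        gaps.append((max(dyn_lo, allow_hi + 1), dyn_hi))
    return gaps


def rule_covers_dynamic_range(netsh_text: str, allowed: Tuple[int, int]) -> bool:
    """True when every ephemeral source port the host may pick is allowed by the rule."""
    bounds = dynamic_range_bounds(*parse_dynamic_port_range(netsh_text))
    return not uncovered_ports(bounds, allowed)


if __name__ == "__main__":
    # Compare both hosts against the strict rule from the question and the relaxed one.
    for label, text in (("TMG host", NETSH_OUTPUT_TMG), ("2008 R2 default", NETSH_OUTPUT_DEFAULT)):
        bounds = dynamic_range_bounds(*parse_dynamic_port_range(text))
        for rule in ((49152, 65535), (5000, 65535)):
            gaps = uncovered_ports(bounds, rule)
            status = "OK" if not gaps else f"BLOCKED source ports {gaps}"
            print(f"{label}: dynamic {bounds[0]}-{bounds[1]} vs rule {rule[0]}-{rule[1]}: {status}")
```

On the TMG values the strict rule leaves 10000-49151 blocked, which is why the SecurID traffic only worked once the rule was relaxed; pipe the live `netsh` output into `parse_dynamic_port_range` on the gateway itself rather than trusting the OS default.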