10:35 AM
Recorded Demo by Dave Glover: Cool things with Reporting

RSA enVision Monthly Technical Seminar Series

Dave Glover presents Cool things with Reporting



Archived version:


http://www.rsa.com/go/080903_DaveGlover_Cool_Things_With_Reports/index.htm


Dave will present on a different topic each month; please post ideas for what you'd like to see in upcoming months!


-Regards,
Blackhattrick blog
(sms GeniusHacker on 9870807070)or visithttp://labs.google.co.in/smschannels/channel/GeniusHacker
Googlethewebsite.blogspot.com/blackhattrick.blogspot.com)
Reviewed by BlackHat on 10:35 AM Rating: 5

RSA enVision Knowledge Base Online Organiser

10:29 AM
NEW! RSA enVision Knowledge Base Online Organiser

Hi guys, RSA has launched the new enVision Knowledge Base Online.
Have a look at it and comment:


NOTE: You need credentials to access the above link.


Speeding Up Report Generation

3:36 AM

Speeding Up Report Generation

Use the following best practices to make reports run faster:

· Whenever possible, search on indexed fields when creating reports. Indexed fields are date and time, message ID, and device IP address. These fields are already summarized in the database and using them speeds up report generation. Using non-indexed fields adds significant time to report generation.

· Speed up processing by selecting Enable preprocess filters on the Select Additional Report Options window. This option pushes data query out to the data warehouse rather than bringing all the data into enVision for local processing, which is time-consuming.

· If possible, do not select Use DNS Resolution (resolving addresses to host names) on the Select Additional Report Options window as this process adds significant time to report generation.

· Use device groups to improve report performance. Device groups limit reports to only relevant event sources, minimizing the time needed to retrieve data.


Error: License is invalid & IP address shown as 255.255.255.255 in performance tab

3:34 AM

a48919 | Error: License is invalid & IP address shown as 255.255.255.255 in performance tab

Goal

To resolve the issue where the GUI reports that the license is invalid and the performance tab shows an incorrect IP address of 255.255.255.255.

Fact

enVision 3.7.x, 4.0.x

Cause

This problem is caused by an incorrect name on the LAN network interface. enVision examines the network interface as part of license verification: it reads the MAC address of the network interface, which must be named LAN, in order to verify the license file.

Fix

1. Stop enVision services

2. Rename the network interface "Internal Network" to "LAN"

3. Start enVision services


DHCP_SNOOPING Messages

3:32 AM

DHCP_SNOOPING Messages

This section contains the DHCP snooping (DHCP_SNOOPING) messages.

DHCP_SNOOPING-3

Error Message DHCP_SNOOPING-3-DHCP_SNOOPING_INTERNAL_ERROR: DHCP Snooping internal error

Explanation A software sanity check failed in the DHCP snooping process.

Recommended Action This is an informational message only. No action is required.

DHCP_SNOOPING-4

Error Message DHCP_SNOOPING-4-AGENT_OPERATION_FAILED_N: DHCP snooping binding transfer failed([dec]). [chars]

Explanation This message is logged once every 30 minutes and displays the [dec] number of failures that occurred for a given reason [chars] during the past 30 minutes.

This message is a rate-limited version of the DHCP_SNOOPING-4-AGENT_OPERATION_FAILED message.

Recommended Action Based on the reason for the error [chars], look at the explanation for the DHCP_SNOOPING-4-AGENT_OPERATION_FAILED message, and take the appropriate action.

Error Message DHCP_SNOOPING-4-AGENT_OPERATION_FAILED: DHCP snooping binding transfer failed. Unable to access URL.

Explanation The DHCP snooping binding transfer failed. The reason for failure can include any of the following:

· The URL is not available to use.
· Not enough memory is available for creating an agent.
· The number of agents reached the maximum supported limit.
· The switch is unable to create an agent.
· The switch is unable to access the URL.
· The switch is unable to start the agent.
· The Abort timer expired.
· The number of entries exceeded the maximum supported limit.
· An error occurred when reading the remote database.
· An error occurred while writing to the remote database.
· DHCP snooping expected more data during the read.
· The string type is invalid.
· The version string type is invalid.
· DHCP snooping is expecting a new line in the database.
· 'TYPE' was not found in the remote database.
· 'VERSION' was not found in the remote database.
· 'BEGIN' was not found in the remote database.
· 'END' was not found in the remote database.
· The type string was not found in the remote database.
· The version string was not found in the remote database.
· The checksum failed upon entry into the remote database.

Recommended Action Based on the reason for the error (listed above), take the appropriate action.

Error Message DHCP_SNOOPING-4-DHCP_SNOOPING_DATABASE_FLASH_WARNING: Saving DHCP snooping bindings to [char] can fill up your device causing the writes of bindings to device

Explanation Saving DHCP snooping bindings to a flash file system such as bootflash or slot0 could cause the flash to fill up. Possible consequences include a long delay to regain a console connection, write failures for database configurations, regular squeeze requirements, and reduced life of flash due to regular squeeze operations.

Recommended Action Save the DHCP snooping bindings to an alternate destination. Possible locations for the database agent include a TFTP or FTP server. Please see the command line help for a complete list of options.

Error Message DHCP_SNOOPING-4-DHCP_SNOOPING_ERRDISABLE_WARNING: DHCP Snooping received [dec] DHCP packets on interface [char]

Explanation DHCP snooping detected a DHCP packet rate-limit violation on the specified interface. The interface will be placed in the errdisable state.

Recommended Action This is an informational message only. No action is required.

Error Message DHCP_SNOOPING-4-DHCP_SNOOPING_PVLAN_WARNING: DHCP Snooping configuration may not take effect on secondary vlan [dec]. [char]

Explanation DHCP snooping configuration on the primary VLAN automatically propagates to all secondary VLANs if private VLANs are enabled.

Recommended Action This is an informational message only. No action is required.

Error Message DHCP_SNOOPING-4-IP_SOURCE_BINDING_PVLAN_WARNING: IP source filter may not take effect on secondary vlan [dec] where IP source binding is configured. [char]

Explanation The IP source filter on the primary VLAN automatically propagates to all secondary VLANs if private VLANs are enabled.

Recommended Action Reconfigure the IP source binding to a known functioning VLAN.

Error Message DHCP_SNOOPING-4-IP_SOURCE_BINDING_NON_EXISTING_VLAN_WARNING: IP source binding is configured on non existing vlan [dec].

Explanation IP source binding was configured on a VLAN that has not yet been configured.

Recommended Action This is an informational message only. No action is required. It may persist unless you define the VLAN in question and then reapply the IP source binding. If you see this message regarding a VLAN that is correctly configured, contact your technical support representative.

Error Message DHCP_SNOOPING-4-NTP_NOT_RUNNING: NTP is not running; reloaded binding lease expiration times are incorrect.

Explanation If the DHCP snooping bindings are loaded by the DHCP snooping database agent and NTP is not running, then the calculated lease duration for the bindings will be incorrect.

Recommended Action Configure NTP on the switch to provide an accurate time and date for the system clock. Then disable and re-enable DHCP snooping to clear the bindings database.

Error Message DHCP_SNOOPING-4-QUEUE_FULL: Fail to enqueue DHCP packet into processing queue: [char]

Explanation DHCP packets are coming into the CPU at a much higher rate than the DHCP snooping process can handle them. These unhandled DHCP packets will be dropped to prevent a denial of service attack.

Recommended Action This is an informational message only. No action is required.

Error Message DHCP_SNOOPING-4-SSO_SYNC_ACK_ERROR:Error is encountered in processing acknowledgement for DHCP snooping binding sync [char]. ack message txn id:[hex]

Explanation There was an error in handling the DHCP synchronization acknowledgement. In most of these cases, the ACK message is ignored.

Recommended Action This is an informational message only. No action is required.

Error Message DHCP_SNOOPING-4-STANDBY_AGENT_OPERATION_FAILED: DHCP snooping binding transfer failed on the Standby Supervisor. [char]

Explanation If the DHCP snooping database supporting SSO is configured as a local device, both supervisor engines will update their database whenever there is an update regarding bindings. This error message is an indication that a snooping database update on the standby supervisor engine failed in the manner mentioned. The most likely cause for these problems is if the snooping database is configured as a slot0 device, but functioning compact flash memory is only present on the active supervisor engine's slot0 while the standby supervisor engine's slot0 is empty or faulty. Possible variations in output include:

"URL not available for use."

"Not enough memory available for creating agent."

"Number of agents reached maximum supported limit."

"Unable to create agent."

"Unable to access URL."

"Unable to start agent."

"Abort timer expiry."

"Number of entries exceeded max supported limit."

"Unable to transfer bindings. Memory allocation failure."

"Error reading the remote database."

"Error writing to remote database."

"Expected more data on read."

"Type string invalid."

"Version string invalid."

"New line expected in database."

"'TYPE' not found in remote database."

"'VERSION' not found in remote database."

"'BEGIN ' not found in remote database."

"'END' not found in remote database."

"Type string not found in remote database."

"Version string not found in remote database."

"Checksum failed on an entry in remote database."

"No failure recorded."

Recommended Action The switch will continue to function if no action is taken, but the redundancy features will be compromised until both active and standby supervisor engines have working flash memory available. Replace or insert flash memory into the supervisor engine that lacks it if needed.

DHCP_SNOOPING-5

Error Message DHCP_SNOOPING-6-AGENT_OPERATION_SUCCEEDED: DHCP snooping database [char] succeeded.

Explanation DHCP snooping has successfully read from or written to the database.

Recommended Action This is an informational message only. No action is required.

Error Message DHCP_SNOOPING-5-DHCP_SNOOPING_FAKE_INTERFACE: [char] drop message with mismatched source interface the binding is not updated message type: [char] MAC sa: [mac-addr]

Explanation The DHCP snooping feature has detected a host trying to carry out a denial of service attack on another host in the network. The packet will be dropped.

Recommended Action This is an informational message only. No action is required.

Error Message DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: [char] drop message because the chaddr doesn't match source mac message type: [char] chaddr: [mac-addr] MAC sa: [mac-addr]

Explanation The DHCP snooping feature attempted MAC address validation and the check failed. There may be a malicious host trying to carry out a denial of service attack on the DHCP server. The packet will be dropped.

Recommended Action This is an informational message only. No action is required.

Error Message DHCP_SNOOPING-5-DHCP_SNOOPING_NONZERO_GIADDR: [char] drop message with non-zero giaddr or option82 value on untrusted port message type: [char] MAC sa: [mac-addr]

Explanation The DHCP snooping feature discovered a DHCP packet with option values not allowed on the untrusted port, indicating some host may be trying to act as a DHCP relay or server. The packet will be dropped.

Recommended Action This is an informational message only. No action is required.

Error Message DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: [char] drop message on untrusted port message type: [char] MAC sa: [mac-addr]

Explanation The DHCP snooping feature discovered certain types of DHCP messages not allowed on the untrusted interface, indicating some host may be trying to act as a DHCP server. The packet will be dropped.

Recommended Action This is an informational message only. No action is required.

DHCP_SNOOPING-6

Error Message DHCP_SNOOPING-6-AGENT_OPERATION_SUCCEEDED: DHCP snooping database [char] succeeded.

Explanation DHCP snooping has successfully read or written to the database.

Recommended Action This is an informational message only. No action is required.

Error Message DHCP_SNOOPING-6-BINDING_COLLISION: Binding collision. [dec] bindings ignored

Explanation One or more bindings from the database file has a MAC address and VLAN combination for which the switch already holds DHCP snooping bindings.

Recommended Action This is an informational message only. No action is required.

Error Message DHCP_SNOOPING-6-INTERFACE_NOT_VALID: Interface not valid. [dec] bindings ignored.

Explanation The interface that is listed in the database file's binding is not available, is a router port, or is a DHCP snooping-trusted Layer 2 interface.

Recommended Action This is an informational message only. No action is required.

Error Message DHCP_SNOOPING-6-LEASE_EXPIRED: Lease Expired. [dec] bindings ignored.

Explanation The DHCP lease expired for the given number of bindings from the database file.

Recommended Action This is an informational message only. No action is required.

Error Message DHCP_SNOOPING-6-PARSE_FAILURE: Parsing failed for [dec] bindings.

Explanation The database read operation failed for the stated number of bindings.

Recommended Action This is an informational message only. No action is required.

Error Message DHCP_SNOOPING-6-VLAN_NOT_SUPPORTED: Vlan not supported. [dec] bindings ignored.

Explanation The VLAN is not supported by DHCP snooping.

Recommended Action This is an informational message only. No action is required.

ARP Snooping Messages

This section contains the ARP snooping message.

Error Message    C4K_ARPSNOOPINGMAN-4-OUTOFRESOURCES: Resources for constructing ACLs are not available.

Explanation Software resources are not available to set up hardware to redirect ARP packets to software. Dynamic ARP inspection will not work if this log message appears.

Recommended Action Unconfigure other TCAM related features to reduce switch memory requirements and reconfigure the ACL.

SW_DAI Messages

This section contains the dynamic ARP inspection (DAIMAN) messages.

SW_DAI-4

Error Message    SW_DAI-4-ACL_DENY: [dec]Invalid ARPs (Req) on [chars], vlan [dec]. 

Explanation The switch received ARP packets that are considered invalid by ARP inspection. The packets are invalid, and their presence indicates that administratively denied packets are in the network. This log message is generated when packets have been denied by ACLs either explicitly or implicitly (with static ACL configuration). The presence of these packets indicates possible "man-in-the-middle" attacks in the network.

Recommended Action To stop these messages from generating, find the source host of these packets and stop the host from sending them.

 
Error Message    SW_DAI-4-DHCP_SNOOPING_DENY: [dec] Invalid ARPs (Req) on [chars], vlan [chars]. 

Explanation The switch received ARP packets that are considered invalid by ARP inspection. The packets are invalid, and their presence may be an indication of "man-in-the-middle" attacks that are attempted in the network. This message is logged when the IP address and MAC address binding for the sender on the received VLAN is not listed in the DHCP snooping database.

Recommended Action To stop these messages from generating, find the source host of these packets and stop the host from sending them.

 
Error Message    SW_DAI-4-INVALID_ARP: [dec] Invalid ARPs (Req) on [chars], vlan [chars].

Explanation The switch received ARP packets that are considered invalid by ARP inspection. The packets are invalid and do not pass one or more of the source MAC address, destination MAC address, or IP address validation checks. A packet was denied because the source MAC address, destination MAC address, or IP validation failed.

Recommended Action To stop these messages from generating, find the source host of these packets and stop the host from sending them.

 
Error Message    SW_DAI-4-PACKET_BURST_RATE_EXCEEDED: [dec] packets received in [dec] seconds on [char].

Explanation The switch received [dec] number of ARP packets in the specified burst interval. The interface was in the errdisabled state and the switch received the packets at a rate higher than the configured packet rate for every second over the configured burst interval. The message is logged just before the interface entered the errdisabled state and if the configured burst interval is more than one second.

Recommended Action This is an informational message only. No action is required.

 
Error Message    SW_DAI-4-PACKET_RATE_EXCEEDED: [dec] packets received in [dec] milliseconds on [char].

Explanation The switch received [dec] number of ARP packets in the specified duration on the given interface above the exceeded packet rate. This message is logged just before the interface entered the errdisabled state and when the burst interval is set to one second.

Recommended Action This is an informational message only. No action is required.

 
Error Message    SW_DAI-4-SPECIAL_LOG_ENTRY: [dec] Invalid ARP packets [%CC]

Explanation The switch received [dec] number of ARP packets that the ARP inspection considers invalid. The packets are invalid, and their presence may be an indication of "man-in-the-middle" attacks attempted on the network. This message displays when the rate of incoming packets exceeds the DAI logging rate.

Recommended Action This is an informational message only. No action is required.

SW_DAI-6

Error Message    SW_DAI-6-ACL_PERMIT: [dec] ARPs (Req) on [chars], vlan [chars].

Explanation The switch received ARP packets that have been permitted because of an ACL match.

Recommended Action This is an informational message only. No action is required.

 
Error Message    SW_DAI-6-DHCP_SNOOPING_PERMIT: [dec] ARPs (Req) on [chars], vlan [chars]

Explanation The switch received ARP packets that have been permitted because the IP and MAC address for the sender match against the DHCP snooping database for the received VLAN.

Recommended Action This is an informational message only. No action is required.
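The drop and deny messages in the DHCP_SNOOPING-5 and SW_DAI-4 groups above are the ones worth alerting on in a log collector. The following Python script is an added example, not part of the original post or of any Cisco or RSA tooling: it parses the FACILITY-SEVERITY-MNEMONIC header and groups the security-relevant messages by offending MAC or port. The log lines are constructed from the message templates above, and the triage labels paraphrase the Explanation text.

```python
import re
from collections import Counter

# FACILITY-SEVERITY-MNEMONIC: text  (the leading '%' seen in syslog is optional)
HEADER = re.compile(r"%?([A-Z][A-Z0-9_]*)-([0-7])-([A-Z][A-Z0-9_]*):\s*(.*)$")
MAC_SA = re.compile(r"MAC sa:\s*([0-9A-Fa-f]{4}(?:\.[0-9A-Fa-f]{4}){2})")
ARP_ON = re.compile(r"on ([^,\s]+), vlan (\w+)")
RATE_ON = re.compile(r"packets (?:received in \d+ \w+ )?on (?:interface )?([^\s,]+?)\.?$")
ARP_COUNT = re.compile(r"^(\d+)\s*Invalid ARP")

# Triage labels (assumed names) paraphrasing the Explanation text on this page.
ROGUE_DHCP = "host may be acting as DHCP server or relay"
DHCP_DOS = "possible denial of service via DHCP"
ARP_MITM = "possible man-in-the-middle (invalid ARP)"
ARP_INVALID = "ARP failed MAC/IP validation"
RATE_LIMIT = "rate limit exceeded, interface errdisabled"

TRIAGE = {
    ("DHCP_SNOOPING", "DHCP_SNOOPING_UNTRUSTED_PORT"): ROGUE_DHCP,
    ("DHCP_SNOOPING", "DHCP_SNOOPING_NONZERO_GIADDR"): ROGUE_DHCP,
    ("DHCP_SNOOPING", "DHCP_SNOOPING_MATCH_MAC_FAIL"): DHCP_DOS,
    ("DHCP_SNOOPING", "DHCP_SNOOPING_FAKE_INTERFACE"): DHCP_DOS,
    ("DHCP_SNOOPING", "DHCP_SNOOPING_ERRDISABLE_WARNING"): RATE_LIMIT,
    ("SW_DAI", "ACL_DENY"): ARP_MITM,
    ("SW_DAI", "DHCP_SNOOPING_DENY"): ARP_MITM,
    ("SW_DAI", "SPECIAL_LOG_ENTRY"): ARP_MITM,
    ("SW_DAI", "INVALID_ARP"): ARP_INVALID,
    ("SW_DAI", "PACKET_RATE_EXCEEDED"): RATE_LIMIT,
    ("SW_DAI", "PACKET_BURST_RATE_EXCEEDED"): RATE_LIMIT,
}

# Constructed sample input, built from the templates listed in this post.
SAMPLE = """\
Mar  3 09:14:02: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port message type: DHCPOFFER MAC sa: 0011.2233.4455
Mar  3 09:14:03: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port message type: DHCPACK MAC sa: 0011.2233.4455
Mar  3 09:15:40: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac message type: DHCPDISCOVER chaddr: 0aaa.bbbb.0001 MAC sa: 00de.adbe.ef01
Mar  3 09:16:10: %SW_DAI-4-DHCP_SNOOPING_DENY: 3 Invalid ARPs (Req) on Gi1/0/7, vlan 20.
Mar  3 09:16:15: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Gi1/0/7, vlan 20.
Mar  3 09:16:16: %SW_DAI-4-PACKET_RATE_EXCEEDED: 40 packets received in 812 milliseconds on Gi1/0/7.
Mar  3 09:17:00: %SW_DAI-6-DHCP_SNOOPING_PERMIT: 5 ARPs (Req) on Gi1/0/3, vlan 20
Mar  3 09:18:00: %DHCP_SNOOPING-6-AGENT_OPERATION_SUCCEEDED: DHCP snooping database Write succeeded.
Mar  3 09:19:00: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/9, changed state to up
"""


def parse(line):
    """Split one syslog line into facility, severity, mnemonic and text."""
    m = HEADER.search(line)
    if not m:
        return None
    fac, sev, mnem, text = m.groups()
    return {"facility": fac, "severity": int(sev), "mnemonic": mnem, "text": text}


def source_of(text):
    """Best available identifier for the offender: source MAC, else port."""
    m = MAC_SA.search(text)
    if m:
        return "mac " + m.group(1).lower()
    m = ARP_ON.search(text)
    if m:
        return f"{m.group(1)} vlan {m.group(2)}"
    m = RATE_ON.search(text)
    if m:
        return m.group(1)
    return "unknown"


def triage(lines):
    """Count security-relevant events per (label, source).

    Invalid-ARP messages carry their own packet count ([dec]); every
    other message counts as one event. Messages not in TRIAGE
    (permits, database agent status, other facilities) are ignored.
    """
    hits = Counter()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        label = TRIAGE.get((ev["facility"], ev["mnemonic"]))
        if label is None:
            continue
        n = ARP_COUNT.match(ev["text"])
        hits[(label, source_of(ev["text"]))] += int(n.group(1)) if n else 1
    return hits


if __name__ == "__main__":
    for (label, src), count in triage(SAMPLE.splitlines()).most_common():
        print(f"{count:3d}  {src:20s} {label}")
```

A port that appears under both the invalid-ARP and rate-limit labels, as Gi1/0/7 does in the sample, is the first place to look when following the "find the source host" recommendation.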


Basic Port numbers and services related to enVision.

3:29 AM

Basic Port numbers and services related to it:

· Protocol: LDAP
Port (TCP/UDP): 389 (TCP)
Description: Lightweight Directory Access Protocol (LDAP), used by Active Directory, Active Directory Connector, and the Microsoft Exchange Server 5.5 directory.

· Protocol: LDAP/SSL
Port (TCP/UDP): 636 (TCP)
Description: LDAP over Secure Sockets Layer (SSL). When SSL is enabled, LDAP data that is transmitted and received is encrypted. To enable SSL, you must install a Computer certificate on the domain controller or Exchange Server 5.5 computer.

· Protocol: LDAP
Port (TCP/UDP): 379 (TCP)
Description: The Site Replication Service (SRS) uses TCP port 379.

· Protocol: LDAP
Port (TCP/UDP): 390 (TCP)
Description: While not a standard LDAP port, TCP port 390 is the recommended alternate port to configure the Exchange Server 5.5 LDAP protocol when Exchange Server 5.5 is running on a Microsoft Windows 2000 Active Directory domain controller.

· Protocol: LDAP
Port (TCP/UDP): 3268 (TCP)
Description: Global catalog. The Windows 2000 Active Directory global catalog (which is really a domain controller "role") listens on TCP port 3268. When you are troubleshooting issues that may be related to a global catalog, connect to port 3268 in LDP.

· Protocol: LDAP/SSL
Port (TCP/UDP): 3269 (TCP)
Description: Global catalog over SSL. Applications that connect to TCP port 3269 of a global catalog server can transmit and receive SSL encrypted data. To configure a global catalog to support SSL, you must install a Computer certificate on the global catalog.

· Protocol: IMAP4
Port (TCP/UDP): 143 (TCP)
Description: Internet Message Access Protocol version 4, may be used by "standards-based" clients such as Microsoft Outlook Express or Netscape Communicator to access the e-mail server. IMAP4 runs on top of the Microsoft Internet Information Service (IIS) Admin Service (Inetinfo.exe), and enables client access to the Exchange 2000 information store.

· Protocol: IMAP4/SSL
Port (TCP/UDP): 993 (TCP)
Description: IMAP4 over SSL uses TCP port 993. Before an Exchange 2000 server supports IMAP4 (or any other protocol) over SSL, you must install a Computer certificate on the Exchange 2000 server.

· Protocol: POP3
Port (TCP/UDP): 110 (TCP)
Description: Post Office Protocol version 3, enables "standards-based" clients such as Outlook Express or Netscape Communicator to access the e-mail server. As with IMAP4, POP3 runs on top of the IIS Admin Service, and enables client access to the Exchange 2000 information store.

· Protocol: POP3/SSL
Port (TCP/UDP): 995 (TCP)
Description: POP3 over SSL. To enable POP3 over SSL, you must install a Computer certificate on the Exchange 2000 server.

· Protocol: NNTP
Port (TCP/UDP): 119 (TCP)
Description: Network News Transport Protocol, sometimes called Usenet protocol, enables "standards-based" client access to public folders in the information store. As with IMAP4 and POP3, NNTP is dependent on the IIS Admin Service.

· Protocol: NNTP/SSL
Port (TCP/UDP): 563 (TCP)
Description: NNTP over SSL. To enable NNTP over SSL, you must install a Computer certificate on the Exchange 2000 Server.

· Protocol: HTTP
Port (TCP/UDP): 80 (TCP)
Description: Hyper-Text Transfer Protocol is the protocol used primarily by Microsoft Outlook Web Access (OWA), but also enables some administrative actions in Exchange System Manager. HTTP is implemented through the World Wide Web Publishing Service (W3Svc), and runs on top of the IIS Admin Service.

· Protocol: HTTP/SSL
Port (TCP/UDP): 443 (TCP)
Description: HTTP over SSL. To enable HTTP over SSL, you must install a Computer certificate on the Exchange 2000 server.

· Protocol: SMTP
Port (TCP/UDP): 25 (TCP)
Description: Simple Mail Transfer Protocol, is the foundation for all e-mail transport in Exchange 2000. The SMTP Service (SMTPSvc) runs on top of the IIS Admin Service. Unlike IMAP4, POP3, NNTP, and HTTP, SMTP in Exchange 2000 does not use a separate port for secure communication (SSL), but rather, employs an "in-band security sub-system" called Transport Layer Security (TLS).

· Protocol: SMTP/SSL
Port (TCP/UDP): 465 (TCP)
Description: SMTP over SSL. TCP port 465 is reserved by common industry practice for secure SMTP communication using the SSL protocol. However, unlike IMAP4, POP3, NNTP, and HTTP, SMTP in Exchange 2000 does not use a separate port for secure communication (SSL), but rather, employs an "in-band security sub-system" called Transport Layer Security (TLS). To enable TLS to work on Exchange 2000, you must install a Computer certificate on the Exchange 2000 server.

· Protocol: SMTP/LSA
Port (TCP/UDP): 691 (TCP)
Description: The Microsoft Exchange Routing Engine (also known as RESvc) listens for routing link state information on TCP port 691. Exchange 2000 uses routing link state information to route messages and the routing table is regularly updated. The Link State Algorithm (LSA) propagates routing status information between Exchange 2000 servers. This algorithm is based on the Open Shortest Path First (OSPF) protocol from networking technology, and transfers link state information between routing groups by using the X-LSA-2 command verb over SMTP and by using a Transmission Control Protocol (TCP) connection to port 691 in a routing group. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260995 (http://support.microsoft.com/kb/260995/ ) Definitions of key transport components in Exchange 2000 Server

· Protocol: RVP
Port (TCP/UDP): 80 (TCP)
Description: RVP is the foundation for Instant Messaging in Exchange 2000. While RVP communication begins with TCP port 80, the server quickly sets up a new connection to the client on an ephemeral TCP port above 1024. Because this port is not known in advance, issues exist when you enable Instant Messaging through a firewall.

· Protocol: IRC/IRCX
Port (TCP/UDP): 6667 (TCP)
Description: Internet Relay Chat (IRC) is the chat protocol. IRCX is the extended version offered by Microsoft. While TCP port 6667 is the most common port for IRC, TCP port 7000 is also very frequently used.

· Protocol: IRC/SSL
Port (TCP/UDP): 994 (TCP)
Description: IRC (or Chat) over SSL. IRC or IRCX over SSL is not supported in Exchange 2000.

· Protocol: X.400
Port (TCP/UDP): 102 (TCP)
Description: ITU-T Recommendation X.400 is really a series of recommendations for what an electronic message handling system (MHS) should look like. TCP port 102 is defined in IETF RFC-1006, which describes OSI communications over a TCP/IP network. In brief, TCP port 102 is the port that the Exchange message transfer agent (MTA) uses to communicate with other X.400-capable MTAs.

· Protocol: MS-RPC
Port (TCP/UDP): 135 (TCP)
Description: Microsoft Remote Procedure Call is a Microsoft implementation of remote procedure calls (RPCs). TCP port 135 is actually only the RPC Locator Service, which is like the registrar for all RPC-enabled services that run on a particular server. In Exchange 2000, the Routing Group Connector uses RPC instead of SMTP when the target bridgehead server is running Exchange 5.5. Also, some administrative operations require RPC. To configure a firewall to enable RPC traffic, many more ports than just 135 must be enabled.

· Protocol: T.120
Port (TCP/UDP): 1503 (TCP)
Description: ITU-T Recommendation T.120 is a series of recommendations that define data conferencing. Data conferencing is implemented on the server side as a Conferencing Technology Provider (CTP) in the Multipoint Control Unit (MCU), which is one component of the Exchange Conferencing Services (ECS). Data conferencing is implemented on the client side as Chat, Application Sharing, Whiteboard, and File Transferring in Microsoft NetMeeting.

· Protocol: ULS
Port (TCP/UDP): 522 (TCP)
Description: User Locator Service is a type of Internet directory service for conferencing clients, such as NetMeeting. Exchange 2000 Server and Exchange 2000 Conferencing Server do not implement a ULS, but rather take advantage of Active Directory for directory services (by TCP port 389).

· Protocol: H.323 (Video)
Port (TCP/UDP): 1720 (TCP)
Description: ITU-T Recommendation H.323 defines multimedia conferencing. TCP port 1720 is the H.323 (video) call setup port. After a client connects, the H.323 server negotiates a new, dynamic UDP port to be used for streaming data.

161931 (http://support.microsoft.com/kb/161931/ ) Configuring MTA TCP/IP port # for X.400 and RPC listens

H.323 Video Conferencing is implemented on the server side as a CTP on the MCU in ECS. On the client side, it is implemented as Video in NetMeeting.

· Protocol: Audio
Port (TCP/UDP): 1731 (TCP)
Description: Audio conferencing is enabled in much the same way as H.323 video conferencing is enabled in Exchange 2000 Server. After clients connect to TCP port 1731, a new dynamic port is negotiated for further streaming data.

· Protocol: DNS
Port (TCP/UDP): 53 (TCP)
Description: Domain Name System (DNS) is at the heart of all of the services and functions of Windows 2000 Active Directory and Exchange 2000 Server. You cannot underestimate the impact that a DNS issue can have on the system. Therefore, when service issues arise, it is always good to verify proper name resolution.
