
I have licensing manager software installed on an Azure VM, and a client tool tries to connect to it using a DCOM request, which I believe uses port 135. However, I get an 'access is denied' error when it tries to establish a connection.

Port scan

I did an nmap scan of the server and, as you can see in the image above, it says port 135 is filtered. How do I open it? I believe this might be causing the issue.

Security Group

As you can see in the image above, I have already added port 135 to the inbound rules in the security groups section. I don't know if this group is assigned to the VM instance though.

Firewall

The firewall is completely disabled on the server. The DCOM services are set to Everyone in the DCOM configuration settings. The RPC service is running and set to start automatically.

And finally, here is the actual error I get:

Error

I've been trying to fix this without success for days; any help is greatly appreciated.

Inception
  • Likely middle box firewall, either ISP firewall or otherwise since exposing that Port to the internet unencrypted is a terrible idea. – Jacob Evans Nov 12 '17 at 21:09
  • Also, removing the first 2 octets isn't the best privacy... Since azure ranges are public knowledge https://www.microsoft.com/en-us/download/confirmation.aspx?id=41653 – Jacob Evans Nov 12 '17 at 21:12
  • Have you checked that the server is running? Please show the result of `netstat -ant|findstr 135` – Shui shengbao Nov 13 '17 at 02:14
  • @Walter-MSFT: The server is running according to the Azure dashboard. Here is a screenshot of netstat: https://i.imgur.com/TycDLMj.png – Inception Nov 13 '17 at 04:40
  • @JacobEvans: I don't think it's an ISP firewall, since my colleague who is at a different location gets the same error. – Inception Nov 13 '17 at 04:44
  • I assume you both have an internet service provider... https://www.google.com/search?q=port+135+isp+block&oq=port+135+isp+block&aqs=chrome..69i57.9529j0j4&client=ms-android-verizon&sourceid=chrome-mobile&ie=UTF-8 – Jacob Evans Nov 13 '17 at 04:46
  • @Inception Do you use a classic VM or an ARM mode VM? – Shui shengbao Nov 13 '17 at 04:58
  • @Inception If possible, could you show your VM's public IP? I want to test the connection. – Shui shengbao Nov 13 '17 at 04:59
  • @Inception To test the port 135 connection, you could try `telnet IP 135` – Shui shengbao Nov 13 '17 at 05:02
  • @JacobEvans: Sorry, I should have been more specific. My colleagues in two different countries were getting the same error, hence why I presumed it's not an ISP block. Also, I just googled port 135 block for my ISP and didn't see any reported cases. – Inception Nov 13 '17 at 05:03
  • @Walter-MSFT: I believe it is a classic VM. I do not remember ever selecting ARM mode VM while creating the instance. Public IP is: 40.118.70.104 – Inception Nov 13 '17 at 05:07
  • @Inception For a classic VM, you need to create an endpoint for port 135. Please refer to this: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/classic/setup-endpoints – Shui shengbao Nov 13 '17 at 05:09

2 Answers


You MUST have a private network connection to communicate over known insecure ports. This is where you must use things like IPSEC VPN, DMVPN, MPLS, SD-WAN.

Port 135, among MANY others, is blocked.

http://www.dslreports.com/forum/r7673039-Per-homeland-security-qwest-blocking-ports
https://www.xfinity.com/support/internet/list-of-blocked-ports/

An easy solution would be to install something like ZeroTier on your server and clients, free for up to 100 endpoints.

Jacob Evans
  • Can you help me out on using this? I have installed it on both server and client, I created an account and a network. I managed to connect to the network using the ID on both server and client, now what should I do? – Inception Nov 13 '17 at 06:00
  • Use the new server IP on the Private interface to connect – Jacob Evans Nov 13 '17 at 11:41
  • Hi Jacob, quick question, would the same solution work on AWS EC2 instances as well? I had the exact same issue on EC2 hence why I thought of trying Azure. Now that there is a potential solution, I was thinking maybe I can go back to my preferred AWS if it works. – Inception Nov 14 '17 at 09:26
  • Yes, the above solution is provider agnostic. – Jacob Evans Nov 14 '17 at 10:05
  • Ah alright. When I connect on both server and client machines, it shows up in the 'Members' section in my ZeroTier account. But which new server IP are you talking about? Do you mean the one under 'Managed Routes'? By default it reads 172.23.0.0 and I can pick other addresses as well. – Inception Nov 14 '17 at 11:20
  • Pick what you want, you should read the docs and stop setup a basic ACL, you can also make the server static. – Jacob Evans Nov 14 '17 at 11:45

I believe it is classic VM. I do not remember ever selecting ARM mode VM while creating the instance.

For a classic VM, you need to create an endpoint for port 135. Please refer to this link.


Update:

After a long chat, it seems the Azure NSG and firewall configuration are all right. Your ISP or company firewall could also block port 135, so you have a choice: create a point-to-site VPN and access your server with its private IP (not the public one).

Shui shengbao
  • Extremely sorry for my ignorance, but it seems I'm not on a classic VM, as it simply displays 'Virtual machine' without 'classic' on my dashboard. And I do not have an Endpoints settings tab either. – Inception Nov 13 '17 at 05:13
  • @Inception But the port is not enabled, https://imgur.com/a/pDTku . Currently, it is a firewall issue. If you want to access it from the public IP, you need to ensure you can access the port. – Shui shengbao Nov 13 '17 at 05:14
  • I have added an inbound security rule to enable port 135: https://i.stack.imgur.com/jDGbV.png Is there anything else I have to do to enable it? – Inception Nov 13 '17 at 05:16
  • @Inception An Azure NSG can be associated with an Azure NIC and with a VNet subnet; did you check all of them? In your resource group, how many NSG resources do you find? – Shui shengbao Nov 13 '17 at 05:18
  • @Inception You could check it like [this](https://imgur.com/a/89zmF). – Shui shengbao Nov 13 '17 at 05:21
  • It does not show the subnet in the dashboard: https://i.imgur.com/NhCcOgn.png NewRG2 is the resource group name. https://i.imgur.com/A07AUGy.png Here are all the resource groups: https://i.imgur.com/Xns8D74.png – Inception Nov 13 '17 at 05:32
  • Hi, could you show the resources in the resource group? – Shui shengbao Nov 13 '17 at 05:34
  • Here is the resource group page: https://i.imgur.com/m1q5lsg.png – Inception Nov 13 '17 at 05:38
  • The Azure NSG should be right. As a test, could you create a VM in the same VNet and test connecting to your server with its private IP? – Shui shengbao Nov 13 '17 at 05:39
  • As Jacob Evans said, your ISP or company network may block port 135. – Shui shengbao Nov 13 '17 at 05:39
  • @Inception If your ISP or company firewall blocks port 135, you could create [a point-to-site VPN](https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal). Then you could access your server with its private IP. – Shui shengbao Nov 13 '17 at 05:47
  • Thank you Walter. Should I try ZeroTier or the one you just suggested? Is there a recommended way? – Inception Nov 13 '17 at 05:58
  • For an Azure VM, I suggest using a point-to-site VPN, but you need to use the private IP to connect to your service from your local PC. – Shui shengbao Nov 13 '17 at 06:00
  • Alright, I'm trying it out. For the 'address range' and 'Address space', should I use the default values? https://i.imgur.com/XYebfux.png – Inception Nov 13 '17 at 06:06
  • Hi, don't overlap with your local address range. – Shui shengbao Nov 13 '17 at 06:08
  • Sorry, I don't understand. Should I give my private IP in both fields? – Inception Nov 13 '17 at 06:12
  • Hi, if your local network is 192.168.*.*, you could use the default one. If your local address range is 10.0.0.*, you need to change the default one. – Shui shengbao Nov 13 '17 at 06:13
  • It is 10.0.*.*. So I should change both the address space and range to 10.0.0.0/24, right? Here is ipconfig on the server: https://i.imgur.com/voQQnsH.png – Inception Nov 13 '17 at 06:17
  • For the Azure VNet, you could not 10.1.0.0/24. Your local IP is 10.0.0.0/24. But I suggest you use 172.168.0.0/16 for the VNet because you can use more IP ranges. – Shui shengbao Nov 13 '17 at 06:19
  • Hi, if you have questions about Azure, you could also send an e-mail to me. `v-shshui@hotmail.com` – Shui shengbao Nov 13 '17 at 06:25
  • I get this when I try to create the gateway subnet: https://i.imgur.com/pL5uXYt.png – Inception Nov 13 '17 at 06:26
  • What is your default subnet? When you create the VNet, the VNet should be 172.168.0.0/16 and the default subnet 172.168.0.0/24. The gateway subnet could be `172.168.1.0/24`. The default subnet doesn't use all the IP ranges. – Shui shengbao Nov 13 '17 at 06:28
  • Thank you, that worked. But now in the next step (Create a virtual network gateway), I'm stuck after clicking 'Create' on the Create network gateway page: https://i.imgur.com/vqN4KBn.png – Inception Nov 13 '17 at 06:52
  • It seems to be a browser issue; could you refresh your browser or try another browser? – Shui shengbao Nov 13 '17 at 06:54
  • Hi, can you create the VPN gateway now? – Shui shengbao Nov 13 '17 at 07:28
  • Hi, thank you. I just finished creating the certificates. Now in the point-to-site configuration, what value should I give in 'Address Pool'? – Inception Nov 13 '17 at 07:29
  • Your local IP subnet, it should be `10.0.0.0/24`. – Shui shengbao Nov 13 '17 at 07:30
  • When the VPN is connected, you could test RDP to your VM with the private IP first, then test the port 135 connection using `telnet 135`. – Shui shengbao Nov 13 '17 at 07:32
  • Sorry for my mistake... Your VM should be in the VNet (172.168.0.0/16). If your VM is not in it, you need to create a new one or migrate to it. – Shui shengbao Nov 13 '17 at 07:33
  • I have still not finished creating the VPN gateway. I'm stuck at step 9. I did the point-to-site configuration: https://i.imgur.com/flf04pp.png Then after I download and install the VPN client, when I try to connect, I get an error: https://i.imgur.com/y28NKt6.png – Inception Nov 13 '17 at 07:42
  • Did you check your local certificate? According to the error log, it seems it could not find your local certificate. – Shui shengbao Nov 13 '17 at 07:44
  • Did you install the certificate on your PC, step 8? – Shui shengbao Nov 13 '17 at 07:45
  • I generated the certificate on this PC. Do I need to install it again? I skipped step 8 because of this. – Inception Nov 13 '17 at 08:50
  • I suggest you install it. – Shui shengbao Nov 13 '17 at 08:51
  • I'm still getting that error. In step 5, after the thumbprint step, is it supposed to display something? I get no output: https://i.imgur.com/ZHo1vvm.png – Inception Nov 13 '17 at 09:02
  • Hi, could you execute `certmgr.msc` and check like this: https://imgur.com/a/ivsTR – Shui shengbao Nov 13 '17 at 09:06
  • It shows the certificate: https://i.imgur.com/L8m1mrR.png – Inception Nov 13 '17 at 09:13
  • @Inception If your steps are right, the certificate is right. Could you check your steps again? I tested this in my lab before; the link works for me. – Shui shengbao Nov 13 '17 at 09:15
  • OK, now it worked; however, I'm still getting the 'Access is denied' error when I try to connect :( – Inception Nov 13 '17 at 09:28
  • Do you mean the VPN connection or connecting to your license server? – Shui shengbao Nov 13 '17 at 09:29
  • Sorry for not being specific. I can connect to the VPN, but not to the license manager. – Inception Nov 13 '17 at 09:31
  • Your VM should be in the VNet which has the VPN gateway; also, you cannot access your service with the public IP (the ISP blocks port 135). Connect to your service with the private IP (the VPN tunnels directly to your service). – Shui shengbao Nov 13 '17 at 09:31
  • You should ensure you can RDP to your VM with the private IP. The Azure VPN connection helps you bypass the ISP firewall directly to Azure. – Shui shengbao Nov 13 '17 at 09:32
  • Oh, I'm not able to connect to it using the private IP. It says RDP may be disabled, or the machine may be turned off, etc. The private IP is 10.0.0.4. – Inception Nov 13 '17 at 09:38
  • Could you ping 10.0.0.4 from your local PC? Since Windows Firewall is disabled, you could ping it. – Shui shengbao Nov 13 '17 at 09:39
  • Pinging did not work. The firewall is completely disabled, and I'm connected to the VPN. – Inception Nov 13 '17 at 09:44
  • No, your Azure VNet IP address is 172.168.0.0/16? Your Azure VM is 10.0.0.4? No, your VM should be in the VNet. – Shui shengbao Nov 13 '17 at 09:45
  • Your local PC creates a VPN connection from your local network to the Azure VNet, so your Azure VM should be in the VNet. If it is not in it, you cannot connect to it with the private IP. – Shui shengbao Nov 13 '17 at 09:46
  • If possible, you could create a new VM and install the license software in it. – Shui shengbao Nov 13 '17 at 09:48
  • Is there any way to do it without creating a new VM? I think the current VM is in the old VNet: https://i.imgur.com/fAZc2P8.png VNet1 is the one I created today: https://i.imgur.com/JfWIS5m.png – Inception Nov 13 '17 at 09:51
  • I checked it; no, your VM is not in your VPN gateway VNet. You use a managed disk; if you want to migrate to the new VNet, you need to copy the VM's VHD to a storage account and use the VHD to create a VM. – Shui shengbao Nov 13 '17 at 09:54
  • If possible, I suggest you create a new VM. I think it saves more time. Note: the VPN gateway is expensive. – Shui shengbao Nov 13 '17 at 09:55
  • Sorry for my mistake; at the beginning, I did not remind you of this. – Shui shengbao Nov 13 '17 at 09:56
  • Hi, I need to go home in my country; if you have questions, you could post here or e-mail me :--) – Shui shengbao Nov 13 '17 at 10:01
  • Hi, that is perfectly fine, thanks a lot for your help. I will keep in touch. Let me try to migrate it. – Inception Nov 13 '17 at 10:05
  • One other question: does this VPN gateway I created cost extra money? Also, will using ZeroTier help me avoid the subnet migration step and save money? – Inception Nov 13 '17 at 10:13
  • Hi, ZeroTier is software; if you install it on the Azure VM, you may need to open some ports. If you use a point-to-site VPN, after you use it, you could delete the VPN gateway. – Shui shengbao Nov 14 '17 at 02:49
  • Sorry, I am not in the office; if you have questions, I will answer tomorrow. – Shui shengbao Nov 14 '17 at 02:50
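The NSG questions raised in the question and in the comments above (does the added port 135 rule really admit the flow, and can a lower-numbered deny rule placed above it win?) can be reasoned about offline. The following is an added example, not code from the thread or from Azure: it re-implements the documented first-match-by-priority evaluation over constructed sample rules whose keys mimic `az network nsg rule list` output, with the VirtualNetwork and Internet service tags simplified as noted in the comments.

```python
import ipaddress

# Azure's built-in default inbound rules (the AzureLoadBalancer rule is omitted);
# custom rules use priorities 100-4096 and are evaluated first, lowest number wins.
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

# Constructed sample rules (not the asker's real NSG): an "open 135 to anyone"
# rule like the one in the question, plus a stricter deny rule placed above it.
SAMPLE_RULES = [
    {"name": "Allow-135", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "135"},
    {"name": "Deny-RPC-From-Internet", "priority": 100, "direction": "Inbound",
     "access": "Deny", "protocol": "*", "sourceAddressPrefix": "Internet",
     "destinationPortRange": "135-139"},
]

def _port_matches(port_range, port):
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)

def _source_matches(prefix, src, vnet):
    # Simplified service tags: VirtualNetwork = the VNet range, Internet = anything
    # outside it. The real tags also cover peered and VPN-connected ranges.
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return src in vnet
    if prefix == "Internet":
        return src not in vnet
    return src in ipaddress.ip_network(prefix, strict=False)

def inbound_verdict(rules, src_ip, dst_port, proto="Tcp", vnet="10.0.0.0/24"):
    """Return (access, rule name) of the first inbound rule matching the flow."""
    src = ipaddress.ip_address(src_ip)
    vnet_net = ipaddress.ip_network(vnet)
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if (r.get("direction", "Inbound") == "Inbound"
                and r["protocol"] in ("*", proto)
                and _port_matches(r["destinationPortRange"], dst_port)
                and _source_matches(r["sourceAddressPrefix"], src, vnet_net)):
            return r["access"], r["name"]
```

This models only the NSG layer: the NSG must also actually be associated with the VM's NIC or subnet, and nothing here can see an ISP-side block of port 135, which is why the thread ends up at a private-IP path over a VPN.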