Need help using Netmeeting with CF. CF not allowing a remote netmeeting to connect unless I disable CF.
My goal has two parts:
1. use the desktop sharing function of NetMeeting without using DMZ on the router (working)
2. have CF enabled before and during a NetMeeting connection (not working)
#1 is done. #2 does not work: I have to disable CF before the remote user attempts to call me in NetMeeting, otherwise there is no response at all on my PC. If I disable CF before the remote user makes the call, we can connect.
Using:
-cable modem
-Linksys Cable/DSL 4 port Router
-XP Home
-Netmeeting 3.01
-Comodo Firewall (CF)
my router setup:
I have set the router to port forward the five TCP NetMeeting ports (522, 389, 1503, 1720 and 1731) to my host PC, but no UDP ports are forwarded (I want to avoid using DMZ, so DMZ is not enabled). I only need NetMeeting for desktop sharing, not video/audio.
When CF is disabled and set for ALLOW ALL, NetMeeting works: the remote user calls me on NetMeeting, I answer, and the remote user can share their desktop. But CF had to be disabled to allow the initial connection.
When CF is set to Custom, the remote user tries to call me on NetMeeting, but nothing happens, even though conf.exe is set up in Application Monitor and set to Allow All Activities for the Application. No connection.
So it works the way I want, but only IF I disable CF before the remote user initiates the call. Once connected, I can turn CF back on. If I have to do it this way, that's fine. But is there a way to configure CF to allow a NetMeeting connection with CF enabled?
Update: I got NetMeeting working with CF enabled by setting up a Trusted Network Zone. However, this requires knowing the IP of the remote person initiating a NetMeeting session. This is good, but it is a hassle to set up a different Trusted Network Zone for each remote NetMeeting person (I have over a dozen).
Is there any way to avoid having to set up a Trusted Network Zone and just have an alert pop up (that I can accept) when a remote IP initiates a NetMeeting session?
I'm pretty sure the only thing you're missing is the Network Monitor rules to allow the NetMeeting ports through.
CPF uses a three-layer security model: network, application and component. For all inbound data, there must be a network rule that allows traffic through on specific ports for specific protocols. If this rule exists, the traffic is allowed through the Network Monitor, where it is then tested against the Application Monitor. For outbound, three tests are applied to each app or component attempting to get out: component, then application, then network.
Try adding rules for NetMeeting in the Network Monitor.
Makes sense. I got it working as well as possible, I think. I discovered that with the firewall disabled, NetMeeting opens a different port every time it makes a new connection, somewhere in the 2700-3100 range. Since the port is always changing, I had to create a Network Control Rule with a port range of 389-3100.
This works, but I have to manually Allow the rule just before using NetMeeting and then manually Block the rule when I'm done with NetMeeting.
QUESTION 1: When I use NetMeeting I Allow the rule, which opens ports 389-3100. Are all of these ports exposed to the internet even though my router only has the five TCP ports forwarded? Or are these ports only available to NetMeeting?
QUESTION 2: Isn't this much better than opening all ports via DMZ without a software firewall? (which is what I was doing before I got CF)
QUESTION 3: The tricky part is the different port number NetMeeting opens each time. My range is working so far. But is there a better, safer, easier way?
Do the remote users have a static IP that you could use in a rule to allow the required TCP and UDP ports to be open only when they connect? Even using dynamic IPs, they will usually get the same address assigned as long as they haven't disconnected from their network. If by chance they are on the same domain as you and your network uses Active Directory, then you might be able to use machine names, and then you wouldn't have to have a hard-coded IP address. Now if they are laptops that travel, then this theory wouldn't work.
I realize you would have to make at least one or two rules for each IP (IN and OUT) up front, but this would limit your exposure through the firewall to just those IP addresses, and then you could use the full features of the program by opening the correct ports.
You might have already read this, but here are MS's instructions on how to set up NetMeeting through a firewall:
I thought of doing it as you suggest, restricting by IP, but I decided it was too much hassle to keep track of the several dozen remote sites I connect to at times. And I can't see any way to name a network rule? That makes it harder to know which rule to allow/block out of dozens. So I'm deciding to just use a range, and I got it working OK so far (see next post).
Thanks for the info. I changed my range so it's not below 1056, as you recommended. Here is how my setup looks now. I tested and found I only need three ports to receive a remote NetMeeting call (I only use desktop sharing, not audio/video): 1503, 1720, and 1731.
So I changed my router to port forward only those three ports. Then I set up two network rules in CF:
(1) a list of only these three: 1503, 1720, 1731
(2) a range from 2000-3000
The remote side always initiates a NetMeeting session to me. We speak on the phone first, then if I need to connect to them with NetMeeting, I manually ALLOW both rules above. During the NetMeeting session, all those ports are open. After closing NetMeeting, I manually BLOCK both rules. It seems to work so far. But I'm not sure if/when NetMeeting will want to open ports outside this range; I will have to watch it.
Thanks, I realise that now. Here's how I got it all set up. I tweaked the port ranges to be as small as I could while still letting remote NetMeeting PCs call me to connect. See if this looks OK:
MY ROUTER:
on the Linksys router I port forward three of the five NetMeeting TCP ports to my PC: 1503, 1720, 1731 (I tested and don't need the other two TCP ports that Microsoft says NetMeeting uses; they are for a directory service, so ports 389 and 522 are not port forwarded)
IN CPF:
In Application Monitor I set up conf.exe (NetMeeting) for: Allow, TCP, In/Out, Any Dest IP, Any Dest Port
In Network Rules I have 0 and 1 as an allowed LAN zone, and 2 as an IP In block, which moved down to ID 3 when I inserted the new allow range at 2 for NetMeeting:
ID | Action | Direction | Source | Destination | Criteria
0 Allow | IP Out | Any | Zone: [LAN] | where IPPROTO is any
1 Allow | IP In | Zone: [LAN] | Any | where IPPROTO is any
2 Allow | TCP In/Out | Any | Any | where source port is 1057-5000 and dest port is 1057-5000
3 Block | IP In | Any | Any | where IPPROTO is any
This is working: remote NetMeeting PCs can call me, I can answer, and they can share their desktop. I do not have to do anything manually before/after NetMeeting sessions (except run NetMeeting itself).
How is this looking now? My concern is the open TCP ports from 1057-5000. I've been watching the random port NetMeeting establishes, and I've seen it range from 1220 to 4800, so this range seems to be working OK.
I could manually allow/block rule ID 2 before and after using NetMeeting. Do I need to? Do the open ports in rule 2 pose a threat? Or will CPF warn if something other than NetMeeting attempts to use them?
They look OK. Because the conf.exe ports are above 1056, any incoming data has to be going to an application. If the application isn't running, there's nothing to receive the data stream.
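To make the reasoning in the thread concrete (the three-layer model where a network rule must match before the Application Monitor is consulted, and the question of which ports in the 1057-5000 range are actually reachable from the internet given the router's port forwards), here is an added model of the four Network Monitor rules from the post above, evaluated top to bottom with first match winning. This is illustration code written for this page, not Comodo's; the LAN subnet, the host address and the sample packets are constructed, and the model does not claim anything about CPF's implicit default when no rule matches.

```python
"""First-match model of the CPF Network Monitor rule list posted in the thread:
  0 Allow | IP Out      | Any | Zone: [LAN] | any IPPROTO
  1 Allow | IP In       | Zone: [LAN] | Any | any IPPROTO
  2 Allow | TCP In/Out  | Any | Any | source port 1057-5000 and dest port 1057-5000
  3 Block | IP In       | Any | Any | any IPPROTO
Added example, not Comodo code.  LAN subnet, host IP and packets are assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")       # assumed address range of zone [LAN]
HOST = "192.168.1.10"                    # assumed address of the NetMeeting host
ROUTER_FORWARDS = {1503, 1720, 1731}     # TCP ports the Linksys forwards to HOST (from the post)


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out", relative to the host
    proto: str          # "tcp", "udp", "icmp", ...
    src_ip: str
    dst_ip: str
    src_port: int = 0
    dst_port: int = 0


def _in_lan(ip: str) -> bool:
    return ip_address(ip) in LAN


def _in_range(port: int) -> bool:
    return 1057 <= port <= 5000


# (rule id, action, predicate), in the order the post lists them
RULES = [
    (0, "allow", lambda p: p.direction == "out" and _in_lan(p.dst_ip)),
    (1, "allow", lambda p: p.direction == "in" and _in_lan(p.src_ip)),
    (2, "allow", lambda p: p.proto == "tcp"
                           and _in_range(p.src_port) and _in_range(p.dst_port)),
    (3, "block", lambda p: p.direction == "in"),
]


def network_monitor(p: Packet):
    """Return (rule_id, action) of the first rule that matches p.
    Returns (None, None) when nothing matches; the thread does not say what
    CPF does then, so this model does not guess."""
    for rule_id, action, match in RULES:
        if match(p):
            return rule_id, action
    return None, None


def reaches_host_from_internet(dst_port: int, src_port: int) -> bool:
    """Inbound TCP from the WAN has to pass two filters in order: the router
    only forwards ROUTER_FORWARDS, and the forwarded packet must then be
    allowed by the Network Monitor before the Application Monitor sees it."""
    if dst_port not in ROUTER_FORWARDS:
        return False                     # never leaves the router, whatever CPF allows
    p = Packet("in", "tcp", "203.0.113.7", HOST, src_port, dst_port)
    return network_monitor(p)[1] == "allow"


if __name__ == "__main__":
    samples = {
        "remote NetMeeting call to 1720, ephemeral src port": Packet("in", "tcp", "203.0.113.7", HOST, 2345, 1720),
        "same call but src port 80 (outside the range)":     Packet("in", "tcp", "203.0.113.7", HOST, 80, 1720),
        "UDP to 1503 (rule 2 is TCP only)":                  Packet("in", "udp", "203.0.113.7", HOST, 2345, 1503),
        "LAN neighbour to 445 (zone rule wins first)":       Packet("in", "tcp", "192.168.1.5", HOST, 50000, 445),
        "WAN to port 80 (below the range)":                  Packet("in", "tcp", "203.0.113.7", HOST, 2345, 80),
    }
    for label, pkt in samples.items():
        print(f"{label}: {network_monitor(pkt)}")
    print("3389 from WAN reaches host?", reaches_host_from_internet(3389, 2345))
```

Two things the run makes visible that the prose only implies: rule 2 requires both the source and the destination port to sit in 1057-5000, so a remote connection coming from a low source port is dropped by the catch-all block even when the destination is a forwarded NetMeeting port; and a port inside the CF range but not forwarded by the router (3389 in the last line) never reaches the host at all, which is why the router's three forwards, not the CF range, bound what the internet can touch.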