A server I inherited has been unable to reach the Internet. The specific symptom is that hosts outside can access it, but it cannot access anything outside; even the antivirus software's update program fails to connect. The machine had previously been looked after by my colleague Wang, who left no record of what had been configured before leaving, and when I asked her she had no recollection of what she had done. That made the root cause hard to find, so I could only dig into it bit by bit, one layer at a time, whenever I had spare time, until yesterday, when the problem was finally fully resolved.
There were two main problems: 1. the TCP/IP filtering policy was set incorrectly; 2. KB951748 caused DNS resolution to fail.
Improper TCP/IP filtering policy settings
Because only TCP ports 80 and 21 had been opened, Remote Desktop could not log in either. After some research, I set up a sensible port-opening policy that opens the ports that are needed and keeps the remaining unnecessary ports blocked.
UDP port 53 is the domain-name resolution service, and DNS resolution additionally needs a group of dynamic (ephemeral) UDP ports reserved for the replies. You can choose a few starting from 1024.
Ports can be divided into 3 main categories:
1) Well-known ports: from 0 to 1023. They are tightly bound to particular services, and traffic on one of these ports usually clearly indicates the protocol of a particular service. For example, port 80 is practically always HTTP traffic.
2) Registered ports: from 1024 to 49151. They are loosely bound to services. This means that many services are bound to these ports, and the ports are also used for many other purposes. For example, many systems allocate dynamic ports starting at around 1024.
3) Dynamic and/or private ports: from 49152 to 65535. In theory, these ports should not be assigned to services. In practice, machines usually allocate dynamic ports starting from 1024. But there are exceptions: Sun's RPC ports start at 32768.
DNS resolution failure caused by KB951748
After the TCP/IP filter was configured, Internet Explorer could not open the search page by domain name, but could access it by IP. A web search turned up a new suspect: KB951748, a patch for a DNS vulnerability that allowed spoofing. There are said to be two ways to deal with it: one is to uninstall the patch; the other is to leave it installed. The reason you can leave it installed is that the patch only changes the local port range used for DNS requests from 1024-5000 to the same range as Vista, i.e. 49152-65535, so it is enough to modify the corresponding firewall rules. Then, in the Services console, stop and restart the DNS Client service. Reboot the computer and the problem is solved. http://support.microsoft.com/?kbid=951748
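As an added example (not from the original post), here is a small Python model of the interaction the post describes: the TCP/IP filter's list of permitted inbound UDP ports versus the source-port range the DNS Client uses for its queries (1024-5000 before KB951748, 49152-65535 after it, as the post states). A DNS reply arrives at the client's ephemeral source port, so any part of that range the filter does not permit is a gap where replies are dropped. The function names and sample rule lists are my own.

```python
# Added model of the post's failure mode: Windows TCP/IP filtering only lets
# inbound UDP reach the ports listed, while DNS replies come back to the
# client's ephemeral source port, so that whole range must be permitted too.
from typing import List, Tuple

Range = Tuple[int, int]  # inclusive (low, high)

# Source-port ranges the DNS Client uses, as stated in the post.
EPHEMERAL_BEFORE_KB951748: Range = (1024, 5000)
EPHEMERAL_AFTER_KB951748: Range = (49152, 65535)


def normalize(ranges: List[Range]) -> List[Range]:
    """Sort and merge overlapping or adjacent inclusive port ranges."""
    merged: List[Range] = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def dns_reply_gaps(permitted_udp: List[Range], ephemeral: Range) -> List[Range]:
    """Parts of the ephemeral range the filter does not permit (replies dropped)."""
    gaps: List[Range] = []
    cursor, end = ephemeral
    for lo, hi in normalize(permitted_udp):
        if hi < cursor:
            continue  # rule lies entirely below what is still uncovered
        if lo > end:
            break  # rule lies entirely above the ephemeral range
        if lo > cursor:
            gaps.append((cursor, min(lo - 1, end)))
        cursor = max(cursor, hi + 1)
        if cursor > end:
            break
    if cursor <= end:
        gaps.append((cursor, end))
    return gaps


def permit_dns(permitted_udp: List[Range], ephemeral: Range) -> List[Range]:
    """The same filter list with UDP 53 and the ephemeral range added."""
    return normalize(permitted_udp + [(53, 53), ephemeral])
```

A filter fixed for the pre-patch range, `[(53, 53), (1024, 5000)]`, reports no gaps against `EPHEMERAL_BEFORE_KB951748` but the whole `(49152, 65535)` range against `EPHEMERAL_AFTER_KB951748`, which is exactly the post's "works by IP, fails by name" state after the patch.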