When a network infrastructure includes router-based firewalls, the function of the firewall, which is to silently discard traffic that the firewall has not been configured to forward, can impair specific networking functions. For example, if a firewall between two Microsoft Windows Active Directory directory service domain controllers has not been configured to allow all of the different types of traffic that domain controllers use to synchronize the Active Directory database, replication can fail.

When troubleshooting networking functions and reachability, a common step is to use the Ping tool (Ping.exe) and ping one computer from another. However, the Ping tool uses Internet Control Message Protocol (ICMP) Echo and Echo Reply messages, which are typically not the same traffic being used for the network function that is impaired. The firewalls between the two computers might be allowing ICMP traffic or might be dropping it. In either case, because the network function that is impaired is not using ICMP Echo traffic, the connectivity test with the Ping tool does not provide conclusive diagnostic information about the traffic that is being discarded (dropped) by the intermediate firewalls.

For definitive diagnostic information, you must be able to duplicate the exact type of traffic of the impaired network function using a tool that can report connectivity success or failure. Once you have determined the types of traffic that are being dropped by intermediate firewalls, you can configure the firewalls to forward the dropped traffic to restore connectivity for the impaired network function.

Tools for Testing Network Paths for Specific Types of Traffic

Microsoft provides the following tools to test network paths for specific types of traffic:

Port Query
PPTP Ping
Telnet
Test TCP

Port Query (Portqry.exe and Portqueryui.exe)

Port Query is a free tool from Microsoft that you can use to help troubleshoot TCP/IP connectivity issues for specific types of Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) traffic. Port Query has a command-line version (Portqry.exe) (available at PortQry Command Line Port Scanner Version 2.0) and a graphical user interface version (Portqueryui.exe) (available at PortQryUI - User Interface for the PortQry Command Line Port Scanner). Both versions run on Windows 2000, Windows XP, and Windows Server 2003-based computers.

Portqry.exe has the following features:

A command-line mode that you can use to query TCP, UDP, or both for a single port, an ordered list of ports, or a sequential range of ports.
An interactive mode from which you can issue sequential commands more easily and use a series of shortcuts, or predefined queries for common traffic such as Domain Name System (DNS) or Lightweight Directory Access Protocol (LDAP).
A local host mode that you can use to obtain detailed information about the TCP and UDP ports being used on the local computer on which Portqry.exe runs.

For details of the three different modes and command syntax, see New features and functionality in PortQry version 2.0. This Microsoft Knowledge Base article contains example commands and sample output.

Portqueryui.exe allows you to more easily query ports with a Windows-based graphical user interface. From this window, you can specify the name or IP address of the computer to query, select a predefined service, manually specify the port, ports, or port ranges to query in a specified order, and the protocol to query (TCP, UDP, or both). When you click Query, the results are displayed in the Query Result portion of the window.

To determine the set of ports queried for the predefined services, click Help, and then click Predefined Services. You can modify the set of ports queried for each predefined service or create your own predefined services by modifying the contents of the Config.xml file. For information about the syntax for specifying ports in the Config.xml file, see the Portqueryui.doc file. Both the Config.xml and Portqueryui.doc files are stored in the Portqueryui.exe installation folder.

When either version of the Port Query tool queries a port, it reports the status of a port as being in one of the following states:

LISTENING
Port Query received a positive response and a process is listening on the TCP or UDP port that was queried.

NOT LISTENING
Port Query received a negative response and a process is not listening on the TCP or UDP port that was queried. For a TCP port, Port Query received a TCP connection reset segment. For a UDP port, Port Query received an ICMP Destination Unreachable-Port Unreachable message.

FILTERED
Port Query received no response to the query. A process may or may not be listening on the port. The FILTERED status indicates that the query traffic could have been dropped by an intermediate firewall.

By default, Port Query tries TCP ports three times and UDP ports once.

PPTP Ping

PPTP Ping is a set of two tools (Pptpsrv.exe and Pptpclnt.exe) that are provided with the Windows 2000 or Windows Server 2003 Support Tools, located in the Support\Tools folder of the Windows 2000 or Windows Server 2003 product CD-ROMs. After installing the Support Tools, Pptpsrv.exe and Pptpclnt.exe are stored in the Program Files\Support Tools folder on the Windows system drive. For Windows XP Service Pack 2, you can obtain updated versions of Pptpsrv.exe and Pptpclnt.exe from Windows XP Service Pack 2 Support Tools.

PPTP Ping allows you to test whether Point-to-Point Tunneling Protocol (PPTP) traffic, consisting of TCP port 1723 traffic for PPTP tunnel maintenance and IP protocol 47 for Generic Routing Encapsulation (GRE) traffic for PPTP tunneled data, can be successfully sent and received between a client and server computer. PPTP Ping does not verify that a successful PPTP connection can be made (which requires a user authentication process), only that PPTP traffic can be exchanged with a specified destination.

For PPTP traffic, the problem is typically a firewall that filters GRE traffic. To correct this problem, configure your firewalls to forward GRE traffic (IP protocol 47) to the VPN server computer.

Telnet

Telnet (Telnet.exe) is a tool included with Windows that you typically use to log in to a Telnet server. You can also use the Telnet tool to test TCP connectivity for any TCP destination port. To verify that a TCP connection can be established using the known destination TCP port number of the application of the destination, you can use the telnet IPv4Address Port command. For example, to verify whether the Web server service on the computer with the IPv4 address of 131.107.78.12 is accepting TCP connections, use the telnet 131.107.78.12 80 command.

If the Telnet tool is successful in creating a TCP connection, the command prompt window will clear and, depending on the protocol, might display some text. This window allows you to type in commands to the service to which you have connected. Type Control-C to exit the Telnet tool. If the Telnet tool is not successful in creating a TCP connection, it displays the message "Connecting To IPv4Address...Could not open connection to the host, on port Port: Connect failed".

Test TCP

Test TCP (Ttcp.exe) is a tool that you can use to listen for and send TCP segment data or UDP messages between two nodes. Ttcp.exe is provided with Windows Server 2003 in the Valueadd\Msft\Net\Tools folder of the Windows Server 2003 product CD-ROM.

Test TCP differs from Port Query in the following ways:

With Test TCP, you can configure a computer to listen on a specific TCP or UDP port without having to install the application or service on the computer. This allows you to test network connectivity for specific traffic before the services are in place. For example, you could use Test TCP to test for domain replication traffic to a computer before you make the computer a domain controller.
Test TCP also supports Internet Protocol version 6 (IPv6) traffic.

The basic syntax for Ttcp.exe on the listening node (the receiver) is the following:

ttcp -r -pPort (to listen on a TCP port)
ttcp -r -pPort -u (to listen on a UDP port)

The basic syntax for Ttcp.exe on the sending node (the transmitter) is the following:

ttcp -t -pPort (to send to a TCP port)
ttcp -t -pPort -u (to send to a UDP port)

For additional command line options, type ttcp at the command prompt.

Ttcp.exe can only listen on or send to a single port. To configure a computer to listen on multiple ports, run Ttcp.exe in separate command prompt windows.

Common Types of Traffic Problems

The most common types of traffic that are blocked by firewalls and can impair Windows networking functionality are the following:

Active Directory domain traffic
DNS traffic
VPN traffic
ICMP traffic
Other traffic

Active Directory Domain Traffic

Active Directory domain traffic includes the following domain operations:

Active Directory replication between domain controllers
Promotion of a new domain controller with the Dcpromo.exe tool
Domain logon
Domain authentication
Establishing domain trusts

The traffic used for these types of domain operations is described in detail in the How to Configure a Firewall for Domains and Trusts Microsoft Knowledge Base article and includes the following:

TCP port 135 for Remote Procedure Call (RPC) traffic
TCP port 389 and UDP port 389 for LDAP traffic
TCP port 636 for LDAP over Secure Sockets Layer (SSL) traffic
TCP port 3268 for LDAP Global Catalog (GC) traffic
TCP port 3269 for LDAP GC SSL traffic
TCP port 53 and UDP port 53 for DNS traffic
TCP port 88 and UDP port 88 for Kerberos traffic
TCP port 445 for Server Message Block (SMB) (also known as Common Internet File System [CIFS]) traffic

You can test your network paths for domain traffic on an individual port basis with the Portqry.exe tool if the domain controller is already in place or with the Ttcp.exe tool to listen and send domain traffic if the computer that is being promoted to a domain controller has not yet been promoted.

The easiest way to test for all of these ports at one time is to use Portqueryui.exe and the "Domains and Trusts" predefined service, which by default queries the following sets of ports:

TCP port 135 (RPC traffic)
TCP port 389 and UDP port 389 (LDAP traffic)
TCP port 636 (LDAP over SSL traffic)
TCP port 3268 (LDAP GC traffic)
TCP port 3269 (LDAP GC SSL traffic)
TCP port 53 and UDP port 53 (DNS traffic)
TCP port 88 and UDP port 88 (Kerberos traffic)
TCP port 445 (SMB traffic)
UDP port 137 (Network Basic Input/Output System [NetBIOS] name service traffic)
UDP port 138 (NetBIOS NetLogon and browsing traffic)
TCP port 139 (NetBIOS session traffic)
TCP port 42 (Windows Internet Name Service [WINS] replication traffic)

The set of ports queried with the "Domains and Trusts" predefined service includes all of the ports listed in the How to Configure a Firewall for Domains and Trusts Microsoft Knowledge Base article.

DNS Traffic

To test for DNS traffic, you can use the following methods:

Use Portqry.exe with the following syntax:
portqry -n DNS_server_name_or_IP_address -p BOTH -e 53
Alternately, you can use the q dns shortcut command at the Portqry.exe interactive command prompt.
Use Portqueryui.exe and the "Networking" predefined service, which queries DNS along with other networking protocols.

VPN Traffic

To use PPTP Ping to test for PPTP-based VPN traffic, do the following:

1. On the VPN server computer:
   If needed, stop the Routing and Remote Access service using the Routing and Remote Access or Services snap-ins. This step ensures that Pptpsrv.exe can use TCP port 1723 and IP protocol 47.
   Run Pptpsrv.exe.
2. On the VPN client computer:
   Run Pptpclnt.exe with the following syntax:
   pptpclnt.exe servername_or_IP_Address
   When prompted, type some text to send to the VPN server computer and then press ENTER.

If PPTP traffic can be successfully exchanged between the VPN server and VPN client computers, Pptpsrv.exe on the VPN server computer will display the text that was sent by the VPN client computer and an exchange of five GRE messages. If not, Pptpsrv.exe will indicate what types of PPTP traffic were unsuccessful.

If you are using a site-to-site VPN connection (also known as a router-to-router VPN connection) to connect two sites of your organization and both Routing and Remote Access server computers can initiate the VPN connection, use the above procedure again, reversing the roles of the two computers. Because either server computer can initiate the connection, you must ensure that both servers can act as both VPN clients and VPN servers.

ICMP Traffic

ICMP traffic is used by protocol stack components, system services, and applications for various networking functions. Here are some examples of Windows networking functions that use ICMP traffic:

To determine whether the link to the Active Directory domain controller is a fast link or a slow link for the purposes of downloading Group Policy settings, Active Directory clients send ICMP Echo messages.
To automatically determine the path maximum transmission unit (PMTU) between two peers, the Windows TCP/IP stack uses the receipt of ICMP Destination Unreachable-Fragmentation Needed and Don't Fragment Set messages. For more information, see Path Maximum Transmission Unit (PMTU) Black Hole Routers, the July 2004 The Cable Guy article.

In either case, you can test for intermediate firewalls that block ICMP traffic with the Ping tool.

Other Traffic

For other types of traffic, you can use the following methods:

Use Portqry.exe to specify individual ports at the command line or use the shortcuts in interactive mode.
Use Portqueryui.exe to specify individual ports or use the predefined services.
Use Telnet.exe to test for TCP connectivity on specific ports.
Use Ttcp.exe to set up listening and sending nodes.
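
The three Port Query states and the Test TCP idea of holding a port open before the service is installed, as an added Python example (not Microsoft's code and not part of the original article). The function names, the 1-second timeout, the IPv4-only sockets and the loopback demonstration are assumptions; only a timeout is reported as FILTERED.

```python
import socket

LISTENING, NOT_LISTENING, FILTERED = "LISTENING", "NOT LISTENING", "FILTERED"
# TCP ports the article lists for Active Directory domain traffic.
DOMAIN_TCP_PORTS = {135: "RPC", 389: "LDAP", 636: "LDAP over SSL", 3268: "LDAP GC",
                    3269: "LDAP GC SSL", 53: "DNS", 88: "Kerberos", 445: "SMB"}

def query_tcp(host, port, attempts=3, timeout=1.0):
    """Classify a TCP port using the three states the article defines."""
    for _ in range(attempts):            # the article: TCP ports are tried three times
        try:
            with socket.create_connection((host, port), timeout=timeout):
                return LISTENING         # handshake completed
        except ConnectionRefusedError:
            return NOT_LISTENING         # a TCP reset came back
        except socket.timeout:
            continue                     # silence: retry, then report FILTERED
    return FILTERED

def query_udp(host, port, payload=b"\x00", timeout=1.0):
    """Query a UDP port once; silence cannot prove whether a process listens."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:   # IPv4 only (assumption)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            s.send(payload)
            s.recv(512)
            return LISTENING             # the service answered
        except ConnectionRefusedError:
            return NOT_LISTENING         # ICMP Port Unreachable was received
        except socket.timeout:
            return FILTERED              # dropped, or a service that ignored the payload

def placeholder_listener(port=0, udp=False, host="127.0.0.1"):
    """Hold a port open before the real service exists (the 'ttcp -r' role)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM if udp else socket.SOCK_STREAM)
    s.bind((host, port))                 # port 0 lets the OS pick a free port
    if not udp:
        s.listen(5)
    return s

def query_domain_ports(host, timeout=1.0):
    """Query every domain TCP port and return {port: state}."""
    return {p: query_tcp(host, p, timeout=timeout) for p in DOMAIN_TCP_PORTS}

if __name__ == "__main__":               # constructed loopback demonstration
    srv = placeholder_listener()
    port = srv.getsockname()[1]
    print(port, query_tcp("127.0.0.1", port))   # LISTENING
    srv.close()
    print(port, query_tcp("127.0.0.1", port))   # NOT LISTENING
```

A UDP placeholder listener that never replies is reported as FILTERED, which is the article's caveat that a process may or may not be listening behind that state.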