Blocked Ports from Off Campus Networks
Modified on: Fri, 26 Jan 2024 9:39 AM
Introduction
The University of Alberta is required to safeguard the confidentiality, integrity and availability of all University information. These safeguards ensure that University information is only accessed by those who are authorized to access it, the information is true to what it should be and the information is accessible when it needs to be.
Applicability
This article will help users troubleshoot connectivity to computing resources from off campus. It is intended for all members of the University community, for users at other institutions who access University of Alberta resources from off campus, for third-party vendors, and in certain situations as noted. Note that it does not describe the different methods for connecting to campus systems; it only lists the ports that will not work.
Procedure
Blocked Ports from Off Campus Networks
As part of a new initiative to better secure University of Alberta computing resources, we are blocking access to several high-risk ports from off-campus networks. Entries are inbound blocks (off campus to campus) unless the entry says otherwise. Where no protocol is given, check the service's own documentation for whether it uses TCP, UDP or both. Currently, the following ports are affected:
- DNS over TLS (DoT, port 853; outbound blocking only)
- DNS over HTTPS (DoH; outbound blocking only)
- 13: Daytime
- 17 UDP: Quote of the Day (QOTD)
- 19 UDP: Chargen
- 23: Telnet
- 37: Time
- 69 UDP: TFTP
- 79 TCP: Finger (User Information Protocol)
- 110 TCP: POP3
- 111 TCP: SunRPC (portmapper)
- 123: NTP
- 135 TCP: Microsoft RPC endpoint mapper
- 137-139/445: SMB (inbound AND outbound blocking)
- 161: SNMP
- 177: XDMCP
- 389 UDP: LDAP (connectionless LDAP)
- 427 TCP/UDP: SLP
- 515: Printing (LPD)
- 554 TCP: RTSP
- 623 TCP: IPMI
- 873: rsync
- 902 TCP: VMware authentication daemon
- 995 TCP: POP3 over TLS (POP3S)
- 1099 TCP: Java RMI
- 1434: MS SQL Server Browser
- 1883: MQTT (originally IBM's SCADA messaging protocol)
- 1900 UDP: SSDP
- 2323: Telnet alternate
- 3283 UDP: Apple Remote Desktop
- 3306 TCP: MySQL
- 3389: RDP
- 3668: Dell DRAC
- 3702 UDP: WS-Discovery
- 4786 TCP: Cisco Smart Install
- 5009 TCP: Apple AirPort base station remote admin
- 5353: Multicast DNS (mDNS)
- 5432: PostgreSQL
- 5672 TCP: AMQP
- 5869: Dell DRAC
- 5900-5910: VNC and VNC alternates
- 6000: X11 server
- 7777: cbt
- 9100: Printing (raw/JetDirect)
- 9600 TCP: ICS (Omron FINS)
- 9999: Telnet alternate
- 11211 UDP: memcached
- 16992-16993: Intel AMT
- 27017 TCP: MongoDB
- 30718: Lantronix device discovery
- 44818 TCP: EtherNet/IP (Common Industrial Protocol, CIP)
Common programs that use these ports*:
- Windows Remote Desktop
- Apple Remote Desktop
- Windows File Sharing & Network Discovery
- Samba (including connections to samba.srv.ualberta.ca)
- PuTTY connections using Telnet
- RealVNC Remote Access Software
*Please note this is not an exhaustive list. Other programs may be affected. This article is not intended to describe how to use these programs to connect. It is only to list which ports are affected.
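When a connection from off campus fails, the question is usually whether this block is the cause or the target host itself is down or not listening. The following check is an added example for this article (not IST's tooling; the host name and the list entries it carries are constructed placeholders). It parses entries written in the article's own "port[-port][/port] [TCP|UDP|TCP/UDP]: service" format and attempts a TCP connect to each port, classifying the result: a timeout from off campus that turns into "open" once you are on the VPN is the signature of the block, while an immediate "closed" (a reset) means the host answered and the block is not what is stopping you. UDP entries are listed but not probed, because a UDP port gives no reply whether it is open or filtered.

```python
"""Reachability check for the article's blocked TCP ports.

Added example, not University of Alberta IST tooling. The host name and the
entries below are constructed placeholders; the entry format matches the
article's "port[-port][/port] [TCP|UDP|TCP/UDP]: service" lines.

TCP only: a UDP probe gets no reply whether the port is open or filtered, so
a plain connect() test cannot tell the two apart.
"""
import re
import socket

# Constructed sample in the article's format (a subset of the real list).
SAMPLE_ENTRIES = """\
23: Telnet
137-139/445: SMB (Inbound AND Outbound blocking)
427 TCP/UDP: SLP
3389: RDP
5900-5910: VNC & VNC Alternates
11211 UDP: memcache
"""

# Optional "- " bullet, ports (ranges joined by "-", alternatives by "/"),
# optional protocol label, colon, service name.
ENTRY_RE = re.compile(
    r"^\s*(?:-\s*)?(?P<ports>[\d/\-]+)\s*(?P<proto>TCP/UDP|TCP|UDP)?\s*:\s*(?P<name>.+?)\s*$"
)


def parse_entries(text):
    """Yield (port, proto, name) for every port an entry covers.

    Entries with no protocol label are taken to be TCP (an assumption: the
    article does not say which protocol those entries cover).
    """
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headings, prose, blank lines
        label = m["proto"] or "TCP"
        protos = ("tcp", "udp") if label == "TCP/UDP" else (label.lower(),)
        for piece in m["ports"].split("/"):  # "137-139/445" -> two pieces
            lo, _, hi = piece.partition("-")
            for port in range(int(lo), int(hi or lo) + 1):
                for proto in protos:
                    yield port, proto, m["name"]


def check_tcp(host, port, timeout=3.0):
    """Classify one TCP connect attempt.

    open        - handshake completed, something is listening
    closed      - immediate reset: host reachable, nothing listens there
    filtered    - no answer before the timeout: a firewall dropped the SYN
    unreachable - routing or name-resolution failure
    'filtered' from off campus but 'open' over the VPN is the block at work.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "unreachable"


def audit(host, text=SAMPLE_ENTRIES, timeout=3.0):
    """Return {(port, service): verdict} for every TCP entry in text."""
    return {
        (port, name): check_tcp(host, port, timeout)
        for port, proto, name in parse_entries(text)
        if proto == "tcp"
    }


def self_check():
    """Validate the classifier against a local socket before trusting it:
    a listening port must read 'open', the same port after close 'closed'."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = check_tcp("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = check_tcp("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "host.example"  # placeholder
    for (port, name), verdict in sorted(audit(target).items()):
        print(f"{port:>6}  {verdict:<11}  {name}")
```

Run it once from off campus and once connected to the VPN and compare the two columns; to use the full list from this article, paste the entries into `SAMPLE_ENTRIES` or read them from a file. Entries with no protocol label are probed as TCP, which is an assumption of this example, not a statement from the article.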
To access your devices from off campus you must first connect to the University's Virtual Private Network (VPN) service. The VPN service protects both you and the University with respect to remote connectivity. Please see the instructions for installing the VPN client.
For those devices accessed by external researchers or third party vendors, we have two alternatives:
- Preferred Method: Request creation of a Guest CCID from your department's HR contact or from IST. This will allow non-UAlberta affiliates to authenticate to the VPN service, and then to the internal computing resource.
- Alternate Method: Request an exception. Note that there must be a clear business justification for this exception that cannot be solved by the creation of a guest CCID. Requests can be submitted to ciso@ualberta.ca for review.
Other high risk network ports are currently under consideration. This article will be updated to reflect the list of ports if any other changes are made.
Keywords: rdp, remote, desktop, telnet, ssh, off-campus, outside, access, guest, ccid, vpn, windows, smb, samba, file, sharing, blocked, ports, chargen, ssdp, block, tftp, rsync, mysql, off campus access