New Contributor
•
3 Messages
Business-Class Customer Requests Outgoing Port 445 To Access Microsoft Azure File Services
I am posting on behalf of a Comcast business-class customer whose operations would be enhanced by using Microsoft Azure File Services.
Azure File Services allows local computers to connect to Azure File Servers natively within Windows File Explorer and Mac Finder as a share or mapped drive, a real breakthrough feature that allows Line of Business Apps to interact with cloud servers as if they were on the local network. This functionality leverages SMB 3.0's encryption feature, and SMB 3.0 is the default for W8, W8.1, and W10, as well as Mac El Capitan (OS 10.11) and newer.
The problem is that the above functionality requires that the firewall and the ISP's network (in this case, Comcast Business Class) allow outbound traffic on port 445. Unfortunately, Comcast Business Class blocks all activity, in and out, on port 445.
So far, support calls to Business Class support to request opening outboud 445 have been dismissed out-of-hand, with the support reps referring me to the list of Comcast blocked ports at https://business.comcast.com/help-and-support/internet/ports-blocked-on-comcast-network/
Note the stated reason for blocking port 445 is to mitigate threats from "Sasser" and "Ninder" (sic). Sasser was from 2004, and "Ninder" (sic) was from 2001....so long ago that the author of the list forgot (or is too young to know) that it's Nimda, not "Ninder."
Business Class customers wanting to use modern cloud-based services need a Business Class ISP that is not using ancient criteria and throw-the-baby-out-with-the-bathwater thinking that hobbles the modern cloud-based functionality that today's Businesses are looking for. Comcast Business needs to take a long, hard look at this, and should work with Microsoft to come up with a way for its Business Class customers to connect to Microsoft Azure File Services.
Hopefully one of the Comcast support people who monitor this forum can forward this to decision makers within Comcast.
Accepted Solution
jibe-espresso-bar
New problem solver
•
3 Messages
7 years ago
Comcast was correct in blocking the port to halt the spread of the virii when infections were endemic 15 years ago, like a fire break in a forest fire. That won't reduce the population of unpatched Windows machines out there. Instead they are blocking a common and popular SMB file sharing protocol which the Azure Files product secures.
If Comcast truly cared about customer service they could open the port for machines that are patched, in fact it could be another revenue stream for them (since we all know how much they drive their business decisions on the almighty dollar rather than customer service) by having customers pay for comcast's own patching service. Another option would be to allow people who have unpatched machines to suffer the consequences of having unpatched machines. We're all big boys and girls and don't need them restricting our ability to conduct business because most people don't have patched machines due to simply being uneducated about the dangers of doing so. If they had a customer service mentality they would set up their customers to automatically be patched at the machine level when they come onboard, thereby leaving it up to those in the know to open ports on their own machines at their own risk. But, of course, that might cost their techs an extra 10 minutes which would translate to millions annually for them so I guess that's out.
But taking a hardline stance to simply keep it shut down due to an epidemic approaching two decades ago is far from the correct choice. To think they are doing it to protect consumers is naive. The Code Red worm traveled over Port 80. May as well shut that one down and prevent people from browsing the web. But of course not, that's where their market is. Rather they shut down the easy ports which reduce support calls which is a major cost center and produces no profit for the company.
As the owner of a multi-Gold certified Systems Integration company responsible for migrating many enterprise and SMB customers to the cloud and hybrid environments, this is one major reason I will be steering my own clients away from Comcast whenever possible.
0
0
user_Phil
Advocate
•
1.1K Messages
7 years ago
Hi AJS and welcome to the business support forums.
Thank you very much for your feedback regarding port 445. You're correct as we do have that blocked which is illustrated in the link you provided. Your concerns are important to us. I'll definitely have your feedback reviewed. Please do let me know if you need any assistance.
0
0
xz4gb8
Problem solver
•
117 Messages
7 years ago
AJS wrote,
Note the stated reason for blocking port 445 is to mitigate threats from "Sasser" and "Ninder" (sic). Sasser was from 2004, and "Ninder" (sic) was from 2001....so long ago that the author of the list forgot (or is too young to know) that it's Nimda, not "Ninder."
AJS, you might consider the plethora of unpatched Windows machines out there. At this time, the consensus of the security community is that Comcast is correct in blocking port 445, among others. Perhaps Azure can suggest a solution.
0
0
AJS
New Contributor
•
3 Messages
7 years ago
I understand the concerns of the "security community" (whatever that is) and probably share them. Having said that, I am disappointed that Comcast's Business Internet does not seem capable of adjusting its supposedly Business-oriented newtwork to support modern cloud services such as Azure. It seems to me that Comcast should be able to shape their network to selectively allow traffic on certain ports such as 445 from Business Class customers to established Microsoft Azure servers while still maintaining an overall block of traffic on port 445 to non-Azure destinations.
Microsoft publishes a list of the IPs used by their Azure datacenters every week: https://www.microsoft.com/en-us/download/details.aspx?id=41653&751be11f-ede8-5a0c-058c-2ee190a24fa6=True
0
0