Robocopy Port Problem
Here are the ports that you’ll need to open on a firewall for Robocopy replication.
I want to program a task to copy files between two servers; one is an Internet server and the other one is a intranet server. My Internet server runs Windows 2000 and my intranet server has Windows 2003. I plan to use Robocopy to replicate files between the two servers and would like to know what ports I need to open for this communication. Can you help?
Tech Help—Just An
Got a Windows, Exchange or virtualization question
or need troubleshooting help? Or maybe you want a better
explanation than provided in the manuals? Describe
your dilemma in an e-mail to the MCPmag.com editors
at mailto:[email protected];
the best questions get answered in this column and garner
the questioner with a nifty Redmond T-shirt.
When you send your questions, please include your
full first and last name, location, certifications (if
any) with your message. (If you prefer to remain anonymous,
specify this in your message, but submit the requested
information for verification purposes.)
Good question, Claudia. Robocopy uses the Server Message Block (SMB) protocol to copy files between two hosts. SMB-based communications use the following ports:
- 137 (TCP/UDP) -- NetBIOS Name
- 138 (UDP) -- NetBIOS Datagram
- 139 (TCP) -- NetBIOS Session
- 445 (TCP) -- SMB over TCP
With a default installation and network parameters, Robocopy will attempt to connect to the remote host using TCP port 139. If you would like to force Robocopy to use the newer SMB over TCP port (445), then you can disable NetBIOS over IP on the source system. Since your target system is exposed to the Web, I recommend disabling NetBIOS on that system as well.
You can disable NetBIOS on a network interface by accessing the interface’s TCP/IP properties, clicking the Advanced button, then clicking the WINS tab, and finally clicking the "Disable NetBIOS over TCP/IP" radio button. With NetBIOS disabled, Robocopy will automatically connect to the target system using TCP port 445. So you need to allow access through your firewall from the source system to the target system with port 445 as the destination.
Now, if you decide to secure the traffic in transit by configuring each host to use IPSec encryption, then you will need to set the firewall to allow IPSec traffic between the two hosts. For more information on configuring a firewall to allow IPSec traffic, see Microsoft KB article 233256. If your two Windows computers are not joined to a domain, you can configure IPSec pre-shared key authentication by following the steps outlined in Microsoft KB article 240262.
While determining default ports for operating services is usually pretty well documented, sometimes determining port usage for third-party applications can be a little bit of a challenge. In these instances, you can view attempted port connections in real time by using the netstat command.
Another tool that's very handy in determining which port an application is trying to connect to is Active Ports. Active Ports displays all port connections in real time, along with the connection’s associated application -- very helpful in trying to determine the ports being used by a particular program.
If you want even more detail, then you can never go wrong by capturing the data transmission using a capture tool such as Ethereal. When trying to determine a firewall rule base, my first preference is to always configure two test systems on the same LAN. I’ll then duplicate the operation and monitor the port connections using Ethereal or Active Ports. Once I have this documented, I’ll know exactly what is needed to allow the program connection and data transmission to traverse a firewall.
Hopefully, this will help you to get Robocopy running in your organization. In this column, I set out to answer Claudia’s question, but there are several methods that IT shops use to replicate or copy data to a Web server. If you have a few moments, please post your favorite tools and techniques as a comment to this column.