BESClient outbound port 135?

Hey everyone,

We are testing out a new firewall policy in our lab and I came across this while monitoring blocked events. Does anyone know what the client is trying to do using port 135? It isn’t listed in any network and port requirement doc that I have found. Thanks,

The Windows Filtering Platform has blocked a connection.

Application Information:
Process ID: 2448
Application Name: \device\harddiskvolume2\program files (x86)\bigfix enterprise\bes client\besclient.exe

Network Information:
Direction: Outbound
Source Address: 10.223.69.11
Source Port: 50034
Destination Address: 10.40.0.56
Destination Port: 135
Protocol: 6

Edit: I should note that the destination address is an Active Directory controller.

1 Like

TCP/135 in Windows is the RPC Endpoint Mapper. Windows does a lot over RPC and it’s a core requirement for Active Directory.

I would expect the BigFix client to use this port (along with other, dynamic RPC ports) to the Domain Controllers when looking up AD properties - like user and computer group membership, mapping login names to user full names, etc.

3 Likes

Thanks Jason. I’m still confused about it in general though. If the client is trying to reach out and is getting blocked then I would expect something to fail - a relevance property, a task, something. But I see nothing in the client log and nothing appears to have failed to inspect or run properly.

You might check that Active Directory properties are being resolved correctly. I’m not sure if anything outside a debug-level log would show that (i.e. we wouldn’t want it to report errors every time you’re not connected to AD).

Maybe @alanm could comment.

Good idea - I’ll enable the debug log and see what that shows. Thanks,

EDIT:

Thu, 01 Oct 2020 15:21:03 -0500 DebugMessage ActiveDirectory: Refreshed Computer Information - Domain: ScrubbedDomain
Thu, 01 Oct 2020 15:21:03 -0500 DebugMessage ActiveDirectory: User logged in - Domain: ScrubbedDomain User: ScrubbedUsername
Thu, 01 Oct 2020 15:21:04 -0500 DebugMessage User interface process started for user ‘ScrubbedUsername
Thu, 01 Oct 2020 15:21:04 -0500 DebugMessage [ThreadTime:15:21:03] SetupListener success: IPV4/6
Thu, 01 Oct 2020 15:21:04 -0500 DebugMessage [ThreadTime:15:21:03] A2AThread: A2AThread::operator () thread A2AMainThread
Thu, 01 Oct 2020 15:21:04 -0500 DebugMessage [ThreadTime:15:21:03] A2AThread: Named Pipe Created ok.
Thu, 01 Oct 2020 15:21:04 -0500 DebugMessage [ThreadTime:15:21:03] A2AThread: Pipe open succeeded.
Thu, 01 Oct 2020 15:21:04 -0500 DebugMessage [ThreadTime:15:21:03] A2AThread: Pipe Inactive state.
Thu, 01 Oct 2020 15:21:04 -0500 DebugMessage ActiveDirectory: Refreshed User Information - Domain: ScrubbedDomain User: ScrubbedUsername

This debug activity correlates to the firewall block, but it doesn’t seem to indicate any errors. Because nothing seems to be broken or misbehaving with my client, I will just leave it blocked.
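
The correlation described in the last post can be scripted. The following is an added example, not code from the thread or from BigFix: it parses a blocked-connection event in the shape quoted in the first post and lists the client debug-log lines mentioning ActiveDirectory within a few seconds of the block. The event timestamp, the fourth log line, and the function names are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: event text in the shape quoted in the first post.
# The event time is an assumption (the post does not show it).
EVENT_TIME = "2020-10-01T15:21:03-05:00"
EVENT_TEXT = """\
The Windows Filtering Platform has blocked a connection.
Application Information:
Process ID: 2448
Application Name: \\device\\harddiskvolume2\\program files (x86)\\bigfix enterprise\\bes client\\besclient.exe
Network Information:
Direction: Outbound
Source Address: 10.223.69.11
Source Port: 50034
Destination Address: 10.40.0.56
Destination Port: 135
Protocol: 6
"""
# Three debug-log lines from the thread, plus one constructed line outside the window.
DEBUG_LOG = """\
Thu, 01 Oct 2020 15:21:03 -0500 DebugMessage ActiveDirectory: Refreshed Computer Information - Domain: ScrubbedDomain
Thu, 01 Oct 2020 15:21:04 -0500 DebugMessage [ThreadTime:15:21:03] SetupListener success: IPV4/6
Thu, 01 Oct 2020 15:21:04 -0500 DebugMessage ActiveDirectory: Refreshed User Information - Domain: ScrubbedDomain User: ScrubbedUsername
Thu, 01 Oct 2020 15:40:00 -0500 DebugMessage ActiveDirectory: Refreshed Computer Information - Domain: ScrubbedDomain
"""
PROTOCOLS = {"6": "tcp", "17": "udp"}  # IANA protocol numbers

def parse_block_event(text):
    """Turn the 'Key: Value' lines of the event message into a dict."""
    fields = dict(m.groups() for m in re.finditer(r"^\s*([A-Za-z ]+):[ \t]+(.+?)\s*$", text, re.M))
    fields["Protocol"] = PROTOCOLS.get(fields.get("Protocol"), fields.get("Protocol"))
    return fields

def parse_debug_log(text):
    """Yield (timestamp, message) for each client debug-log line."""
    for line in text.splitlines():
        m = re.match(r"(\w{3}, \d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2} [+-]\d{4}) (.*)", line)
        if m:
            yield datetime.strptime(m.group(1), "%a, %d %b %Y %H:%M:%S %z"), m.group(2)

def correlate(event_time, log_text, window_s=5, keyword="ActiveDirectory"):
    """Return debug messages containing keyword within window_s seconds of the block."""
    t0 = datetime.fromisoformat(event_time)
    return [msg for ts, msg in parse_debug_log(log_text)
            if keyword in msg and abs(ts - t0) <= timedelta(seconds=window_s)]
```

A match in time shows only that the Active Directory refresh and the block coincide; whether the refresh actually depends on the blocked connection still has to be checked against the resolved AD properties.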